Date: Thu, 12 Apr 2001 09:31:25 +0200
From: Martin Hasenbein
To: freebsd-ipfw@freebsd.org
Subject: what about this ruleset?
Message-ID: <20010412093125.A60060@Space.Net>
Reply-To: Martin Hasenbein
X-Mailer: Mutt 1.0.1i
Organization: SpaceNet AG, Muenchen, Germany
X-Operating-System: FreeBSD/3.3-RELEASE (i386)

Hi everybody,

what do you think about this ruleset? This is the ruleset of my server. I need the following services available:

SSH incoming and outgoing
SMTP incoming and outgoing
FTP outgoing
Ping incoming and outgoing
POP3 incoming
Samba
NFS

I have official IP addresses and don't do NAT.
work  = my server
home  = my workstation
router = my router
tupac = my girlfriend's Windows box

### Setup ######
fwcmd="/sbin/ipfw"
${fwcmd} -f flush

# 00100 & 00200 loopback
# 00300 tcp
# 00400 udp
# 00500 kiddie logging (netbus etc)
# 00600 icmp logging
# (work, home and tupac are hostnames; ipfw resolves them when the rules are loaded)

# loopback: allow lo0, refuse anything else aimed at 127/8
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# private and reserved ranges must not appear in either direction on the outside interface (logged)
${fwcmd} add 205 deny log all from any to 10.0.0.0/8 via fxp0
${fwcmd} add 206 deny log all from any to 172.16.0.0/12 via fxp0
${fwcmd} add 207 deny log all from any to 192.168.0.0/16 via fxp0
${fwcmd} add 208 deny log all from 10.0.0.0/8 to any via fxp0
${fwcmd} add 209 deny log all from 172.16.0.0/12 to any via fxp0
${fwcmd} add 210 deny log all from 192.168.0.0/16 to any via fxp0
${fwcmd} add 211 deny log all from any to 0.0.0.0/8 via fxp0
${fwcmd} add 212 deny log all from any to 169.254.0.0/16 via fxp0
${fwcmd} add 213 deny log all from any to 192.0.2.0/24 via fxp0
${fwcmd} add 214 deny log all from any to 224.0.0.0/4 via fxp0
${fwcmd} add 215 deny log all from any to 240.0.0.0/4 via fxp0
${fwcmd} add 216 deny log all from 0.0.0.0/8 to any via fxp0
${fwcmd} add 217 deny log all from 169.254.0.0/16 to any via fxp0
${fwcmd} add 218 deny log all from 192.0.2.0/24 to any via fxp0
${fwcmd} add 219 deny log all from 224.0.0.0/4 to any via fxp0
${fwcmd} add 220 deny log all from 240.0.0.0/4 to any via fxp0

# tcp: outgoing connections from the server, established traffic, and the inbound services
${fwcmd} add 300 pass tcp from work to any out xmit fxp0 setup
${fwcmd} add 301 pass tcp from any to any established
${fwcmd} add 302 pass tcp from any to work 22 in recv fxp0 setup
${fwcmd} add 303 pass tcp from any to work 25 in recv fxp0 setup
${fwcmd} add 304 pass tcp from any to work 110 in recv fxp0 setup
# active-mode FTP data connections come back from port 20 to a high port
${fwcmd} add 305 pass tcp from any 20 to work 1024-65535 in recv fxp0 setup
# answer ident (113) with RST instead of silently dropping it
${fwcmd} add 306 reset tcp from any to work 113 in recv fxp0 setup
${fwcmd} add 307 reset log tcp from any to any in recv fxp0 setup

# udp: workstation, DNS, Samba from tupac, outgoing traceroute probes
${fwcmd} add 400 pass log udp from home to work in recv fxp0
${fwcmd} add 402 pass udp from any 53 to work in recv fxp0
${fwcmd} add 403 pass udp from work to any 53 out xmit fxp0
${fwcmd} add 404 pass log udp from tupac to work 137-139 via fxp0
${fwcmd} add 405 pass log udp from work to any 33434-33534
${fwcmd} add 406 unreach port log udp from any to any in recv fxp0

# icmp: echo, unreachable, source quench, time exceeded and parameter problem only
${fwcmd} add 600 pass icmp from work to any icmptypes 0,3,4,8,11,12 out xmit fxp0
${fwcmd} add 601 pass icmp from any to work icmptypes 0,3,4,8,11,12 in recv fxp0
${fwcmd} add 602 deny icmp from any to any in recv fxp0

# catch-all
${fwcmd} add 700 deny all from any to 255.255.255.255
${fwcmd} add 701 deny log all from any to any

Any suggestions, comments, tips, tricks ........

\thx\martin

--
--------------------------------------------------------------------
Martin Hasenbein     Phone (Fax): (+49) 89 1216376-1 (3)        \|/
Weiglstr.9           mailto:martin@hasenbein.com                @ @
D-80636 München      http://martin.hasenbein.com          -oOO-(_)-OOo-
--------------------------------------------------------------------
On the 8th day, god created Unix ;-)
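An added check, not part of Martin's mail: a small first-match simulator for the inbound subset of the ruleset above, used to trace which rule each listed service actually ends up on. Hostnames are mapped to constructed addresses, the fxp0 qualifiers are dropped (every packet is assumed to be on fxp0), and rules 303/304 are left out since nothing here exercises them.

```python
import ipaddress

# Constructed addresses standing in for the hostnames used in the mail (assumptions).
HOSTS = {"work": "198.51.100.10", "home": "198.51.100.20", "tupac": "198.51.100.30"}

# Inbound subset of the ruleset: (number, action, proto, src, sport, dst, dport, dir, tcp flag).
# The via/recv/xmit fxp0 qualifiers are dropped; every packet is assumed to be on fxp0.
RULES = [
    (301, "pass", "tcp", "any", None, "any", None, None, "established"),
    (302, "pass", "tcp", "any", None, "work", (22, 22), "in", "setup"),
    (305, "pass", "tcp", "any", (20, 20), "work", (1024, 65535), "in", "setup"),
    (306, "reset", "tcp", "any", None, "work", (113, 113), "in", "setup"),
    (307, "reset", "tcp", "any", None, "any", None, "in", "setup"),
    (400, "pass", "udp", "home", None, "work", None, "in", None),
    (402, "pass", "udp", "any", (53, 53), "work", None, "in", None),
    (404, "pass", "udp", "tupac", None, "work", (137, 139), None, None),
    (406, "unreach port", "udp", "any", None, "any", None, "in", None),
    (701, "deny", "all", "any", None, "any", None, None, None),
]

def _addr_ok(spec, addr):
    # "any" matches everything; otherwise resolve the mail's host labels through HOSTS
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(HOSTS.get(spec, spec))

def _port_ok(spec, port):
    return spec is None or spec[0] <= port <= spec[1]

def match(pkt):
    """First-match search like ipfw's: return (rule number, action) for pkt."""
    for num, action, proto, src, sp, dst, dp, direction, flag in RULES:
        if proto not in ("all", pkt["proto"]) or (direction and direction != pkt["dir"]):
            continue
        if not (_addr_ok(src, pkt["src"]) and _addr_ok(dst, pkt["dst"])):
            continue
        if not (_port_ok(sp, pkt["sport"]) and _port_ok(dp, pkt["dport"])):
            continue
        # 'setup' matches a bare SYN; 'established' matches anything carrying ACK or RST
        if flag == "setup" and not pkt["syn_only"] or flag == "established" and pkt["syn_only"]:
            continue
        return num, action
    return 65535, "deny"  # ipfw's built-in default rule

def service_checks():
    # Constructed sample packets for the services the mail says it needs, all inbound to work.
    tcp = lambda src, sport, dport: dict(proto="tcp", src=src, sport=sport, dst=HOSTS["work"], dport=dport, dir="in", syn_only=True)
    udp = lambda src, sport, dport: dict(proto="udp", src=src, sport=sport, dst=HOSTS["work"], dport=dport, dir="in", syn_only=False)
    return {
        "ssh in": match(tcp("203.0.113.5", 40000, 22)),
        "ftp data (active)": match(tcp("203.0.113.5", 20, 50000)),
        "samba tcp 139 from tupac": match(tcp(HOSTS["tupac"], 1500, 139)),
        "nfs udp 2049 from tupac": match(udp(HOSTS["tupac"], 1000, 2049)),
    }
```

Running service_checks() shows SSH landing on 302 and active FTP data on 305, while Samba over TCP from tupac reaches the 307 reset and NFS over UDP from tupac falls through to 406, so only the two hosts named in rules 400 and 404 get any UDP in at all.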