Date:      Thu, 7 Jun 2001 13:57:14 -0600 (CST)
From:      Ryan Thompson <ryan@sasknow.com>
To:        Josh Thomas <jdt2101@ksu.edu>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: IPFW rules and outward connections
Message-ID:  <Pine.BSF.4.21.0106071349220.67902-100000@ren.sasknow.com>
In-Reply-To: <Pine.GSO.4.21L.0106071358560.1095-100000@unix1.cc.ksu.edu>

Josh Thomas wrote to freebsd-questions@FreeBSD.ORG:

> I am looking to set up a firewall to be closed to all incoming
> connections except for 20-22 (for ftp and ssh), and to allow all
> outward connections.  However, I'm having trouble specifically keeping
> the dynamically assigned ports above 1024 for normal usage open, i.e.,
> http from other machines, ftp from other machines.

You shouldn't need any keep-state or dynamic rules at all, for what you've
described here.

To enable arbitrary outgoing connections from the firewall machine:

network=192.168.0.0/24	# This could also just be an IP address

# Allow all outgoing connections
ipfw add 1000 allow ip from ${network} to any

# OR, only allow connections to remote ports 1024-9999
ipfw add 1000 allow ip from ${network} to any 1024-9999

# OR, allow all outgoing connections, with some exceptions
ipfw add 900 deny ip from ${network} to any 119  # Deny usenet
ipfw add 901 deny ip from ${network} to any ???  # Additional services
ipfw add 902 deny ip from ${network} to any ???  # Additional services
ipfw add 1000 allow ip from ${network} to any

# And then you need to allow all established
# incoming tcp connections through to your network.
ipfw add 1010 allow tcp from any to ${network} established


> Is there specifically a way to allow outgoing connections and then
> keep that port open for incoming connections for a short time?  This
> seems to be somewhat the functionality of keep-state, however that
> does not appear to work.  If anybody has any examples, I would
> appreciate them.  Neither the freebsd handbook nor the ipfw manpage
> goes into as much detail as I needed.  Please cc responses, as I am not
> on the freebsd-questions list.
> 
> Thanks,
> 
> Josh Thomas
> Student Systems Analyst
> w
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 

-- 
  Ryan Thompson <ryan@sasknow.com>
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America

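The complete ruleset the thread describes (closed to inbound traffic except ftp and ssh, open outbound, return TCP traffic admitted with "established"), as an added example in sh that is not part of either mail. The NETWORK and DRY_RUN variables, the run_ipfw wrapper, the loopback rule, the UDP/DNS reply rule and the final logging deny rule are assumptions made here, not something either poster wrote; by default the script only prints the ipfw commands so the policy can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not code from the original mail: the ruleset the thread
# describes, wrapped so it can be reviewed before it is loaded.
# NETWORK, DRY_RUN, the loopback, DNS and log rules are assumptions here.

NETWORK="${NETWORK:-192.168.0.0/24}"   # assumed local network (as in the mail)
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = run ipfw

# run_ipfw: print one ipfw command, or execute it when DRY_RUN=0
run_ipfw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw "$@"
    fi
}

# build_rules: emit the complete ruleset in evaluation order. ipfw stops at
# the first matching rule, so the rule numbers are the policy.
build_rules() {
    # Loopback traffic is never filtered.
    run_ipfw add 100 allow ip from any to any via lo0
    # Inbound services the question asked for: ftp (20-21) and ssh (22).
    # "setup" matches only the SYN that opens a new connection.
    run_ipfw add 500 allow tcp from any to "$NETWORK" 20-22 setup
    # Anything originating inside the local network may leave.
    run_ipfw add 1000 allow ip from "$NETWORK" to any
    # Replies to outbound TCP connections. "established" matches packets
    # carrying ACK or RST, i.e. it checks flags, not tracked connection state.
    run_ipfw add 1010 allow tcp from any to "$NETWORK" established
    # "established" is TCP-only; UDP replies need their own rule. Assumed
    # here: DNS answers from any resolver.
    run_ipfw add 1020 allow udp from any 53 to "$NETWORK"
    # Everything else inbound is dropped and logged for review.
    run_ipfw add 65000 deny log ip from any to "$NETWORK"
}

# rule_count: number of rules build_rules would install (sanity check)
rule_count() {
    build_rules | grep -c '^ipfw add '
}

if [ "${1-}" = "--apply" ]; then
    DRY_RUN=0
fi
build_rules
```

Run it with no arguments to see the six commands; `--apply` executes them. Two limits of this ruleset are worth knowing: "established" admits any inbound TCP packet with ACK or RST set, so it is a flag check rather than real connection tracking (ipfw's keep-state/check-state provide that), and an FTP server in active mode opens its data connection back to the client's high port with a SYN, which rule 65000 drops; passive mode, where the client opens both connections, works with these rules.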
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0106071349220.67902-100000>