Date: Sat, 31 Jan 2004 15:50:02 -0500
From: Chuck Swiger <cswiger@mac.com>
To: "Jack L. Stone" <jacks@sage-american.com>, freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: where am I supposed to put my rc.firewall?
Message-ID: <401C14FA.8050105@mac.com>
In-Reply-To: <3.0.5.32.20040131133901.01e62e10@10.0.0.15>
References: <20040131185300.3ced93f6.dion@bredband.net> <200401301846.52757.ecrist@adtechintegrated.com> <401AFCBB.1010300@mac.com> <200401301947.54492.ecrist@adtechintegrated.com> <20040131153521.1d660315.peder.blom@bredband.net> <401BCEBB.90001@mac.com> <20040131185300.3ced93f6.dion@bredband.net> <3.0.5.32.20040131133901.01e62e10@10.0.0.15>
Jack L. Stone wrote:
> At 02:04 PM 1.31.2004 -0500, Chuck Swiger wrote:
>>####
>># set these to your inside interface network and netmask and ip
>>
>>#define IIF fxp0
>>#define INET 10.1.1.0/24
>>#define IIP 10.1.1.1
>>[ ...OIF info snipped... ]
>>
>># port number ranges
>>#define LOPORTS 1-1023
>>#define HIPORTS 1024-65535

A simple example would be:

# dynamic rules
add check-state

# permit some services inbound...
add pass tcp from any HIPORTS to INET 22,80,143,443,993,3128 setup keep-state

# ...but block most other services (ie, ones with root privs)
add deny tcp from any to INET LOPORTS

For a more complicated example, where PI is a mailserver which performs virus scanning and spamfiltering, PONG is an internal reader box:

INET ---> [FW1] <--DMZ + Mailserver PI--> [FW2] <--Internal subnet + PONG>

# on FW1:
add pass tcp from PI HIPORTS to any 25
add pass tcp from any 25 to PI HIPORTS established
add pass tcp from any HIPORTS to PI 25
add pass tcp from PI 25 to OIP HIPORTS established
add unreach filter-prohib log tcp from any to INET 25

# on FW2:
# permit SMTP exchange between pi and pong/fw
add pass tcp from PI HIPORTS to PONG 25
add pass tcp from PONG 25 to PI HIPORTS established
add pass tcp from PONG HIPORTS to PI 25
add pass tcp from PI 25 to PONG HIPORTS established
[ ... ]

# track SMTP from inside to outside and block SMTP from outside
add pass log logamount 20 tcp from INET HIPORTS to any 25 setup
add pass tcp from INET HIPORTS to any 25 established
add pass tcp from any 25 to INET HIPORTS established

-- 
-Chuck
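The rule sets above rely on cpp-style "#define" macros (IIF, INET, HIPORTS, PI, PONG) being expanded before ipfw ever sees them; ipfw(8) can do that itself by piping the rule file through a preprocessor ("ipfw -p cpp ... rules"). The script below is an added example, not code from Chuck's message or from FreeBSD: it does the same whole-word expansion with awk so it runs without cpp or ipfw, and adds the check a practitioner wants before loading a generated rule set, namely that no macro was left unexpanded (a forgotten "#define OIP ..." otherwise surfaces only as an ipfw syntax error at boot). The sample rule files are constructed from the post's simple example and FW2 SMTP rules; the PI and PONG addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: expand cpp-style "#define" macros in an
# ipfw rule file with awk so the generated rules can be read and checked
# before they are handed to ipfw (which can run cpp itself via -p cpp).
set -eu

# expand_rules: stdin is a rule file. "#define NAME VALUE" defines a macro,
# other lines starting with "#" are comments and are dropped, every other
# line is printed with whole-word macro references replaced by their value.
expand_rules() {
    LC_ALL=C awk '
        /^#define[ \t]/ { macro[$2] = $3; next }
        /^[ \t]*#/       { next }
        /^[ \t]*$/       { next }
        {
            out = ""
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (tok in macro) tok = macro[tok]
                if (i > 1) out = out " "
                out = out tok
            }
            print out
        }'
}

# unexpanded_macros: print every remaining ALL-CAPS token, one per line.
# ipfw would reject such a rule anyway; this names the macro you forgot.
unexpanded_macros() {
    LC_ALL=C awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[A-Z][A-Z0-9_]+$/) print $i }'
}

# check_ruleset: expand stdin and fail (status 1, stray names on stderr) if
# any macro is left unexpanded; otherwise print the expanded rules.
check_ruleset() {
    expanded=$(expand_rules)
    stray=$(printf '%s\n' "$expanded" | unexpanded_macros | sort -u | tr '\n' ' ')
    if [ -n "$stray" ]; then
        printf 'unexpanded macro(s): %s\n' "$stray" >&2
        return 1
    fi
    printf '%s\n' "$expanded"
}

# Constructed sample: the simple example from the post, macros included.
RULES_SIMPLE=$(cat <<'EOF'
#define IIF fxp0
#define INET 10.1.1.0/24
#define IIP 10.1.1.1
# port number ranges
#define LOPORTS 1-1023
#define HIPORTS 1024-65535
# dynamic rules
add check-state
# permit some services inbound...
add pass tcp from any HIPORTS to INET 22,80,143,443,993,3128 setup keep-state
# ...but block most other services (ie, ones with root privs)
add deny tcp from any to INET LOPORTS
EOF
)

# Constructed sample: the FW2 SMTP rules from the post. The PI and PONG
# addresses are assumptions for this example, not values from the post.
RULES_FW2=$(cat <<'EOF'
#define PI 10.2.2.25
#define PONG 10.1.1.50
#define HIPORTS 1024-65535
# permit SMTP exchange between pi and pong/fw
add pass tcp from PI HIPORTS to PONG 25
add pass tcp from PONG 25 to PI HIPORTS established
add pass tcp from PONG HIPORTS to PI 25
add pass tcp from PI 25 to PONG HIPORTS established
EOF
)

# Run with --demo to print both expanded rule sets.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$RULES_SIMPLE" | check_ruleset
    printf '%s\n' "$RULES_FW2" | check_ruleset
fi
```

On the firewall itself the expanded output can be given to ipfw as a file (each line is an ipfw command without the leading "ipfw"), and ipfw's -n flag checks the syntax without pushing anything to the kernel, which is the sensible last step before pointing firewall_type at the file.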
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?401C14FA.8050105>