Date:      Mon, 1 Jul 2002 19:36:30 -0600
From:      "Ramsey G. Brenner" <rgbrenner@myrealbox.com>
To:        nascar24@home.nl
Cc:        security@freebsd.org
Subject:   Re: Making a firewall more closed
Message-ID:  <200207011936.30545.rgbrenner@myrealbox.com>
In-Reply-To: <008d01c22164$89107ac0$0200a8c0@winxp>
References:  <01a001c22107$3d3b2850$0200a8c0@winxp> <200207011859.23581.rgbrenner@myrealbox.com> <008d01c22164$89107ac0$0200a8c0@winxp>

You forgot about DNS. If you change rule 550 from
add 550 allow log udp from me to any 21,80 keep-state out
to
add 550 allow log udp from me to any 21,53,80 keep-state out
it should work.

You may want to find out what IPs you use for DNS, and specifically allow those addresses.

I loaded your rules and I'm not having any problems now.



On Monday 01 July 2002 07:05 pm, nascar24 wrote:
> This is my current ruleset:
>
> # allow loopback traffic
> add 100 allow ip from any to any via lo0
>
> # protect loopback address
> add 200 deny log ip from 127.0.0.1 to any
> add 249 deny log ip from any to 127.0.0.1
>
> # block spoofs
> add 400 deny log ip from me to any in via ed0
>
> # enable NATD
> add 425 divert 8668 ip from any to any via ed0
>
> # check dynamic rules
> add 450 check-state
>
> # make dynamic entries for all outgoing traffic
> add 500 allow log tcp from me to any 1-65535 keep-state out
> add 550 allow log udp from me to any 1-65535 keep-state out
>
> # services we offer to the world
> add 600 allow log tcp from any to me 22,5067,5617,8472,10000 keep-state in
>
> # pass ICMP
> add 700 allow log icmp from me to any out
> add 750 allow log icmp from any to me in
>
> # pass everything on private LAN
> add 800 allow log all from 192.168.0.0/16 to any
> add 850 allow log all from any to 192.168.0.0/16
>
> # log rejects that have fallen through
> add 65000 deny log ip from any to any
>
> With this ruleset I can browse websites, FTP sites etc.
>
> But when I replace rules 500 and 550 with this:
>
> add 500 allow log tcp from me to any 21,80 keep-state out
> add 550 allow log udp from me to any 21,80 keep-state out
>
> I cannot access any websites nor FTP sites. But I guess I had just allowed it?
>
> Or is the 'out' the problem here.
>
> Marcel.
>
> On Monday 01 July 2002 06:45 pm, nascar24 wrote:
> > What I mean is that I want to grant access to the internet. But only to
> > ports I 'trust', like 80,21,22 etc. But when I make a rule like:
> >
> > add 550 allow ip from me to any 80,21,22
> >
> > I cannot access a website, that puzzles me.
>
> There is a problem with the rule in the example: You allowed traffic to
> leave
> through those ports, but not to enter. We can fix this rule:
>
> add 550 allow tcp from me to any 80,21,22 keep-state
>
> I noticed you already had a rule 550 - you may want to give it a different
> number. IPFW (running 4.5R here) gives the following error when trying to
> load your rule:
>
> ipfw: only TCP and UDP protocols are valid with port specifications
>
> hence why I changed it from ip to tcp.
>
> GL

-- 
----------
Ramsey G. Brenner
rgbrenner@myrealbox.com
http://rgbrenner.cjb.net/
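The advice at the top of this reply is to open UDP 53 and, better still, to allow it only to the resolvers the host actually uses. The following sh script is an added example, not code from this thread or from FreeBSD: it reads the nameserver lines from a resolv.conf-style file and prints the matching stateful ipfw rules, one pair per resolver. The function names (resolvers, dns_rules, load_dns_rules), the FW variable and the rule numbers from 540 upward are assumptions of the example; 540 and up are assumed to be unused in the ruleset quoted below. It also emits a tcp rule for port 53, which the thread does not mention, because a resolver retries over TCP when a UDP answer comes back truncated, and the restrictive rule 500 (tcp to 21,80 only) would block that retry just as rule 550 blocked the UDP query.

```shell
#!/bin/sh
# Added example, not from the thread: generate ipfw rules that allow outbound DNS
# only to the resolvers a host actually uses, rather than "udp from me to any 53".
# Assumptions: rule numbers 540 upward are unused, "me" is the firewall host
# (as in the thread's ruleset), and FW names the command that loads a rule.
# FW defaults to a dry run that prints the commands; set FW=ipfw to load them.

FW="${FW:-echo ipfw}"

# Print the address of every "nameserver" line in a resolv.conf-style file,
# one per line; comments and search/domain lines are ignored.
resolvers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Emit one stateful udp rule and one stateful tcp rule per resolver.
# keep-state lets the reply back in via rule 450 (check-state), so no
# separate inbound rule is needed. TCP 53 is included because a resolver
# retries over TCP when a UDP answer comes back truncated.
dns_rules() {
    n=540
    for ns in $(resolvers "$1"); do
        printf 'add %d allow log udp from me to %s 53 keep-state out\n' "$n" "$ns"
        printf 'add %d allow log tcp from me to %s 53 keep-state out\n' "$((n + 1))" "$ns"
        n=$((n + 2))
    done
}

# Load (or, by default, print) the rules for a given resolv.conf file.
load_dns_rules() {
    dns_rules "$1" | while read -r rule; do
        $FW $rule
    done
}

# Usage: sh dns_rules.sh /etc/resolv.conf   (FW=ipfw to apply for real)
if [ -n "${1:-}" ]; then
    load_dns_rules "$1"
fi
```

Because the generated rules are stateful, they go anywhere after the check-state rule (450) and before the catch-all deny (65000); with the thread's numbering they land between rule 500 and rule 550, so the broad "udp from me to any 21,80" rule never needs 53 added to it at all. If the resolver addresses change (for example, on a DHCP-assigned uplink), the script has to be re-run, which is the usual price of pinning DNS to specific addresses.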
