Date:      Wed, 21 Jan 2004 13:26:10 +0000
From:      Marc Silver <>
Subject:   dialup firewalling
Message-ID:  <>

Hi guys and gals,

The short story:  I wrote an article a while back about dialup
firewalling with FreeBSD, and after an update was made to the article a
few months back by another individual it's been slightly broken.

I am currently working on fixing this document and getting it more up to
date, and was hoping to run the following ruleset past all of you.  The
problem is mostly that I no longer have a dialup connection to test this
with, so I was hoping to ask opinions on whether or not the following
rulebase would work:

# Path to the ipfw binary (added so the script runs stand-alone).
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all connections that we initiate, and keep their state,
# but deny established connections that don't have a dynamic rule.
$fwcmd add check-state
$fwcmd add allow ip from me to any keep-state
$fwcmd add deny tcp from any to any established

# Allow internet users to connect to ports 22 and 80 on my machine.
# This example specifically allows connections to the sshd and a
# webserver.
$fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state

# Allow ICMP packets: remove type 8 if you don't want your host
# to be pingable.
$fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14

# Deny and log everything else.
$fwcmd add deny log ip from any to any

Now, if my knowledge of ipfw2 is correct, this should allow everything
out, and should only allow ports 22 and 80 in.  It'll also allow ICMP.
Simple enough, but am I correct in my assumptions?

Any help would be highly appreciated as I would like to correct the
article as soon as possible.

Thanks again,

p.s. please reply to me as I am not subscribed to this list.
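A way to sanity-check the "everything out, only 22 and 80 in" assumption without a dialup link is to model the rule order in a small stateful evaluator. The following is an added example, not code from the post or the FreeBSD handbook; it leaves out the natd divert rule, and the host address and peer address are constructed values.

```python
# Model of the ipfw2 ruleset above: rules are tried in the posted order
# (check-state, keep-state, established, setup keep-state, icmptypes, deny).
# The natd divert rule is omitted; ME and the peer address are constructed.
ME = "192.0.2.10"                       # the host's own tun0 address (constructed)
OPEN_PORTS = {22, 80}                   # sshd and the web server
ALLOWED_ICMP = {0, 3, 8, 11, 12, 13, 14}

def flow_key(p):
    """Dynamic rules match both directions, so key on the unordered endpoint pair."""
    return (p["proto"], frozenset([(p["src"], p.get("sport")), (p["dst"], p.get("dport"))]))

def evaluate(p, state):
    """Return 'allow' or 'deny' for packet p, adding keep-state entries to state."""
    key = flow_key(p)
    flags = p.get("flags", set())
    if key in state:                    # check-state: part of a tracked flow
        return "allow"
    if p["src"] == ME:                  # allow ip from me to any keep-state
        state.add(key)
        return "allow"
    if p["proto"] == "tcp" and flags & {"ACK", "RST"}:  # deny tcp ... established
        return "deny"
    if (p["proto"] == "tcp" and p["dst"] == ME and p["dport"] in OPEN_PORTS
            and "SYN" in flags and "ACK" not in flags):  # setup keep-state
        state.add(key)
        return "allow"
    if p["proto"] == "icmp" and p["icmptype"] in ALLOWED_ICMP:
        return "allow"
    return "deny"                       # deny log ip from any to any

def tcp(src, sport, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": set(flags)}

def run_scenarios():
    """Evaluate constructed packets in order and return {name: verdict}."""
    state, peer = set(), "198.51.100.5"
    cases = [
        ("outbound syn",     tcp(ME, 40000, peer, 443, "SYN")),
        ("reply syn-ack",    tcp(peer, 443, ME, 40000, "SYN", "ACK")),
        ("inbound ssh",      tcp(peer, 50000, ME, 22, "SYN")),
        ("inbound smtp",     tcp(peer, 50001, ME, 25, "SYN")),
        ("stray ack to 80",  tcp(peer, 50002, ME, 80, "ACK")),
        ("inbound ping",     {"proto": "icmp", "src": peer, "dst": ME, "icmptype": 8}),
        ("inbound redirect", {"proto": "icmp", "src": peer, "dst": ME, "icmptype": 5}),
    ]
    return {name: evaluate(p, state) for name, p in cases}

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18} {verdict}")
```

The "stray ack to 80" case shows why the `established` deny sits before the `setup` rule: an ACK-only segment with no dynamic rule is dropped even though port 80 is open.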
