From: Brett Glass
To: Monte Westlund, freebsd-security@FreeBSD.ORG
Date: Fri, 24 Sep 1999 11:23:31 -0600
Subject: Re: default rc.firewall
Message-Id: <4.2.0.58.19990924111600.04809a90@localhost>
In-Reply-To: <3.0.5.32.19990923152232.007c94c0@memes.com>

The default rc.firewall's "simple" ruleset lets through so little that it is not a good default for most users -- especially users who are creating a NAT router. (Of course, it does not work at all unless you set the variables near the beginning of the ruleset properly.) Usually, I see folks add rules like the following:

# Allow access to our WWW server and vice versa
$fwcmd add pass tcp from any to ${oip} 80 setup
$fwcmd add pass tcp from ${oip} 80 to any setup

# Allow FTP data channels in for active FTP
$fwcmd add pass log tcp from any 20 to any 1024-65535 setup

# Allow SSH through, both ways
$fwcmd add pass tcp from any to ${oip} 22
$fwcmd add pass tcp from $oip to any 22

Remember that if you have more than one external IP you will need to duplicate many rules.

--Brett

At 03:22 PM 9/23/99 -0700, Monte Westlund wrote:
>Hello,
>
>I'm setting up a FreeBSD box as a firewall to a Windows LAN. I've installed 2
>NICs. One connects to a DSL modem, the other connects to the LAN.
>
>Using the 'simple' firewall that is in the default rc.firewall I can't get
>out from any of the machines on the LAN without adding
>
>allow ip from any to any
>
>to the ipfw rules. I have been adding it manually using 'ipfw add ....'
>
>Can anyone point me in the direction of an example of a 'modified'
>rc.firewall for the simple firewall? Or give me an idea of what I need to
>add/allow?
>
>Thanks,
>Monte Westlund
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
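The reply above ends with the remark that every rule mentioning the external address has to be duplicated for each external IP. The script below is an added example, written for this page and not taken from the original post or from FreeBSD's rc.firewall: it generates those per-address rules in a loop and keeps the address-independent rules (the "established" pass and the final deny) in a single copy. The addresses 203.0.113.10 and 203.0.113.11 are constructed (TEST-NET-3), and the firewall command is replaced with echo so the script only prints the ipfw lines it would run; the SSH rules are given "setup" so they pair with the "established" rule, a choice made here, not taken from the reply.

```shell
#!/bin/sh
# Added example (not from the original post or from rc.firewall): emit the
# per-address ipfw rules once per external IP instead of copying them by hand.
# Assumptions: $fwcmd is "echo ipfw" (dry run), addresses are constructed.

fwcmd="echo ipfw"                    # dry run; /sbin/ipfw on a real router
oips="203.0.113.10 203.0.113.11"     # constructed external addresses

# Rules that name the external address: run once per address.
per_ip_rules() {
    oip="$1"
    # Inbound connections to the WWW server on this address
    $fwcmd add pass tcp from any to "$oip" 80 setup
    # SSH to the router, and SSH from the router outwards
    $fwcmd add pass tcp from any to "$oip" 22 setup
    $fwcmd add pass tcp from "$oip" to any 22 setup
}

# Rules that do not depend on the address: a single copy is enough.
common_rules() {
    # Packets of connections already admitted by a "setup" rule above
    $fwcmd add pass tcp from any to any established
    # Log and drop everything nothing above accepted (default deny)
    $fwcmd add deny log ip from any to any
}

# Print the complete ruleset: setup rules first, catch-all last.
build_ruleset() {
    for ip in $oips; do
        per_ip_rules "$ip"
    done
    common_rules
}

# Number of generated lines mentioning one address; lets you check that
# no per-address rule was dropped for the second (or tenth) external IP.
count_rules_for() {
    build_ruleset | grep -c -- "$1"
}

build_ruleset
```

Keeping the address-specific rules in one function means adding a new external IP is a one-word change to oips rather than a fresh copy of every rule, and the generated output can be diffed against the running ruleset before it is loaded. The active-FTP data rule from the reply is deliberately left out of this generator: a rule that passes any connection with source port 20 to the whole 1024-65535 range admits any remote host that chooses that source port, so it deserves a separate decision (and the "log" keyword the reply already puts on it) rather than automatic duplication.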