From owner-freebsd-ipfw Tue Jan 18 9:35:53 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
    by hub.freebsd.org (Postfix) with ESMTP
    id 1C1B414F85; Tue, 18 Jan 2000 09:35:45 -0800 (PST)
    (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
    by gndrsh.dnsmgr.net (8.9.3/8.9.3) id JAA48588;
    Tue, 18 Jan 2000 09:35:35 -0800 (PST)
    (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200001181735.JAA48588@gndrsh.dnsmgr.net>
Subject: Re: New Firewall
In-Reply-To: from Omachonu Ogali at "Jan 18, 2000 11:22:27 am"
To: oogali@intranova.net (Omachonu Ogali)
Date: Tue, 18 Jan 2000 09:35:34 -0800 (PST)
Cc: briang@expnet.net (Brian Gallucci), isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> The following rules can help if you are going to be running SMTP, HTTP,
> POP3, and HTTPS, delete what you don't need.

Allowing anything other than ``setup'' packets on these rules is a mistake...

>
> # -- Pass through for already established connections
> ipfw add allow tcp from any to any established
>
> # -- SMTP
> ipfw add allow tcp from any to x.x.x.x 25
                                            ^setup
>
> # -- HTTP
> ipfw add allow tcp from any to x.x.x.x 80
                                            ^setup
>
> # -- POP3
> ipfw add allow tcp from any to x.x.x.x 110
                                             ^setup
>
> # -- HTTPS
> ipfw add allow tcp from any to x.x.x.x 443
                                             ^setup
>
> # -- Allow setup of outgoing connections
> ipfw add allow tcp from x.x.x.x to any setup
>
> # -- Deny setup of other incoming connections
> ipfw add deny tcp from any to any setup
>
> # -- Deny other incoming IP packets.
> ipfw add deny ip from any to any

This should be the default rule and is not needed...

>
> Omachonu Ogali
> Intranova Networking Group
>
> On Tue, 18 Jan 2000, Brian Gallucci wrote:
>
> > We are looking at putting up a new firewall at one of our clients' sites
> > using FreeBSD 3-4. Are there any bugs we should know about with IPFW? They
> > will be doing some webhosting and email.
> >
> > Thanks
> > -Brian
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-isp" in the body of the message
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
>

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message