Date:      Mon, 1 Jul 2002 20:44:11 +0200
From:      thrawn@linux.nu
To:        freebsd-questions@freebsd.org
Subject:   IPFW rules
Message-ID:  <20020701204411.A45392@thrawn.birch.se>

Hi,

I would like to have some help/advice to perhaps correct my firewall rules. I have not read the manual page for ipfw that much yet.

Well, before I start to comment my ipfw rules... I will explain in words. I have a machine that is firewall/gateway and it has a modem attached to it. The interface name of that is tun0 as you can see. The internal interface is, as you can see, xl0.

Basically I want to allow everything from xl0 to go to any point in my network and to any internet site.
I want only ssh connections to be allowed from the internet to my firewall/gateway. Block 1 to port 1023 and some other ports as I'm running a squid proxy. And X windows as well on the box. Anyway, I think you will get my point. Here are my rules and some comments:

One thing I didn't mention earlier is that I run the firewall default as open in the kernel config.

ipfw -f flush
ipfw add allow tcp from any to any in recv tun0
ipfw add allow udp from any to any in recv tun0

I don't know exactly why I put them there, but well, I did that because I think that they have to be there if the outgoing traffic from my LAN to the internet should work? I don't think that the rules are right.

ipfw add allow tcp from any to any 53 in recv tun0
ipfw add allow udp from any to any 53 in recv tun0

I'm not sure this must be here to make my DNS server work correctly? My DNS server is a caching server and used as a DNS server for my internal network, but they do not exist anywhere else than on my LAN.

ipfw add allow tcp from any to any 1-65535 via xl0
ipfw add allow udp from any to any 1-65535 via xl0

That allows any port connection from any computer that is in my LAN.

ipfw add allow ip from any to any via xl0

Allow any ip on my LAN to connect to any place.

ipfw add allow ip from any to any out recv tun0 xmit xl0
ipfw add allow tcp from any to any out recv tun0 xmit xl0
ipfw add allow udp from any to any out recv tun0 xmit xl0

Must be here to allow outgoing traffic from xl0 to tun0, the internet?

ipfw add deny tcp from any to any 1-1023 in recv tun0
ipfw add deny udp from any to any 1-1023 in recv tun0
ipfw add deny tcp from any to any 1064 in recv tun0
ipfw add deny udp from any to any 1064 in recv tun0
ipfw add deny tcp from any to any 1305 in recv tun0
ipfw add deny udp from any to any 1305 in recv tun0
ipfw add deny tcp from any to any 2049 in recv tun0
ipfw add deny udp from any to any 2049 in recv tun0
ipfw add deny tcp from any to any 3128 in recv tun0
ipfw add deny udp from any to any 3128 in recv tun0
ipfw add deny tcp from any to any 3130 in recv tun0
ipfw add deny udp from any to any 3130 in recv tun0
ipfw add deny tcp from any to any 8080 in recv tun0
ipfw add deny udp from any to any 8080 in recv tun0
ipfw add deny tcp from any to any 6000-6063 in recv tun0
ipfw add deny udp from any to any 6000-6063 in recv tun0

Do not allow any traffic to the specified ports above?

As you can see I'm not an expert in ipfw rules, but you have to start somewhere...
Any thoughts are welcome. Thanks for your time.

Best regards, Mattias Björk
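ipfw evaluates rules in order and stops at the first match, so the `allow tcp/udp from any to any in recv tun0` rules at the top of the posted set decide every inbound packet from the modem before any of the later `deny` rules are reached. The small simulator below is an added example (not code from the post or from FreeBSD); it parses a constructed subset of the poster's rules, replays a few inbound packets through first-match evaluation, and then shows the same packets against the rules with the denies moved ahead of the blanket allows.

```python
import re

# Constructed subset of the poster's ruleset: the ones that decide inbound tun0 traffic.
RULESET = """\
ipfw add allow tcp from any to any in recv tun0
ipfw add allow udp from any to any in recv tun0
ipfw add allow ip from any to any via xl0
ipfw add allow ip from any to any out recv tun0 xmit xl0
ipfw add deny tcp from any to any 1-1023 in recv tun0
ipfw add deny udp from any to any 1-1023 in recv tun0
ipfw add deny tcp from any to any 3128 in recv tun0
"""

# Only the rule grammar used in the post: proto, optional dst ports, in/out, recv/xmit/via.
RULE_RE = re.compile(
    r"ipfw add (?P<action>allow|deny) (?P<proto>tcp|udp|ip) from any to any"
    r"(?: (?P<ports>\d+(?:-\d+)?))?(?: (?P<dir>in|out))?"
    r"(?: recv (?P<recv>\w+))?(?: xmit (?P<xmit>\w+))?(?: via (?P<via>\w+))?$")

def parse(ruleset):
    return [RULE_RE.match(l.strip()).groupdict() for l in ruleset.splitlines() if l.strip()]

def matches(rule, pkt):
    """Every option present on the rule must hold for the packet (ipfw semantics)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["ports"]:
        lo, _, hi = rule["ports"].partition("-")
        if not int(lo) <= pkt["dport"] <= int(hi or lo):
            return False
    for key in ("dir", "recv", "xmit"):
        if rule[key] and rule[key] != pkt[key]:
            return False
    if rule["via"] and rule["via"] not in (pkt["recv"], pkt["xmit"]):
        return False
    return True

def first_match(rules, pkt, default="allow"):
    """First matching rule wins; unmatched packets fall to the kernel default,
    which the poster says is open (allow)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return n, rule["action"]
    return None, default

def inbound(proto, dport, iface="tun0"):
    return {"proto": proto, "dport": dport, "dir": "in", "recv": iface, "xmit": None}

if __name__ == "__main__":
    rules = parse(RULESET)
    reordered = rules[4:] + rules[:4]   # deny rules first, then the blanket allows
    for p in (inbound("tcp", 22), inbound("tcp", 3128), inbound("udp", 111)):
        print(p["proto"], p["dport"], "posted:", first_match(rules, p),
              "reordered:", first_match(reordered, p))
```

Run as-is: in the posted order every inbound packet, including one to the squid port 3128, is accepted by rule 1 or 2, while the deny rules would only take effect once they sit before those allows.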
