Date:      Fri, 21 Jul 2000 08:59:41 -0500
From:      "Daryl Chance" <dchance@valuedata.net>
To:        "FreeBSD IPFW" <freebsd-ipfw@freebsd.org>
Subject:   IPFW rules.
Message-ID:  <005101bff31b$eae66ee0$0200000a@development1>

Hi,

I'm currently running a FreeBSD 4.0-RELEASE box and we're using it as our internet gateway. It's on DHCP (cable modem) and I was wondering if anyone has a link to an IPFW tutorial for setting up the rules. Last time I tried setting them up, the internet would stop working for about < 1 min intermittently. One of the tutorials I've been able to find uses the actual IP address. Is there a way to do this using DHCP? Do we somehow include nat in there instead of the IP address?

Here's my current ruleset:

#!/bin/sh
# -q: quiet, so loading the rules doesn't print every line
fwcmd="/sbin/ipfw -q"

# set the interfaces
oif="rl0"       # outside (cable modem, DHCP)
iif="rl1"       # inside (LAN)

# Flush out the list before we begin.
${fwcmd} -f flush
# Hand everything crossing the outside interface to natd; packets come
# back from natd and continue at the next rule.
${fwcmd} add divert natd all from any to any via ${oif}

# Only in rare cases do you want to change these rules
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-01.txt nets on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# couldn't get a good set of firewall rules to work,
# temporary: pass everything that wasn't denied above
${fwcmd} add 65435 pass all from any to any

The main thing is I want to allow us to pretty much do anything from our boxes, but only allow connections on port 22. I'm not asking for it to be written for me, just some help :).

Thanks,
Daryl Chance
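Added example, not part of the message above: one way to write the ruleset without ever naming the DHCP-assigned address is to match on interface and direction only, and to gate inbound TCP with "setup" (SYN-only packets) and "established" (packets with ACK or RST set), both of which the 4.0 ipfw already has. The interface names rl0/rl1 are taken from the message; that natd is already running on the "natd" divert port and that the kernel was built with IPFIREWALL, IPFIREWALL_VERBOSE and IPDIVERT are assumptions. The bogon block sits before the divert rule and is split by direction, so it never sees the LAN addresses of our own translated traffic and can therefore include 10/8 as well; the DHCP rules sit before the bogon block because that block covers the 0.0.0.0 and 255.255.255.255 addresses the DHCP exchange uses. The ruleset is stateless, so UDP replies other than DNS answers would need their own pass rules.

```shell
#!/bin/sh
# Added example (not the ruleset from the message): an ipfw ruleset for a
# NAT gateway whose outside address comes from DHCP.  No rule names the
# address; every match is by interface and direction.
# Assumed: rl0 faces the cable modem, rl1 the LAN; natd is running on the
# "natd" divert port; kernel has IPFIREWALL, IPFIREWALL_VERBOSE, IPDIVERT.

oif="rl0"       # outside (DHCP) interface
iif="rl1"       # inside interface

# Addresses that must never appear on the outside wire.  10/8 is safe to
# list because these denies run before natd has rewritten anything.
bogons="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"

# Emit the ruleset through the command in $1:
#   build_rules echo             - preview the rules
#   build_rules "/sbin/ipfw -q"  - load them
build_rules() {
    fw="$1"
    $fw -f flush

    # Loopback: allow it, and never accept 127/8 on a real interface.
    $fw add 100 pass all from any to any via lo0
    $fw add 200 deny all from any to 127.0.0.0/8

    # DHCP client traffic on the outside interface.  This must precede the
    # bogon block: DISCOVER/REQUEST go from 0.0.0.0 to 255.255.255.255, and
    # 0/8 and 240/4 below would otherwise match them.
    $fw add 300 pass udp from any 68 to any 67 out via "$oif"
    $fw add 310 pass udp from any 67 to any 68 in via "$oif"

    # Spoofed sources arriving on, and leaks leaving by, the outside
    # interface.  Direction matters: outbound traffic still carries LAN
    # source addresses here (NAT comes later), so only "in" checks the
    # source and only "out" checks the destination.
    for net in $bogons; do
        $fw add 400 deny all from "$net" to any in via "$oif"
        $fw add 400 deny all from any to "$net" out via "$oif"
    done

    # Translate everything crossing the outside interface.  Packets return
    # from natd and continue at the rule after this one.
    $fw add 500 divert natd all from any to any via "$oif"

    # Inbound policy: the only new TCP connection accepted from outside is
    # to port 22.  "setup" matches SYN-only packets, i.e. new connections;
    # every other inbound SYN is dropped and logged.
    $fw add 600 pass tcp from any to any 22 in via "$oif" setup
    $fw add 610 deny log tcp from any to any in via "$oif" setup

    # Replies to connections opened from here or (after NAT) from the LAN.
    $fw add 700 pass tcp from any to any established
    # DNS answers, plus the ICMP needed for ping replies, unreachables,
    # source quench and TTL-exceeded.  Stateless: other UDP replies would
    # need their own rules.
    $fw add 710 pass udp from any 53 to any in via "$oif"
    $fw add 720 pass icmp from any to any in via "$oif" icmptypes 0,3,4,11

    # Outbound: anything may leave, and the LAN side is unrestricted.
    $fw add 800 pass all from any to any out via "$oif"
    $fw add 810 pass all from any to any via "$iif"

    # Default: drop and log whatever nothing above matched.
    $fw add 65000 deny log all from any to any
}

case "${1:-}" in
    show) build_rules echo ;;
    load) build_rules "/sbin/ipfw -q" ;;
    *)    echo "usage: $0 show|load" >&2 ;;
esac
```

"sh fw.sh show" prints the rules exactly as ipfw would receive them, which is worth reading once before "sh fw.sh load" replaces the live ruleset; run the load from the console rather than over the link being filtered.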




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?005101bff31b$eae66ee0$0200000a>