Date: Fri, 21 Jul 2000 08:59:41 -0500
From: "Daryl Chance" <dchance@valuedata.net>
To: "FreeBSD IPFW" <freebsd-ipfw@freebsd.org>
Subject: IPFW rules.
Message-ID: <005101bff31b$eae66ee0$0200000a@development1>
Hi, I'm currently running a FreeBSD 4.0-RELEASE box and we're using it as our internet gateway. It's on DHCP (cable modem), and I was wondering if anyone has a link to an IPFW tutorial for setting up the rules. Last time I tried setting them up, the internet would stop working for < 1 min, intermittently. One of the tutorials I've been able to find uses the actual IP address. Is there a way to do this using DHCP? Do we somehow include nat in there instead of the IP address?

Here's my current ruleset:

    fwcmd="/sbin/ipfw -q"

    # set the interfaces
    oif="rl0"
    iif="rl1"

    # Flush out the list before we begin.
    ${fwcmd} -f flush

    ${fwcmd} add divert natd all from any to any via ${oif}

    # Only in rare cases do you want to change these rules
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

    # Stop draft-manning-dsua-01.txt nets on the outside interface
    ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
    ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
    ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

    # couldn't get a good set of firewall rules to work,
    # temporary
    ${fwcmd} add 65435 pass all from any to any

The main thing is I want to allow us to pretty much do anything from our boxes, but only allow connections on port 22.
I'm not asking for it to be written for me, just some help :). Thanks, Daryl Chance
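A worked ruleset for the setup described in the post (FreeBSD 4.x, natd on a DHCP-addressed outside interface, anything out from the LAN, only SSH in), added here as an example; it is not from the original message or from FreeBSD's own rc.firewall. The interface names rl0/rl1, the inside network 10.0.0.0/24 and the `build_rules` function are assumptions. Every rule matches on `via <interface>` rather than on an address, which is what makes it work without knowing the DHCP-assigned IP. The script prints the rules when run without arguments and loads them with `sh ipfw.sh apply` as root.

```shell
#!/bin/sh
# Added example, not from the original post: ipfw ruleset for a FreeBSD 4.x
# NAT gateway whose outside interface is addressed by DHCP.  Assumed names:
# rl0 = outside (cable modem), rl1 = inside, 10.0.0.0/24 = inside network.
# No rule mentions the outside address, so a lease change needs no reload.
#
#   sh ipfw.sh          print the rules (dry run, uses "echo ipfw")
#   sh ipfw.sh apply    load them with /sbin/ipfw (run as root)

build_rules() {
    fwcmd="$1"      # "/sbin/ipfw -q", or "echo ipfw" for a dry run
    oif="$2"        # outside interface
    iif="$3"        # inside interface
    inet="$4"       # inside network (anti-spoofing on the outside link)

    # Unroutable nets that must never cross the outside interface
    # (RFC1918 plus the draft-manning-dsua-01.txt list).
    bogons="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
    bogons="${bogons} 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"

    ${fwcmd} -f flush

    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8

    # DHCP client traffic.  Requests go from 0.0.0.0:68 to 255.255.255.255:67,
    # so these must precede the unroutable-net denies; "pass" ends rule
    # processing, so this traffic never reaches natd either.
    ${fwcmd} add pass udp from any 68 to any 67 out via ${oif}
    ${fwcmd} add pass udp from any 67 to any 68 in via ${oif}

    # Before natd, inbound packets are still addressed to the public IP, so
    # anything arriving *for* a private net is bogus.  Putting the "to" denies
    # here means replies that natd later rewrites to an inside address are
    # not caught by them (the original post's order would block those).
    ${fwcmd} add deny all from ${inet} to any in via ${oif}
    for net in ${bogons}; do
        ${fwcmd} add deny all from any to ${net} via ${oif}
    done

    # NAT: inbound packets are un-NATed, outbound ones get the public source
    # address, then both continue at the next rule.
    ${fwcmd} add divert natd all from any to any via ${oif}

    # After natd, an outbound packet with a private source is a leak.
    for net in ${bogons}; do
        ${fwcmd} add deny all from ${net} to any via ${oif}
    done

    # Inside interface: the LAN is trusted, let everything through.
    ${fwcmd} add pass all from any to any via ${iif}

    # TCP: segments of existing sessions (ACK or RST set) in both directions;
    # new connections (SYN only) outbound freely, inbound only to port 22.
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass tcp from any to any setup out via ${oif}
    ${fwcmd} add pass tcp from any to any 22 setup in via ${oif}
    ${fwcmd} add deny log tcp from any to any setup in via ${oif}

    # UDP: outbound queries, and only the replies we expect back (DNS, NTP).
    ${fwcmd} add pass udp from any to any out via ${oif}
    ${fwcmd} add pass udp from any 53 to any in via ${oif}
    ${fwcmd} add pass udp from any 123 to any 123 in via ${oif}

    # ICMP: out freely; in only echo reply, unreachable, echo, time exceeded.
    ${fwcmd} add pass icmp from any to any out via ${oif}
    ${fwcmd} add pass icmp from any to any in via ${oif} icmptypes 0,3,8,11

    # Default: drop and log ("log" only writes if IPFIREWALL_VERBOSE is in
    # the kernel; without it the keyword is accepted but silent).
    ${fwcmd} add deny log all from any to any
}

if [ "${1:-}" = "apply" ]; then
    build_rules "/sbin/ipfw -q" rl0 rl1 10.0.0.0/24
else
    build_rules "echo ipfw" rl0 rl1 10.0.0.0/24
fi
```

Two caveats. `established` is not connection tracking: it matches any TCP segment with ACK or RST set, so an unsolicited ACK from outside reaches the stack and gets a RST back, which is enough for an ACK scan to map the host; on ipfw versions that have `check-state`/`keep-state`, replacing the `established`/`setup` pair with a `keep-state` rule on outbound setups and a `check-state` rule at the top is the tighter policy. And the whole point of the split around the `divert natd` rule is that filtering sees pre-NAT addresses before it and post-NAT addresses after it; `ipfw show` counters on the two deny loops will tell you quickly if a rule is eating legitimate traffic.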