Date:      Sun, 25 Mar 2001 12:58:52 -0500
From:      Carl <no1-carl@home.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Dynamic ipfw ruleset to block all unrequested packets...
Message-ID:  <01032512585203.00338@Demon>

Hello, I have been reading through the firewall literature and have set up a 
very simple firewall.  It is just for my home connection to my cable modem 
service.  I do have a router attached to the cable modem that has my FreeBSD 
machine as a DMZ.  The router's IP is 192.168.1.1 and it assigns my FreeBSD 
box 192.168.1.100.  The following is my rc.firewall file snippet:

############
# Local IP address of my computer
ip="192.168.1.100"

############
# Dynamic rule set that only allows packets
# that have been requested by this IP
${fwcmd} add check-state
${fwcmd} add deny log all from not ${ip} to any
${fwcmd} add pass all from ${ip} to any keep-state

When I use nmap to scan myself (ie: nmap -sS -p 111 <my @Home IP>) it lists 
the sunrpc port as filtered (better than open), but I was wondering if it is 
possible to make this port disappear?

The other strange thing: when I ping myself (ie: ping <my @Home IP>) the ICMP 
packets get through.  Is this because I am not pinging my machine from an 
outside source?  If so, why doesn't nmap behave the same way?

I have compiled my kernel with all the necessities for the firewall including 
others like SYN/FIN and RST dropping.  I have enabled the firewall as well as 
SYN/FIN and RST dropping in rc.conf as well.

Am I just too paranoid, or do things seem ok the way they are set?

Thanks...
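
As an added illustration (not part of Carl's message and not FreeBSD's ipfw
code), the following Python model walks packets through the three rules in the
snippet above with a simplified version of ipfw's check-state / keep-state
bookkeeping. All addresses and ports other than 192.168.1.100 are constructed
for the example. It shows why an unsolicited SYN to port 111 from outside is
silently dropped (which is what nmap labels "filtered"), why replies to
traffic the box itself originated are let back in, and why anything sourced
from ${ip}, including a locally generated ping, passes rule 3 and creates
state.

```python
"""Toy model of the three-rule stateful ipfw ruleset from the post.

Constructed example for illustration only: it mimics check-state / keep-state
semantics in a simplified way and does not touch any kernel or real ipfw.
"""
from dataclasses import dataclass

LOCAL_IP = "192.168.1.100"  # ${ip} from the rc.firewall snippet


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # 0 for icmp
    dst: str
    dport: int   # 0 for icmp


class StatefulFirewall:
    """Evaluates the ruleset in order, keeping a table of dynamic rules."""

    def __init__(self, local_ip):
        self.local_ip = local_ip
        self.state = set()   # flows keyed on (proto, src, sport, dst, dport)
        self.log = []        # what the 'deny log' rule would have logged

    def _matches_state(self, p):
        # A dynamic rule matches the flow in either direction.
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return fwd in self.state or rev in self.state

    def filter(self, p):
        # Rule 1: check-state -- a packet belonging to an existing dynamic
        # rule takes that rule's action (pass), so replies get back in.
        if self._matches_state(p):
            return "pass"
        # Rule 2: deny log all from not ${ip} to any -- anything not sourced
        # by this box is silently discarded (no RST, no ICMP unreachable).
        if p.src != self.local_ip:
            self.log.append(f"Deny {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "deny"
        # Rule 3: pass all from ${ip} to any keep-state -- locally sourced
        # traffic passes and installs a dynamic rule for its replies.
        self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "pass"


def scan_from_outside():
    """An unsolicited SYN to sunrpc/111 from a constructed external host."""
    fw = StatefulFirewall(LOCAL_IP)
    return fw.filter(Packet("tcp", "203.0.113.7", 40000, LOCAL_IP, 111))


def outbound_then_reply():
    """The box opens a connection; the server's reply must get back in."""
    fw = StatefulFirewall(LOCAL_IP)
    out = fw.filter(Packet("tcp", LOCAL_IP, 50123, "198.51.100.9", 80))
    back = fw.filter(Packet("tcp", "198.51.100.9", 80, LOCAL_IP, 50123))
    return out, back


def unsolicited_ping_from_outside():
    """An echo request the box never asked for, from a constructed host."""
    fw = StatefulFirewall(LOCAL_IP)
    return fw.filter(Packet("icmp", "203.0.113.7", 0, LOCAL_IP, 0))


def ping_sourced_locally():
    """An echo request whose source is ${ip}: rule 3 passes it and keeps state,
    so the echo reply matches check-state on the way back."""
    fw = StatefulFirewall(LOCAL_IP)
    req = fw.filter(Packet("icmp", LOCAL_IP, 0, "198.51.100.9", 0))
    rep = fw.filter(Packet("icmp", "198.51.100.9", 0, LOCAL_IP, 0))
    return req, rep


if __name__ == "__main__":
    print("external SYN to 111:", scan_from_outside())          # deny
    print("outbound + reply:", outbound_then_reply())           # ('pass', 'pass')
    print("external ping:", unsolicited_ping_from_outside())    # deny
    print("locally sourced ping:", ping_sourced_locally())      # ('pass', 'pass')
```

The model makes the distinction in the two questions concrete: the deciding
factor for this ruleset is the source address of the first packet of a flow,
not the protocol. A probe whose source is not ${ip} hits the deny rule and
gets no answer at all, which is the "filtered" result nmap reports; a packet
sourced by ${ip} always passes rule 3 and installs state for its replies.
Because rule 2 carries `log`, every dropped probe also leaves a line in the
ipfw log, which is the place to look when checking what the firewall is
actually discarding.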
