Date: Tue, 19 Aug 2003 21:29:13 +0200
From: Alex de Kruijff <freebsd@akruijff.dds.nl>
To: Lucas Holt <luke@foolishgames.com>
Cc: freeBSD-Questions@FreeBSD.ORG
Subject: Re: Firewall rules for servers, UDP
Message-ID: <20030819192913.GJ13873@dds.nl>
In-Reply-To: <68D72AEE-D273-11D7-A8D3-0030656DD690@foolishgames.com>
References: <68D72AEE-D273-11D7-A8D3-0030656DD690@foolishgames.com>
On Tue, Aug 19, 2003 at 02:31:55PM -0400, Lucas Holt wrote:
> I want to set up a firewall (ipfw) on my freebsd 4.8 p3 server. The
> machine runs web, ftp, ssh, dns, smtp, and imap to the outside world.
> Does anyone have any links to example rules for servers? (I've already
> looked at the handbook and man file)
>
> My problem lies in UDP rules. I think I have TCP figured out. My
> first attempt blocked off DNS queries from the machine outward. I
> could query the DNS server, but apps could not do lookups. I figure it
> has something to do with ports above 1024, but I'm not sure how to
> define a rule with multi ports in a range, plus I don't know how high
> to go above 1024. Is this the right action? Ideas on syntax?

First of all, if you do:

    20 allow ip from any to any via lo0
    30 allow log ip from any to any

and you compile the verbose option in, then you could look in /etc/services
for packets that were accepted by rule 30.

I'm assuming you only have one NIC and that it is called xl0.

    # Just to make sure you have a connection when something goes wrong.
    10 allow ip from YOUR_IP to SERVER_IP
    # Connection from server to itself
    20 allow ip from any to any via lo0
    # Allow DNS
    30 allow tcp from any 53 to me in
    31 allow tcp from any to me 53 out
    # Allow FTP
    40 allow tcp from any to me ftp in
    41 allow tcp from me ftp to any out
    42 allow tcp from me ftp-data to any out
    43 allow tcp from any to me ftp-data in
    # Allow HTTP
    50 allow tcp from any to me http in
    51 allow tcp from me http to any out
    # Allow SSH
    60 allow tcp from any to me ssh in
    61 allow tcp from me ssh to any out
    # Allow SMTP
    70 allow tcp from any to me smtp in
    71 allow tcp from me smtp to any out
    # Allow IMAP
    80 allow tcp from any to me imap in
    81 allow tcp from me imap to any out
    # State firewall check
    90 check-state
    # Allow traffic out (and back in)
    91 allow tcp from me to any keep-state setup
    92 allow udp from me to any keep-state
    93 allow ip from me to any keep-state
    # Deny everything else
    100 deny log ip from any to any
    # Again, logging helps you debug if something doesn't work.

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
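The following is an added example, not code from Alex's post or from the FreeBSD project: a small sh script that generates an ipfw ruleset for the same set of services (web, ftp, ssh, dns, smtp, imap) in the stateful style the reply recommends. It assumes one external interface named xl0 (as in the post; override with IFACE), that the output is saved to a file and loaded with `ipfw -q /path/to/file` (so each line carries `add`), and that service names resolve through /etc/services on the firewall host. The point it illustrates is the answer to the UDP question: `check-state` plus `keep-state` on the outbound rules creates a dynamic rule for each resolver query from a high source port and admits only that reply, so no port range above 1024 has to be opened inbound and no source-port-based rule such as the original's rule 30 is needed. Passive-mode FTP's data-port range is not covered here.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): generate an ipfw
# ruleset for a server offering web, ftp, ssh, dns, smtp and imap, using
# stateful rules so outbound UDP lookups (DNS from ephemeral ports) work
# without opening a port range above 1024.
# Assumptions: one external interface (default xl0, as in the post), rules
# loaded from a file with "ipfw -q", service names from /etc/services.
# Nothing here touches the kernel; you load the printed rules yourself.

IFACE="${IFACE:-xl0}"

# TCP services this host offers to the world; 'domain' covers DNS over TCP.
INBOUND_TCP="ftp ssh http smtp imap domain"

gen_rules() {
    cat <<EOF
# Loopback traffic is never filtered.
add 00020 allow ip from any to any via lo0
# Drop packets arriving from outside that claim one of our own addresses.
add 00030 deny ip from me to any in via ${IFACE}
EOF
    # One explicit rule per offered service; 'setup keep-state' admits only the
    # SYN and then tracks the connection, so no matching 'out' rule is needed.
    n=100
    for svc in ${INBOUND_TCP}; do
        printf 'add %05d allow tcp from any to me %s in via %s setup keep-state\n' \
            "$n" "$svc" "$IFACE"
        n=$((n + 10))
    done
    cat <<EOF
# DNS is also served over UDP; the dynamic rule lets the answer go back out.
add 00200 allow udp from any to me domain in via ${IFACE} keep-state
# Dynamic rules created above must be consulted before the catch-all deny.
add 00900 check-state
# Outbound connections from this host (including resolver queries to port 53
# from high source ports) get a dynamic rule that admits only the reply.
add 00910 allow tcp from me to any out via ${IFACE} setup keep-state
add 00920 allow udp from me to any out via ${IFACE} keep-state
add 00930 allow ip from me to any out via ${IFACE} keep-state
# Everything else is dropped and logged (logging needs IPFIREWALL_VERBOSE).
add 00990 deny log ip from any to any
EOF
}

# Number of stateful rules in the generated set; useful as a sanity check
# before loading (every offered service and every outbound rule is stateful).
count_stateful() {
    gen_rules | grep -c 'keep-state'
}

# Print the ruleset. To load it: gen_rules > /etc/ipfw.rules; ipfw -q /etc/ipfw.rules
gen_rules
```

Active-mode FTP still works with this set because the data connection is opened by the server itself and is matched by rule 910; the lone `deny log` at the end is what turns any remaining "apps can't do lookups" symptom into a visible log line rather than a silent drop.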