Date:      Tue, 22 Feb 2005 14:54:31 +0200
From:      Petre Bandac <petre@kgb.ro>
To:        freebsd-questions@freebsd.org
Subject:   Re: IPFW config
Message-ID:  <20050222145431.0d0955da@xxl.rdsbv.ro>
In-Reply-To: <421A958B.3020209@cwazy.co.uk>
References:  <421A21F4.1050509@cwazy.co.uk> <011e01c5177f$0e520970$6702a8c0@George> <421A958B.3020209@cwazy.co.uk>

http://www.kgb.ro/Ipfw-HOWTO


On Mon, 21 Feb 2005 20:14:35 -0600 Anno Domini, the honourable SigmaX
wrote using one of his keyboards:


> Paul Schmehl wrote:
> 
> > ----- Original Message ----- From: "SigmaX" <scottclansman@cwazy.co.uk>
> > To: <freebsd-questions@freebsd.org>
> > Sent: Monday, February 21, 2005 12:01 PM
> > Subject: IPFW config
> >
> >>
> >> Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the 
> >> default SSH port, right?)
> >> Then start IPFW with the kernel module (I know how to do this)
> >>
> > fwcmd=/sbin/ipfw
> > myip=x.x.x.x
> > mymask=255.255.255.0
> >
> > # setup_loopback is normally supplied by /etc/rc.firewall; its three
> > # loopback rules are repeated here so the script also runs on its own
> > setup_loopback () {
> >     ${fwcmd} add 100 pass all from any to any via lo0
> >     ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> >     ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
> > }
> > setup_loopback
> >
> > # Allow icmp
> > ${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via xl0
> >
> > # Setup dynamic rules
> > ${fwcmd} add check-state
> > ${fwcmd} add deny tcp from any to any via xl0 established
> >
> > # Allow DNS queries out to the world
> > ${fwcmd} add allow udp from ${myip} to any via xl0 keep-state
> > ${fwcmd} add deny udp from any to any
> > # Allow all outbound traffic
> > ${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state
> >
> > # Allow inbound http, ssh and port 10000
> > ${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state
> > ${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state
> > ${fwcmd} add allow tcp from any to ${myip} 10000 via xl0 setup keep-state
> >
> > # Allow IP fragments to pass through
> > ${fwcmd} add pass all from any to any frag via xl0
> >
> > # Deny everything else
> > ${fwcmd} add deny ip from any to any via xl0
> >
> > Paul Schmehl (pauls@utdallas.edu)
> > Adjunct Information Security Officer
> > University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/
> >
> Well... *ahem*...  I put the above script into /etc/ipfw.rules and did
> "kldload ipfw.ko && sh /etc/ipfw.rules".  I lost connectivity to the
> server.  Did the above script only open those ports to localhost or
> something?  I can go in tonight and fix it from the local computer, but
> I'd like to know what to do when I get there.  I need to have
> connectivity to said ports from the internet... apparently I don't :-P.
>     Cheerio,
>         SigmaX
> 
> -- 
> Registered Linux Freak #: 366,862
> 
> "If you think of MS-DOS as mono, and Windows as stereo, then Linux is
Dolby Pro-Logic Surround Sound with Bass Boost and all the music is
free."
> 
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"


-- 
Login: petre          			Name: Petre Bandac
Directory: /home/petre              	Shell: /usr/local/bin/zsh
On since Mon Feb 21 09:52 (EET) on ttyv0, idle 1 day 4:04 (messages off)
On since Mon Feb 21 10:50 (EET) on ttyv2, idle 1 day 4:03 (messages off)
Last login Tue Feb 22 00:14 (EET) on ttyp5 from 82-77-40-105.br
New mail received Mon May 24 19:09 2004 (EEST)
     Unread since Tue Feb 17 12:31 2004 (EET)
No Plan.
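The ruleset quoted above mixes variable names (fwcmd/FWCMD, ip/myip) and leaves the address as a placeholder, and a shell happily expands an undefined variable to nothing, so a rule can be installed with a hole where the address should be. The script below is an added example, not code from the thread or from FreeBSD's rc.firewall: it builds the same stateful ruleset (loopback, ICMP, check-state, outbound keep-state, inbound http/ssh/10000, fragments, final deny) with `set -u` so an unset variable aborts the run, refuses a non-address like `x.x.x.x`, prints the rules by default instead of applying them, and, when applying remotely, arms a timer that disables the firewall unless the operator cancels it. The interface name xl0, the documentation address 192.0.2.10, the DRY_RUN switch and the /tmp pid file are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful ipfw ruleset that fails
# closed on operator typos instead of silently installing bad rules.
set -eu   # -u: referencing an unset variable (e.g. ${ip} for ${myip}) aborts

IFACE="${IFACE:-xl0}"            # assumed interface name
MYIP="${MYIP:-192.0.2.10}"       # constructed documentation address
FWCMD="${FWCMD:-/sbin/ipfw}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print rules, 0 = hand them to ipfw

# Crude sanity check: four dotted decimal octets, so a leftover
# placeholder such as x.x.x.x is rejected before any rule is built.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit or apply one rule; "$*" keeps the rule text identical either way.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s add %s\n' "$FWCMD" "$*"
    else
        "$FWCMD" add "$@"
    fi
}

ruleset() {
    is_ipv4 "$MYIP" || { echo "MYIP is not an IPv4 address: $MYIP" >&2; return 1; }

    # Loopback rules (the job rc.firewall's setup_loopback does)
    rule 100 allow ip from any to any via lo0
    rule 200 deny ip from any to 127.0.0.0/8
    rule 300 deny ip from 127.0.0.0/8 to any

    # ICMP types needed for ping, path MTU discovery and traceroute
    rule allow icmp from any to any icmptypes 0,3,8,11,12,13,14 via "$IFACE"

    # Dynamic rules: match existing sessions, then drop stray established TCP
    rule check-state
    rule deny tcp from any to any via "$IFACE" established

    # Outbound DNS and all other outbound traffic create dynamic entries
    rule allow udp from "$MYIP" to any 53 via "$IFACE" keep-state
    rule allow tcp from "$MYIP" to any via "$IFACE" setup keep-state

    # Inbound services: http, ssh (port 22, not 23) and port 10000
    for port in 80 22 10000; do
        rule allow tcp from any to "$MYIP" "$port" via "$IFACE" setup keep-state
    done

    # Fragments, then deny everything else on the interface
    rule allow ip from any to any frag via "$IFACE"
    rule deny ip from any to any via "$IFACE"
}

# Number of rules the generator produces (used to check the output).
count_rules() { ruleset | wc -l | tr -d ' '; }

# Apply over a remote session with a safety net: if the operator does not
# kill the timer within $1 seconds (access still works), the firewall is
# disabled again so a bad ruleset cannot lock the host away.
apply_with_timeout() {
    secs="$1"
    ( sleep "$secs" && "$FWCMD" disable firewall ) &
    echo $! > /tmp/ipfw-deadman.pid        # assumed location for the timer pid
    echo "Deadman armed for ${secs}s; kill \$(cat /tmp/ipfw-deadman.pid) to keep the rules" >&2
    DRY_RUN=0
    ruleset
}

case "${1:-print}" in
    print) ruleset ;;
    apply) apply_with_timeout "${2:-120}" ;;
esac
```

Run it with no arguments to review the generated rules; `MYIP=x.x.x.x sh script.sh` aborts with an error instead of emitting rules, and `sh script.sh apply 120` installs the rules with a two-minute deadman that you cancel once a fresh SSH login succeeds.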



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050222145431.0d0955da>