Date: Thu, 22 Jan 2004 01:30:48 +1100
From: Tony Frank <tfrank@optushome.com.au>
To: Marc Silver <marcs@draenor.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: dialup firewalling
Message-ID: <20040121143048.GA62883@marvin.home.local>
In-Reply-To: <20040121132610.GX70495@draenor.org>
References: <20040121132610.GX70495@draenor.org>
Hi Marc,

On Wed, Jan 21, 2004 at 01:26:10PM +0000, Marc Silver wrote:
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via tun0

For dialup using user-ppp I prefer to use the ppp built-in nat
functionality.

You also probably want some rules upfront for loopback, although the
'me to any' likely covers it:

From /etc/rc.firewall:

${fwcmd} add 100 allow all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

> # Allow all connections that we initiate, and keep their state,
> # but deny established connections that don't have a dynamic rule.
> $fwcmd add check-state
> $fwcmd add allow ip from me to any keep-state
> $fwcmd add deny tcp from any to any established
>
> # Allow internet users to connect to the port 22 and 80 on my machine.
> # This example specifically allows connections to the sshd and a
> # webserver.
> $fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state

Looks ok.

> # Allow ICMP packets: remove type 8 if you don't want your host
> # to be pingable.
> $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14

I personally have never seen a use for 13 & 14 (timestamp) so would
block these also.

Hope it helps,

Tony
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040121143048.GA62883>
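The thread above quotes Marc's rules piecemeal and Tony's suggestions as prose. The script below is an added example, not code from either poster, that assembles the whole ruleset in one place: the loopback rules from /etc/rc.firewall up front, the stateful block, the sshd/webserver exception, and the ICMP rule with timestamp types 13 and 14 left out as Tony suggests. It assumes (as Tony prefers) that NAT is done by user-ppp itself ("nat enable yes" in ppp.conf), so there is no divert rule; the rule numbers, the final deny rule and the DRY_RUN/show mode are additions for this example.

```shell
#!/bin/sh
# Added example: ipfw ruleset for a user-ppp dialup host, assembled from
# the rules discussed in the thread. Not the original poster's script.
# Assumptions: tun0 is the dialup interface, user-ppp does the NAT
# ("nat enable yes" in ppp.conf), so no natd/divert rule is needed.
#
#   sh dialup-fw.sh show   # print the rules that would be loaded
#   sh dialup-fw.sh load   # load them with ipfw (as root)

fwcmd="${FWCMD:-/sbin/ipfw}"

# rule: run one ipfw command, or print it when DRY_RUN is set.
rule() {
    if [ -n "$DRY_RUN" ]; then
        echo "$fwcmd $*"
    else
        "$fwcmd" "$@"
    fi
}

load_ruleset() {
    # Start from an empty table; -f skips the "are you sure" prompt.
    rule -f flush

    # Loopback (from /etc/rc.firewall): allow lo0, and refuse 127/8
    # addresses arriving on or leaving by any other interface.
    rule add 100 allow all from any to any via lo0
    rule add 200 deny all from any to 127.0.0.0/8
    rule add 300 deny ip from 127.0.0.0/8 to any

    # Stateful core: consult dynamic rules first, create one for every
    # connection this host originates, and drop inbound TCP that claims
    # to be part of an established connection but matches no dynamic rule.
    rule add 1000 check-state
    rule add 1100 allow ip from me to any keep-state
    rule add 1200 deny tcp from any to any established

    # Services offered to the internet: sshd (22) and the webserver (80).
    # "setup" matches only the initial SYN, so the handshake itself
    # creates the dynamic rule that carries the rest of the session.
    rule add 2000 allow tcp from any to me dst-port 22,80 setup keep-state

    # ICMP: echo reply (0), unreachable (3), echo request (8), time
    # exceeded (11), parameter problem (12). Timestamp request/reply
    # (13, 14) are not listed, per Tony's advice. Drop 8 as well if the
    # host should not answer pings.
    rule add 3000 allow icmp from any to any icmptypes 0,3,8,11,12

    # Explicit final deny so the policy does not depend on how the kernel
    # was built; "log" only records if net.inet.ip.fw.verbose=1.
    rule add 65000 deny log ip from any to any
}

# ruleset_text: the ruleset as ipfw command lines, without loading it.
ruleset_text() { ( DRY_RUN=1; load_ruleset ); }

# has_rule PATTERN: succeed if some generated line matches PATTERN.
has_rule() { ruleset_text | grep -q -- "$1"; }

# lacks_rule PATTERN: succeed if no generated line matches PATTERN.
lacks_rule() { ! ruleset_text | grep -q -- "$1"; }

# rule_count: number of ipfw commands the ruleset issues (flush included).
rule_count() { ruleset_text | wc -l | tr -d ' '; }

case "${1:-}" in
    show) ruleset_text ;;
    load) load_ruleset ;;
esac
```

Run it with "show" first and diff the output against what you expect before running "load" over a dialup link, since a flush followed by a broken ruleset on a remote box is hard to recover from; with the default-deny rule at 65000 a mistake fails closed rather than open.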