Date:      Sat, 5 Apr 2003 21:49:53 +0200
From:      "Robin Ericsson" <lobbin@localhost.nu>
To:        <freebsd-questions@freebsd.org>
Subject:   input on ipfw rules
Message-ID:  <008d01c2fbac$86dcf710$0401a8c0@metis>

Hi,

I would like to get some input on these rules I'm currently using.

I come from a linux/cisco background, so I want to know how bad these are :)
Mostly my questions are about the keep-state stuff. I guess 00235 can go, as I
think that one allows all traffic from that specific IP if already connected elsewhere?

It is compiled with IP_FIREWALL only, so there is also a
65535 deny ip from any to any.

# regular stuff
ipfw add 00100 allow ip from any to any via lo0

# normal traffic
ipfw add 00220 deny log ip from me to any in
ipfw add 00225 deny log tcp from any to any in tcpflags fin,syn
ipfw add 00230 check-state
ipfw add 00235 allow tcp from any to any in established
ipfw add 00240 allow tcp from any to any frag
ipfw add 00245 allow ip from any to any keep-state out

# icmp
ipfw add 00300 allow icmp from any to any icmptype 3
ipfw add 00301 allow icmp from any to any icmptype 4
ipfw add 00302 allow icmp from any to any icmptype 11

# ident
ipfw add 00600 allow tcp from any to any 113 keep-state setup

# ssh
ipfw add 00700 allow tcp from any to me 22 keep-state

# webhosting services
ipfw add 00800 allow tcp from any to me 80 keep-state
ipfw add 00810 allow tcp from any to me 21 keep-state
ipfw add 00820 allow tcp from any to me 40000-45000 keep-state

# dns
ipfw add 00900 allow udp from me to any 53 keep-state
ipfw add 00910 allow udp from any to me 53

# mail services
ipfw add 01000 allow tcp from any to me 143 keep-state
ipfw add 01010 allow tcp from any to me 110 keep-state
ipfw add 01020 allow tcp from any to me 25 keep-state
best regards
Robin
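To illustrate the 00235 question, here is a small Python model of how ipfw walks this ruleset (an added example, not FreeBSD or ipfw code). It assumes a constructed address for `me`, keys its state table on the two endpoints only (real ipfw dynamic rules use the full 5-tuple), and models the one semantic that matters here: `established` matches any TCP packet with ACK or RST set without consulting the dynamic-state table, whereas `check-state` only passes packets whose flow a `keep-state` rule has already recorded.

```python
from dataclasses import dataclass
ME = "203.0.113.10"  # constructed address standing in for ipfw's 'me'

@dataclass(frozen=True)
class Pkt:  # just the fields this model needs
    proto: str; src: str; dst: str; dport: int; direction: str
    flags: frozenset = frozenset()  # TCP flags, e.g. {"syn"} or {"ack"}

@dataclass
class Rule:  # options mirror the ipfw keywords used in the post
    num: int; action: str; proto: str = "ip"; direction: str = None
    from_me: bool = False; to_me: bool = False; dport: int = None
    established: bool = False; keep_state: bool = False

def matches(r, p):
    """Static part of a match; 'established' only looks at ACK/RST flags."""
    return (r.action != "check-state"
            and r.proto in ("ip", p.proto)
            and r.direction in (None, p.direction)
            and (not r.from_me or p.src == ME)
            and (not r.to_me or p.dst == ME)
            and r.dport in (None, p.dport)
            and (not r.established or bool(p.flags & {"ack", "rst"})))

class Firewall:
    def __init__(self, rules):
        self.rules, self.state = rules, set()  # state: dynamic-rule table
    def key(self, p):  # one entry per flow, in whichever direction it began
        return (p.proto, frozenset({p.src, p.dst}))
    def verdict(self, p):
        """(rule number, action) of the first match; 65535 = default deny."""
        for r in self.rules:
            if r.action == "check-state" and self.key(p) in self.state:
                return r.num, "allow"  # dynamic rule hit
            if matches(r, p):
                if r.keep_state and r.action == "allow":
                    self.state.add(self.key(p))
                return r.num, r.action
        return 65535, "deny"

RULES = [  # the posted rules that decide the question, in the same order
    Rule(220, "deny", direction="in", from_me=True),
    Rule(230, "check-state"),
    Rule(235, "allow", proto="tcp", direction="in", established=True),
    Rule(245, "allow", direction="out", keep_state=True),
    Rule(700, "allow", proto="tcp", to_me=True, dport=22, keep_state=True),
]

def demo(with_235=True):
    """Verdicts for a reply to a tracked flow and for an unsolicited ACK."""
    fw = Firewall([r for r in RULES if with_235 or r.num != 235])
    fw.verdict(Pkt("tcp", ME, "198.51.100.5", 80, "out", frozenset({"syn"})))
    reply = fw.verdict(Pkt("tcp", "198.51.100.5", ME, 40001, "in", frozenset({"ack"})))
    stray = fw.verdict(Pkt("tcp", "192.0.2.7", ME, 8080, "in", frozenset({"ack"})))
    return reply, stray
```

With 00235 present the stray ACK from a host with no state entry is allowed by 00235; without it the same packet falls through to the default deny, while the genuine reply is still passed by check-state either way.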