Date:      Sun, 28 Mar 1999 12:13:26 -0800
From:      "Michael Bryan" <fbsd-security@ursine.com>
To:        "Noor Dawod" <noor@NetVision.net.il>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ipfw behavior, is it normal?
Message-ID:  <199903281213260190.4BEF77D0@quaggy.ursine.com>
In-Reply-To: <Pine.GSO.4.05.9903281416150.20028-100000@nvt.netvision.net.il>
References:  <Pine.GSO.4.05.9903281416150.20028-100000@nvt.netvision.net.il>


On 3/28/99 at 2:23 PM Noor Dawod wrote:
>
>  My current ipfw rules are:
>
>-----------------------------------------------------------------
>00100 allow ip from any to any via lo0
>00200 allow ip from [machine-a-ip] to [server-ip] via xl0
>00300 allow ip from [machine-b-ip] to [server-ip] via xl0
>00400 allow ip from any to [server-ip] 80 in via xl0
>00500 allow ip from any to [server-ip] 21 in via xl0
>65000 allow ip from any to any
>65535 deny ip from any to any
>-----------------------------------------------------------------

If you remove rule 65000, then you have no rules to allow any
traffic -out- of your system.  If you wanted to fully open up
traffic to machine-a and machine-b, then you could have
these rules:

00250 allow ip from [server-ip] to [machine-a-ip] via xl0
00350 allow ip from [server-ip] to [machine-b-ip] via xl0

Similarly, you need counterparts to rules 400 and 500 for
the outbound side.  (You should also be specifying "tcp"
in those rules, not "ip".)  The http port is easy enough:

00450 allow tcp from [server-ip] 80 to any out via xl0

(Assuming you're using a single IP address and a single
port with your HTTP server, of course.)

FTP access is a little trickier, thanks to the data port
used by FTP, and the issues of active vs passive FTP.
I'd recommend looking at a good firewall security book,
such as the O'Reilly book.  (www.ora.com)  There are a
number of ways to open up FTP access, each with their
own set of pros and cons.


Michael Bryan
fbsd-security@ursine.com
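To make the reply's point concrete, here is a small first-match evaluator for ipfw-style rules, added as an example and not part of the original message or of ipfw itself. It replays the quoted ruleset (minus rule 65000, with "tcp" on the port rules) against constructed packets and shows that inbound HTTP and machine-a traffic is allowed while the replies fall through to the implicit deny, until the outbound counterparts 250 and 450 are added. The addresses are constructed placeholders for [server-ip], [machine-a-ip] and a remote client.

```python
# Added example, not from the original message: a minimal first-match
# evaluator for ipfw-style rules.  Addresses are constructed placeholders.
SERVER = "192.0.2.10"       # stands in for [server-ip]
MACHINE_A = "198.51.100.5"  # stands in for [machine-a-ip]
CLIENT = "203.0.113.7"      # an arbitrary remote web client

def packet(proto, src, sport, dst, dport, direction, iface):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                direction=direction, iface=iface)

def matches(rule, pkt):
    """ipfw-style match: "ip" matches every protocol, "any" every address,
    and a field the rule leaves out (port, in/out, interface) matches all."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if rule["src"] not in ("any", pkt["src"]) or rule["dst"] not in ("any", pkt["dst"]):
        return False
    return all(rule[f] == pkt[f] for f in ("sport", "dport", "direction", "iface") if f in rule)

def evaluate(rules, pkt):
    """Walk rules in number order; the first match decides, as in ipfw.
    65535 deny is the kernel's implicit default rule."""
    for num in sorted(rules):
        if matches(rules[num], pkt):
            return num, rules[num]["action"]
    return 65535, "deny"

# The quoted ruleset with catch-all 65000 removed and "tcp" used for port rules.
BASE = {
    100: dict(action="allow", proto="ip", src="any", dst="any", iface="lo0"),
    200: dict(action="allow", proto="ip", src=MACHINE_A, dst=SERVER, iface="xl0"),
    400: dict(action="allow", proto="tcp", src="any", dst=SERVER, dport=80,
              direction="in", iface="xl0"),
}
# The outbound counterparts the reply suggests (rules 250 and 450).
FIXED = dict(BASE)
FIXED[250] = dict(action="allow", proto="ip", src=SERVER, dst=MACHINE_A, iface="xl0")
FIXED[450] = dict(action="allow", proto="tcp", src=SERVER, dst="any", sport=80,
                  direction="out", iface="xl0")

HTTP_REQUEST = packet("tcp", CLIENT, 40000, SERVER, 80, "in", "xl0")
HTTP_REPLY = packet("tcp", SERVER, 80, CLIENT, 40000, "out", "xl0")
A_TO_SERVER = packet("tcp", MACHINE_A, 5000, SERVER, 22, "in", "xl0")
SERVER_TO_A = packet("tcp", SERVER, 22, MACHINE_A, 5000, "out", "xl0")

if __name__ == "__main__":
    for label, rules in (("without outbound rules", BASE), ("with outbound rules", FIXED)):
        for name, pkt in (("HTTP reply", HTTP_REPLY), ("server->A", SERVER_TO_A)):
            print(f"{label}: {name} -> {evaluate(rules, pkt)}")
```

Note that rule 200 uses "via", which matches both directions, yet it still never passes the server's replies, because its source and destination addresses are fixed; that is why a mirrored rule is needed rather than a direction change.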


