From: Chuck Swiger
Date: Sat, 31 Jan 2004 15:50:02 -0500
To: "Jack L. Stone", freebsd-questions
Subject: Re: where am I supposed to put my rc.firewall?

Jack L. Stone wrote:
> At 02:04 PM 1.31.2004 -0500, Chuck Swiger wrote:
>> ####
>> # set these to your inside interface network and netmask and ip
>>
>> #define IIF fxp0
>> #define INET 10.1.1.0/24
>> #define IIP 10.1.1.1
>> [ ...OIF info snipped... ]
>>
>> # port number ranges
>> #define LOPORTS 1-1023
>> #define HIPORTS 1024-65535

A simple example would be:

# dynamic rules
add check-state

# permit some services inbound...
add pass tcp from any HIPORTS to INET 22,80,143,443,993,3128 setup keep-state
# ...but block most other services (i.e., ones with root privs)
add deny tcp from any to INET LOPORTS

For a more complicated example, where PI is a mailserver which performs virus
scanning and spamfiltering, PONG is an internal reader box:

INET ---> [FW1] <--DMZ + Mailserver PI--> [FW2] <--Internal subnet + PONG>

# on FW1:
add pass tcp from PI HIPORTS to any 25
add pass tcp from any 25 to PI HIPORTS established
add pass tcp from any HIPORTS to PI 25
add pass tcp from PI 25 to OIP HIPORTS established
add unreach filter-prohib log tcp from any to INET 25

# on FW2:
# permit SMTP exchange between pi and pong/fw
add pass tcp from PI HIPORTS to PONG 25
add pass tcp from PONG 25 to PI HIPORTS established
add pass tcp from PONG HIPORTS to PI 25
add pass tcp from PI 25 to PONG HIPORTS established
[ ... ]
# track SMTP from inside to outside and block SMTP from outside
add pass log logamount 20 tcp from INET HIPORTS to any 25 setup
add pass tcp from INET HIPORTS to any 25 established
add pass tcp from any 25 to INET HIPORTS established

-- 
-Chuck
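The rules in the message depend on three ipfw behaviours that are easy to get wrong: first match wins, `setup` only matches a SYN without ACK while `established` only matches segments carrying ACK or RST, and `keep-state` creates a dynamic entry that `check-state` (and every later `keep-state` rule) consults before the static rules. The following is an added toy simulator, not code from this thread or from FreeBSD; it models only TCP, treats the implicit default rule as deny, and uses constructed addresses for PI, OIP and PONG (the thread never gives their values). It walks sample packets through the "simple" rule set and the FW1 rule set exactly as they appear above, after expanding the `#define` names the way `ipfw -p cpp` would.

```python
"""Toy model of ipfw first-match evaluation (added example, not from the post)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed macro values standing in for the cpp #define lines in the message.
MACROS = {
    "INET": "10.1.1.0/24",   # inside network, from the quoted #define
    "IIP": "10.1.1.1",       # inside interface address, from the quoted #define
    "PI": "192.0.2.25",      # DMZ mailserver (assumed address)
    "OIP": "192.0.2.1",      # outside interface address (assumed)
    "PONG": "10.1.1.30",     # internal reader box (assumed)
    "LOPORTS": "1-1023",
    "HIPORTS": "1024-65535",
}
FLAG_OPTS = {"setup", "established", "keep-state"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass
class Rule:
    action: str                    # pass, deny, unreach or check-state
    src: str = "any"
    sports: str = "any"
    dst: str = "any"
    dports: str = "any"
    opts: set = field(default_factory=set)


def parse_rule(line):
    """Expand macros (as a cpp preprocessor pass would) and parse one `add ...` line."""
    for name, value in MACROS.items():
        line = re.sub(rf"\b{name}\b", value, line)
    t = line.split()
    i = 1                                   # t[0] is "add"
    if t[i] == "check-state":
        return Rule("check-state")
    action = t[i]; i += 1
    if action == "unreach":                 # skip the ICMP code (filter-prohib)
        i += 1
    if t[i] == "log":                       # logging does not change the verdict
        i += 1
        if t[i] == "logamount":
            i += 2
    i += 2                                  # skip "tcp from"
    src = t[i]; i += 1
    sports = "any"
    if t[i] != "to":
        sports = t[i]; i += 1
    i += 1                                  # skip "to"
    dst = t[i]; i += 1
    dports = "any"
    if i < len(t) and t[i] not in FLAG_OPTS:
        dports = t[i]; i += 1
    return Rule(action, src, sports, dst, dports, set(t[i:]))


def _port_ok(spec, port):
    if spec == "any":
        return True
    for part in spec.split(","):            # "22,80,143" or "1024-65535"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _static_match(r, p):
    if not (_addr_ok(r.src, p.src) and _port_ok(r.sports, p.sport)
            and _addr_ok(r.dst, p.dst) and _port_ok(r.dports, p.dport)):
        return False
    if "setup" in r.opts and not (p.syn and not p.ack):     # SYN without ACK only
        return False
    if "established" in r.opts and not (p.ack or p.rst):    # ACK or RST required
        return False
    return True


class Firewall:
    def __init__(self, lines):
        self.rules = [parse_rule(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
        self.dynamic = {}   # (src, sport, dst, dport) -> action of the rule that created it

    def check(self, p):
        """Verdict for one packet: first matching rule wins, default deny."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        for r in self.rules:
            if r.action == "check-state" or "keep-state" in r.opts:
                for key in (fwd, rev):      # both directions of a tracked flow
                    if key in self.dynamic:
                        return self.dynamic[key]
            if r.action == "check-state":
                continue
            if _static_match(r, p):
                if "keep-state" in r.opts:
                    self.dynamic[fwd] = r.action
                return r.action
        return "deny"


# Rule sets copied verbatim from the message; macros expand at parse time.
SIMPLE_RULES = """
add check-state
add pass tcp from any HIPORTS to INET 22,80,143,443,993,3128 setup keep-state
add deny tcp from any to INET LOPORTS
""".splitlines()

FW1_RULES = """
add pass tcp from PI HIPORTS to any 25
add pass tcp from any 25 to PI HIPORTS established
add pass tcp from any HIPORTS to PI 25
add pass tcp from PI 25 to OIP HIPORTS established
add unreach filter-prohib log tcp from any to INET 25
""".splitlines()


def demo():
    """Walk constructed sample packets through both rule sets; returns the verdicts."""
    out, fw = {}, Firewall(SIMPLE_RULES)
    out["ssh_syn"] = fw.check(Packet("198.51.100.7", 40000, "10.1.1.5", 22, syn=True))
    out["ssh_synack"] = fw.check(Packet("10.1.1.5", 22, "198.51.100.7", 40000, syn=True, ack=True))
    out["smtp_syn"] = fw.check(Packet("198.51.100.7", 40000, "10.1.1.5", 25, syn=True))
    out["ssh_loport"] = fw.check(Packet("198.51.100.7", 80, "10.1.1.5", 22, syn=True))
    nostate = Firewall([l.replace(" keep-state", "") for l in SIMPLE_RULES])
    nostate.check(Packet("198.51.100.7", 40000, "10.1.1.5", 22, syn=True))
    out["synack_no_state"] = nostate.check(Packet("10.1.1.5", 22, "198.51.100.7", 40000, syn=True, ack=True))
    fw1 = Firewall(FW1_RULES)
    out["mta_to_pi"] = fw1.check(Packet("198.51.100.7", 40000, MACROS["PI"], 25, syn=True))
    out["mta_to_inet"] = fw1.check(Packet("198.51.100.7", 40000, "10.1.1.9", 25, syn=True))
    out["reply_ack"] = fw1.check(Packet("198.51.100.7", 25, MACROS["PI"], 40000, ack=True))
    out["fake_syn_25"] = fw1.check(Packet("198.51.100.7", 25, MACROS["PI"], 40000, syn=True))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The SYN/ACK coming back from the inside SSH server passes only because the dynamic entry created by `keep-state` is found at `check-state`; the same packet against the rule set with `keep-state` removed falls through to the default deny, since no static rule covers the return direction. In the FW1 set, a bare SYN arriving from source port 25 is refused because `established` demands ACK or RST, and a delivery attempt aimed at an inside host rather than PI reaches the `unreach filter-prohib` rule.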