Date:      Tue, 02 Feb 1999 04:48:54 -0700
From:      Emmanuel Gravel <chemtechweb@psn.net>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Firewall rules
Message-ID:  <36B6E626.2C67786A@psn.net>

I've been trying to set up a firewall.  I barely modified the simple
ruleset (just changed the IP addresses and interfaces).  I have a
few computers connected on an internal LAN.  The FreeBSD machine will
serve as a gateway.  I set up the oip to a bogus address since I don't
know how to set it up to a dynamically allocated address (if someone
could tell me how, I'd appreciate it :)

My problem, however, isn't the oif or oip (not for now at least).  I've
been trying to ping out to my LAN and get a permission denied.  I try
to ping in from the LAN and don't get a response.  I try connecting to
the named server from the LAN and don't get anything either.  Only
the FreeBSD machine has access to the web server, no others.  They
don't even really know the machine exists, except for the fact that
I set it as the primary name server on the NIC.  I'd also like to get
SAMBA to be useful (I've already set up the scripts, all I need is to
open up the connection to the LAN while keeping it closed to the world).
I'd also like to use Exceed on the LAN (Win98 machines) therefore I need
to have X opened to the LAN and closed to the world.

Here are my firewall rules:

    oif="tun0"
    onet="222.168.0.0"
    omask="255.255.255.0"
    oip="222.168.0.11"
    iif="ep0"
    inet="192.168.0.0"
    imask="255.255.255.0"
    iip="192.168.0.11"

    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
    $fwcmd add pass tcp from any to any established
    $fwcmd add pass tcp from any to ${oip} 25 setup
    $fwcmd add pass tcp from any to ${oip} 53 setup
    $fwcmd add pass tcp from any to ${oip} 80 setup
    $fwcmd add deny log tcp from any to any in via ${oif} setup
    $fwcmd add pass tcp from any to any setup
    $fwcmd add pass udp from any 53 to ${oip}
    $fwcmd add pass udp from ${oip} to any 53
    $fwcmd add pass udp from any 123 to ${oip}
    $fwcmd add pass udp from ${oip} to any 123

I've tried to understand why my machine is still so closed, but nothing
seems to work (mind you it's also very late and my mind is mush, but
I should have at least understood why it's not open to simple tasks
with these rules).  I'm sure I need to add more rules, I just don't know
how to formulate them properly yet.

BTW, this is FreeBSD R 2.2.7 straight off of CDs, and I do have Greg's
book, and have looked through the pages on how to set up the firewall,
but no more than that and the man pages for docs on ipfw.

Thanks,

Manu
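Editor's added example, not part of Manu's message: the posted rules pass no ICMP at all and no UDP except to and from ${oip}, so ping and LAN DNS lookups fall through to ipfw's final default deny. The rules below, written in the same style, open ICMP, DNS, Samba and X11 on the internal interface only, using the interface and address names from the message; fwcmd defaults to a dry run (echo) so the script prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original message. On the real gateway set
# fwcmd="/sbin/ipfw"; the default below only prints the rules (dry run).
fwcmd="${fwcmd:-echo ipfw}"

# Same internal-side names as in the posted ruleset.
iif="ep0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.11"

# LAN-only services. Every rule is bound to the internal interface with
# "via ${iif}", so nothing here becomes reachable from tun0.
lan_rules() {
    # ping and other ICMP between the gateway and LAN hosts
    $fwcmd add pass icmp from ${inet}:${imask} to ${iip} via ${iif}
    $fwcmd add pass icmp from ${iip} to ${inet}:${imask} via ${iif}
    # DNS from LAN hosts to named on the gateway, plus the replies
    $fwcmd add pass udp from ${inet}:${imask} to ${iip} 53 via ${iif}
    $fwcmd add pass udp from ${iip} 53 to ${inet}:${imask} via ${iif}
    $fwcmd add pass tcp from ${inet}:${imask} to ${iip} 53 via ${iif} setup
    # Samba: NetBIOS name/datagram (UDP 137-138) and session (TCP 139)
    $fwcmd add pass udp from ${inet}:${imask} to ${iip} 137-138 via ${iif}
    $fwcmd add pass udp from ${iip} 137-138 to ${inet}:${imask} via ${iif}
    $fwcmd add pass tcp from ${inet}:${imask} to ${iip} 139 via ${iif} setup
    # X11: Exceed runs the X server on the Win98 hosts, so the gateway
    # opens the connection out to the LAN host's display (TCP 6000)
    $fwcmd add pass tcp from ${iip} to ${inet}:${imask} 6000 via ${iif} setup
}

# Number of pass rules a dry run emits (only meaningful with fwcmd=echo).
lan_rule_count() {
    lan_rules | grep -c '^ipfw add pass'
}

lan_rules
```

Load these before the ruleset's final deny; rules take effect in the order they are added, and none of them mentions ${oif}, so the external side stays as closed as before.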
