From owner-freebsd-questions@FreeBSD.ORG Tue Feb 22 12:52:43 2005
From: Petre Bandac <petre@kgb.ro>
To: freebsd-questions@freebsd.org
Date: Tue, 22 Feb 2005 14:54:31 +0200
Subject: Re: IPFW config
Message-ID: <20050222145431.0d0955da@xxl.rdsbv.ro>
In-Reply-To: <421A958B.3020209@cwazy.co.uk>
Organization: kgb.ro
X-Mailer: Sylpheed-Claws 1.0.1 (GTK+ 1.2.10; i386-portbld-freebsd5.1)

http://www.kgb.ro/Ipfw-HOWTO

On Mon, 21 Feb 2005 20:14:35 -0600 Anno Domini, the honourable SigmaX wrote using one of his keyboards:

> Paul Schmehl wrote:
>
> > ----- Original Message ----- From: "SigmaX"
> > Sent: Monday, February 21, 2005 12:01 PM
> > Subject: IPFW config
> >
> >> Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the
> >> default SSH port, right?)
> >> Then start IPFW with the kernel module (I know how to do this)
> >
> > fwcmd=/sbin/ipfw
> > myip=x.x.x.x
> > mymask=255.255.255.0
> >
> > setup_loopback
> >
> > # Allow icmp
> > ${FWCMD} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via xl0
> >
> > # Setup dynamic rules
> > ${fwcmd} add check-state
> > ${fwcmd} add deny tcp from any to any via xl0 established
> >
> > # Allow DNS queries out to the world
> > ${fwcmd} add allow udp from ${ip} to any via xl0 keep-state
> > ${fwcmd} add deny udp from any to any
> >
> > # Allow all outbound traffic
> > ${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state
> >
> > # Allow inbound http, ssh and port 10000
> > ${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state
> > ${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state
> > ${fwcmd} add allow tcp from any to ${myip} 10000 via xl0 setup keep-state
> >
> > # Allow IP fragments to pass through
> > ${fwcmd} add pass all from any to any frag via xl0
> >
> > # Deny everything else
> > ${fwcmd} add deny ip from any to any via xl0
> >
> > Paul Schmehl (pauls@utdallas.edu)
> > Adjunct Information Security Officer
> > University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/
>
> Well... *ahem*... I put the above script into /etc/ipfw.rules and did
> "kldload ipfw.ko && sh /etc/ipfw.rules". I lost connectivity to the
> server. Did the above script only open those ports to localhost or
> something? I can go in tonight and fix it from the local computer, but
> I'd like to know what to do when I get there. I need to have
> connectivity to said ports from the internet... apparently I don't :-P.
>
> Cheerio,
> SigmaX
>
> --
> Registered Linux Freak #: 366,862
>
> "If you think of MS-DOS as mono, and Windows as stereo, then Linux is Dolby Pro-Logic Surround Sound with Bass Boost and all the music is free."

--
Login: petre                            Name: Petre Bandac
Directory: /home/petre                  Shell: /usr/local/bin/zsh
On since Mon Feb 21 09:52 (EET) on ttyv0, idle 1 day 4:04 (messages off)
On since Mon Feb 21 10:50 (EET) on ttyv2, idle 1 day 4:03 (messages off)
Last login Tue Feb 22 00:14 (EET) on ttyp5 from 82-77-40-105.br
New mail received Mon May 24 19:09 2004 (EEST)
Unread since Tue Feb 17 12:31 2004 (EET)
No Plan.