Date:      Sun, 11 Nov 2001 01:16:09 -0800
From:      Ryan Merrick <ryanm139@home.com>
To:        doc@FreeBSD.org, nsayer@FreeBSD.org
Subject:   Filtering bridges
Message-ID:  <20011111100737.LVG21713.femail12.sdc1.sfba.home.com@c1529030-a.sttln1.wa.home.com>

Hello,

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/filtering-bridges-ipfirewall.html

The page mentioned above has a few errors in it.
In the sample script the command to add an ipfw rule is ${ipfw}, not ${fwcmd} like in rc.firewall.
The numbers or priority for the rules are missing after the add. This sample firewall configuration was no help to me in its present state. The corrected "sample" would look like:

# ${fwcmd} is already set when this block lives in rc.firewall; the default
# below only applies if the script is run on its own
: ${fwcmd:=/sbin/ipfw}

us_ip=10.1.1.10
oif=fxp0       # outside interface
iif=fxp1       # inside interface
#mailhost=

# Things that we've kept state on before get to go through in a hurry.
${fwcmd} add 500 check-state

# Throw away RFC 1918 networks
${fwcmd} add 600 deny log ip from 10.0.0.0/8 to any in via ${oif}
${fwcmd} add 700 deny log ip from 172.16.0.0/12 to any in via ${oif}
${fwcmd} add 800 deny log ip from 192.168.0.0/16 to any in via ${oif}

# Allow the bridge machine to say anything it wants (keep state if UDP)
${fwcmd} add 900 pass udp from ${us_ip} to any keep-state
${fwcmd} add 1000 pass ip from ${us_ip} to any

# Allow the inside net to say anything it wants (keep state if UDP)
${fwcmd} add 1100 pass udp from any to any in via ${iif} keep-state
${fwcmd} add 1200 pass ip from any to any in via ${iif}

# Allow all manner of ICMP
${fwcmd} add 1300 pass icmp from any to any

# TCP section
# established TCP sessions are ok everywhere.
${fwcmd} add 1400 pass tcp from any to any established
# Pass the "quarantine" range.
${fwcmd} add 1500 pass tcp from any to any 49152-65535 in via ${oif}
# Pass ident probes.  It's better than waiting for them to timeout
${fwcmd} add 1600 pass tcp from any to any 113 in via ${oif}
# Pass SSH.
${fwcmd} add 1700 pass tcp from any to any 22 in via ${oif}
# Pass DNS.  Only if you have name servers inside.
#${fwcmd} add 1800 pass tcp from any to any 53 in via ${oif}
# Pass SMTP to the mail server only
#${fwcmd} add 1900 pass tcp from any to ${mailhost} 25 in via ${oif}

# UDP section
# Pass the "quarantine" range.
#${fwcmd} add 2000 pass udp from any to any 49152-65535 in via ${oif}
# Pass DNS.  Only if you have name servers inside.
${fwcmd} add 2100 pass udp from any to any 53 in via ${oif}

# Everything else is suspect
${fwcmd} add 2200 deny log ip from any to any

In the document there is no reference to where this configuration is placed. I dumped mine in under open in rc.firewall, but it could be placed in another file then referenced with the firewall_script="" in rc.conf.

Ryan M. 
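Added example, not part of Ryan's message or of the FreeBSD article: a small Python linter that catches the defects the message describes in an ipfw rule script of this shape. It assumes the rc.firewall convention that every rule line starts with "${fwcmd} add", and it checks three things: that each add carries a numeric rule number (and that the number is not fused to the action, as in "1000pass"), that numbers are strictly ascending so evaluation order matches file order, and that the "deny ... from <net>" rules cover exactly the three RFC 1918 ranges. The sample rule text inside the block is constructed to reproduce those defects.

```python
"""Lint an ipfw rule script written in the rc.firewall ${fwcmd} style.

Assumed conventions (this is a checker, not an ipfw feature):
  * every active "${fwcmd} add" line carries a numeric rule number
  * rule numbers are strictly ascending
  * every "deny ... from <cidr>" rule names an RFC 1918 range, and all
    three RFC 1918 ranges are denied somewhere in the script
"""
import ipaddress
import re

RFC1918 = {
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
}

# "${fwcmd} add <first-token> <rest>"; the first token should be the number
ADD_RE = re.compile(r"^\$\{fwcmd\}\s+add\s+(\S+)\s*(.*)$")
FROM_NET_RE = re.compile(r"\bfrom\s+(\d+\.\d+\.\d+\.\d+/\d+)\b")


def parse_rules(script):
    """Return [(lineno, number_or_None, body)] for each active add line."""
    rules = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out rule
        m = ADD_RE.match(line)
        if not m:
            continue  # variable assignment or something else
        first, rest = m.group(1), m.group(2)
        if first.isdigit():
            rules.append((lineno, int(first), rest))
        else:
            rules.append((lineno, None, f"{first} {rest}".strip()))
    return rules


def lint(script):
    """Return a list of human-readable findings; empty means clean."""
    findings = []
    last = 0
    denied = set()
    for lineno, number, body in parse_rules(script):
        if number is None:
            head = body.split()[0]
            if re.fullmatch(r"\d+[a-z-]+", head):
                findings.append(f"line {lineno}: rule number fused with action '{head}'")
            else:
                findings.append(f"line {lineno}: rule has no number")
        elif number <= last:
            findings.append(f"line {lineno}: rule {number} is not above previous rule {last}")
        else:
            last = number
        if body.startswith("deny"):
            m = FROM_NET_RE.search(body)
            if m:
                net = ipaddress.ip_network(m.group(1), strict=False)
                if net in RFC1918:
                    denied.add(net)
                else:
                    findings.append(f"line {lineno}: deny on {net} is not an RFC 1918 range")
    for net in sorted(RFC1918 - denied, key=str):
        findings.append(f"RFC 1918 network {net} is not denied")
    return findings


# Constructed sample reproducing the defects described in the message:
# a mistyped RFC 1918 range, a number fused to its action, and unnumbered rules.
SAMPLE = """\
# constructed sample, not a real rc.firewall
${fwcmd} add 500 check-state
${fwcmd} add 600 deny log ip from 10.0.0.0/8 to any in via ${oif}
${fwcmd} add 700 deny log ip from 172.16.0.0/12 to any in via ${oif}
${fwcmd} add 800 deny log ip from 192.68.0.0/16 to any in via ${oif}
${fwcmd} add 900 pass udp from ${us_ip} to any keep-state
${fwcmd} add 1000pass ip from ${us_ip} to any
${fwcmd} add pass udp from any to any 53 in via ${oif}
${fwcmd} add deny log ip from any to any
"""

# Constructed clean version of the same rules for comparison.
CLEAN = """\
${fwcmd} add 500 check-state
${fwcmd} add 600 deny log ip from 10.0.0.0/8 to any in via ${oif}
${fwcmd} add 700 deny log ip from 172.16.0.0/12 to any in via ${oif}
${fwcmd} add 800 deny log ip from 192.168.0.0/16 to any in via ${oif}
${fwcmd} add 900 pass udp from ${us_ip} to any keep-state
${fwcmd} add 1000 pass ip from ${us_ip} to any
${fwcmd} add 1100 pass udp from any to any 53 in via ${oif}
${fwcmd} add 1200 deny log ip from any to any
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
    print("clean script findings:", lint(CLEAN))
```

Run it against a real rule file with lint(open(path).read()); an empty list means the script at least has the shape the article's example should have had.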


