Date: Thu, 8 Feb 2001 20:44:35 +0200
From: Nevermind
To: "Christian G.Charette"
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw
Message-ID: <20010208204435.A4867@nevermind.kiev.ua>
In-Reply-To: <01020814513000.00915@spod.mic_ar>; from chcharette@millic.com.ar on Thu, Feb 08, 2001 at 02:51:30PM -0300

Hello, Christian G.Charette!

On Thu, Feb 08, 2001 at 02:51:30PM -0300, you wrote:
> Hi, I'm a newbie in Unix and I'm running a FreeBSD box with Apache, and
> I want to build some firewall, but all the instructions I found are
> about firewalling for gateways. All I need is an example of a rule
> set or something like that.
> What I want to do is block ICMP and only allow a couple of IPs to
> telnet to the box.

Cris, first you should include "options IPFIREWALL" (without quotes) in
your custom kernel config. Then you should decide whether you want a
closed or an open firewall type. The difference is:

  closed firewall: everything that is not allowed is denied.
  open firewall:   everything that is not denied is allowed.

If you need to restrict only telnet and icmp, you will need an open
firewall, so you will need the following rules:

  ipfw add deny icmp from any to any
  ipfw add allow ip from first_box_ip to any 23
  ipfw add allow ip from second_box_ip to any 23
  ...
  ipfw add allow ip from any 23 to first_box_ip
  ipfw add allow ip from any 23 to second_box_ip
  ...
  ipfw add deny ip from any to any 23
  ipfw add deny ip from any 23 to any
  ipfw add allow ip from any to any

You need the last rule because the default is that the last rule in the
ruleset is "deny ip from any to any". There is also another kernel option
which sets the default to allow, but I don't have LINT here, so let
somebody else tell it to you.

Be aware that this ruleset is only good for a home PC because it is not
secure and "sdelan na kolenke" (Russian, means that it was made in a few
seconds :>).

Or, there is a second way of doing the same thing. Then you'll need a
closed firewall. I'm not very good at this though, because I'm too lazy
to write all of these allowing rules. But I'm working on it on my home
box. Maybe there are volunteers to answer Cris about closed firewalls
with detailed instructions? :)

Anyways, it is a question for the -questions mailing list, so I'm Cc:'ing
it there.

P.S. Forgive me my awful English.

--
NEVE-RIPE
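The open-firewall ruleset from the reply, traced packet by packet with a small first-match evaluator. This is an added example, not code from the original message and not FreeBSD's ipfw: it models only the subset of syntax the reply uses (allow/deny, protocols ip/tcp/udp/icmp, "any" or a single host, an optional port after an address), and treats a port clause as something ICMP can never match. The addresses 192.0.2.10 (the Apache box), 192.0.2.20 and 192.0.2.21 (standing in for first_box_ip and second_box_ip) and the sample packets are constructed placeholders. Dropping the final "allow ip from any to any" gives the closed variant, where the implicit default deny decides everything the explicit rules do not.

```python
"""First-match evaluation of an ipfw-style ruleset (simplified teaching model).

Constructed example, not FreeBSD's ipfw. It understands only the syntax used
in the reply: allow/deny, ip/tcp/udp/icmp, 'any' or one host, optional port.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None  # icmp carries no ports
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_rule(line: str) -> Rule:
    """Parse 'ipfw add <action> <proto> from <src> [port] to <dst> [port]'."""
    tokens = line.split()
    if tokens[:2] == ["ipfw", "add"]:
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    if tokens[2] != "from":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    i = 3
    src = tokens[i]
    i += 1
    sport = None
    if tokens[i] != "to":        # optional source port
        sport = int(tokens[i])
        i += 1
    i += 1                       # skip "to"
    dst = tokens[i]
    i += 1
    dport = int(tokens[i]) if i < len(tokens) else None
    return Rule(action, proto, src, sport, dst, dport)


def _endpoint_matches(rule_addr, rule_port, pkt_addr, pkt_port) -> bool:
    if rule_addr != "any" and rule_addr != pkt_addr:
        return False
    # A port clause only matches a packet that actually carries that port,
    # so in this model it never matches icmp.
    if rule_port is not None and rule_port != pkt_port:
        return False
    return True


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    return (_endpoint_matches(rule.src, rule.sport, pkt.src, pkt.sport)
            and _endpoint_matches(rule.dst, rule.dport, pkt.dst, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, 1-based rule number) of the first matching rule.

    If nothing matches, the implicit last rule applies: (default, None).
    """
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, number
    return default, None


# Constructed placeholders: the Apache box and the two hosts allowed to telnet.
BOX, FIRST_BOX_IP, SECOND_BOX_IP = "192.0.2.10", "192.0.2.20", "192.0.2.21"

# The reply's open-firewall ruleset with the placeholders filled in.
OPEN_RULESET = [parse_rule(r) for r in [
    "ipfw add deny icmp from any to any",
    f"ipfw add allow ip from {FIRST_BOX_IP} to any 23",
    f"ipfw add allow ip from {SECOND_BOX_IP} to any 23",
    f"ipfw add allow ip from any 23 to {FIRST_BOX_IP}",
    f"ipfw add allow ip from any 23 to {SECOND_BOX_IP}",
    "ipfw add deny ip from any to any 23",
    "ipfw add deny ip from any 23 to any",
    "ipfw add allow ip from any to any",
]]

# Same list without the final catch-all allow: closed-firewall behaviour.
CLOSED_RULESET = OPEN_RULESET[:-1]

# Constructed sample traffic arriving at the box.
SAMPLE_PACKETS = {
    "ping from stranger":    Packet("icmp", "10.0.0.5", BOX),
    "telnet from first box": Packet("tcp", FIRST_BOX_IP, BOX, 40000, 23),
    "telnet from stranger":  Packet("tcp", "10.0.0.5", BOX, 40000, 23),
    "http from stranger":    Packet("tcp", "10.0.0.5", BOX, 40000, 80),
}


def trace(rules: List[Rule]) -> dict:
    """Map each sample packet name to the (action, rule number) it hits."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULESET), ("closed", CLOSED_RULESET)):
        print(f"--- {label} firewall ---")
        for name, (action, number) in trace(rules).items():
            where = f"rule {number}" if number else "implicit default"
            print(f"{name:24s} -> {action:5s} ({where})")
```

Running the script shows why the reply calls the list an open firewall: the HTTP connection from a stranger is never mentioned by any explicit rule and is accepted only by the trailing catch-all, while with that rule removed the same packet falls through to the implicit default and is dropped. The telnet rules behave identically in both variants because they match before the end of the list.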