From: Alex de Kruijff
To: Lucas Holt
cc: freeBSD-Questions@FreeBSD.ORG
Date: Wed, 20 Aug 2003 06:43:31 +0200
Subject: Re: Firewall rules for servers, UDP
Message-id: <20030820044331.GK13873@dds.nl>
In-reply-to: <20030819192913.GJ13873@dds.nl>

On Tue, Aug 19, 2003 at 09:29:13PM +0200, Alex de Kruijff wrote:
> On Tue, Aug 19, 2003 at 02:31:55PM -0400, Lucas Holt wrote:
> > I want to set up a firewall (ipfw) on my freebsd 4.8 p3 server. The
> > machine runs web, ftp, ssh, dns, smtp, and imap to the outside world.
> > Does anyone have any links to example rules for servers? (I've already
> > looked at the handbook and man file)
> >
> > My problem lies in UDP rules. I think I have TCP figured out. My
> > first attempt blocked off DNS queries from the machine outward. I
> > could query the DNS server, but apps could not do lookups. I figure it
> > has something to do with ports above 1024, but I'm not sure how to
> > define a rule with multiple ports in a range, plus I don't know how high
> > to go above 1024. Is this the right action? Ideas on syntax?

These rules apply for both TCP and UDP:
Servers mostly use ports below 1024 (fixed)
Clients normally use ports above 1024 (totally random)

> First of all, if you do:
> 20 allow ip from any to any via lo0
> 30 allow log ip from any to any
>
> and you compile the verbose option in, then you could look in
> /etc/services for packets that were accepted by rule 30
>
> I'm assuming you only have one NIC and that it is called xl0.
>
> # Just to make sure you have a connection when something goes wrong.
> 10 allow ip from YOUR_IP to SERVER_IP
> # Connection from server to itself
> 20 allow ip from any to any via lo0
> # Allow DNS
> 30 allow tcp from any 53 to me in
> 31 allow tcp from any to me 53 out
>
> # Allow FTP
> 40 allow tcp from any to me ftp in
> 41 allow tcp from me ftp to any out
> 42 allow tcp from me ftp-data to any out
> 43 allow tcp from any to ftp-data in
>
> # Allow HTTP
> 50 allow tcp from any to me http in
> 51 allow tcp from me http to any out
>
> # Allow SSH
> 60 allow tcp from any to me ssh in
> 61 allow tcp from me ssh to any out
>
> # Allow SMTP
> 70 allow tcp from any to me smtp in
> 71 allow tcp from me smtp to any out
>
> # Allow IMAP
> 80 allow tcp from any to me imap in
> 81 allow tcp from me imap to any out
>
> # Stateful firewall check
> 90 check-state
>
> # Allow traffic out (and back in)
> 91 allow tcp from me to any keep-state setup
> 92 allow udp from me to any keep-state
> 93 allow ip from me to any keep-state
>
> # Deny everything else
> 100 deny log ip from any to any
>
> # Again, logging helps you debug if something doesn't work.
>
> --
> Alex
>
> Articles based on solutions that I use:
> http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/