Date: Wed, 3 Aug 2005 16:42:04 -0400
From: Jason Morgan <jwm-freebsd@sentinelchicken.net>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Fetch able to get around firewall?
Message-ID: <20050803204204.GC7833@sentinelchicken.net>
I have three clients behind my FreeBSD gateway/firewall. Two of the clients run FreeBSD and the other runs FreeBSD and Windows. I would like for my firewall to be fairly tight, disallowing unspecified connections outbound. However, while I have no trouble getting most services up and running correctly (qmail, apache, ssh, etc.), I am having trouble getting fetch (for portupgrade) to get through the firewall. I have tried 'fetch -p', which doesn't seem to work. My question is, is it going to be possible to maintain a restrictive firewall and still have the ability to upgrade my ports from the inside clients? Below is my firewall (a slightly edited version of the one available in the handbook).

00005 allow ip from any to any via fxp0
00010 allow ip from any to any via lo0
00014 divert 8668 ip from any to any in via xl0
00015 check-state
00020 skipto 800 udp from any to X.X.X.X dst-port 53 out via xl0 keep-state
00021 skipto 800 udp from any to X.X.X.X dst-port 53 out via xl0 keep-state
00030 skipto 800 udp from any to X.X.X.X dst-port 67 out via xl0 keep-state
00040 skipto 800 tcp from any to any dst-port 80 out via xl0 setup keep-state
00050 skipto 800 tcp from any to any dst-port 443 out via xl0 setup keep-state
00060 skipto 800 tcp from any to any dst-port 25 out via xl0 setup keep-state
00061 skipto 800 tcp from any to any dst-port 110 out via xl0 setup keep-state
00070 skipto 800 tcp from me to any out via xl0 setup uid root keep-state
00080 skipto 800 icmp from any to any out via xl0 keep-state
00090 skipto 800 tcp from any to any dst-port 37 out via xl0 setup keep-state
00100 skipto 800 tcp from any to any dst-port 119 out via xl0 setup keep-state
00105 skipto 800 tcp from any to any dst-port 20,21 out via xl0 setup keep-state
00110 skipto 800 tcp from any to any dst-port 22 out via xl0 setup keep-state
00120 skipto 800 tcp from any to any dst-port 43 out via xl0 setup keep-state
00130 skipto 800 udp from any to any dst-port 123 out via xl0 keep-state
00300 deny ip from 192.168.0.0/16 to any in via xl0
00301 deny ip from 172.16.0.0/12 to any in via xl0
00303 deny ip from 127.0.0.0/8 to any in via xl0
00304 deny ip from 0.0.0.0/8 to any in via xl0
00305 deny ip from 169.254.0.0/16 to any in via xl0
00306 deny ip from 192.0.2.0/24 to any in via xl0
00307 deny ip from 204.152.64.0/23 to any in via xl0
00308 deny ip from 224.0.0.0/3 to any in via xl0
00315 deny tcp from any to any dst-port 113 in via xl0
00320 deny tcp from any to any dst-port 137 in via xl0
00321 deny tcp from any to any dst-port 138 in via xl0
00322 deny tcp from any to any dst-port 139 in via xl0
00323 deny tcp from any to any dst-port 81 in via xl0
00330 deny ip from any to any frag in via xl0
00332 deny tcp from any to any established in via xl0
00360 allow udp from X.X.X.X to any dst-port 68 in via xl0 keep-state
00370 allow tcp from any to me dst-port 80 in via xl0 setup limit src-addr 2
00380 allow tcp from any to me dst-port 22 in via xl0 setup limit src-addr 2
00390 allow tcp from any to me dst-port 25 in via xl0 setup limit src-addr 2
00400 deny log logamount 10 ip from any to any in via xl0
00450 deny log logamount 10 ip from any to any out via xl0
00800 divert 8668 ip from any to any out via xl0
00801 allow ip from any to any
00999 deny log logamount 10 ip from any to any
65535 deny ip from any to any

Any suggestions? Is it the standard solution to allow all outbound connections through?

Thanks,
Jason
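As an added check that is not part of Jason's message or of the FreeBSD handbook script it is based on: a small Python walker over the outbound-relevant rules from the posted ruleset, which reports the rule that finally allows or denies a new connection and the skipto/divert path it took to get there. The gateway addresses (203.0.113.1 on xl0, 192.168.1.1 on fxp0), the client 192.168.1.10 and the destination 198.51.100.7 are assumed placeholders; X.X.X.X is kept as the literal placeholder from the message; only the first packet of a flow is traced, so keep-state is parsed but not modelled, and the inbound bogon/limit rules are left out.

```python
"""Added example (not code from the thread): a first-packet walker over ipfw rules.
It parses the ipfw(8) syntax used by the posted outbound rules and reports which rule
finally allows or denies a new connection.  Addresses are assumed placeholders and
X.X.X.X stays the literal placeholder from the message; keep-state is not modelled."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Outbound-relevant subset of the rules posted in the message, copied verbatim.
RULESET = """\
00015 check-state
00020 skipto 800 udp from any to X.X.X.X dst-port 53 out via xl0 keep-state
00040 skipto 800 tcp from any to any dst-port 80 out via xl0 setup keep-state
00070 skipto 800 tcp from me to any out via xl0 setup uid root keep-state
00105 skipto 800 tcp from any to any dst-port 20,21 out via xl0 setup keep-state
00400 deny log logamount 10 ip from any to any in via xl0
00450 deny log logamount 10 ip from any to any out via xl0
00800 divert 8668 ip from any to any out via xl0
00801 allow ip from any to any
65535 deny ip from any to any
"""
ME = {"203.0.113.1", "192.168.1.1"}    # assumed gateway addresses; what "me" matches

# First packet of a flow: for TCP that is the bare SYN, so "setup" rules can match it.
Packet = namedtuple("Packet", "proto src dst dport direction iface uid", defaults=[None])

@dataclass
class Rule:
    num: int
    action: str                        # allow | deny | skipto | divert | check-state
    target: Optional[int] = None       # skipto rule number or divert port
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dports: FrozenSet[int] = frozenset()   # empty means any port
    direction: Optional[str] = None    # in | out
    iface: Optional[str] = None
    setup: bool = False                # TCP connection setup (bare SYN) only
    uid: Optional[str] = None          # owner of a locally generated packet

def parse_rule(line):
    t = line.split()
    r, i = Rule(int(t[0]), t[1]), 2
    if r.action in ("skipto", "divert"):
        r.target, i = int(t[2]), 3
    if r.action == "check-state":
        return r
    while t[i] in ("log", "logamount"):            # skip logging options
        i += 2 if t[i] == "logamount" else 1
    r.proto, r.src, r.dst, i = t[i], t[i + 2], t[i + 4], i + 5   # "proto from A to B"
    while i < len(t):
        o = t[i]
        if o == "dst-port":
            r.dports, i = frozenset(int(p) for p in t[i + 1].split(",")), i + 2
        elif o in ("in", "out"):
            r.direction, i = o, i + 1
        elif o in ("via", "uid"):
            setattr(r, "iface" if o == "via" else "uid", t[i + 1]); i += 2
        elif o in ("setup", "keep-state"):         # keep-state only affects later packets
            r.setup, i = r.setup or o == "setup", i + 1
        else:
            raise ValueError(f"rule {r.num}: unhandled option {o!r}")
    return r

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    if "/" in spec:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return spec == addr                            # exact host, incl. the X.X.X.X placeholder

def matches(r, p):
    if r.action == "check-state":                  # no dynamic rule exists for a first packet
        return False
    return ((r.proto == "ip" or r.proto == p.proto)
            and addr_match(r.src, p.src) and addr_match(r.dst, p.dst)
            and (not r.dports or p.dport in r.dports)
            and (r.direction is None or r.direction == p.direction)
            and (r.iface is None or r.iface == p.iface)
            and (not r.setup or p.proto == "tcp")
            and (r.uid is None or r.uid == p.uid))

def evaluate(rules, p):
    """Walk rules (already in numeric order); return (verdict, deciding rule, rules matched)."""
    i, path = 0, []
    while i < len(rules):
        r = rules[i]
        if matches(r, p):
            path.append(r.num)
            if r.action in ("allow", "deny"):
                return r.action, r.num, path
            if r.action == "skipto":
                i = next(k for k, x in enumerate(rules) if x.num >= r.target)
                continue
        i += 1                                     # no match, or divert: natd hands the packet back

RULES = [parse_rule(l) for l in RULESET.splitlines() if l.strip()]

def outbound(proto, dport, dst="198.51.100.7", src="192.168.1.10", uid=None):
    # New connection leaving via xl0; the defaults are an assumed LAN client.
    return evaluate(RULES, Packet(proto, src, dst, dport, "out", "xl0", uid))
```

Calling outbound("tcp", 80) or outbound("tcp", 21) traces the client's SYN through rule 40 or 105 to the divert at 800 and the allow at 801, while outbound("tcp", 50000), the kind of server-chosen high port a passive FTP data connection lands on, matches nothing before the catch-all deny at 450 and is logged there. Rule 70 is the only rule that allows arbitrary outbound TCP, and it needs both "from me" and "uid root", so it covers root on the gateway itself and never traffic forwarded from the LAN clients.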
