From owner-freebsd-hackers Mon Jan 11 14:57:34 1999
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA14194 for freebsd-hackers-outgoing; Mon, 11 Jan 1999 14:57:34 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from smarter.than.nu (thought.calbbs.com [207.71.213.16]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA14188 for ; Mon, 11 Jan 1999 14:57:31 -0800 (PST) (envelope-from brian@CSUA.Berkeley.EDU)
Received: from localhost (localhost [127.0.0.1]) by smarter.than.nu (8.9.1/8.9.1) with ESMTP id OAA00933; Mon, 11 Jan 1999 14:56:44 -0800 (PST) (envelope-from brian@CSUA.Berkeley.EDU)
Date: Mon, 11 Jan 1999 14:56:44 -0800 (PST)
From: "Brian W. Buchanan"
X-Sender: brian@smarter.than.nu
To: Patrick Barmentlo
cc: hackers@FreeBSD.ORG
Subject: Re: examples rules ipfw
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 11 Jan 1999, Patrick Barmentlo wrote:

> Can someone please point me to some good examples for the rc.firewall
> file (ipfw)??
> (with most variants of options/features...)
>
> I have to set up some filtering, but I'm still having some difficulties with
> it after checking freebsd.org....

What kind of filtering?  For a single machine, or on a gateway for a LAN?

Here are my firewall rules and a brief explanation of them:

    add 00002 allow ip from smarter to any

This allows any IP traffic from the local host (its hostname is "smarter")
to any host.

    add 00003 allow tcp from any to smarter established

This allows any TCP traffic into the local host that does not have the SYN
flag set.  That is, it allows TCP connections that have already been
established to continue to send us data.

    add 00050 allow ip from localhost to localhost via lo0

This allows all IP traffic from/to localhost over the loopback interface.

    add 00051 deny ip from localhost to any

This denies any IP traffic claiming to be from the loopback address coming
in from any interface.  (Legitimate loopback traffic will be allowed by the
rule above, and therefore won't get filtered out here.)

    add 00101 deny log udp from any to smarter printer,nfsd,sunrpc

This denies and logs any UDP packets sent to smarter's printer, nfsd, and
sunrpc ports.

    add 00102 deny udp from any to smarter 137,138

This denies any UDP packets sent to netbios-ns and netbios-dgm.

    add 00199 allow udp from any to any

This allows any UDP packets not previously filtered out.

    add 00201 allow icmp from any to smarter

This allows all ICMP traffic destined for the local host.

    add 00301 allow tcp from any to smarter ftp

This allows all traffic to the ftp daemon.

    add 00401 allow tcp from any to smarter ssh

This allows all traffic to the ssh daemon.

    add 00450 deny tcp from any to smarter 3306

This denies all traffic to port 3306 (mysqld).

    add 00501 allow tcp from any to smarter 1024-65535

This allows all traffic to ports 1024 through 65535 (to let FTP work
correctly).

    add 00601 allow tcp from 169.229.99.90 to smarter 25,139
    add 00602 allow tcp from 169.229.99.92 to smarter 25,139

These rules allow my roommates' Windows computers to relay mail via my
sendmail daemon (port 25) and to access my SAMBA daemon for
filesharing/printing (port 139).

    add 60000 deny igmp from any to any

This drops all IGMP packets.

    add 60001 reset tcp from any to smarter ident

This sends a TCP RST in response to any attempt to connect to identd.
(Initiator gets "Connection Refused".)

    add 64000 reset tcp from any to smarter 139

This sends a TCP RST in response to any attempt to connect to SAMBA.

    add 65000 deny log ip from any to any

This denies any packets not already accepted or denied, and logs them.

Hope that helped.  IPFW can do many more things which I don't currently
use, but that should serve to give you a general idea of what you can do
with IPFW.
--
Brian Buchanan                                     brian@smarter.than.nu
                                                   brian@CSUA.Berkeley.EDU
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."  -- Benjamin Franklin, 1759

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
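The point that makes a ruleset like the one above work is first-match ordering: the anti-spoofing deny at 00051 only protects because the legitimate loopback allow at 00050 precedes it, and the port 3306 deny at 00450 only bites because it sits before the broad 1024-65535 allow at 00501. The following is an added example, not Brian's code or anything from FreeBSD: a small Python evaluator for the rule syntax used in the post, run over a subset of those rules. The hostname-to-address mapping is constructed, and `established` is simplified to "any TCP packet that is not a bare SYN".

```python
# Added example (not the post's code): first-match evaluator for the ipfw syntax used above.
# HOSTS is a constructed mapping; real ipfw resolves hostnames when the rules are loaded.
HOSTS = {"smarter": "207.71.213.16", "localhost": "127.0.0.1"}
SERVICES = {"printer": 515, "nfsd": 2049, "sunrpc": 111, "ssh": 22}

RULES = """\
add 00002 allow ip from smarter to any
add 00003 allow tcp from any to smarter established
add 00050 allow ip from localhost to localhost via lo0
add 00051 deny ip from localhost to any
add 00101 deny log udp from any to smarter printer,nfsd,sunrpc
add 00401 allow tcp from any to smarter ssh
add 00450 deny tcp from any to smarter 3306
add 00501 allow tcp from any to smarter 1024-65535
add 00601 allow tcp from 169.229.99.90 to smarter 25,139
add 64000 reset tcp from any to smarter 139
add 65000 deny log ip from any to any
"""

def parse(text):
    rules = []
    for line in text.splitlines():
        t = line.split()
        i = 4 if t[3] == "log" else 3                       # protocol index; "log" is optional
        r = {"num": int(t[1]), "action": t[2], "proto": t[i], "src": t[i + 2], "dst": t[i + 4],
             "ports": [], "established": "established" in t, "via": None}
        rest = t[i + 5:]
        if "via" in rest:
            r["via"] = rest[rest.index("via") + 1]
        if rest and rest[0] not in ("established", "via"):  # port list: names, numbers, ranges
            for p in rest[0].split(","):
                lo, _, hi = p.partition("-")
                hi = hi or lo
                r["ports"].append((int(SERVICES.get(lo, lo)), int(SERVICES.get(hi, hi))))
        rules.append(r)
    return rules

def addr_ok(spec, addr):
    return spec == "any" or HOSTS.get(spec, spec) == addr

def verdict(rules, pkt):
    """pkt keys: proto, src, dst, iface, dport, syn (True for a bare SYN). Returns (rule, action)."""
    for r in rules:
        if (r["proto"] in ("ip", pkt["proto"])
                and addr_ok(r["src"], pkt["src"]) and addr_ok(r["dst"], pkt["dst"])
                and (not r["ports"] or any(lo <= pkt.get("dport", -1) <= hi for lo, hi in r["ports"]))
                and not (r["established"] and pkt.get("syn"))   # established: not a bare SYN
                and (r["via"] is None or r["via"] == pkt["iface"])):
            return r["num"], r["action"]
    return 65535, "deny"   # ipfw's built-in last rule (deny unless the kernel was built to accept)
```

Feeding it a packet with a 127.0.0.1 source arriving on an external interface shows rule 00051 catching it, while the same source on lo0 is passed by 00050; a SYN to 3306 stops at 00450 before 00501 can allow it.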