Date: Tue, 2 Jul 2002 15:59:36 +0200
From: thrawn@linux.nu
To: W Ryan M <wrmine@SDF.LONESTAR.ORG>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW rules
Message-ID: <20020702155936.A67665@thrawn.birch.se>
In-Reply-To: <Pine.NEB.4.44.0207012003390.3624-100000@sdf.lonestar.org>; from wrmine@SDF.LONESTAR.ORG on Mon, Jul 01, 2002 at 08:14:37PM +0000
References: <afq7v4$270k$1@FreeBSD.csie.NCTU.edu.tw> <Pine.NEB.4.44.0207012003390.3624-100000@sdf.lonestar.org>
Hi, and thanks for the reply.

On Mon, Jul 01, 2002 at 08:14:37PM +0000, W Ryan M wrote:
> On Mon, 1 Jul 2002 thrawn@linux.nu wrote:
>
> > Date: Mon, 1 Jul 2002 18:44:52 +0000 (UTC)
> > From: thrawn@linux.nu
> > Newsgroups: mailing.freebsd.questions
> > Subject: IPFW rules
> >
> > Hi,
> >
> > I would like to have some help/advice to perhaps correct my firewall
> > rules. I have not read the manual page for ipfw that much yet.
> >
> > Well, before I start to comment my ipfw rules... I will explain in
> > words. I have a machine that is firewall/gateway and it has a modem
> > attached to it. The interface name of that is tun0, as you can see.
> > The internal interface is, as you can see, xl0.
> >
> > Basically I want to allow everything from xl0 to go to any point in my
> > network and to any internet site. I want only ssh connections to be
> > allowed from the internet to my firewall/gateway. Block 1 to port 1023
> > and some other ports, as I'm running a squid proxy. And X Windows as
> > well on the box. Anyway, I think you will get my point. Here are my
> > rules and some comments:
>
> I have never used tun0 in conjunction with IPFW. The FreeBSD Handbook
> lists 3 ways to use ipfw (router, bridge, natd).
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/
> advanced-networking.html
>
> Your setup sounds like a bridge.

No, it's not. For some reason my dialup connection uses tun0 as an
interface, and that is the interface that gets an IP when I connect to
the internet via ppp.

Here is a dump from my latest ifconfig:

xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<rxcsum,txcsum>
        inet6 fe80::2a0:24ff:fe53:cc3a%xl0 prefixlen 64 scopeid 0x1
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:a0:24:53:cc:3a
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
stf0: flags=0<> mtu 1280
tun0: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::2a0:24ff:fe53:cc3a%tun0 prefixlen 64 scopeid 0x6
        inet 62.66.14.46 --> 10.0.0.2 netmask 0xffffff00
        Opened by PID 13914

>
> > One thing I didn't mention earlier is that I run the firewall default
> > as open in the kernel config.
> >
> > ipfw -f flush
> > ipfw add allow tcp from any to any in recv tun0
> > ipfw add allow udp from any to any in recv tun0
> >
> > I don't know exactly why I put them there, but I did that because I
> > think they have to be there if the outgoing traffic from my LAN to the
> > internet should work? I don't think that the rules are right.
> >
> > ipfw add allow tcp from any to any 53 in recv tun0
> > ipfw add allow udp from any to any 53 in recv tun0
> >
> > I'm not sure this must be here to make my DNS server work correctly?
> > My DNS server is a caching server and used as a DNS server for my
> > internal network, but they do not exist anywhere else than on my LAN.
> >
> > ipfw add allow tcp from any to any 1-65535 via xl0
> > ipfw add allow udp from any to any 1-65535 via xl0
> >
> > That allows any port connection from any computer that is in my LAN.
> >
> > ipfw add allow ip from any to any via xl0
> >
> > Allow any ip on my LAN to connect to any place.
> >
> > ipfw add allow ip from any to any out recv tun0 xmit xl0
> > ipfw add allow tcp from any to any out recv tun0 xmit xl0
> > ipfw add allow udp from any to any out recv tun0 xmit xl0
> >
> > Must be here to allow outgoing traffic from xl0 to tun0, the internet?
> >
> > ipfw add deny tcp from any to any 1-1023 in recv tun0
> > ipfw add deny udp from any to any 1-1023 in recv tun0
> > ipfw add deny tcp from any to any 1064 in recv tun0
> > ipfw add deny udp from any to any 1064 in recv tun0
> > ipfw add deny tcp from any to any 1305 in recv tun0
> > ipfw add deny udp from any to any 1305 in recv tun0
> > ipfw add deny tcp from any to any 2049 in recv tun0
> > ipfw add deny udp from any to any 2049 in recv tun0
> > ipfw add deny tcp from any to any 3128 in recv tun0
> > ipfw add deny udp from any to any 3128 in recv tun0
> > ipfw add deny tcp from any to any 3130 in recv tun0
> > ipfw add deny udp from any to any 3130 in recv tun0
> > ipfw add deny tcp from any to any 8080 in recv tun0
> > ipfw add deny udp from any to any 8080 in recv tun0
> > ipfw add deny tcp from any to any 6000-6063 in recv tun0
> > ipfw add deny udp from any to any 6000-6063 in recv tun0
> >
> > Do not allow any traffic to the specified ports above?
> >
> > As you can see I'm not an expert in ipfw rules, but you have to start
> > somewhere... Any thoughts are welcome. Thanks for your time.
>
> Try using default to deny. Then add two rules to your firewall
> ipfw add 64000 deny log udp from any to any
> ipfw add 65000 reset log tcp from any to any

I will try that out, thanks.

> Then in a terminal #less /var/log/security this will give you the output
> from the log statements. Use the log file to build your firewall rules.

That is one way to do it also; I will check that out as well.

> >
> > Mvh Mattias Björk
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >
> Not an expert

Well, who is an expert?

> Ryan M
> wrmine@sdf.lonestar.org
> SDF Public Access UNIX System - http://sdf.lonestar.org

Mvh Mattias Björk

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
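Added example, not part of the thread (neither Mattias's rules nor Ryan's): a default-deny ipfw ruleset for the setup described, written in the style of /etc/rc.firewall and ending with the two logging rules Ryan suggests, followed by a small awk summary of the refusals those rules write to /var/log/security. The point it illustrates is that ipfw is first-match: in the original set, "allow tcp from any to any in recv tun0" sits at the top, so the deny lines further down never see a packet from tun0, and with an explicit deny as the last rule the kernel's default-to-accept setting stops mattering. tun0, xl0 and the 192.168.0.0/24 LAN are taken from the thread; the rule numbers, the keep-state approach, the function names and the sample log lines are assumptions or constructed. natd (which a private LAN needs to reach the internet) is not covered, and the log keyword only produces output with IPFIREWALL_VERBOSE in the kernel or net.inet.ip.fw.verbose=1.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny ipfw ruleset in the
# style of /etc/rc.firewall, plus a summary of the refusals it logs.
# Interface names and LAN net come from the thread; the rest is assumed.
#
#   sh ipfw-example.sh rules | less          review the ruleset
#   sh ipfw-example.sh rules | sh            apply it (as root)
#   sh ipfw-example.sh summary [logfile]     what is being refused, and where

ext_if=${EXT_IF:-tun0}                 # link that carries the public address
int_if=${INT_IF:-xl0}                  # LAN side
lan_net=${LAN_NET:-192.168.0.0/24}

# Print the rules rather than run them, so they can be reviewed first.
# Order matters: ipfw stops at the first matching rule.
gen_rules() {
    cat <<EOF
ipfw -f flush
# dynamic (keep-state) entries are matched here, both directions
ipfw add 100 check-state
# loopback is fine; loopback addresses on real interfaces are not
ipfw add 200 allow ip from any to any via lo0
ipfw add 210 deny ip from any to 127.0.0.0/8
ipfw add 220 deny ip from 127.0.0.0/8 to any
# anti-spoofing: a LAN source address never arrives over the modem link
ipfw add 300 deny ip from $lan_net to any in recv $ext_if
# the LAN may open anything, to the gateway or through it; replies
# come back through the dynamic rule created here
ipfw add 400 allow ip from $lan_net to any via $int_if keep-state
# the gateway's own outbound connections
ipfw add 500 allow ip from me to any out xmit $ext_if keep-state
# the one service reachable from outside: ssh to the gateway itself
ipfw add 600 allow tcp from any to me 22 in recv $ext_if setup keep-state
# everything else is refused and logged (the two rules from the reply),
# so the kernel's default-to-accept rule 65535 is never reached
ipfw add 64000 deny log udp from any to any
ipfw add 65000 reset log tcp from any to any
ipfw add 65100 deny log ip from any to any
EOF
}

# Summarise logged refusals as "count proto dstport iface", most frequent
# first, for packets refused on the way in. A log line looks like:
#   ... /kernel: ipfw: 65000 Reset TCP 10.0.0.2:3456 62.66.14.46:3128 in via tun0
summarize_denies() {
    awk '/ipfw: [0-9]+ (Deny|Reset|Unreach) / {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        proto = $(i + 3); dst = $(i + 5); dir = $(i + 6); iface = $(i + 8)
        sub(/:.*$/, "", proto)                 # "ICMP:8.0" -> "ICMP"
        n = split(dst, a, ":"); port = (n > 1) ? a[n] : "-"
        if (dir == "in") count[proto " " port " " iface]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Constructed sample of /var/log/security lines (not a real capture),
# written to the file named in $1 so the summary can be tried offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Jul  2 15:59:36 thrawn /kernel: ipfw: 65000 Reset TCP 10.0.0.2:3456 62.66.14.46:3128 in via tun0
Jul  2 15:59:40 thrawn /kernel: ipfw: 65000 Reset TCP 10.0.0.2:3457 62.66.14.46:3128 in via tun0
Jul  2 16:01:02 thrawn /kernel: ipfw: 64000 Deny UDP 10.0.0.9:1029 62.66.14.46:137 in via tun0
Jul  2 16:02:10 thrawn /kernel: ipfw: 65100 Deny ICMP:8.0 10.0.0.2 62.66.14.46 in via tun0
Jul  2 16:03:45 thrawn /kernel: ipfw: 64000 Deny UDP 62.66.14.46:1030 10.0.0.9:137 out via tun0
EOF
}

case "${1:-}" in
    rules)   gen_rules ;;
    summary) summarize_denies "${2:-/var/log/security}" ;;
esac
```

Rule 400 does the work of the original "allow ... via xl0" lines and the "out recv tun0 xmit xl0" lines together: the packet from the LAN creates a dynamic entry on its way in, and the reply from the internet is matched by check-state at rule 100 on the way back, so nothing from tun0 needs a blanket allow. Port 3128 (squid) and 6000-6063 (X) never need their own deny lines, because nothing reaches them unless a rule above the final denies says so. The summary is the first thing to look at after a day of logging: a high count for an unexpected port usually means a service the gateway should not be offering on tun0.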