Date: Tue, 2 Jul 2002 15:59:36 +0200
From: thrawn@linux.nu
To: W Ryan M
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW rules
Message-ID: <20020702155936.A67665@thrawn.birch.se>

Hi, and thanks for the reply.

On Mon, Jul 01, 2002 at 08:14:37PM +0000, W Ryan M wrote:
> On Mon, 1 Jul 2002 thrawn@linux.nu wrote:
>
> > Date: Mon, 1 Jul 2002 18:44:52 +0000 (UTC)
> > From: thrawn@linux.nu
> > Newsgroups: mailing.freebsd.questions
> > Subject: IPFW rules
> >
> > Hi,
> >
> > I would like to have some help/advice to perhaps correct my firewall
> > rules. I have not read the manual page for ipfw that much yet.
> >
> > Well, before I start to comment my ipfw rules... I will explain in
> > words. I have a machine that is firewall/gateway and it has a modem
> > attached to it. The interface name of that is tun0, as you can see.
> > The internal interface is, as you can see, xl0.
> >
> > Basically I want to allow everything from xl0 to go to any point in
> > my network and to any internet site. I want only ssh connections to
> > be allowed from the internet to my firewall/gateway. Block 1 to port
> > 1023 and some other ports, as I'm running a squid proxy. And X
> > Windows as well on the box. Anyway, I think you will get my point.
> > Here are my rules and some comments:
>
> I have never used tun0 in conjunction with IPFW. The FreeBSD Handbook
> lists 3 ways to use ipfw (router, bridge, natd).
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/advanced-networking.html
>
> Your setup sounds like a bridge.

No, it's not. For some reason my dialup connection uses tun0 as an
interface, and that is the interface that gets an IP when I connect to
the internet via ppp. Here is a dump from my latest ifconfig:

xl0: flags=8843 mtu 1500
	options=3
	inet6 fe80::2a0:24ff:fe53:cc3a%xl0 prefixlen 64 scopeid 0x1
	inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
	ether 00:a0:24:53:cc:3a
	media: Ethernet autoselect (100baseTX )
	status: active
lo0: flags=8049 mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010 mtu 1500
faith0: flags=8002 mtu 1500
stf0: flags=0<> mtu 1280
tun0: flags=8050 mtu 1500
	inet6 fe80::2a0:24ff:fe53:cc3a%tun0 prefixlen 64 scopeid 0x6
	inet 62.66.14.46 --> 10.0.0.2 netmask 0xffffff00
	Opened by PID 13914

> > One thing I didn't mention earlier is that I run the firewall
> > default as open in the kernel config.
> >
> > ipfw -f flush
> > ipfw add allow tcp from any to any in recv tun0
> > ipfw add allow udp from any to any in recv tun0
> >
> > I don't know exactly why I put them there, but I did that because I
> > think they have to be there if the outgoing traffic from my LAN to
> > the internet should work? I don't think that the rules are right.
> >
> > ipfw add allow tcp from any to any 53 in recv tun0
> > ipfw add allow udp from any to any 53 in recv tun0
> >
> > I'm not sure this must be here to make my DNS server work correctly?
> > My DNS server is a caching server and used as a DNS server for my
> > internal network, but they do not exist anywhere else than on my LAN.
> >
> > ipfw add allow tcp from any to any 1-65535 via xl0
> > ipfw add allow udp from any to any 1-65535 via xl0
> >
> > That allows any port connection from any computer that is in my LAN.
> >
> > ipfw add allow ip from any to any via xl0
> >
> > Allow any IP on my LAN to connect to any place.
> >
> > ipfw add allow ip from any to any out recv tun0 xmit xl0
> > ipfw add allow tcp from any to any out recv tun0 xmit xl0
> > ipfw add allow udp from any to any out recv tun0 xmit xl0
> >
> > Must be here to allow outgoing traffic from xl0 to tun0, the internet?
> >
> > ipfw add deny tcp from any to any 1-1023 in recv tun0
> > ipfw add deny udp from any to any 1-1023 in recv tun0
> > ipfw add deny tcp from any to any 1064 in recv tun0
> > ipfw add deny udp from any to any 1064 in recv tun0
> > ipfw add deny tcp from any to any 1305 in recv tun0
> > ipfw add deny udp from any to any 1305 in recv tun0
> > ipfw add deny tcp from any to any 2049 in recv tun0
> > ipfw add deny udp from any to any 2049 in recv tun0
> > ipfw add deny tcp from any to any 3128 in recv tun0
> > ipfw add deny udp from any to any 3128 in recv tun0
> > ipfw add deny tcp from any to any 3130 in recv tun0
> > ipfw add deny udp from any to any 3130 in recv tun0
> > ipfw add deny tcp from any to any 8080 in recv tun0
> > ipfw add deny udp from any to any 8080 in recv tun0
> > ipfw add deny tcp from any to any 6000-6063 in recv tun0
> > ipfw add deny udp from any to any 6000-6063 in recv tun0
> >
> > Do not allow any traffic to the specified ports above?
> >
> > As you can see I'm not an expert in ipfw rules, but you have to start
> > somewhere... Any thoughts are welcome. Thanks for your time.
>
> Try using default to deny. Then add two rules to your firewall:
> ipfw add 64000 deny log udp from any to any
> ipfw add 65000 reset log tcp from any to any

I will try that out, thanks.

> Then in a terminal
> #less /var/log/security
> this will give you the output from the log statements. Use the log file
> to build your firewall rules.

That is one way to do it also; will check that out as well.

> > Best regards, Mattias Björk
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
>
> Not an expert

Well, who is an expert?

> Ryan M
> wrmine@sdf.lonestar.org
> SDF Public Access UNIX System - http://sdf.lonestar.org

Best regards, Mattias Björk
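An added example, my own and not code from the thread or from FreeBSD: a small Python evaluator for the ipfw subset quoted in the thread, applying ipfw's first-match semantics to the poster's rules and to the default-deny shape Ryan suggests. The rule lists, packets and port numbers below are constructed for the demonstration; the first "allow tcp from any to any in recv tun0" rule matches every inbound TCP packet on tun0, so the later deny rules for 1-1023 and 3128 are never reached.

```python
# Added example, not from the thread: a first-match evaluator for the ipfw
# rule subset quoted above, used to test rule ordering offline.
def parse_rule(line):
    """'ipfw add [N] action [log] proto from any to any [port|lo-hi] [in|out] [recv|xmit|via IF]'"""
    tok = [t for t in line.split()[2:] if t != "log"]   # drop 'ipfw add' and 'log'
    if tok[0].isdigit():
        tok.pop(0)                                       # optional rule number
    rule = {"action": tok.pop(0), "proto": tok.pop(0), "ports": None,
            "dir": None, "recv": None, "xmit": None, "via": None}
    tok = tok[4:]                                        # skip 'from any to any'
    while tok:
        t = tok.pop(0)
        if t.replace("-", "").isdigit():                 # destination port or lo-hi range
            lo, _, hi = t.partition("-")
            rule["ports"] = (int(lo), int(hi or lo))
        elif t in ("in", "out"):
            rule["dir"] = t
        else:                                            # recv / xmit / via <iface>
            rule[t] = tok.pop(0)
    return rule

def matches(rule, pkt):
    """pkt: proto, dport, dir ('in'/'out'), recv and xmit interface (None if unset)."""
    lo, hi = rule["ports"] or (0, 65535)
    return (rule["proto"] in ("ip", pkt["proto"]) and lo <= pkt["dport"] <= hi
            and rule["dir"] in (None, pkt["dir"])
            and rule["recv"] in (None, pkt["recv"])
            and rule["xmit"] in (None, pkt["xmit"])
            and rule["via"] in (None, pkt["recv"], pkt["xmit"]))

def first_match(lines, pkt, default="allow"):
    """ipfw stops at the first matching rule: (1-based index, action), else (None, default)."""
    for i, rule in enumerate(map(parse_rule, lines), 1):
        if matches(rule, pkt):
            return i, rule["action"]
    return None, default

# Constructed subset of the poster's rules, in their order, under the "open"
# default compiled into their kernel: rule 1 shadows the later denies.
POSTED = ["ipfw add allow tcp from any to any in recv tun0",
          "ipfw add deny tcp from any to any 1-1023 in recv tun0",
          "ipfw add deny tcp from any to any 3128 in recv tun0"]
# The shape the reply recommends: default deny, only ssh admitted on tun0,
# LAN traffic on xl0 allowed, logging catch-all last.
DEFAULT_DENY = ["ipfw add allow tcp from any to any 22 in recv tun0",
                "ipfw add allow ip from any to any via xl0",
                "ipfw add 65000 reset log tcp from any to any"]
SQUID_FROM_NET = {"proto": "tcp", "dport": 3128, "dir": "in",
                  "recv": "tun0", "xmit": None}
```

Under DEFAULT_DENY a reply packet for a LAN-initiated connection, arriving in on tun0 with no xmit interface yet, also falls through to the reset rule; that is the gap ipfw's stateful keep-state rules exist to close, and the log statements Ryan mentions are how you would see it.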