Date: Tue, 12 Jan 1999 00:08:03 +0100 (CET)
From: Patrick Barmentlo <pbm@barmentlo.net>
To: "Brian W. Buchanan" <brian@CSUA.Berkeley.EDU>
Cc: hackers@FreeBSD.ORG
Subject: Re: examples rules ipfw
Message-ID: <Pine.BSF.4.05.9901112359420.325-100000@gateway.barmentlo.net>
In-Reply-To: <Pine.BSF.4.05.9901111442510.854-100000@smarter.than.nu>
On Mon, 11 Jan 1999, Brian W. Buchanan wrote:

> On Mon, 11 Jan 1999, Patrick Barmentlo wrote:
>
> > Can someone please point me to some good examples for the rc.firewall
> > file (ipfw)?
> > (with most variants of options/features...)
> >
> > I have to set up some filtering, but still having some difficulties with
> > it after checking freebsd.org....
>
> What kind of filtering? For a single machine, or on a gateway for a LAN?

This is what it is about: I have a BSD host with ep0 and ppp0 interfaces
(the ppp0 is connected to the Internet, of course ;-)). I have a small
subnet, so I don't need to do any 'nat'.

I want to allow all traffic out of my 'lan' to the Internet, but only want
to allow mail (smtp) and dns from the Internet in.. (and eventually other
services). I also want to allow traffic from a certain host into my 'lan'.

If you can help me with something like this, then it would help me on the
right way.. ;-)

thanks..

> Here are my firewall rules and a brief explanation of them:
>
> add 00002 allow ip from smarter to any
>
> This allows any IP traffic from the local host (its hostname is "smarter")
> to any host.
>
> add 00003 allow tcp from any to smarter established
>
> This allows any TCP traffic into the local host that does not have the
> SYN flag set. That is, it allows TCP connections that have already been
> established to continue to send us data.
>
> add 00050 allow ip from localhost to localhost via lo0
>
> This allows all IP traffic from/to localhost over the loopback interface.
>
> add 00051 deny ip from localhost to any
>
> This denies any IP traffic claiming to be from the loopback address
> coming in from any interface. (Legitimate loopback traffic will be allowed
> by the rule above, and therefore won't get filtered out here)
>
> add 00101 deny log udp from any to smarter printer,nfsd,sunrpc
>
> This denies and logs any UDP packets sent to smarter's printer, nfsd,
> and sunrpc ports.
>
> add 00102 deny udp from any to smarter 137,138
>
> This denies any UDP packets sent to netbios-ns and netbios-dgm.
>
> add 00199 allow udp from any to any
>
> This allows any UDP packets not previously filtered out.
>
> add 00201 allow icmp from any to smarter
>
> This allows all ICMP traffic destined for the local host.
>
> add 00301 allow tcp from any to smarter ftp
>
> This allows all traffic to the ftp daemon.
>
> add 00401 allow tcp from any to smarter ssh
>
> This allows all traffic to the ssh daemon.
>
> add 00450 deny tcp from any to smarter 3306
>
> This denies all traffic to port 3306 (mysqld)
>
> add 00501 allow tcp from any to smarter 1024-65535
>
> This allows all traffic to ports 1024 through 65535 (to let FTP work
> correctly)
>
> add 00601 allow tcp from 169.229.99.90 to smarter 25,139
> add 00602 allow tcp from 169.229.99.92 to smarter 25,139
>
> These rules allow my roommates' Windows computers to relay mail via my
> sendmail daemon (port 25) and to access my SAMBA daemon for
> filesharing/printing (port 139)
>
> add 60000 deny igmp from any to any
>
> This drops all IGMP packets.
>
> add 60001 reset tcp from any to smarter ident
>
> This sends a TCP RST in response to any attempt to connect to identd.
> (Initiator gets "Connection Refused")
>
> add 64000 reset tcp from any to smarter 139
>
> This sends a TCP RST in response to any attempt to connect to SAMBA.
>
> add 65000 deny log ip from any to any
>
> This denies any packets not already accepted or denied, and logs them.
>
>
> Hope that helped. IPFW can do many more things which I don't currently
> use, but that should serve to give you a general idea of what you can do
> with IPFW.
>
> --
> Brian Buchanan                                  brian@smarter.than.nu
>                                                 brian@CSUA.Berkeley.EDU
>
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."
>                                         -- Benjamin Franklin, 1759
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
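The gateway case asked about above (ep0 on the LAN, ppp0 to the Internet, everything allowed out, only SMTP and DNS plus one trusted host allowed in, no NAT), as an added example that is not from this thread or from either poster. The subnet and the trusted host are constructed placeholders, and every rule is issued through a ${fwcmd} variable in the rc.firewall style, so passing `echo` prints the rule set instead of loading it.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules for a LAN gateway with
# ep0 on the LAN and ppp0 to the Internet, no NAT. Addresses are constructed
# placeholders; the rules are issued through ${fwcmd} as rc.firewall does.

lan_if="ep0"
ext_if="ppp0"
lan_net="198.51.100.0/28"     # placeholder for the small routable subnet
trusted_host="203.0.113.5"    # placeholder for the one outside host let in

# gateway_rules [ipfw-command]  (default /sbin/ipfw; pass "echo" for a dry run)
gateway_rules() {
    fwcmd="${1:-/sbin/ipfw}"

    ${fwcmd} -f flush

    # Loopback: real lo0 traffic is fine; 127/8 on any other interface is spoofed.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: nothing arriving on ppp0 may claim a LAN source address.
    ${fwcmd} add 400 deny log ip from ${lan_net} to any in via ${ext_if}

    # LAN may send anything out; replies to TCP the LAN started may come back.
    ${fwcmd} add 1000 allow ip from ${lan_net} to any out via ${ext_if}
    ${fwcmd} add 1100 allow tcp from any to any established
    ${fwcmd} add 1200 allow ip from any to any via ${lan_if}

    # New sessions from the Internet: SMTP and DNS only ("setup" = SYN, no ACK).
    ${fwcmd} add 2000 allow tcp from any to any 25 in via ${ext_if} setup
    ${fwcmd} add 2100 allow tcp from any to any 53 in via ${ext_if} setup
    ${fwcmd} add 2200 allow udp from any to any 53 in via ${ext_if}
    # UDP has no "established": accept answers from remote DNS servers.
    ${fwcmd} add 2300 allow udp from any 53 to any in via ${ext_if}

    # The one trusted outside host may reach anything behind the gateway.
    ${fwcmd} add 3000 allow ip from ${trusted_host} to any in via ${ext_if}

    # ICMP through; everything else denied and logged, as in the quoted set.
    ${fwcmd} add 4000 allow icmp from any to any
    ${fwcmd} add 65000 deny log ip from any to any
}
```

Rule 1100 accepts any inbound segment carrying ACK, the same trade-off as the "established" rule in the quoted set; later ipfw releases added keep-state/check-state to replace it with real connection tracking.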