Date: Wed, 20 Aug 2003 10:35:27 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Lucas Holt <luke@foolishgames.com>
Cc: freeBSD-Questions@FreeBSD.ORG
Subject: Re: Firewall rules for servers, UDP
Message-ID: <3F43872F.6070400@mac.com>
In-Reply-To: <68D72AEE-D273-11D7-A8D3-0030656DD690@foolishgames.com>
References: <68D72AEE-D273-11D7-A8D3-0030656DD690@foolishgames.com>
Lucas Holt wrote:
> My problem lies in UDP rules. I think I have TCP figured out. My first
> attempt blocked off DNS queries from the machine outward. I could query
> the DNS server, but apps could not do lookups. I figure it has
> something to do with ports above 1024, but I'm not sure how to define a
> rule with multi ports in a range, plus I don't know how high to go above
> 1024. Is this the right action? Ideas on syntax?

6-sec% cat fw.codefab.com/CF_firewall
############
# Set variables for network addresses
# set these to your inside interface network and netmask and ip
#define IIF fxp0
#define INET 12.38.161.0/25
#define IIP 12.38.161.1
# set these to your outside interface network and netmask and ip
#define OIF fxp1
#define ONET 12.38.161.128/26
#define OIP 12.38.161.130
#define CFNET 12.38.161.0/24
# port number ranges
#define LOPORTS 1-1023
#define HIPORTS 1024-65535

[ ...anti-spoofing rules and "things to block first" snipped... ]

############
# UDP traffic
############
# allow DNS,NTP queries out in the world
add pass udp from CFNET HIPORTS to any 53,123
add pass udp from any 53,123 to CFNET HIPORTS
add pass udp from any 53,123 to any 53,123
# traceroute
add pass udp from any HIPORTS to any 33434-33523
# external UDP
add pass udp from ONET HIPORTS to INET HIPORTS
add pass log udp from any HIPORTS to INET HIPORTS
add pass udp from INET HIPORTS to any HIPORTS
# log remaining UDP traffic
add pass log udp from ONET to INET
add pass log udp from INET to ONET
add pass log udp from INET to any
add unreach filter-prohib log udp from any to any

[ ...followed by TCP and ICMP rules... ]

--
Utilize this by saving this file to /etc/YOUR_firewall, and adding the following lines to /etc/rc.conf:
#firewall_type='/etc/YOUR_firewall'
#firewall_flags='-p /usr/bin/cpp'
--
-Chuck
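Added example, not part of the list post: a small first-match simulator for the UDP section of the CF_firewall file above, with a macro pass that stands in for the `cpp` step the rc.conf flags invoke. Running it against a few constructed packets shows which rule a DNS query, its reply, and unsolicited inbound UDP hit, and which of those are logged; the packet addresses are made up for illustration.

```python
import ipaddress
import re
# Constructed input: the #defines and UDP rules quoted above (unused macros dropped).
FIREWALL = """\
#define INET 12.38.161.0/25
#define ONET 12.38.161.128/26
#define CFNET 12.38.161.0/24
#define HIPORTS 1024-65535
add pass udp from CFNET HIPORTS to any 53,123
add pass udp from any 53,123 to CFNET HIPORTS
add pass udp from any 53,123 to any 53,123
add pass udp from any HIPORTS to any 33434-33523
add pass udp from ONET HIPORTS to INET HIPORTS
add pass log udp from any HIPORTS to INET HIPORTS
add pass udp from INET HIPORTS to any HIPORTS
add pass log udp from ONET to INET
add pass log udp from INET to ONET
add pass log udp from INET to any
add unreach filter-prohib log udp from any to any
"""
RULE = re.compile(r'add (pass|unreach) (?:filter-prohib )?(log )?udp '
                  r'from (\S+)(?: ([\d,-]+))? to (\S+)(?: ([\d,-]+))?$')

def preprocess(text):
    """Substitute #define macros as cpp would; keep only the 'add' lines."""
    macros, rules = {}, []
    for line in text.splitlines():
        if line.startswith('#define'):
            _, name, value = line.split(None, 2)
            macros[name] = value
        elif line.startswith('add'):
            for name, value in macros.items():
                line = re.sub(r'\b%s\b' % name, value, line)
            rules.append(line)
    return rules

def port_ok(spec, port):  # spec: None (any port), '53,123' or '1024-65535'
    return spec is None or any(
        int(p.partition('-')[0]) <= port <= int(p.partition('-')[2] or p)
        for p in spec.split(','))

def addr_ok(spec, ip):
    return spec == 'any' or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def evaluate(rules, src, sport, dst, dport):
    """First-match walk, as ipfw does: (rule no., action, logged) or None."""
    for n, rule in enumerate(rules, 1):
        action, log, s, sp, d, dp = RULE.match(rule).groups()
        if addr_ok(s, src) and port_ok(sp, sport) and addr_ok(d, dst) and port_ok(dp, dport):
            return n, action, log is not None
```

A query from an ephemeral port matches the first rule and its reply the second, while inbound UDP to a low port on the inside network falls through to the final `unreach filter-prohib log` rule.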
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F43872F.6070400>