Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 20 Aug 2003 10:35:27 -0400
From:      Chuck Swiger <cswiger@mac.com>
To:        Lucas Holt <luke@foolishgames.com>
Cc:        freeBSD-Questions@FreeBSD.ORG
Subject:   Re: Firewall rules for servers, UDP
Message-ID:  <3F43872F.6070400@mac.com>
In-Reply-To: <68D72AEE-D273-11D7-A8D3-0030656DD690@foolishgames.com>
References:  <68D72AEE-D273-11D7-A8D3-0030656DD690@foolishgames.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Lucas Holt wrote:
> My problem lies in UDP rules.  I think I have TCP figured out.  My first 
> attempt blocked off DNS queries from the machine outward.  I could query 
> the DNS server, but apps could not do lookups.  i figure it has 
> something to do with ports above 1024, but I'm not sure how to define a 
> rule with multi ports in a range, plus I don't know how high to go above 
> 1024.  Is this the right action?  Ideas on syntax?

6-sec% cat fw.codefab.com/CF_firewall

############
# Set variables for network addresses

# set these to your inside interface network and netmask and ip
#define IIF fxp0
#define INET 12.38.161.0/25
#define IIP 12.38.161.1

# set these to your outside interface network and netmask and ip
#define OIF fxp1
#define ONET 12.38.161.128/26
#define OIP 12.38.161.130

#define CFNET 12.38.161.0/24

# port number ranges
#define LOPORTS 1-1023
#define HIPORTS 1024-65535

[ ...anti-spoofing rules and "things to block first" snipped... ]
############
# UDP traffic
############

# allow DNS,NTP queries out in the world
add pass udp from CFNET HIPORTS to any 53,123
add pass udp from any 53,123 to CFNET HIPORTS
add pass udp from any 53,123 to any 53,123

# traceroute
add pass udp from any HIPORTS to any 33434-33523

# external UDP
add pass udp from ONET HIPORTS to INET HIPORTS
add pass log udp from any HIPORTS to INET HIPORTS
add pass udp from INET HIPORTS to any HIPORTS

# log remaining UDP traffic
add pass log udp from ONET to INET
add pass log udp from INET to ONET
add pass log udp from INET to any
add unreach filter-prohib log udp from any to any

[ ...followed by TCP and ICMP rules... ]

	--

Utilize this by saving this file to /etc/YOUR_firewall, and adding the following 
lines to /etc/rc.conf:

#firewall_type='/etc/YOUR_firewall'
#firewall_flags='-p /usr/bin/cpp'

-- 
-Chuck




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F43872F.6070400>