From: Chuck Swiger
Organization: The Courts of Chaos
Date: Wed, 20 Aug 2003 10:35:27 -0400
To: Lucas Holt
cc: freeBSD-Questions@FreeBSD.ORG
Subject: Re: Firewall rules for servers, UDP
Message-ID: <3F43872F.6070400@mac.com>
In-Reply-To: <68D72AEE-D273-11D7-A8D3-0030656DD690@foolishgames.com>

Lucas Holt wrote:
> My problem lies in UDP rules. I think I have TCP figured out. My first
> attempt blocked off DNS queries from the machine outward. I could query
> the DNS server, but apps could not do lookups. I figure it has
> something to do with ports above 1024, but I'm not sure how to define a
> rule with multi ports in a range, plus I don't know how high to go above
> 1024. Is this the right action? Ideas on syntax?

6-sec% cat fw.codefab.com/CF_firewall
############
# Set variables for network addresses
# set these to your inside interface network and netmask and ip
#define IIF fxp0
#define INET 12.38.161.0/25
#define IIP 12.38.161.1
# set these to your outside interface network and netmask and ip
#define OIF fxp1
#define ONET 12.38.161.128/26
#define OIP 12.38.161.130
#define CFNET 12.38.161.0/24
# port number ranges
#define LOPORTS 1-1023
#define HIPORTS 1024-65535

[ ...anti-spoofing rules and "things to block first" snipped... ]

############
# UDP traffic
############
# allow DNS,NTP queries out in the world
add pass udp from CFNET HIPORTS to any 53,123
add pass udp from any 53,123 to CFNET HIPORTS
add pass udp from any 53,123 to any 53,123
# traceroute
add pass udp from any HIPORTS to any 33434-33523
# external UDP
add pass udp from ONET HIPORTS to INET HIPORTS
add pass log udp from any HIPORTS to INET HIPORTS
add pass udp from INET HIPORTS to any HIPORTS
# log remaining UDP traffic
add pass log udp from ONET to INET
add pass log udp from INET to ONET
add pass log udp from INET to any
add unreach filter-prohib log udp from any to any

[ ...followed by TCP and ICMP rules... ]
--
Utilize this by saving this file to /etc/YOUR_firewall, and adding the following lines to /etc/rc.conf:

#firewall_type='/etc/YOUR_firewall'
#firewall_flags='-p /usr/bin/cpp'

--
-Chuck
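The UDP section of Chuck's file, replayed as an added Python example (not Chuck's or FreeBSD's code) that mimics ipfw's first-match evaluation: the networks and port ranges are the #defines from the file, the outside addresses (198.51.100.x) are constructed, and the snipped anti-spoofing, TCP and ICMP rules are not modelled. It also checks the ruleset with the "answers coming back" rule left out, which reproduces the symptom in the question.

```python
import ipaddress

# Networks and port ranges from the #define block in the message.
CFNET = ipaddress.ip_network("12.38.161.0/24")
INET = ipaddress.ip_network("12.38.161.0/25")
ONET = ipaddress.ip_network("12.38.161.128/26")
ANY = ipaddress.ip_network("0.0.0.0/0")
HIPORTS = "1024-65535"


def port_match(port, spec):
    """True if port falls in an ipfw port list such as '53,123' or '1024-65535'.
    A spec of None means the rule names no port, which matches every port."""
    if spec is None:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


# The UDP section of the posted ruleset as (action, src net, src ports, dst net, dst ports).
# 'log' is dropped because it only adds syslog output and does not change the verdict.
UDP_RULES = [
    ("pass", CFNET, HIPORTS, ANY, "53,123"),     # DNS/NTP queries out
    ("pass", ANY, "53,123", CFNET, HIPORTS),     # ...and the answers coming back
    ("pass", ANY, "53,123", ANY, "53,123"),      # server-to-server DNS/NTP
    ("pass", ANY, HIPORTS, ANY, "33434-33523"),  # traceroute probes
    ("pass", ONET, HIPORTS, INET, HIPORTS),
    ("pass", ANY, HIPORTS, INET, HIPORTS),
    ("pass", INET, HIPORTS, ANY, HIPORTS),
    ("pass", ONET, None, INET, None),
    ("pass", INET, None, ONET, None),
    ("pass", INET, None, ANY, None),
    ("unreach", ANY, None, ANY, None),           # unreach filter-prohib for the rest
]

# Same list with the answer rule removed: the symptom in the question, a query
# leaves on a high port but nothing lets the reply to that port back in.
WITHOUT_ANSWER_RULE = UDP_RULES[:1] + UDP_RULES[2:]


def verdict(src, sport, dst, dport, rules=UDP_RULES):
    """Action of the first rule that matches a UDP datagram, which is how ipfw decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, sp, dnet, dp in rules:
        if s in snet and d in dnet and port_match(sport, sp) and port_match(dport, dp):
            return action
    return "unreach"  # not reached with these lists, since the last rule matches everything
```

With the full list an inside host's query from port 40000 to an outside resolver on 53 passes and so does the answer, while an outside host sending to port 53 of an inside machine hits the final unreach; without the answer rule the reply is rejected, exactly the "apps could not do lookups" behaviour.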