Date: Wed, 5 Sep 2001 05:15:55 -0500 From: Mike Meyer <mwm@mired.org> To: "Big B" <tiffany@crshjnke.com> Cc: questions@freebsd.org Subject: Re: easy firewall option for 1 NIC machine? Message-ID: <15253.64347.65627.742104@guru.mired.org> In-Reply-To: <28477796@toto.iv>
Big B <tiffany@crshjnke.com> types:
> I have been reading and reading and reading...
> but all of the tute and examples show people using
> FBSD as gateway/firewall/natd...
> I am looking to kill off certain ports and ICMP attacks
> on a machine with one network card.
> I need to keep open ssh ftp www and several high ports for
> CS server without extreme cpu usage..
>
> Can anyone point me in the right direction..
>
> IPFW seems the correct way to go but the man pages do not help.

There's something very close to the configuration you want already
installed on the system. Add lines to /etc/rc.conf that say:

    firewall_enable="YES"
    firewall_type="client"

This will run /etc/rc.firewall at boot, telling it you want to protect a
single machine. You'll have to customize /etc/rc.firewall, but it's got
comments in it that should guide you. You'll need to change the net, mask
and ip variables, then delete the ${fwcmd} line that allows incoming mail,
and add similar lines to allow ssh, www and ftp.

Note that ftp can be problematical. For maximum security, require that
they use active ftp, and that will do. If you want to allow passive ftp,
you've got to open the data ports, and those depend on your server.

To test it, you can just run /etc/rc.firewall as a shell script. Do it at
the console, because if things screw up, you may not have network access
to the machine.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
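An added example of the customised "client" rule set the reply describes, written here for illustration (it is not FreeBSD's /etc/rc.firewall and not part of the original thread). It follows rc.firewall's habit of issuing every rule through ${fwcmd}, so setting fwcmd to "echo ipfw" gives a dry run that can be reviewed before the real list is loaded at the console; the 192.0.2.x addresses and the passive-ftp range 49152-49200 are placeholders to replace with the host's own values.

```shell
#!/bin/sh
# Dry-run by default: print the rules instead of loading them. Set
# fwcmd=/sbin/ipfw in the environment to load them for real (console only).
fwcmd="${fwcmd:-echo ipfw}"

# client_rules IP NET MASK PASV_LO PASV_HI
# Single-NIC host: allow ssh, www and ftp in, no inbound mail, only harmless
# ICMP types in, outgoing TCP/DNS/NTP from this host, deny everything else.
client_rules() {
    ip="$1"; net="$2"; mask="$3"; pasv_lo="$4"; pasv_hi="$5"

    ${fwcmd} -f flush
    # Traffic between this host and its own network is trusted.
    ${fwcmd} add pass all from "${ip}" to "${net}:${mask}"
    ${fwcmd} add pass all from "${net}:${mask}" to "${ip}"
    # Established TCP keeps flowing; fragments pass so sessions do not stall.
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass all from any to any frag
    # Services this host offers. The rc.firewall mail rule (port 25) is
    # deliberately absent; ssh (22), www (80) and ftp control (21) replace it.
    for port in 22 80 21; do
        ${fwcmd} add pass tcp from any to "${ip}" ${port} setup
    done
    # Passive-ftp data connections arrive on the ftp server's configured
    # range; the bounds here are placeholders for that range.
    ${fwcmd} add pass tcp from any to "${ip}" "${pasv_lo}-${pasv_hi}" setup
    # This host may open outgoing TCP; no other inbound TCP setup is allowed.
    ${fwcmd} add pass tcp from "${ip}" to any setup
    ${fwcmd} add deny tcp from any to any setup
    # Replies to our own DNS and NTP queries.
    ${fwcmd} add pass udp from "${ip}" to any 53 keep-state
    ${fwcmd} add pass udp from "${ip}" to any 123 keep-state
    # ICMP: echo reply, unreachable and time exceeded in; all other ICMP
    # (including inbound echo requests) is dropped.
    ${fwcmd} add pass icmp from any to "${ip}" icmptypes 0,3,11
    ${fwcmd} add deny icmp from any to any
    # Explicit logged catch-all so denies show up in the logs.
    ${fwcmd} add deny log all from any to any
}

# Constructed sample values; replace with the host's real net/mask/ip.
client_rules 192.0.2.10 192.0.2.0 255.255.255.0 49152 49200
```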