From: Mike Meyer
Date: Wed, 5 Sep 2001 05:15:55 -0500
To: "Big B"
Cc: questions@freebsd.org
Subject: Re: easy firewall option for 1 NIC machine?
Message-ID: <15253.64347.65627.742104@guru.mired.org>
In-Reply-To: <28477796@toto.iv>

Big B types:
> I have been reading and reading and reading...
> but all of the tute and examples show people using
> FBSD as gateway/firewall/natd...
> I am looking to kill off certain ports and ICMP attacks
> on a machine with one network card.
> I need to keep open ssh ftp www and several high ports for
> CS server without extreme cpu usage..
>
> Can anyone point me in the right direction..
>
> IPFW seems the correct way to go but the man pages do not help.

There's something very close to the configuration you want already
installed on the system. Add lines to /etc/rc.conf that say:

    firewall_enable="YES"
    firewall_type="client"

This will run /etc/rc.firewall at boot, telling it you want to protect a
single machine. You'll have to customize /etc/rc.firewall, but it's got
comments in it that should guide you.
You'll need to change the net, mask and ip variables, then delete the
${fwcmd} line that allows incoming mail, and add similar lines to allow
ssh, www and ftp.

Note that ftp can be problematical. For maximum security, require that
they use active ftp, and that will do. If you want to allow passive ftp,
you've got to open the data ports, and those depend on your server.

To test it, you can just run /etc/rc.firewall as a shell script. Do it
at the console, because if things screw up, you may not have network
access to the machine.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
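The customization the reply describes, written out as a stand-alone script in the shape of the "client" section of /etc/rc.firewall: the port 25 rule is gone, setup rules for ssh, ftp control and www are in, and the game-server ports are opened over UDP. This is an added example, not the FreeBSD project's rc.firewall and not code from the original message. The addresses (192.0.2.10 on 192.0.2.0/24) and the game ports (27015,27016) are assumed placeholders; change them before use. It also goes one step beyond the reply by handling the ICMP half of the original question, letting out our own echo requests and in only echo replies, unreachables and time-exceeded (so path-MTU discovery and traceroute keep working) and dropping the rest. Without an argument it prints the ipfw commands instead of loading them, which is the safe way to check it at the console; `apply` loads them for real.

```shell
#!/bin/sh
# Single-NIC "client" rule set in the style of /etc/rc.firewall (FreeBSD 4.x).
# Added example, not the project's own file. Usage:
#   sh client-fw.sh          # dry run: print the ipfw commands
#   sh client-fw.sh apply    # load the rules (run this at the console)

# Assumed addresses; documentation-range placeholders, replace with yours.
ip="192.0.2.10"
net="192.0.2.0"
mask="255.255.255.0"
# Assumed game-server UDP ports (placeholder values, not from the original post).
game_udp_ports="27015,27016"

client_rules() {
    fwcmd="$1"

    # Start from an empty rule set.
    ${fwcmd} -f flush

    # Loopback: allow lo0, reject anything claiming 127/8 elsewhere.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Anything to or from the local net.
    ${fwcmd} add pass all from ${ip} to ${net}:${mask}
    ${fwcmd} add pass all from ${net}:${mask} to ${ip}

    # TCP packets belonging to connections whose setup was already allowed.
    ${fwcmd} add pass tcp from any to any established

    # IP fragments.
    ${fwcmd} add pass all from any to any frag

    # Inbound services (these replace the template's port 25 rule).
    ${fwcmd} add pass tcp from any to ${ip} 22 setup
    ${fwcmd} add pass tcp from any to ${ip} 21 setup
    ${fwcmd} add pass tcp from any to ${ip} 80 setup
    # Active FTP only: the data connection is opened by us from port 20,
    # which the outbound setup rule below covers. Passive FTP would need
    # the server's data port range opened inbound here as well.

    # Game server ports (UDP, no state kept).
    ${fwcmd} add pass udp from any to ${ip} ${game_udp_ports}

    # We may open TCP connections outward; nobody else may open them inward.
    ${fwcmd} add pass tcp from ${ip} to any setup
    ${fwcmd} add deny tcp from any to any setup

    # DNS and NTP queries out, with state so the replies get back in.
    ${fwcmd} add pass udp from ${ip} to any 53 keep-state
    ${fwcmd} add pass udp from ${ip} to any 123 keep-state

    # ICMP: our echo requests out; echo reply, unreachable and time
    # exceeded in (PMTU discovery, traceroute); everything else dropped.
    ${fwcmd} add pass icmp from ${ip} to any icmptypes 8
    ${fwcmd} add pass icmp from any to ${ip} icmptypes 0,3,11
    ${fwcmd} add deny icmp from any to any

    # Explicit, logged catch-all (rule 65535 denies anyway unless the
    # kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT).
    ${fwcmd} add deny log all from any to any
}

case "${1:-dryrun}" in
    apply) client_rules "ipfw" ;;
    *)     client_rules "echo ipfw" ;;
esac
```

Rule order matters: the three inbound `setup` rules must come before the `deny tcp from any to any setup` line, since ipfw stops at the first match. Compare the dry-run output against `ipfw list` after an `apply` to confirm nothing was silently rejected.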