From: "Jurjen Middendorp"
Date: Thu, 21 Dec 2006 14:12:28 +0100
To: freebsd-questions
Subject: Re: ipfw rules
Message-ID: <20061221131228.GA1975@jurjenm.stack.nl>
In-Reply-To: <20061216170123.GA962@jurjenm.stack.nl>

Ok, I changed my original rules. I'm going to use both the ruleset you recommended and these ones (not at the same time though :).
And see which one gives me the least trouble. Greetings, Jurjen.

#!/bin/sh
ipfw -q flush
cmd="ipfw -q add"
ks="keep-state"
oif="ath0"

# sort in and out packets on $oif: incoming packets go to the
# Incoming section (100), outgoing packets to the Outgoing section (15)
$cmd 1 skipto 100 ip from any to any in recv $oif
$cmd 2 skipto 15 ip from any to any out xmit $oif

# setup the loopback (only traffic that is not on $oif reaches these,
# because rules 1 and 2 jump past them for everything on $oif)
$cmd 011 allow all from any to any via lo0
$cmd 012 deny all from any to 127.0.0.0/8
$cmd 013 deny ip from 127.0.0.0/8 to any
$cmd 014 allow icmp from any to any

####
# Outgoing (15)
# check outgoing packets against the dynamic rules that keep-state created
$cmd 015 check-state
# internet sites:
$cmd 020 allow tcp from me to any 80 out via $oif setup $ks
# allow dns queries
$cmd 025 allow udp from me to any 53 out via $oif $ks
# to stack
$cmd 030 allow all from me to 131.155.0.0/16 via $oif $ks
# e-mail pop
$cmd 040 allow tcp from me to any 110 out via $oif setup $ks
# imap
#$cmd 041 allow tcp from me to any 143 out via $oif setup $ks
# allow ssh (TCP; "setup" only ever matches TCP SYN packets)
$cmd 050 allow tcp from me to any 22 out via $oif setup $ks
# https
$cmd 054 allow tcp from me to any 443 out via $oif setup $ks
# gopher
$cmd 055 allow tcp from me to any 70 out via $oif setup $ks
# root can open any connection (TCP only, because of "setup"), logged
$cmd 070 allow log all from me to any out via $oif setup $ks uid root

####
# Incoming (100)
# replies to connections opened in the Outgoing section match the
# dynamic rules here; everything else is unsolicited
$cmd 100 check-state
# log ACK packets that didn't match the dynamic ruleset
$cmd 101 deny log all from any to any established in via $oif
# default: deny ip from any to any
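A skipto-sorted ruleset like this one stands or falls with its jump targets, so here is an added sanity check (my own script, not from the post and not an ipfw feature): a small sh/awk linter that verifies every skipto jumps forward to a rule number the script actually defines. It assumes rules are written in the posted "$cmd NNN action ..." style and that awk and mktemp are available; the excerpt it checks is a constructed sample in that style.

```shell
#!/bin/sh
# Added example, not part of the original post. ipfw's skipto only jumps
# forward, so a target must be numbered above the rule that jumps to it,
# and a target that no rule defines silently falls through to the next
# higher-numbered rule. Lines in the "$cmd NNN ..." style (or literal
# "ipfw ... add NNN ...") are inspected; everything else is ignored.

check_skipto() {
    # $1: file holding the ruleset. Prints one line per problem and
    # returns 0 when the skipto layout is clean, 1 otherwise.
    awk '
    BEGIN { n = 0 }
    /^[$]cmd[ \t]+[0-9]+/ || /^ipfw[ \t].*add[ \t]+[0-9]+/ {
        # the rule number is the token after "$cmd" or "add";
        # adding 0 normalises leading zeros ("015" and "15" are rule 15)
        for (i = 1; i <= NF; i++)
            if ($i == "$cmd" || $i == "add") { num = $(i + 1) + 0; break }
        defined[num] = 1
        for (i = 1; i < NF; i++)
            if ($i == "skipto") { n++; src[n] = num; dst[n] = $(i + 1) + 0 }
    }
    END {
        bad = 0
        for (j = 1; j <= n; j++) {
            if (dst[j] <= src[j]) {
                printf "rule %d: skipto %d is not a forward jump\n", src[j], dst[j]
                bad = 1
            } else if (!(dst[j] in defined)) {
                printf "rule %d: skipto target %d is not defined\n", src[j], dst[j]
                bad = 1
            }
        }
        exit bad
    }' "$1"
}

# Constructed excerpt of the direction-sorting layout used in the post.
good=$(mktemp)
cat > "$good" <<'EOF'
$cmd 1 skipto 100 ip from any to any in recv ath0
$cmd 2 skipto 15 ip from any to any out xmit ath0
$cmd 011 allow all from any to any via lo0
$cmd 015 check-state
$cmd 020 allow tcp from me to any 80 out via ath0 setup keep-state
$cmd 100 deny log all from any to any established in via ath0
EOF
check_skipto "$good" && echo "ruleset skipto layout OK"
rm -f "$good"
```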