From: "Grant Peel" <gpeel@thenetnow.com>
Date: Wed, 29 Dec 2004 07:02:25 -0500
Organization: The Net Now
Subject: New IPFW Setup.
Message-ID: <008901c4ed9e$44478510$6401a8c0@GRANT>
List: freebsd-questions@freebsd.org (User questions)

Good morning all,

Apologies for sending to both lists, I am hoping to root out the IPFW gurus! Hope everyone had a Merry Christmas....

I have recently activated ipfw on 5 of my production servers. All servers are Apache, Exim or Sendmail, MySQL, vm-pop3d, ProFTPD enabled. All servers have multiple domains and UNIX users, though, by default, we do not supply shell accounts.

Here is the ruleset I currently use on all the servers. I would like nothing more than to tighten them up a bit, if possible, considering the environment they are used in (Internet). Please feel free to browse and send me any comments, critiques you may have on the ruleset below.
00010 allow ip from any to any via lo0
00020 allow ip from any to any via fxp1   # LAN access ... is behind a managed switch, VLAN setup.
00030 check-state
00040 allow tcp from N.N.N.N to me 22 keep-state setup   # Allow me in via ssh ... I hope!
00050 allow ip from any to 192.168.0.6   # An NFS mount
00060 allow ip from 192.168.0.6 to any
00070 allow icmp from any to any icmptype 0,3,4,8,11,12
00100 allow ip from any to any keep-state out
00110 allow tcp from any to any 20,21 keep-state setup
00120 allow tcp from any to any 25,110 keep-state setup
00130 allow tcp from any to any 53 keep-state setup
00140 allow udp from any to any 53 keep-state
00150 allow tcp from any to any 80,110,443 keep-state setup
00160 allow tcp from any to any 10000,20000 keep-state setup   # Webmin and Usermin.
00170 allow tcp from any to any 1024-65534 in setup   # ftp ports. Seems to negate a lot of the firewall ???
65534 deny log ip from any to any
65535 deny ip from any to any

Of special concern to me is line 170 ... added to allow ftp. Any ideas here?

-Grant
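A tightened rc.firewall-style version of the ruleset above, added here as an example and not part of Grant's message. Rule 170 as posted accepts a new inbound TCP connection to every unprivileged port on the host, so anything listening above 1023 (MySQL on 3306, Webmin, any stray daemon) is reachable from the Internet regardless of the rest of the list. The usual fix is to pin ProFTPD's passive data ports to a small range with a `PassivePorts <low> <high>` directive in proftpd.conf and open only that range inbound; the range 49152-65534, the interface name, the admin host and the NFS host below are placeholders taken from the posted rules or assumed, and the script runs in dry-run mode (printing the commands) unless IPFW is pointed at the real binary. The service rules are also narrowed from `to any` to `to me`, and Webmin/Usermin is limited to the admin host, since rule 100 already covers connections the box itself opens.

```shell
#!/bin/sh
# Added example, not the original poster's script. Dry-run by default: every
# rule is printed instead of applied. To load it for real:
#     IPFW=/sbin/ipfw sh tighten-ipfw.sh
# Keep PASV_LO/PASV_HI in sync with "PassivePorts 49152 65534" in proftpd.conf
# (assumed range; any range works as long as both sides agree).

IPFW="${IPFW:-echo ipfw}"          # "echo ipfw" = dry run, prints the commands
LAN_IF="${LAN_IF:-fxp1}"           # LAN interface behind the managed switch
ADMIN_HOST="${ADMIN_HOST:-N.N.N.N}" # placeholder: the host allowed to ssh in
NFS_HOST="${NFS_HOST:-192.168.0.6}" # the NFS server from the posted rules
PASV_LO="${PASV_LO:-49152}"        # assumed ProFTPD passive range, low end
PASV_HI="${PASV_HI:-65534}"        # assumed ProFTPD passive range, high end

# Emit the complete ruleset through $IPFW, one "add" per rule.
# Numbering follows the posted ruleset so the two can be compared side by side.
fw_rules() {
    $IPFW -f flush
    $IPFW add 10    allow ip from any to any via lo0
    $IPFW add 20    allow ip from any to any via "$LAN_IF"
    $IPFW add 30    check-state
    # Management access only from the admin host.
    $IPFW add 40    allow tcp from "$ADMIN_HOST" to me 22 keep-state setup
    $IPFW add 50    allow ip from any to "$NFS_HOST"
    $IPFW add 60    allow ip from "$NFS_HOST" to any
    $IPFW add 70    allow icmp from any to any icmptype 0,3,4,8,11,12
    # Anything the server itself initiates is tracked and its replies let back in.
    $IPFW add 100   allow ip from any to any keep-state out
    # Public services: "to me" instead of "to any", so these rules only ever
    # admit connections addressed to this host.
    $IPFW add 110   allow tcp from any to me 20,21 keep-state setup
    $IPFW add 120   allow tcp from any to me 25,110 keep-state setup
    $IPFW add 130   allow tcp from any to me 53 keep-state setup
    $IPFW add 140   allow udp from any to me 53 keep-state
    $IPFW add 150   allow tcp from any to me 80,110,443 keep-state setup
    # Webmin and Usermin: admin host only, not the whole Internet.
    $IPFW add 160   allow tcp from "$ADMIN_HOST" to me 10000,20000 keep-state setup
    # Passive FTP data connections. Replaces the posted
    #   allow tcp from any to any 1024-65534 in setup
    # with just the range ProFTPD has been told to use.
    $IPFW add 170   allow tcp from any to me "$PASV_LO-$PASV_HI" in keep-state setup
    # Everything else is logged and dropped before the default rule.
    $IPFW add 65534 deny log ip from any to any
}

fw_rules
```

Running it without IPFW set prints the sixteen `ipfw add` commands it would issue, which is a convenient way to diff the proposed list against what `ipfw list` shows on the live box before committing to it.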