From owner-freebsd-questions Thu May 16 15:11:16 2002
Message-ID: <3CE42E6F.A4436739@cs.umu.se>
Date: Fri, 17 May 2002 00:10:55 +0200
From: Paul Everlund
To: Patrick Thomas
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: quick ipfw ruleset advice needed...
References: <20020516144842.B79837-100000@utility.clubscholarship.com>

Patrick Thomas wrote:
>
> I have a single machine behind my firewall. On that machine I would like
> to do this:
>
> 1. allow incoming sshd connections
> 2. allow incoming identd requests
> 3. block ALL other requests coming into my server
> 4. be able to use any client programs from my server going outwards
>    (bitchx, ftp, ssh, lynx, mud client, etc)
>
> so I came up with this:
>
> 00100 allow tcp from any to [my IP] 22    # incoming sshd
> 00101 allow tcp from any to [my IP] 113   # incoming identd
> 00102 allow udp from any to [my IP] 113   # incoming identd
> 00103 deny all from any to [my IP]
>
> This sort of works. I can ssh _to_ my machine and log in, and I can get
> identd to respond, but:
>
> - I cannot ssh from that machine to other places
> - I cannot use things like lynx and bitchx

It seems you only allow packets into your computer, but not out.

Try to use something like:

- Allow you to set up connections.

    allow tcp from [your IP] to any out via ed0 setup

- Allow established connections back in.

    allow tcp from any to [your IP] in via ed0 established

(Replace ed0 with your own network device.)

Put those lines before the deny all line.

By the way, how do you manage DNS lookups with that ruleset of yours, or was it only an example?

Also, you should take a closer look at stateful rules! They seem to be quite neat.

Good luck!

Best regards,
Paul
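To make the first-match behaviour behind this exchange concrete, here is an added example (not code from Paul, from Patrick, or from FreeBSD's ipfw): a small Python evaluator for the subset of ipfw rule syntax used in the thread. It runs Patrick's ruleset, the same ruleset with Paul's setup/established pair placed in front of the deny, and a stateful check-state/keep-state variant of the kind Paul recommends, each against four constructed exchanges: an inbound ssh connection, an outbound one, a UDP DNS lookup, and an unsolicited packet with only ACK set. The host address, the remote addresses, the interface name ed0 and the default action applied after Patrick's rule 00103 (the thread does not show it, so "allow" is assumed) are assumptions. Two simplifications: real ipfw treats RST as well as ACK as "established", and a keep-state rule performs an implicit check-state; here only ACK is tested and check-state is explicit.

```python
"""Toy first-match evaluator for a subset of ipfw(8) rule syntax: allow, deny,
check-state, tcp/udp/all, host-or-any addresses, single ports, in, out, via,
setup, established, keep-state.  Added example, not either poster's code."""
from collections import namedtuple

MY_IP, REMOTE, DNS = "192.0.2.10", "198.51.100.7", "203.0.113.53"   # constructed
Packet = namedtuple("Packet", "proto src sport dst dport direction syn ack iface",
                    defaults=(False, False, "ed0"))   # direction is "in" or "out"

def parse_rule(text):
    """Parse e.g. 'allow tcp from any to 192.0.2.10 22 in via ed0 setup'."""
    t = text.split()
    if t[0] == "check-state":
        return {"action": "check-state", "opts": set()}
    rule = {"action": t[0], "proto": t[1], "opts": set()}
    rest = t[t.index("from") + 1:]          # src [sport] to dst [dport] options
    rule["src"] = rest.pop(0)
    if rest[0] != "to":
        rule["sport"] = int(rest.pop(0))
    rest.pop(0)                             # the "to" keyword
    rule["dst"] = rest.pop(0)
    if rest and rest[0].isdigit():
        rule["dport"] = int(rest.pop(0))
    while rest:
        tok = rest.pop(0)
        if tok == "via":
            rule["via"] = rest.pop(0)
        else:
            rule["opts"].add(tok)
    return rule

def matches(rule, pkt):
    """Stateless match; 'established' only tests a flag bit, so any unsolicited
    packet with ACK set satisfies it (real ipfw also accepts RST)."""
    o = rule["opts"]
    return (rule["proto"] in ("all", "ip", pkt.proto)
            and rule["src"] in ("any", pkt.src)
            and rule["dst"] in ("any", pkt.dst)
            and rule.get("sport", pkt.sport) == pkt.sport
            and rule.get("dport", pkt.dport) == pkt.dport
            and rule.get("via", pkt.iface) == pkt.iface
            and ("in" not in o or pkt.direction == "in")
            and ("out" not in o or pkt.direction == "out")
            and ("setup" not in o or (pkt.syn and not pkt.ack))
            and ("established" not in o or pkt.ack))

def flow_key(pkt):   # direction-independent, so a reply finds its request's entry
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, *ends[0], *ends[1])

def evaluate(rules, pkt, state, default="deny"):
    """First match wins; keep-state records the flow, check-state consults it."""
    for r in rules:
        if r["action"] == "check-state":
            if flow_key(pkt) in state:
                return "allow"
            continue
        if matches(r, pkt):
            if "keep-state" in r["opts"]:
                state.add(flow_key(pkt))
            return r["action"]
    return default   # rule 65535: deny unless the kernel was built to accept

# Patrick's rules as posted; what followed rule 00103 is not shown in the
# thread, so run() is handed default="allow" for this set (an assumption).
ORIGINAL = f"""
allow tcp from any to {MY_IP} 22
allow tcp from any to {MY_IP} 113
allow udp from any to {MY_IP} 113
deny all from any to {MY_IP}
"""
# Paul's two rules placed in front of the deny, as the reply suggests.
WITH_ESTABLISHED = f"""
allow tcp from {MY_IP} to any out via ed0 setup
allow tcp from any to {MY_IP} in via ed0 established
""" + ORIGINAL
# A stateful variant of the kind Paul points at, plus a rule for the DNS question.
STATEFUL = f"""
check-state
allow tcp from any to {MY_IP} 22 in via ed0 setup keep-state
allow tcp from any to {MY_IP} 113 in via ed0 setup keep-state
allow tcp from {MY_IP} to any out via ed0 setup keep-state
allow udp from {MY_IP} to any 53 out via ed0 keep-state
deny all from any to any
"""
SCENARIOS = {   # constructed traffic; each list is one exchange, in order
    "ssh in":    [Packet("tcp", REMOTE, 51000, MY_IP, 22, "in", syn=True)],
    "ssh out":   [Packet("tcp", MY_IP, 40000, REMOTE, 22, "out", syn=True),
                  Packet("tcp", REMOTE, 22, MY_IP, 40000, "in", syn=True, ack=True)],
    "dns":       [Packet("udp", MY_IP, 50000, DNS, 53, "out"),
                  Packet("udp", DNS, 53, MY_IP, 50000, "in")],
    "ack probe": [Packet("tcp", REMOTE, 4444, MY_IP, 6667, "in", ack=True)],
}

def run(ruleset, default="deny"):
    """Return {scenario: [verdict per packet]}, with fresh state per scenario."""
    rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
    out = {}
    for name, pkts in SCENARIOS.items():
        state = set()
        out[name] = [evaluate(rules, p, state, default) for p in pkts]
    return out
```

Calling run(ORIGINAL, "allow"), run(WITH_ESTABLISHED, "allow") and run(STATEFUL) gives the three verdict tables that matter. With the original rules the outbound SYN leaves, but the SYN/ACK coming back to the ephemeral port is caught by the deny, which is exactly the symptom Patrick reports. With the setup/established pair outbound TCP works, but the UDP DNS reply is still dropped (Paul's question), and an unsolicited packet with ACK set is admitted to any port, because established is a flag test rather than a state lookup; that is the practical reason to prefer the stateful form, which passes both replies and drops the probe.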