From: G magicman
Reply-To: gwg7webbcom@yahoo.com
To: Freebsd Questions <freebsd-questions@freebsd.org>
Date: Thu, 4 Dec 2008 16:26:04 -0800 (PST)
Subject: IPFW Firewall Question
Message-ID: <916515.67967.qm@web52202.mail.re2.yahoo.com>

1. I need help to
reconfigure my firewall on the server using BSD's ipfw. Here is part of the configuration file so far that the co-lo people put in.

2. Short of a reboot, how do you start, stop and restart the firewall?

    #!/usr/local/bin/bash
    # Every rule is added with "ipfw -q add <number> ..."
    export IPF="ipfw -q add"

    # Ports to open in both directions, for any protocol
    ports="11 21 22 23 25 37 42 43 53 63 69 70 80 101 109 110 115 119 123 143 443 4321 50001"

    # Netblocks allowed through on every port
    clearaddresses="209.131.0.0/16 66.65.0.0/16 71.173.96.0/19 71.173.128.0/17 blah blah"

    # First rule number used by the generated rules below
    count=60

    # Drop the current rule set without prompting, then rebuild it
    ipfw -q -f flush
    $IPF 10 allow all from any to any via lo0
    $IPF 20 deny all from any to 127.0.0.0/8
    $IPF 30 deny all from 127.0.0.0/8 to any
    $IPF 40 deny tcp from any to any frag
    $IPF 50 allow icmp from any to any

    # One allow pair per trusted netblock: inbound and outbound
    for a in $clearaddresses; do
        $IPF $count allow ip from $a to any
        $IPF $((count+1)) allow ip from any to $a
        count=$((count+10))
    done

    # One allow quartet per port: to/from the port, in and out (stateless)
    for p in $ports; do
        $IPF $count allow ip from any to any $p in
        $IPF $((count+1)) allow ip from any to any $p out
        $IPF $((count+2)) allow ip from any $p to any in
        $IPF $((count+3)) allow ip from any $p to any out
        count=$((count+10))
    done

    # Everything else is dropped and logged
    $IPF 5000 deny log all from any to any
    echo Firewall created

Here is what I want:

1. I want all ports open to the IP addresses in line 4, "clearaddresses".
2. I want to be able to control access to port 25 (sendmail), to be able to deny whole "A", "B" and "C" addresses.

Why? Because of the following:

1. hosts.access on FreeBSD works on the application layer instead of the network layer. Therefore hosts.allow/hosts.deny no longer works the way I want, and I do not feel like running sendmail and sshd out of inetd, which apparently is the only way to be able to use hosts.allow/deny.
2.
Next, OpenSSH does not have an AllowHosts directive like the Finnish one does; it only has an AllowUsers directive, so I need to protect the system from DDoS attacks and hacking. I already tried to block things using the sendmail access file, but all that did was choke up the server with moronic shit. And I want to be able to use my sftp program, but it opens random ports which cannot be controlled, so I need the clearaddresses to be able to see all ports.
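An added example, not the poster's script and not FreeBSD's own /etc/rc.firewall, that restructures the rule set around ipfw tables so it does the two things asked for: every port open to the trusted netblocks, and tcp/25 refused from chosen netblocks, with that deny evaluated before the general SMTP allow. Using tables means the address lists can be edited without renumbering rules. The trusted prefixes are the first three from the post; the SMTP deny prefixes (RFC 5737 documentation ranges), the table numbers, the rule numbers and the service port lists are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the original poster's script, not FreeBSD's rc.firewall):
# generate an ipfw rule set that (1) opens every port to trusted netblocks and
# (2) refuses tcp/25 from chosen netblocks, using ipfw tables so the address
# lists can change without renumbering rules.
#
# Assumed/constructed values: SMTP_DENY uses RFC 5737 documentation prefixes,
# table numbers, rule numbers and service ports are choices for this example.

TRUSTED_TABLE=1        # table of fully trusted "clearaddresses"
SMTP_DENY_TABLE=2      # table of netblocks refused on tcp/25
TRUSTED="209.131.0.0/16 66.65.0.0/16 71.173.96.0/19"   # first three from the post
SMTP_DENY="192.0.2.0/24 198.51.100.0/24"                 # constructed example prefixes
TCP_SERVICES="22,25,53,80,443"                           # assumed public TCP services
UDP_SERVICES="53,123"                                    # assumed public UDP services

# Emit the rule set, one ipfw command per line, in the form "ipfw -q -f <file>"
# loads (the same form /etc/rc.firewall uses when firewall_type names a file).
gen_rules() {
    printf 'flush\n'
    printf 'table %s flush\n' "$TRUSTED_TABLE"
    printf 'table %s flush\n' "$SMTP_DENY_TABLE"
    for a in $TRUSTED;   do printf 'table %s add %s\n' "$TRUSTED_TABLE" "$a"; done
    for a in $SMTP_DENY; do printf 'table %s add %s\n' "$SMTP_DENY_TABLE" "$a"; done

    printf 'add 10 allow ip from any to any via lo0\n'
    printf 'add 20 deny ip from any to 127.0.0.0/8\n'
    printf 'add 30 deny ip from 127.0.0.0/8 to any\n'
    printf 'add 40 deny tcp from any to any frag\n'
    # Packets belonging to a flow already tracked by keep-state pass here.
    printf 'add 50 check-state\n'
    # Want 1: trusted netblocks reach every port; replies ride the dynamic rule.
    printf 'add 100 allow ip from table(%s) to me keep-state\n' "$TRUSTED_TABLE"
    # Want 2: refuse SMTP from listed netblocks; must sit before the SMTP allow.
    printf 'add 200 deny log tcp from table(%s) to me 25\n' "$SMTP_DENY_TABLE"
    # Public services: new TCP connections only via SYN (setup), tracked statefully.
    printf 'add 300 allow tcp from any to me %s setup keep-state\n' "$TCP_SERVICES"
    printf 'add 310 allow udp from any to me %s keep-state\n' "$UDP_SERVICES"
    printf 'add 320 allow icmp from any to any\n'
    # Connections the server itself starts (DNS lookups, outbound mail, updates).
    printf 'add 400 allow ip from me to any keep-state\n'
    # Everything else: drop and log (logging needs sysctl net.inet.ip.fw.verbose=1).
    printf 'add 65000 deny log ip from any to any\n'
}

# Load the generated set: ipfw reads the whole file in one process, so the
# flush-to-reload gap is short, but the lockout risk noted below still applies.
apply_rules() {
    f=$(mktemp "${TMPDIR:-/tmp}/ipfw.XXXXXX") || exit 1
    gen_rules > "$f"
    ipfw -q -f "$f"
    rm -f "$f"
    echo "ipfw rules loaded"
}

case "${1:-show}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

On starting, stopping and restarting without a reboot: save the output of `sh ipfw-rules.sh show` to a file, put `firewall_enable="YES"` and `firewall_type="/path/to/that/file"` in /etc/rc.conf (when firewall_type names a file, /etc/rc.firewall loads it with ipfw), and reload with `/etc/rc.d/ipfw restart`, or run `sh ipfw-rules.sh apply` directly. Two caveats: `/etc/rc.d/ipfw stop` disables the firewall (sysctl net.inet.ip.fw.enable=0) rather than leaving a deny-all in place, so prefer `restart` over `stop` followed by `start`; and any reload that flushes first can lock you out over ssh if the new rules fail to load, so test from the console or schedule a fallback that reloads a known-good file, e.g. `echo 'ipfw -q -f /etc/ipfw.rules.good' | at now + 5 minutes`, and cancel it once the new set is confirmed working.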