Date: Wed, 5 Mar 2003 13:48:45 -0600
From: "Brian Henning" <b1henning@hotmail.com>
To: "freebsd" <freebsd-questions@FreeBSD.ORG>
Subject: Re: firewall revisited
Message-ID: <OE40IkLeoOWGMhLPBLY0001f008@hotmail.com>
References: <OE14i67EKRuYDlrjbud000010a0@hotmail.com> <200303051114.25796.jeff@walters.name>
> > how can i have the script /etc/ipfw.rules run instead of /etc/rc.firewall.
> > can i change
> > firewall_type="OPEN" to firewall_type="" and create the entry
> > firewall_script="/etc/ipfw.rules"?
>
> I have that working right now with:
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall.local"
>
> ... where /etc/rc.firewall.local contains the customized ipfw commands.
>
> > what i would like to do is block all access to services on the router like
> > httpd, sshd, etc
> > the other thing i would like to do is port forward ssh from another machine
> > and allow access of that from an external network.
> > does something like this make sense?
> > thanks,
>
> If you are using NAT then the -redirect_port option to natd will do that (ie.
> forward incoming port 22 connections to an internal machine), which can be
> set in /etc/rc.conf in the natd_flags="-redirect_port ..." variable. You
> have to create a corresponding ipfw rule to allow the traffic after natd
> rewrites the destination IP to your internal LAN machine, which it looks like
> you have done below, except the "from" would be "any" not "ROUTER_IP". It
> will be the IP of the outside machine trying to connect to port 22.
>
> I have a similar port forward set up. Early in the firewall rules allow all
> established TCP connections, and then later allow the setup for the initial
> SSH connection. 10.0.1.2 would be a machine behind the firewall to receive
> SSH connections, and ed0 would be the external internet interface.
>
> in /etc/rc.conf:
> natd_flags="-redirect_port tcp 10.0.1.2:ssh ssh"
>
> in the firewall script:
> ipfw -q flush
> ipfw add 00050 divert natd ip from any to any via ed0
> ipfw add 00100 allow tcp from any to any via ed0 established
> <more rules here>
> ipfw add 01000 allow tcp from any to 10.0.1.2 ssh setup
> <more rules here>
> ipfw add 65530 deny log ip from any to any
>
> I winged this so forgive any errors, but it's based on what I have working,
> including a rule to deny and log everything by default at the bottom.
> [snip]

Jeff, you must have your firewall_type set to the default then in rc.conf or
/etc/defaults/rc.conf. does your setup not run the standard rc.firewall file
in /etc?

does this rule allow any access to the outside network?

ipfw add 00100 allow tcp from any to any via ed0 established

thanks,
brian
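Added example, not code from either poster: a complete firewall_script in the shape Jeff sketches, written so the rule list can be previewed and checked without root. ed0, 10.0.1.2 and the rc.conf variables firewall_enable, firewall_script and natd_flags come from the thread; the LAN interface fxp0, the LAN network 10.0.1.0/24, the DNS rules and the rule numbers other than 50, 100, 1000 and 65530 are this example's assumptions. It illustrates three points the thread raises: `established` matches only TCP packets with ACK or RST set, so rule 100 carries packets of connections that an earlier `setup` rule already admitted and never opens a new one; natd rewrites the destination at rule 50, so a deny aimed at the router's own sshd/httpd (`me`) and the allow for the forwarded SSH to 10.0.1.2 do not collide; and the default deny at 65530 logs everything else.

```shell
#!/bin/sh
# Added example (not the thread's code): an ipfw/natd firewall_script.
# Matching /etc/rc.conf lines (ed0, 10.0.1.2 and the three firewall/natd
# variables are the thread's; gateway_enable, natd_enable, natd_interface
# are standard rc.conf knobs added here):
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_script="/etc/rc.firewall.local"
#   natd_enable="YES"
#   natd_interface="ed0"
#   natd_flags="-redirect_port tcp 10.0.1.2:ssh ssh"

EXT_IF="${EXT_IF:-ed0}"              # external (internet) interface, from the thread
LAN_IF="${LAN_IF:-fxp0}"             # assumed internal interface
LAN_NET="${LAN_NET:-10.0.1.0/24}"    # assumed internal network
SSH_HOST="${SSH_HOST:-10.0.1.2}"     # internal host receiving forwarded SSH, from the thread

# fw_rules prints one ipfw argument list per line, in the order they load.
# Keeping the rules in a function lets them be previewed and tested.
fw_rules() {
    echo "flush"
    # Every packet crossing ed0 is handed to natd first, so the rules below
    # see the rewritten destination (inbound forwards) or source (outbound).
    echo "add 00050 divert natd ip from any to any via $EXT_IF"
    # 'established' matches only packets with ACK or RST set: traffic of a
    # connection already admitted by a 'setup' rule, never a bare SYN.
    echo "add 00100 allow tcp from any to any via $EXT_IF established"
    echo "add 00200 allow ip from any to any via lo0"
    # The LAN may talk to the router and through it.
    echo "add 00300 allow ip from $LAN_NET to any in via $LAN_IF"
    echo "add 00400 allow ip from any to $LAN_NET out via $LAN_IF"
    # New connections from the internet to services on the router itself
    # (sshd, httpd) are refused and logged. This does not affect the SSH
    # forward: by now natd has rewritten that destination to 10.0.1.2.
    echo "add 00500 deny log tcp from any to me 22,80 setup in via $EXT_IF"
    # The forwarded SSH connection. Source is 'any' (the outside client),
    # not the router's address, as Jeff points out.
    echo "add 01000 allow tcp from any to $SSH_HOST 22 setup in via $EXT_IF"
    # Outbound connections from behind the router; the source was already
    # rewritten to the router's address by rule 50.
    echo "add 02000 allow tcp from any to any setup out via $EXT_IF"
    echo "add 02100 allow udp from any to any 53 out via $EXT_IF"
    echo "add 02200 allow udp from any 53 to any in via $EXT_IF"
    # Default deny, logged, so anything unmatched shows up in the security log.
    echo "add 65530 deny log ip from any to any"
}

# apply_rules feeds each line to the given command: "ipfw -q" for real,
# "echo" to preview the exact arguments ipfw would receive.
apply_rules() {
    cmd="$1"
    fw_rules | while IFS= read -r rule; do
        # word-splitting of $rule is intended: each word is one ipfw argument
        $cmd $rule
    done
}

# rule_count: number of 'add' rules that would be loaded.
rule_count() {
    fw_rules | grep -c '^add '
}

# Run as "sh rc.firewall.local apply" to load; anything else only previews.
if [ "${1:-preview}" = "apply" ]; then
    apply_rules "ipfw -q"
else
    apply_rules echo
fi
```

To check the set before loading it, run the script without arguments and read the printed rules top to bottom in the order ipfw will evaluate them; only then run it with `apply`.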