From: Philip Payne
To: freebsd-questions@freebsd.org
Date: Thu, 23 Oct 2003 10:54:07 +0100
Subject: RE: Firewall rules
Message-ID: <36D04A8168B2D41182250008C7E6F87805671C14@ukcamexch2.cbg.uk.corp.eu.uu.net>

Hi,

I've found fwbuilder (/usr/ports/fwbuilder) to be very useful. Nice GUI for writing your firewall policy. Some simple "Druids" :-/ for generating generic rulesets.
Formerly, I've always configured the firewall from the command line, but this certainly helps in managing your policy. I admit, I'm an IPFW person myself, but fwbuilder theoretically supports ipfilter on FreeBSD as well (I haven't used it).

One quirk: when using fwbuilder with IPFW, the divert to natd isn't supported, so I'm installing the rules with a little script that inserts the natd rule appropriately.

---
#!/bin/sh
.fw                                             # Installs the rules generated by fwbuilder (script name truncated in the archived message)
ipfw delete 1                                   # delete the check-state rule at 00001
ipfw add 1 divert natd ip from any to any via   # add new divert rule at 1 (interface name lost in the archived message)
ipfw add 2 check-state                          # re-add the check-state at 2
---

Phil.

> -----Original Message-----
> From: Petre Bandac [mailto:petre@kgb.ro]
> Sent: 23 October 2003 09:13
> To: fbsd_user@a1poweruser.com; Mihail; freebsd-questions@freebsd.org
> Subject: Re: Firewall rules
>
>
> www.kgb.ro/Ipfw-HOWTO
>
> HTH,
>
> petre
>
> On Wednesday 22 October 2003 18:05 Anno Domini, fbsd_user wrote using one of
> his keyboards:
> > The FBSD handbook gives the idea that IPFW is the only firewall.
> > FBSD also comes with ipfilter which is much easier to use and
> > set up. Google the questions archives for loads of info about
> > configuring ipfilter. You will be glad you did.
> >
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Mihail
> > Sent: Wednesday, October 22, 2003 9:29 AM
> > To: freebsd-questions@freebsd.org
> > Subject: Firewall rules
> >
> > Hello,
> >
> > I'm trying to set up a firewall with ipfw by using the client
> > firewall type given in rc.firewall as an example. My problem
> > is that the client rules don't allow me to do common
> > web-browsing. What should I add to the script to
> > resolve this without seriously compromising security?
> >
> > cheers,
> > Mihail
> >
> >
> > -----------------------------------------
> > Hot Mobile - ringtones, logos and picture messages!
> > http://portal.hot.ee
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
>
> --
> Login: petre                            Name: Petre Bandac
> Directory: /home/petre                  Shell: /usr/local/bin/zsh
> On since Sat Oct 18 00:13 (EEST) on ttyv0, idle 5 days 1:47 (messages off)
> On since Thu Oct 16 16:27 (EEST) on ttyv1, idle 5 days 10:35 (messages off)
> Last login Mon Oct 20 21:52 (EEST) on ttyp6 from lubyanka.kgb.ro
> No Mail.
> No Plan.
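The rule-ordering fix-up Phil describes, written out as an added example (this is not Phil's script, not fwbuilder output, and not part of the original thread). It assumes the fwbuilder-generated policy script and the external interface name are passed in as arguments, and that "ipfw" is the real binary; the fixup_rules function only emits the commands so the ordering can be checked without touching a live firewall, and divert_before_checkstate verifies from "ipfw list" output that the natd divert rule really is numbered below check-state, which is the whole point of the workaround.

```shell
#!/bin/sh
# Added example, not the project's or Phil's own code.
# Wraps an fwbuilder-generated ipfw policy and inserts the natd divert
# rule ahead of the check-state rule, mirroring the ordering in the
# message above.

# Emit the three fix-up commands, one per line, without running them.
# $1 = external interface carrying NAT traffic (e.g. fxp0; a constructed name).
fixup_rules() {
    iface=$1
    printf '%s\n' "delete 1"
    printf '%s\n' "add 1 divert natd ip from any to any via $iface"
    printf '%s\n' "add 2 check-state"
}

# Read an "ipfw list" style listing on stdin and return 0 only when a
# divert rule exists and is numbered lower than check-state, i.e. packets
# are translated before the dynamic-rule lookup runs. Returns 1 otherwise.
divert_before_checkstate() {
    awk '
        $2 == "divert"      { divert = $1 + 0; seen_d = 1 }
        $2 == "check-state" { cs = $1 + 0;     seen_c = 1 }
        END { exit !(seen_d && seen_c && divert < cs) }
    '
}

# Load the generated policy, apply the fix-up, then verify the ordering.
# $1 = path to the fwbuilder-generated script, $2 = external interface.
install_policy() {
    policy=$1; iface=$2
    sh "$policy"                      # fwbuilder's ruleset; its check-state lands at rule 1
    fixup_rules "$iface" | while IFS= read -r rule; do
        # shellcheck disable=SC2086   # word-splitting of $rule is intended here
        ipfw $rule
    done
    ipfw list | divert_before_checkstate || {
        echo "divert rule is not ahead of check-state; NAT will bypass stateful rules" >&2
        return 1
    }
}

# Only touch the live firewall when explicitly asked to.
if [ "${1-}" = "install" ]; then
    install_policy "$2" "$3"
fi
```

Usage on the host would be `sh install-fw.sh install /path/to/host.fw fxp0` (path and interface are placeholders); the post-install check is what catches the case where the generated script is regenerated and renumbers its rules so the divert no longer comes first.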