From: Steve Bertrand
Date: Fri, 05 Dec 2008 09:12:47 -0500
To: gwg7webbcom@yahoo.com
Cc: Freebsd Questions
Subject: Re: IPFW Firewall Question
Message-ID: <493936DF.80300@ibctech.ca>
In-Reply-To: <916515.67967.qm@web52202.mail.re2.yahoo.com>

G magicman wrote:
> 1. I need help to reconfigure my firewall on the server using BSD's ipfw

What part do you need to reconfigure?

> 2. short of a reboot how do you start stop and restart the firewall

Very, very carefully.

Until I gained some extensive experience with IPFW, I would wrap the firewall restart within a sleep/undo of some sort. That said, now I use table(s) and set(s), so I can update rules without having to restart the firewall entirely. Below is an example that also will guide you in answering your next two questions.
The man page and Google will explain how to use tables and sets. To answer your question however, depending on where your firewall script is, simply execute it at the command line, like this:

# /etc/ipfw.rules &

> Here is what i want :
>
> 1. i want all ports open to the ipaddresses in line 4 "clearaddresses"
> 2. I want to be able to control access to port 25 sendmail to be able to deny
> whole "A" "B" and "C" addresses

#!/bin/sh

flush="/sbin/ipfw -q flush"
cmd="/sbin/ipfw add"
table="/sbin/ipfw table"

# remove every rule (table entries are not touched by a rule flush)
$flush

# Tables

# Client/infrastructure IPs for allowing access
$table 1 add 208.70.104.0/21
$table 1 add 64.39.160.0/19
$table 1 add 67.158.64.0/20
#...etc

# SMTP ALLOWED OUTBOUND TABLE
$table 2 add 208.70.104.202/32
$table 2 add 208.70.104.203/32
$table 2 add 208.70.104.205/32
#...etc

# Block all inbound and outbound traffic for certain sites
# ...review periodically to see if they are still valid
$table 3 add 91.203.4.146/32 # phishing

# set 3 = specific deny/allow by ids
# set 4 = SSH access
# set 29 = for counting/testing traffic patterns
# set 30 = forwarding

# SET 3

# SQL
$cmd 20000 set 3 deny all from any to any 1433,1434

# NetBIOS
$cmd 20100 set 3 allow tcp from 208.70.104.0/24 to 208.70.104.0/24 135,139,445,593 keep-state
$cmd 20105 set 3 allow udp from 208.70.104.0/24 to 208.70.104.0/24 135,139,445,593
$cmd 20110 set 3 deny all from any to any 135,139,445,593

# SET 4
$cmd 40000 set 4 allow tcp from "table(1)" to any 22 keep-state
$cmd 40005 set 4 deny tcp from any to any 22

# SET 29
#$cmd 59000 set 29 count log logamount 100 tcp from any to any

# SET 30
$cmd 60000 set 30 fwd 208.70.104.3,53 all from any to 209.167.16.10 53
$cmd 60005 set 30 fwd 208.70.106.59,53 all from any to 209.167.16.30 53

# blocked sites, both directions (default set 0)
$cmd 64998 deny all from "table(3)" to any
$cmd 64999 deny all from any to "table(3)"

### end dummy ruleset

...if you want specific rule examples, just let me know. The above does pretty much what you want it to do.
I've purposely left it up to you to do some further research. Tweaking a non-forgiving firewall remotely is not something you want to learn the hard way.

The benefit of tables is that you can have one rule, but manually add/remove specific addresses or prefixes on the fly without having to reload the rule. With sets, you can disable an entire block of rules, modify it, and reload it without restarting IPFW and therefore destroying your existing established rules.

Steve