From owner-freebsd-questions Fri Dec 28 16:47:25 2001
From: "Doug Reynolds"
To: "freebsd-questions"
Date: Fri, 28 Dec 2001 19:48:37 -0500
Subject: ipfw rules
Message-Id: <20011229004721.73ED237B41F@hub.freebsd.org>

can someone pick this apart and see if it is ok?? i want to run: httpd sshd ftpd smtp telnet & pop3

i picked this up off google someplace and changed it a bit

#!/bin/sh
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all data from my network card and localhost. Make sure you
# change your network card (mine was xl0) before you reboot. :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via xl0

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit tun0 setup

# Once connections are made, allow them to stay open. Note that
# 'established' is stateless: it matches any TCP packet with ACK or RST
# set, whether or not a connection exists (see keep-state in ipfw(8)).
$fwcmd add allow tcp from any to any via tun0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine: httpd, ssh, ftp, smtp, pop3 and telnet.
# All of these are TCP services; 'setup' is a TCP-only option, so the
# 'udp ... setup' rules that used to sit next to these have been removed.
$fwcmd add allow tcp from any to any 80 setup   # httpd
$fwcmd add allow tcp from any to any 22 setup   # ssh
$fwcmd add allow tcp from any to any 21 setup   # ftp
# ftp-data: active-mode data connections are opened outbound from port 20
# and are already covered by the 'out xmit tun0 setup' rule above.
$fwcmd add allow tcp from any to any 20 setup   # ftp-data
$fwcmd add allow tcp from any to any 25 setup   # smtp
$fwcmd add allow tcp from any to any 465 setup  # ssl smtp
$fwcmd add allow tcp from any to any 110 setup  # pop3
$fwcmd add allow tcp from any to any 23 setup   # telnet

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv tun0

# Allow outgoing DNS queries. As written this allows them to any
# server; replace the second 'any' with your resolvers' addresses to
# restrict it.
$fwcmd add allow udp from any to any 53 out xmit tun0
# Allow them back in with the answers... :)
$fwcmd add allow udp from any 53 to any in recv tun0

# Allow ICMP (for ping and traceroute to work). You may wish to
# disallow this, but I feel it suits my needs to keep them in.
# Numbered just below the final deny so the order is explicit.
$fwcmd add 65434 allow icmp from any to any

# Deny all the rest.
$fwcmd add 65435 deny log ip from any to any

---
doug reynolds | the maverick | mav@wastegate.net
PGP Public Key Fingerprint: 6E7B 9993 B503 6D45 E33A 2019 26E5 C1DB
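The same policy rebuilt as a stateful ruleset, as an added example that is not part of Doug's post: check-state replaces the stateless 'established' rule, the UDP rules for TCP services are gone, and the skipto layout keeps natd and dynamic rules cooperating. It assumes tun0 is the NAT'd outside interface, xl0 the LAN, and an ipfw with keep-state (FreeBSD 4.x or later); ext_if, int_if, fwcmd, ipfw_rules and apply_rules are names chosen here.

```sh
#!/bin/sh
# Added example, not Doug's script: the same policy as a stateful ipfw
# ruleset laid out check-state/keep-state/skipto style so that natd and
# dynamic rules cooperate. Assumes tun0 is the NAT'd outside interface,
# xl0 the LAN, and ipfw with keep-state (FreeBSD 4.x or later). With no
# FWCMD set the rules are only printed; FWCMD=/sbin/ipfw loads them.
fwcmd="${FWCMD:-echo ipfw}"
ext_if=tun0
int_if=xl0
# Emit the ruleset, one rule per line, without touching the kernel.
ipfw_rules() {
    echo "add 100 allow ip from any to any via lo0"
    echo "add 110 deny ip from any to 127.0.0.0/8"
    # Un-NAT inbound packets before any rule looks at their addresses.
    echo "add 200 divert natd ip from any to any in via $ext_if"
    # Packets belonging to a recorded session take their parent rule's
    # action here. This replaces the stateless 'established' rule, which
    # accepted any packet carrying ACK or RST, session or not.
    echo "add 300 check-state"
    echo "add 400 allow ip from any to any via $int_if"
    # Sessions I start: record state, then jump to the outbound NAT rule.
    echo "add 500 skipto 900 tcp from any to any out via $ext_if setup keep-state"
    echo "add 510 skipto 900 udp from any to any 53 out via $ext_if keep-state"
    echo "add 520 skipto 900 icmp from any to any out via $ext_if"
    # Public services, TCP only: 'setup' is a TCP option and none of these
    # protocols use UDP, so the 'udp ... setup' rules are dropped.
    for port in 80 22 21 25 465 110 23; do
        echo "add 600 allow tcp from any to any $port in via $ext_if setup keep-state"
    done
    # Active-mode ftp-data goes out from port 20 and already matches rule
    # 500; passive mode needs a fixed port range in ftpd and a rule here.
    echo "add 700 reset log tcp from any to any 113 in via $ext_if"
    echo "add 800 allow icmp from any to any in via $ext_if icmptypes 0,3,8,11"
    echo "add 890 deny log ip from any to any"
    # Only reached by skipto: NAT outbound traffic, then let it go.
    echo "add 900 divert natd ip from any to any out via $ext_if"
    echo "add 910 allow ip from any to any"
}

# Flush and load (or, by default, just print) the ruleset.
apply_rules() {
    $fwcmd -f flush
    ipfw_rules | while read -r rule; do
        $fwcmd $rule
    done
}
case "${1:-}" in apply) apply_rules ;; esac
```

Run it with no arguments to review the generated rules; `FWCMD=/sbin/ipfw sh script.sh apply` as root loads them.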