From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 22 12:44:10 2005
Date: Wed, 22 Jun 2005 15:44:09 +0300
From: Abu Khaled
To: apach3s@yahoo.com
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Deny action doest work on my fbsd box
List-Id: IPFW Technical Discussions

On 6/22/05, James wrote:
> Hi!
> I use FreeBSD version 4.11 and I'm new to ipfirewall (ipfw).
> I started reading about ipfw this month and my mind is getting
> somewhat confused. I read the handbook on IPFW and I still don't
> understand it, not the whole of it, but I understand a little.
>
> This is my network diagram:
> ----------
> ISP
> DSL Modem
> DSL Router
> (a)FBSD SERVER(b)
> TWO-PC-CLIENTS
> ----------
>
> My `FBSD SERVER` has two ethernet interfaces: (a) vr0 (192.168.0.2 |
> 255.255.255.0) and (b) rl0 (172.16.20.1 | 255.255.255.0). My
> `TWO-PC-CLIENTS` have the IP addresses 172.16.20.11 and
> 172.16.20.12. I have now successfully set up and configured
> NATD to share the Internet connection with the
> TWO-PC-CLIENTS, following
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
>
> Now I want to test how ipfw works and whether it effectively works
> on my fbsd box to block the TWO-PC-CLIENTS from ssh, browsing,
> etc. But I failed: it does not block ports
> 22 and 80, and the TWO-PC-CLIENTS can still browse and SSH to my
> fbsd box. Here are my rc.conf, natd.conf and rules.firewall files:
>
> http://www.rootshell.be/~jam3s/file.txt
>
> My question is, how can I block ports 22 and 80 so that blocking the
> TWO-PC-CLIENTS and the others I want to block/deny will work? I have been
> reading rc.firewall and don't understand it very well :). I hope
> someone can help me... If you have a nice tutorial for the
> basic ipfw commands that is easy to understand, just tell me
> :).
>
> Thanks in advance.
>
> james

Take a look at my example rules and change them as needed.
# /etc/rc.conf
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
# /etc/rc.conf - end

# /etc/ipfw.rules
# nat
add divert natd ip from any to any via vr0
# allow all via loopback interface and antispoof 127.0.0.1
add allow all from any to any via lo0
add deny ip from 127.0.0.0/8 to any
add deny ip from any to 127.0.0.0/8
# some icmp rules for external interface (vr0)
add allow icmp from any to any in via vr0 icmptypes 0,3,11
add allow icmp from any to any out via vr0 icmptypes 8
# some icmp rules for internal network (rl0)
add allow icmp from any to any via rl0 icmptypes 0,3,8,11
# stateful rules for freebsd box
add allow tcp from me to any setup keep-state
add allow udp from me to any keep-state
#
# 'me' expands automatically to any ip running on the FreeBSD box
# in your case 192.168.0.2 and 172.16.20.1 so you do not have
# to write two rules for them
#
# here we can put rules to allow local and/or external clients
# to access the FreeBSD box
# for example a dns server on port 53 'udp' for local clients
# add allow udp from any to me 53 via rl0 keep-state
#
# deny everyone from accessing my FreeBSD box
add deny all from any to me
# deny local clients (rl0) from accessing port 80 and 22
add deny tcp from any to any 80,22 via rl0
#
# I am not sure how to write stateful filter rules for
# clients behind nat (local network) so you might
# just use firewalls on the clients and pass all on FreeBSD
# rules for local network
add allow tcp from any to any via rl0
add allow udp from any to any via rl0
# deny everything else (if already not default)
add deny all from any to any
# /etc/ipfw.rules - end

Check man ipfw for more information. And one last point, I started to use PF so things mix up for me from time to time. So wait for others to review the rules and advise or modify.

-- 
Kind regards
Abu Khaled
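The point the ruleset above relies on is that ipfw evaluates rules in order and the first matching allow/deny decides, so the "deny tcp ... 80,22 via rl0" rule only works because it sits before "allow tcp from any to any via rl0". The following is an added example, not part of this thread and not ipfw itself: a small Python model of first-match evaluation over the subset of ipfw syntax the ruleset uses. It assumes the two box addresses from the diagram for 'me', does not model keep-state/setup state tracking, treats "divert natd" as falling through to the next rule, and uses constructed packets (203.0.113.5 is a documentation address standing in for an Internet host).

```python
"""First-match model of a small ipfw ruleset (added example, not ipfw)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: the box's own addresses from the network diagram in the thread.
ME = {"192.168.0.2", "172.16.20.1"}

# The reply's ruleset, embedded here as a constructed string (comments stripped).
RULESET = """
add divert natd ip from any to any via vr0
add allow all from any to any via lo0
add deny ip from 127.0.0.0/8 to any
add deny ip from any to 127.0.0.0/8
add allow icmp from any to any in via vr0 icmptypes 0,3,11
add allow icmp from any to any out via vr0 icmptypes 8
add allow icmp from any to any via rl0 icmptypes 0,3,8,11
add allow tcp from me to any setup keep-state
add allow udp from me to any keep-state
add deny all from any to me
add deny tcp from any to any 80,22 via rl0
add allow tcp from any to any via rl0
add allow udp from any to any via rl0
add deny all from any to any
"""

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    iface: str                  # interface the packet crosses (vr0, rl0, lo0)
    direction: str              # "in" or "out" relative to the box
    dport: Optional[int] = None
    icmptype: Optional[int] = None

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    dports: Optional[set]
    direction: Optional[str]
    iface: Optional[str]
    icmptypes: Optional[set]
    text: str

KEYWORDS = {"in", "out", "via", "icmptypes", "setup", "keep-state"}

def parse_rule(line: str) -> Rule:
    """Parse 'add <action> [natd] <proto> from <src> to <dst> [ports] [opts]'."""
    tok = line.split()
    i = 1
    action = tok[i]; i += 1
    if action == "divert":
        i += 1                          # skip the divert port name ("natd")
    proto = tok[i]; i += 1
    assert tok[i] == "from"; src = tok[i + 1]; i += 2
    assert tok[i] == "to"; dst = tok[i + 1]; i += 2
    dports = direction = iface = icmptypes = None
    if i < len(tok) and tok[i] not in KEYWORDS:     # destination port list
        dports = {int(p) for p in tok[i].split(",")}; i += 1
    while i < len(tok):
        t = tok[i]
        if t in ("in", "out"):
            direction = t; i += 1
        elif t == "via":
            iface = tok[i + 1]; i += 2
        elif t == "icmptypes":
            icmptypes = {int(x) for x in tok[i + 1].split(",")}; i += 2
        else:
            i += 1                      # setup / keep-state: state not modelled here
    return Rule(action, proto, src, dst, dports, direction, iface, icmptypes, line)

def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("all", "ip", pkt.proto):
        return False
    if not addr_matches(rule.src, pkt.src) or not addr_matches(rule.dst, pkt.dst):
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:          # bare "via" matches in and out
        return False
    if rule.icmptypes is not None and pkt.icmptype not in rule.icmptypes:
        return False
    return True

def evaluate(rules, pkt: Packet):
    """Return (verdict, rule text) of the first terminating rule; default deny."""
    for r in rules:
        if matches(r, pkt) and r.action in ("allow", "deny"):
            return r.action, r.text
        # a matching divert hands the packet to natd and continues at the next rule
    return "deny", "default rule 65535"

def load(text: str):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

RULES = load(RULESET)

def client_verdict(dport: int, dst: str = "203.0.113.5") -> str:
    """A LAN client (172.16.20.11) opening a TCP connection that enters via rl0."""
    return evaluate(RULES, Packet("tcp", "172.16.20.11", dst, "rl0", "in", dport=dport))[0]

def with_allow_before_deny() -> str:
    """Same rules with the rl0 allow moved ahead of the 80,22 deny: the deny goes dead."""
    rules = list(RULES)
    i = next(k for k, r in enumerate(rules) if r.dports == {80, 22})
    rules[i], rules[i + 1] = rules[i + 1], rules[i]
    return evaluate(rules, Packet("tcp", "172.16.20.11", "203.0.113.5", "rl0", "in", dport=80))[0]

if __name__ == "__main__":
    for port in (22, 80, 443):
        print(f"client -> Internet:{port} = {client_verdict(port)}")
    print("client -> box:443 =", client_verdict(443, dst="172.16.20.1"))
    print("allow before deny, port 80 =", with_allow_before_deny())
```

Running it shows the LAN clients denied on 22 and 80 but allowed on 443, any connection to the box itself denied by "deny all from any to me", and that simply swapping the two rl0 rules turns the port-80 deny into dead code, which is the ordering mistake to check for first when a deny "does not work".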