Date: Wed, 22 Jun 2005 15:44:09 +0300
From: Abu Khaled <khaled.abu@gmail.com>
To: apach3s@yahoo.com
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Deny action doesn't work on my fbsd box
Message-ID: <a64c109e050622054444a9fe64@mail.gmail.com>
In-Reply-To: <20050622043614.31252.qmail@web51303.mail.yahoo.com>
References: <20050622043614.31252.qmail@web51303.mail.yahoo.com>
On 6/22/05, James <apach3s@yahoo.com> wrote:
> Hi! I use FreeBSD version 4.11 and I'm new to ipfirewall (ipfw).
> I started reading about ipfw this month and my mind is getting
> somewhat confused. I read the handbook on IPFW and still I don't
> understand it, not all of it, but I understand a little.
>
> This is my network diagram:
> ----------
> ISP
> DSL Modem
> DSL Router
> (a)FBSD SERVER(b)
>
> TWO-PC-CLIENTS
> ----------
>
> My `FBSD SERVER` has two ethernet interfaces: (a) vr0 (192.168.0.2 |
> 255.255.255.0) and (b) rl0 (172.16.20.1 | 255.255.255.0). My
> `TWO-PC-CLIENTS` have the IP addresses 172.16.20.11 and
> 172.16.20.12. Now I have successfully set up and configured
> NATD to share the Internet connection with the
> TWO-PC-CLIENTS, following
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
>
> Now I want to test how ipfw works and whether it effectively works
> on my fbsd box to block the TWO-PC-CLIENTS from ssh, browsing,
> etc. But I failed: it doesn't block ports 22 and 80, and the
> TWO-PC-CLIENTS can still browse and SSH to my fbsd box. Here are
> my rc.conf, natd.conf and rules.firewall files:
>
> http://www.rootshell.be/~jam3s/file.txt
>
> My question is, how can I block ports 22 and 80 so that the
> TWO-PC-CLIENTS and anything else I want to block/deny will be
> blocked? I have been reading rc.firewall and don't understand it
> very well :). I hope anyone could help me... If you have a nice
> tutorial for the basic ipfw commands that is easy to understand,
> just tell me :).
>
> thanks in advance..
>
> james

Take a look at my example rules and change them as needed.
# /etc/rc.conf
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
# /etc/rc.conf - end

# /etc/ipfw.rules
# nat
add divert natd ip from any to any via vr0
# allow all via loopback interface and antispoof 127.0.0.1
add allow all from any to any via lo0
add deny ip from 127.0.0.0/8 to any
add deny ip from any to 127.0.0.0/8
# some icmp rules for external interface (vr0)
add allow icmp from any to any in via vr0 icmptypes 0,3,11
add allow icmp from any to any out via vr0 icmptypes 8
# some icmp rules for internal network (rl0)
add allow icmp from any to any via rl0 icmptypes 0,3,8,11
# stateful rules for freebsd box
add allow tcp from me to any setup keep-state
add allow udp from me to any keep-state
#
# 'me' expands automatically to any ip running on the FreeBSD box
# in your case 192.168.0.2 and 172.16.20.1 so you do not have
# to write two rules for them
#
# here we can put rules to allow local and/or external clients
# to access the FreeBSD box
# for example a dns server on port 53 'udp' for local clients
# add allow udp from any to me 53 via rl0 keep-state
#
# deny everyone from accessing my FreeBSD box
add deny all from any to me
# deny local clients (rl0) from accessing port 80 and 22
add deny tcp from any to any 80,22 via rl0
#
# I am not sure how to write stateful filter rules for
# clients behind nat (local network) so you might
# just use firewalls on the clients and pass all on FreeBSD
# rules for local network
add allow tcp from any to any via rl0
add allow udp from any to any via rl0
# deny everything else (if already not default)
add deny all from any to any
# /etc/ipfw.rules - end

Check man ipfw for more information. And one last point: I started to use PF, so things mix up for me from time to time. So wait for others to review the rules and advise or modify.

-- 
Kind regards
Abu Khaled
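ipfw walks its rules top to bottom and the first match decides, which is why an allow that sits ahead of a deny makes the deny look like it "doesn't work". As an added illustration that is not part of this thread, here is a small Python model of that first-match evaluation, run over a constructed, trimmed copy of the ruleset posted above (natd divert and icmp lines dropped, the commented-out dns line switched on) with 'me' set to the two addresses from James's diagram:

```python
import ipaddress

# Constructed, trimmed copy of the posted ruleset (no natd/icmp lines; dns line enabled), same order.
RULES = """
add allow all from any to any via lo0
add deny ip from 127.0.0.0/8 to any
add deny ip from any to 127.0.0.0/8
add allow udp from any to me 53 via rl0
add deny all from any to me
add deny tcp from any to any 80,22 via rl0
add allow tcp from any to any via rl0
add allow udp from any to any via rl0
add deny all from any to any
"""
ME = {"192.168.0.2", "172.16.20.1"}  # what 'me' expands to on James's box

def parse(text):
    """Parse the subset: add <action> <proto> from <src> to <dst> [ports] [via <if>]."""
    rules = []
    for line in text.strip().splitlines():
        w = line.split()
        action, proto, src, dst, rest = w[1], w[2], w[4], w[6], w[7:]
        ports, iface = set(), None
        if rest and rest[0] != "via":           # optional destination port list
            ports = {int(p) for p in rest.pop(0).split(",")}
        if rest[:1] == ["via"]:                 # optional interface match
            iface = rest[1]
        rules.append((action, proto, src, dst, ports, iface))
    return rules

def match_addr(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def verdict(rules, proto, src, dst, dport, iface):
    """ipfw semantics: the first matching rule decides. Returns (action, rule index)."""
    for i, (action, rp, rs, rd, ports, rif) in enumerate(rules):
        if rp not in ("all", "ip", proto) or (rif and rif != iface):
            continue
        if ports and dport not in ports:
            continue
        if match_addr(rs, src) and match_addr(rd, dst):
            return action, i
    return "deny", None  # nothing matched: treat as the closing deny-all

RULESET = parse(RULES)
```

With the rules in the posted order, a client packet to port 22 on the box is stopped by "deny all from any to me" and one to port 80 anywhere is stopped by the port 80,22 deny; moving "add allow tcp from any to any via rl0" above that deny makes the deny unreachable, which is the usual shape of the problem James describes.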