Date: Thu, 10 May 2001 04:53:22 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Michael Sharp <msharp@medmail.com>
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: Ip filtering with ipfw
Message-ID: <Pine.BSF.3.96.1010510044308.23489J-100000@gaia.nimnet.asn.au>
In-Reply-To: <20010509160500.7232.cpmta@c000.sfo.cp.net>
On 9 May 2001, Michael Sharp wrote:

> I am very new to FreeBSD, and have some questions about ipfw
> I compiled: options IPFIREWALL
> into my kernel, and added: firewall_enable="YES" in /etc/rc.conf
> on reboot, I see ipfiltering initializing and the default policy is
> to deny. After reboot, I do: ipfw list and get this:
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any

This default policy is to allow (line 65000) except from/to 127.0.0.0/8

> I added to ipfw:
> ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 in via x10
> ipfw add deny all from any to 192.168.1.3 0-1023 in via x10

[..]

> However, all the OTHER DALnet servers are getting a response from 113
> ( not just 199.163.7.34 ) and when I ran nmap from a friend's box, it
> showed 113 open.
> What am I missing?

# ipfw delete 65000

But then, you want to check out example rules regarding denying spoofing
in and out, allowing established TCP but only allowing specific setups,
allowing UDP such as DNS, etc .. eg, not much use allowing 199.163.7.34
to connect if the reply packets can't get back, and such ..

Cheers, Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
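The reason Ian's one-line fix works is rule ordering: ipfw evaluates rules in numeric order and stops at the first match, and an unnumbered `ipfw add` is appended after the highest existing rule, so Michael's two rules landed behind `65000 allow ip from any to any` and could never be reached. The following is an added example, not code from the thread or from FreeBSD: a small first-match simulator in Python that parses just enough of the ipfw syntax quoted above to replay the ruleset before and after `ipfw delete 65000`. The interface name `x10` and the auto-numbering step of 100 are taken from the thread; the second "other DALnet server" address (203.0.113.5, a TEST-NET-3 address) and the source port are constructed for the demonstration.

```python
"""First-match simulator for the ipfw ruleset quoted in this thread.

Added example (not ipfw itself): it parses a subset of ipfw rule syntax and
evaluates constructed packets against the rules to show why rules appended
after '65000 allow ip from any to any' never match, and what changes once
that rule is deleted.
"""
import ipaddress
import re

DEFAULT_RULE = 65535
AUTOINC_STEP = 100  # ipfw numbers an unnumbered 'add' after the highest existing rule

# Subset of ipfw syntax: [num] action proto from src [ports] to dst [ports] [in|out] [via IFACE]
_RULE_RE = re.compile(
    r"^(?:(?P<num>\d+)\s+)?(?P<action>allow|deny)\s+(?P<proto>ip|all|tcp|udp)"
    r"\s+from\s+(?P<src>\S+)(?:\s+(?P<sports>\d+(?:-\d+)?))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dports>\d+(?:-\d+)?))?"
    r"(?:\s+(?P<dir>in|out))?(?:\s+via\s+(?P<iface>\S+))?$"
)


def _ports(spec):
    """'113' -> (113, 113); '0-1023' -> (0, 1023); None -> None (no port test)."""
    if spec is None:
        return None
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def _net(spec):
    """'any' matches everything; a bare address becomes a /32 network."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def parse_rule(text):
    m = _RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    return {
        "num": int(m["num"]) if m["num"] else None,
        "action": m["action"],
        "proto": None if m["proto"] in ("ip", "all") else m["proto"],
        "src": _net(m["src"]), "sports": _ports(m["sports"]),
        "dst": _net(m["dst"]), "dports": _ports(m["dports"]),
        "dir": m["dir"], "iface": m["iface"],
    }


def matches(rule, pkt):
    """Every qualifier present in the rule must hold for the packet."""
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if rule[side] is not None and ipaddress.ip_address(pkt[side]) not in rule[side]:
            return False
    for key, port in (("sports", pkt.get("sport")), ("dports", pkt.get("dport"))):
        rng = rule[key]
        if rng is not None and (port is None or not rng[0] <= port <= rng[1]):
            return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    return True


class Ruleset:
    def __init__(self):
        self.rules = {}

    def add(self, text):
        rule = parse_rule(text)
        if rule["num"] is None:  # mimic ipfw's auto-numbering for unnumbered adds
            highest = max([n for n in self.rules if n != DEFAULT_RULE] or [0])
            rule["num"] = min(highest + AUTOINC_STEP, DEFAULT_RULE - 1)
        self.rules[rule["num"]] = rule
        return rule["num"]

    def delete(self, num):
        del self.rules[num]

    def decide(self, pkt):
        """First match in numeric order wins; returns (rule number, action)."""
        for num in sorted(self.rules):
            if matches(self.rules[num], pkt):
                return num, self.rules[num]["action"]
        return DEFAULT_RULE, "deny"


LISTED = [  # the 'ipfw list' output quoted in the thread
    "00100 allow ip from any to any via lo0",
    "00200 deny ip from any to 127.0.0.0/8",
    "00300 deny ip from 127.0.0.0/8 to any",
    "65000 allow ip from any to any",
    "65535 deny ip from any to any",
]
ADDED = [  # the two unnumbered rules Michael added
    "allow tcp from 199.163.7.34 to 192.168.1.3 in via x10",
    "deny all from any to 192.168.1.3 0-1023 in via x10",
]


def demo():
    rs = Ruleset()
    for text in LISTED + ADDED:
        rs.add(text)
    # Constructed packets: an identd (113/tcp) connection from the permitted
    # server and from a stand-in for "the other DALnet servers" (TEST-NET-3).
    trusted = dict(proto="tcp", src="199.163.7.34", dst="192.168.1.3",
                   sport=40000, dport=113, dir="in", iface="x10")
    other = dict(trusted, src="203.0.113.5")
    before = {"trusted": rs.decide(trusted), "other": rs.decide(other)}
    rs.delete(65000)  # Ian's fix
    after = {"trusted": rs.decide(trusted), "other": rs.decide(other)}
    return {"numbers": sorted(rs.rules), "before": before, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the added rules numbered 65100 and 65200, every packet hitting 65000 before them, and, after the delete, the untrusted host stopped by 65200 while 199.163.7.34 is still allowed by 65100. It also makes Ian's caveat concrete: with 65000 gone, anything not explicitly allowed (return traffic for outbound connections, DNS replies) now falls through to 65535 and is dropped until rules for it are added.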