Date: Thu, 25 Oct 2001 18:18:46 -0700
From: "Eric Lam" <elam101083@earthlink.net>
To: <freebsd-questions@freebsd.org>
Subject: IPFW Rules Help
Message-ID: <IAEKKLIOEBMAKJIIGEBBCEKBCEAA.elam101083@earthlink.net>
Hello, I am attempting to construct an inclusive firewall, so that all ports and protocols (udp, tcp) are blocked by default, except ones specified, such as FTP, SSH, SMB, etc... However, I am not using natd or trying to turn this into a router. I am just trying to secure the box so that only specific services and their corresponding ports are open, and everything else closed.

xl0 is my ethernet card. The 207/206 IPs are my DNS servers. Someone told me to do that check-state stuff for FTP; I have no idea what that is for, please advise on that. I am wondering whether I did my rules correctly. Thanks for your help.

/sbin/ipfw add allow ip from any to any via lo0
/sbin/ipfw add allow ip from any to any via xl0
/sbin/ipfw add allow tcp from any to any 20 out xmit setup
/sbin/ipfw add allow tcp from any to any 21 out xmit setup
/sbin/ipfw add allow tcp from any to any 22 out xmit setup
/sbin/ipfw add allow tcp from any to any 23 out xmit setup
/sbin/ipfw add allow tcp from any to any 25 out xmit setup
/sbin/ipfw add allow tcp from any to 207.151.38.154 53 out xmit setup
/sbin/ipfw add allow tcp from any to 207.151.38.133 53 out xmit setup
/sbin/ipfw add allow tcp from any to 206.117.120.66 53 out xmit setup
/sbin/ipfw add allow tcp from any to any 80 out xmit setup
/sbin/ipfw add allow tcp from any to any 110 out xmit setup
/sbin/ipfw add allow tcp from any to any 139 out xmit setup
/sbin/ipfw add allow tcp from any to any 3128 out xmit setup
/sbin/ipfw add allow tcp from any to any via xl0 estab
/sbin/ipfw add allow udp from any to any 137 out xmit
/sbin/ipfw add check-state
/sbin/ipfw add allow tcp from any to any keep-state
/sbin/ipfw add deny udp from any to any
/sbin/ipfw add 65435 deny ip from any to any
/sbin/ipfw add 65434 allow icmp from any to any
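The following is an added example, not part of the original post or of any reply to it, showing how a default-deny ipfw ruleset for a single host is usually built around check-state/keep-state. The interface name (xl0) and the three DNS server addresses are the ones from the post; the list of inbound services offered by the host and the rule numbers are assumptions. Two points it is meant to make visible: a rule such as "allow ip from any to any via xl0" near the top matches every packet on the interface, so nothing after it ever applies; and check-state must sit before the deny rules so that packets belonging to flows recorded by keep-state are accepted before reaching them. The script is a dry run by default (IPFW=echo prints the rules rather than loading them).

```shell
#!/bin/sh
# Added example (not from the original post): default-deny ipfw ruleset for a
# single host on xl0. IPFW defaults to "echo" so the rules are printed; run
# with IPFW=/sbin/ipfw to load them for real. Service lists are assumptions.
IPFW="${IPFW:-echo}"
IF=xl0
DNS="207.151.38.154 207.151.38.133 206.117.120.66"   # from the post
INBOUND_TCP="21 22 139"                               # services this host offers (assumed)
OUTBOUND_TCP="20 21 22 23 25 80 110 139 3128"         # ports the host connects out to

ipfw_rules() {
    $IPFW -f flush
    # Loopback must always be open.
    $IPFW add 100 allow ip from any to any via lo0
    # Deliberately NO "allow ip from any to any via $IF" here: that one rule
    # would accept every packet and make everything below it dead code.

    # 1. Dynamic (stateful) rules are consulted first. Packets belonging to a
    #    flow that a keep-state rule recorded are accepted at this point.
    $IPFW add 200 check-state

    # 2. Connections this host opens. 'setup' matches only the initial SYN;
    #    keep-state records the flow so replies are matched by rule 200.
    for p in $OUTBOUND_TCP; do
        $IPFW add 300 allow tcp from me to any $p out via $IF setup keep-state
    done
    # DNS is normally UDP; state lets the single reply datagram back in.
    for d in $DNS; do
        $IPFW add 310 allow udp from me to $d 53 out via $IF keep-state
    done
    # NetBIOS name service (UDP 137) for SMB browsing.
    $IPFW add 320 allow udp from me to any 137 out via $IF keep-state

    # 3. Inbound services this host offers.
    for p in $INBOUND_TCP; do
        $IPFW add 400 allow tcp from any to me $p in via $IF setup keep-state
    done

    # 4. Minimal ICMP: echo reply, unreachable, echo request, time exceeded.
    $IPFW add 500 allow icmp from any to any icmptypes 0,3,8,11

    # 5. Any other inbound connection attempt is logged and dropped, then
    #    everything that matched nothing above is denied.
    $IPFW add 900 deny log tcp from any to any in via $IF setup
    $IPFW add 999 deny log ip from any to any
}

# Sanity check on the generated listing (dry-run mode): check-state must
# appear before the first deny rule, and the catch-all interface allow must
# be absent. Returns 0 when both hold.
check_order() {
    listing=$(IPFW=echo ipfw_rules)
    cs=$(printf '%s\n' "$listing" | grep -n 'check-state' | head -1 | cut -d: -f1)
    dn=$(printf '%s\n' "$listing" | grep -n ' deny ' | head -1 | cut -d: -f1)
    if printf '%s\n' "$listing" | grep -q "allow ip from any to any via $IF"; then
        return 1
    fi
    [ -n "$cs" ] && [ -n "$dn" ] && [ "$cs" -lt "$dn" ]
}

ipfw_rules
```

Active-mode FTP (the server connecting back from port 20 to a high port on this host) is the one case this pattern does not cover; passive-mode FTP works through the outbound 21 rule alone, which is why the check-state/keep-state approach is the usual answer for FTP clients behind a default-deny set. Rule 900 is only there to log probes separately from other drops; logging requires net.inet.ip.fw.verbose to be enabled.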