From: Kim Shrier
Organization: Shrier and Deihl
Date: Sat, 19 Sep 1998 22:18:15 -0500
To: Paul Dlug
CC: freebsd-isp@FreeBSD.ORG
Subject: Re: Please i am desperate for help with ipfw

Paul Dlug wrote:
>
> Ok, I am desperately in need of some assistance. I'm trying to block out
> all ports on a system and just enable telnet from two IP #'s that I set.
> I also need to be able to have port 80 open so people can access the web
> server... that's its purpose... Can someone please e-mail me back with some
> help? I have worked with ipfw a lot but I can't figure this out or what
> I'm doing wrong. I'm going insane... save me :)
>
> --Paul
> voxelman@hotmail.com

Try something like the following:

#!/bin/sh
############# beginning of firewall rules #######################

rule="/sbin/ipfw -q add"

TELNET="23"
HTTP="80,443"
HIGH="1024-65535"

# address of me
me="www.xxx.yyy.zzz"          # replace with real IP address

# machines with telnet access to me
machine1="aaa.bbb.ccc.ddd"    # replace with real IP address
machine2="eee.fff.ggg.hhh"    # replace with real IP address

############ WWW Rules, see C&Z p.253

# Allow www (and SSL) from outside to public Web server
$rule pass tcp from any $HIGH to $me $HTTP in
$rule pass tcp from $me $HTTP to any $HIGH out established

############ Telnet Rules, see C&Z p.239-40

# Allow inbound telnet from the approved machines to me
$rule pass tcp from $machine1 to $me $TELNET in
$rule pass tcp from $me $TELNET to $machine1 out established
$rule pass tcp from $machine2 to $me $TELNET in
$rule pass tcp from $me $TELNET to $machine2 out established

#################### end of firewall rules ######################

I also always put rules in to block RFC 1918 packets, as well as blocking
packets from the outside that have my IP address as a source IP address.

Hope this helps,

Kim Shrier
kim@tinker.com
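The rule set below is an added example, not Kim's script or anything posted to the list. It builds the same telnet/www rules and adds the RFC 1918 and own-address anti-spoofing denies the reply mentions, plus an explicit final deny so the policy does not rest on the kernel's compiled-in default rule. The addresses and the external interface name ed0 are constructed placeholders, and IPFW defaults to echo so the generated rules can be reviewed without root; set IPFW="/sbin/ipfw -q" on the real host.

```shell
#!/bin/sh
# Added example: generates an ipfw rule set for the scenario in the thread.
# IPFW defaults to "echo" so the rules are printed, not installed (assumption).
IPFW="${IPFW:-echo}"

me="192.0.2.10"           # constructed placeholder: the server's address
machine1="198.51.100.5"   # constructed placeholder: admin host 1
machine2="198.51.100.6"   # constructed placeholder: admin host 2
EXT="ed0"                 # assumed external interface name
TELNET="23"
HTTP="80,443"
HIGH="1024-65535"

rule() { $IPFW add "$@"; }

gen_rules() {
    # Anti-spoofing: private (RFC 1918) sources never legitimately arrive
    # from the outside interface, so drop them first.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rule deny ip from "$net" to any in via "$EXT"
    done
    # A packet from outside claiming our own address is forged.
    rule deny ip from "$me" to any in via "$EXT"
    # Loopback traffic stays on lo0; 127/8 must not appear elsewhere.
    rule pass all from any to any via lo0
    rule deny ip from 127.0.0.0/8 to any
    # Public web server: inbound to 80/443, replies only on established flows.
    rule pass tcp from any "$HIGH" to "$me" "$HTTP" in
    rule pass tcp from "$me" "$HTTP" to any "$HIGH" out established
    # Telnet only from the two approved hosts.
    for host in "$machine1" "$machine2"; do
        rule pass tcp from "$host" to "$me" "$TELNET" in
        rule pass tcp from "$me" "$TELNET" to "$host" out established
    done
    # Explicit default deny: everything not matched above is dropped.
    rule deny ip from any to any
}

gen_rules
```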