From owner-freebsd-questions Thu Feb 8 11:07:42 2001
Date: Thu, 8 Feb 2001 13:28:50 -0600 (CST)
From: Nick Rogness
To: "Christian G.Charette"
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw
In-Reply-To: <01020814513000.00915@spod.mic_ar>

On Thu, 8 Feb 2001, Christian G.Charette wrote:

> Hi, I'm a newbie in Unix and I'm running a FreeBSD box with Apache, and
> I want to build some firewall, but all the instructions I found are
> about firewalling for gateways. All I need is an example of a rule
> set or something like that.

There are several ways to do it. Here is one way I find most convenient.

Make a file in /etc called "firewall.rules" or something along those lines.
Then in /etc/firewall.rules:

    add 500 deny icmp from any to any in via ed0 icmptypes 8
    add 600 allow tcp from X.X.X.X to any 23 in via ed0
    add 601 allow tcp from Y.Y.Y.Y to any 23 in via ed0
    add 800 allow ip from any to any out via ed0
    add 1000 deny ip from any to any

Then in /etc/rc.conf:

    firewall_enable="YES"
    firewall_type="/etc/firewall.rules"

This is not a complete setup and needs some work, but it gives you a start.
Another way to do it is to edit /etc/rc.firewall, which most people do, but
I find the above technique easier to manage. I used ed0 as your outside
interface to the world and X.X.X.X/Y.Y.Y.Y as IPs that you want to connect
to your machine via telnet.
> What I want to do is block ICMP and only allow a couple of IPs to make
> telnet to the box.

Be careful of what you wish. Certain things use ICMP (like MTU path disc.)
and blocking that could cause problems. If you look at rule number 500 above
you can see how to deny ICMP_ECHO_REQUEST (ping).

There are also some good references on how to build firewalls on the web.
I think one was mentioned earlier at mostgraveconcern.com.

Nick Rogness
- Keep on routing in a Free World...
"FreeBSD: The Power to Serve!"
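The rule set above is evaluated first-match, so the order of the numbered rules decides what reaches the box. The following Python script is an added example, not part of the original post or of FreeBSD's ipfw: it parses the posted rule set (with the X.X.X.X / Y.Y.Y.Y placeholders replaced by RFC 5737 documentation addresses, and a constructed address for the box itself) and walks constructed packets through it. Two of the packets illustrate the caveats in the thread: an inbound ICMP type 3 message (the "fragmentation needed" type that path-MTU discovery relies on) and the reply half of a connection the box itself opened both fall through to rule 1000, which is why the author says the setup is not complete. The default rule 65535 is modelled as deny, which assumes the kernel's default-to-deny build.

```python
"""Minimal first-match evaluator for the ipfw rule subset used in the post (added example)."""
import ipaddress
import re

OUTSIDE_IF = "ed0"

# Constructed copy of the posted rule set; X.X.X.X / Y.Y.Y.Y are replaced with
# RFC 5737 documentation addresses so the example runs.
RULES_TEXT = """\
add 500 deny icmp from any to any in via ed0 icmptypes 8
add 600 allow tcp from 192.0.2.10 to any 23 in via ed0
add 601 allow tcp from 198.51.100.20 to any 23 in via ed0
add 800 allow ip from any to any out via ed0
add 1000 deny ip from any to any
"""

# Only the syntax actually used in the post is recognised.
RULE_RE = re.compile(
    r"^add\s+(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?P<proto>ip|tcp|udp|icmp)"
    r"\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?"
    r"(?:\s+(?P<dir>in|out)\s+via\s+(?P<iface>\S+))?"
    r"(?:\s+icmptypes\s+(?P<icmptypes>[\d,]+))?\s*$"
)


def parse_rules(text):
    """Parse 'add N action proto from ... to ...' lines into dicts sorted by rule number."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        r = m.groupdict()
        r["num"] = int(r["num"])
        r["sport"] = int(r["sport"]) if r["sport"] else None
        r["dport"] = int(r["dport"]) if r["dport"] else None
        r["icmptypes"] = {int(t) for t in r["icmptypes"].split(",")} if r["icmptypes"] else None
        rules.append(r)
    return sorted(rules, key=lambda r: r["num"])


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """True when every qualifier the rule carries agrees with the packet."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not _addr_matches(rule["src"], pkt["src"]) or not _addr_matches(rule["dst"], pkt["dst"]):
        return False
    if rule["sport"] is not None and rule["sport"] != pkt["sport"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["dir"] and (rule["dir"] != pkt["dir"] or rule["iface"] != pkt["iface"]):
        return False
    if rule["icmptypes"] is not None and pkt["icmptype"] not in rule["icmptypes"]:
        return False
    return True


def evaluate(rules, pkt):
    """ipfw semantics: the first matching rule decides. (65535, 'deny') stands in for
    the kernel's default rule, assumed here to be the default-to-deny build."""
    for r in rules:
        if rule_matches(r, pkt):
            return r["num"], r["action"]
    return 65535, "deny"


def packet(proto, src, dst, direction, iface=OUTSIDE_IF, sport=None, dport=None, icmptype=None):
    return {"proto": proto, "src": src, "dst": dst, "dir": direction, "iface": iface,
            "sport": sport, "dport": dport, "icmptype": icmptype}


BOX = "203.0.113.1"  # constructed address of the firewalled host

# Constructed traffic: one packet per rule, plus the two gaps the thread warns about.
SCENARIOS = {
    "ping request in":       packet("icmp", "203.0.113.77", BOX, "in", icmptype=8),
    "telnet from X.X.X.X":   packet("tcp", "192.0.2.10", BOX, "in", sport=40000, dport=23),
    "telnet from elsewhere": packet("tcp", "203.0.113.77", BOX, "in", sport=40001, dport=23),
    "any outbound":          packet("tcp", BOX, "192.0.2.10", "out", sport=40002, dport=80),
    "pmtu frag-needed in":   packet("icmp", "192.0.2.1", BOX, "in", icmptype=3),
    "http reply in":         packet("tcp", "192.0.2.10", BOX, "in", sport=80, dport=40002),
}


def verdicts():
    """Map each scenario name to the (rule number, action) that decided it."""
    rules = parse_rules(RULES_TEXT)
    return {name: evaluate(rules, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (num, action) in verdicts().items():
        print(f"{name:24s} -> rule {num:5d} {action}")
```

Running it shows rule 500 stopping the echo request and rule 600 admitting telnet from the first listed address, while the ICMP type 3 message and the returning HTTP segment are both dropped by rule 1000; in a real deployment those two rows are the ones to revisit before calling the rule set finished.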