Date:      Wed, 9 May 2001 14:45:26 -0600 (MDT)
From:      Nate Williams <nate@yogotech.com>
To:        Michael Sharp <msharp@medmail.com>
Cc:        FreeBSD-security@FreeBSD.ORG
Subject:   Re: Ip filtering with ipfw
Message-ID:  <15097.44134.876784.259823@nomad.yogotech.com>
In-Reply-To: <20010509160500.7232.cpmta@c000.sfo.cp.net>
References:  <20010509160500.7232.cpmta@c000.sfo.cp.net>

> After reboot, I do: ipfw list      and get this:
> 
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> 
> which I am assuming is the defaults.

This is the default 'open' setup, yes, and happens because you added the
following (mentioned in another email).

> SO, from /etc/rc.firewall I added IPFIREWALL_DEFAULT_TO_ACCEPT to my
> kernel and recompiled.

Otherwise, rule 65000 wouldn't have existed.

> Now, to keep it simple, I have a router between my internal machine (
> 192.168.1.3 ) and the Internet and I set the router to allow only port
> 113 in to 192.168.1.3

Am I to assume the 'router' is the firewall box?

> ifconfig reveals that my ethernet card is on x10
> 
> I added to ipfw:
> 
> ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 in via x10
> ipfw add deny all from any to 192.168.1.3 0-1023 in via x10
> 
> 199.163.7.34 is the ip of a DALnet IRC server that checks identd

So far so good.

> My thinking here was I only wanted 199.163.7.34 to get an identd
> response on 113 and block all the others from getting a response on
> 113.

If you're just worried about 113, then a rule like this may be more
effective.

ipfw add allow tcp from 199.163.7.34 to 192.168.1.3 113 in via x10

This limits the IRC server to a single port.  The second rule is
adequate.

> However, all the OTHER DALnet servers are getting a response from
> 113 ( not just 199.163.7.34 ) and when I ran nmap from a friend's box,
> it showed 113 open.
>
> What am I missing?

What does an 'ipfw list' after you add the rules show?



Nate
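The question Nate closes with (what `ipfw list` shows once the two rules are added) comes down to first-match evaluation: ipfw walks rules in ascending number order and the first match decides, so where the two identd rules land relative to the catch-all `65000 allow ip from any to any` determines whether they do anything. The following simulator is an added example, not code from the thread or from FreeBSD; it models that evaluation for the five default rules quoted above plus the two identd rules (using Nate's port-restricted allow), and compares two placements. The placement after 65000 (numbers 65100/65200) and the second source address 198.51.100.7 are constructed for the illustration, not facts established by the thread.

```python
"""First-match model of a small ipfw ruleset (constructed example, not FreeBSD code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", ...
    src: str
    dst: str
    dport: int
    iface: str       # interface the packet crosses
    direction: str   # "in" or "out"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "allow" or "deny"
    proto: str       # "ip" matches any protocol
    src: str         # CIDR/host or "any"
    dst: str
    dports: tuple    # () = any destination port, else (lo, hi) inclusive
    direction: str   # "in", "out", or "" (either direction)
    iface: str       # interface name or "" (any interface)


def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """Return True when every clause of the rule matches the packet."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not _addr_match(rule.src, pkt.src) or not _addr_match(rule.dst, pkt.dst):
        return False
    if rule.dports and not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    return True


def evaluate(rules, pkt):
    """Return (rule_number, action) of the first matching rule in numeric order."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    raise RuntimeError("no default rule in ruleset")


# The default 'open' ruleset quoted in the thread.
DEFAULT_RULES = [
    Rule(100, "allow", "ip", "any", "any", (), "", "lo0"),
    Rule(200, "deny", "ip", "any", "127.0.0.0/8", (), "", ""),
    Rule(300, "deny", "ip", "127.0.0.0/8", "any", (), "", ""),
    Rule(65000, "allow", "ip", "any", "any", (), "", ""),
    Rule(65535, "deny", "ip", "any", "any", (), "", ""),
]


def identd_rules(first_number):
    """The two identd rules from the thread (port-restricted allow, then deny 0-1023),
    numbered from first_number so they can be placed before or after rule 65000."""
    return [
        Rule(first_number, "allow", "tcp", "199.163.7.34", "192.168.1.3", (113, 113), "in", "x10"),
        Rule(first_number + 100, "deny", "ip", "any", "192.168.1.3", (0, 1023), "in", "x10"),
    ]


# Constructed test packets: the DALnet server from the thread, and some other host.
IRC_SERVER = Packet("tcp", "199.163.7.34", "192.168.1.3", 113, "x10", "in")
OTHER_HOST = Packet("tcp", "198.51.100.7", "192.168.1.3", 113, "x10", "in")  # constructed address


def identd_outcome(first_number):
    """Which rule decides port 113 for each source when the identd rules start at first_number."""
    rules = DEFAULT_RULES + identd_rules(first_number)
    return {
        "irc_server": evaluate(rules, IRC_SERVER),
        "other_host": evaluate(rules, OTHER_HOST),
    }


if __name__ == "__main__":
    # Rules placed before 65000: only the IRC server reaches 113.
    print("before 65000:", identd_outcome(400))
    # Rules placed after 65000 (assumed placement): the catch-all allow decides first,
    # so both sources reach 113 and the deny rule is never consulted.
    print("after 65000: ", identd_outcome(65100))
```

The check this suggests is the one Nate asks for: read the numbers in `ipfw list` and confirm that the allow/deny pair sorts ahead of 65000, or give the rules explicit numbers when adding them rather than relying on automatic numbering.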
