Date: Sun, 25 Mar 2001 15:36:10 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Carl <no1-carl@home.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Dynamic ipfw ruleset to block all unrequested packets...
Message-ID: <20010325153610.D5425@rfx-216-196-73-168.users.reflex>
In-Reply-To: <01032512585203.00338@Demon>; from no1-carl@home.com on Sun, Mar 25, 2001 at 12:58:52PM -0500
References: <01032512585203.00338@Demon>

On Sun, Mar 25, 2001 at 12:58:52PM -0500, Carl wrote:
> Hello, I have been reading through the firewall literature and have set up a
> very simple firewall. It is just for my home connection to my cable modem
> service. I do have a router attached to the cable modem that has my FreeBSD
> machine as a DMZ. The router's IP is 192.168.1.1 and it assigns my FreeBSD
> box 192.168.1.100. The following is my rc.firewall file snippet:
>
> ############
> # Local IP address of my computer
> ip="192.168.1.100"
>
> ############
> # Dynamic rule set that only allows packets
> # that have been requested by this IP
> ${fwcmd} add check-state
> ${fwcmd} add deny log all from not ${ip} to any
> ${fwcmd} add pass all from ${ip} to any keep-state
>
> When I use nmap to scan myself (ie: nmap -sS -p 111 <my @Home IP>) it lists
> the sunrpc port as filtered (better than open), but I was wondering if it is
> possible to make this port disappear?

"Filtered" is the result you want. It means that nmap got no response
at all. Not sure what you mean by getting it to "disappear."

> The other strange thing, when I ping myself (ie: ping <my @Home IP>) the ICMP
> packets get through. Is this because I am not pinging my machine from an
> outside source? If so why doesn't nmap behave the same way?

OK, this is strange. Where are you doing the nmap and pinging from? If
you are doing all of this from the machine with the firewall, these
results are not meaningful. Do it from another machine.
--
Crist J. Clark                           cjclark@alum.mit.edu
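
An added illustration, not part of the original message and not ipfw code: a simplified Python model of the three quoted rules, showing why an unsolicited probe gets no answer and why a probe sent from the firewall host itself never exercises the deny rule. The scanner, server and public addresses are constructed, and the model assumes the self-probe leaves with source ${ip}.

```python
# Simplified model of the quoted three-rule set (not ipfw itself: no
# timeouts, no TCP state tracking, TCP/UDP-style 5-tuples only).
from typing import NamedTuple

IP = "192.168.1.100"  # ${ip} from the quoted rc.firewall snippet

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    def __init__(self, ip: str = IP) -> None:
        self.ip = ip
        self.dynamic = set()  # flows created by keep-state

    @staticmethod
    def _flow(p: Packet):
        # Dynamic rules match both directions: store endpoints unordered.
        return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))

    def decide(self, p: Packet) -> str:
        if self._flow(p) in self.dynamic:   # add check-state
            return "pass (check-state)"
        if p.src != self.ip:                # add deny log all from not ${ip} to any
            return "deny"
        self.dynamic.add(self._flow(p))     # add pass all from ${ip} to any keep-state
        return "pass (keep-state)"

def demo() -> list:
    fw = Firewall()
    # Constructed addresses: outside scanner, web server, stand-in public IP.
    scanner, web, home = "203.0.113.7", "198.51.100.80", "203.0.113.1"
    return [
        # Unsolicited SYN to sunrpc: dropped with no reply, so nmap reports "filtered".
        fw.decide(Packet("tcp", scanner, 40000, IP, 111)),
        # Connection opened by the host, then the server's reply.
        fw.decide(Packet("tcp", IP, 50000, web, 80)),
        fw.decide(Packet("tcp", web, 80, IP, 50000)),
        # Probe sent from the firewall host itself (assumed source ${ip}):
        # the deny rule is never exercised.
        fw.decide(Packet("tcp", IP, 50001, home, 111)),
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```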