From owner-freebsd-security Sat Jun 10 10:34:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hormann.tzo.cc (cvg-29-15-234.cinci.rr.com [24.29.15.234]) by hub.freebsd.org (Postfix) with ESMTP id F1C3C37B50B for ; Sat, 10 Jun 2000 10:34:54 -0700 (PDT) (envelope-from ghormann@alumni.indiana.edu)
Received: from localhost (ghormann@localhost) by hormann.tzo.cc (8.9.3/8.9.3) with ESMTP id NAA01536 for ; Sat, 10 Jun 2000 13:37:55 -0400 (EDT) (envelope-from ghormann@alumni.indiana.edu)
X-Authentication-Warning: hormann.tzo.cc: ghormann owned process doing -bs
Date: Sat, 10 Jun 2000 13:37:50 -0400 (EDT)
From: Greg Hormann
X-Sender: ghormann@hormann.tzo.cc
To: security@freebsd.org
Subject: Setting up simple firewall with ipfw
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm trying to set up a simple little firewall for my stand-alone FreeBSD-4.0 box. Most of what I want seems to be working, but I'm having a few problems I would appreciate some help with. (I'm *extremely* new to firewalls.)

1) This box obtains its internet address via DHCP. Because of that, I've been using "any to any via ed0". This box is dual-homed, and at some point in time I'd like to use natd to make this box a gateway for my internal network. Is there a more secure way to set things up when using DHCP?

2) I can't get logging working to help me troubleshoot my problems. (IPFIREWALL_VERBOSE is in the kernel.) -- It may work, and I don't know where to look for it. It doesn't appear on the console, and after looking at the man page, I still couldn't figure it out.
sysctl net.inet.ip.fw returns:

net.inet.ip.fw.enable: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5
net.inet.ip.fw.dyn_short_lifetime: 5

3) I'm having trouble getting ftp/ssh traffic through my firewall. (I can get out, but not in.) When trying to ftp or ssh in, I receive "TCP/IP Failure". I currently have the following rules: (Remember, I'm using DHCP, hence so many "any to any".)

00100   108   7771 allow tcp from any to any via ed0 established
00100   114  15516 allow ip from any to any via lo0
00200     1     44 allow tcp from any to any 25 via ed0
00200     0      0 deny ip from any to 127.0.0.0/8
00300     0      0 allow tcp from any to any 23 via ed0
00400     0      0 allow tcp from any to any 22 setup
00500     0      0 allow udp from any to any 22
00600     0      0 allow tcp from any 22 to any
00700     0      0 allow tcp from any to any 20 via ed0
00800     0      0 allow tcp from any to any 21 via ed0
00900     0      0 allow tcp from any to any 80 via ed0
01000     0      0 allow tcp from any to any 220 via ed0
01100     0      0 allow tcp from any to any 546
01200     0      0 allow udp from any to any 56
01300     4    176 allow tcp from any to any 110
01400     5    220 deny log tcp from any to any 1-1024 via ed0
65000    14   1701 allow ip from any to any
65535     6    672 deny ip from any to any

Thanks in advance,
Greg.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
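The following is an added example, not part of Greg's message nor any reply on the list. It shows the two things the questions above circle around on a FreeBSD 4.x host: a ruleset that does not need to know the DHCP-assigned address, because outbound connections are remembered with keep-state and their replies are accepted by a single check-state rule, and a small helper that reads the "ipfw: <rule> Deny ..." lines that an IPFIREWALL_VERBOSE kernel hands to syslog (facility security; the stock /etc/syslog.conf routes that to /var/log/security, which is where to look rather than on the console). The interface name ed0, the choice of services offered inbound (22 and 25), the ICMP types admitted, and the sample log lines are all assumptions made for the example, and the script can be dry-run with IPFW=echo.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD itself:
# a stateful ipfw(8) ruleset for a FreeBSD 4.x host whose outside address
# comes from DHCP, plus a helper that summarises the "ipfw: <rule> Deny ..."
# lines an IPFIREWALL_VERBOSE kernel logs through syslog.
# Assumptions (not from the post): outside interface ed0, sshd on 22 and
# sendmail on 25 are the only inbound services, and syslog.conf carries the
# stock "security.* /var/log/security" line. IPFW=echo dry-runs the ruleset.

IPFW="${IPFW:-/sbin/ipfw}"
OIF="${OIF:-ed0}"

load_rules() {
    $IPFW -f flush
    # Loopback is trusted; keep 127/8 off the wire in either direction.
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 deny ip from any to 127.0.0.0/8
    $IPFW add 210 deny ip from 127.0.0.0/8 to any
    # Packets matching a dynamic (state) entry are accepted here. This is
    # what admits replies without the rules ever naming our own address.
    $IPFW add 300 check-state
    # DHCP itself: client port 68 talks to server port 67, address unknown.
    $IPFW add 400 allow udp from any 68 to any 67 out via $OIF
    $IPFW add 410 allow udp from any 67 to any 68 in via $OIF
    # Connections this box opens: create state on the SYN (or first datagram).
    $IPFW add 500 allow tcp from any to any out via $OIF setup keep-state
    $IPFW add 510 allow udp from any to any out via $OIF keep-state
    # ICMP: ping out freely; accept echo reply, unreachable, time exceeded.
    $IPFW add 600 allow icmp from any to any out via $OIF
    $IPFW add 610 allow icmp from any to any in via $OIF icmptypes 0,3,11
    # Services offered to the world: one rule per port, state created on SYN.
    $IPFW add 700 allow tcp from any to any 22 in via $OIF setup keep-state
    $IPFW add 710 allow tcp from any to any 25 in via $OIF setup keep-state
    # Everything else is logged and dropped (verbose_limit 0 = no log cap).
    $IPFW add 65000 deny log ip from any to any
}

# Constructed sample of /var/log/security entries produced by the final rule
# (format assumed from the 4.x ipfw code: "ipfw: <rule> Deny <proto>
# src:port dst:port in via <if>"); 192.0.2.10 stands in for our address.
sample_log() {
    cat <<'EOF'
Jun 10 13:40:01 gw /kernel: ipfw: 65000 Deny TCP 10.1.2.3:1033 192.0.2.10:23 in via ed0
Jun 10 13:40:02 gw /kernel: ipfw: 65000 Deny TCP 10.1.2.3:1034 192.0.2.10:23 in via ed0
Jun 10 13:41:15 gw /kernel: ipfw: 65000 Deny TCP 10.9.9.9:2001 192.0.2.10:21 in via ed0
Jun 10 13:42:30 gw /kernel: ipfw: 65000 Deny UDP 10.4.4.4:3000 192.0.2.10:137 in via ed0
Jun 10 13:43:00 gw sshd[311]: Accepted publickey for greg from 10.1.2.3
EOF
}

# Count denied packets per (rule, protocol, destination), most frequent first.
# Reads the file named in $1, or stdin when called without an argument.
summarize_denials() {
    awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            key = $(i+1) " " $(i+3) " " $(i+5)
            n[key]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' ${1:+"$1"} | sort -rn
}

case "${1:-}" in
    load)    load_rules ;;
    summary) summarize_denials "${2:-/var/log/security}" ;;
    *)       ;;
esac
```

Run it as "sh ipfw.sh load" from /etc/rc.firewall or rc.local, and "sh ipfw.sh summary" to see which ports the outside world is knocking on. The point of the final deny being a single rule with "log" is that every unexplained failure leaves a line in /var/log/security naming the rule number, protocol and destination port, which is exactly what is needed to debug a connection that is being refused.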