From: "Mario Doria"
To: freebsd-questions@freebsd.org
Subject: Migrate from IPF to IPFW
Date: Thu, 31 Jan 2002 12:04:07 -0600

Hello,

I'm planning to migrate a machine from IPF to IPFW, but before I make any changes (the machine is in production), I want to test the IPFW ruleset. Please, can someone provide me with examples of an IPFW stateful ruleset?
Here's what I have so far:

#!/bin/sh
#
fwcmd="/sbin/ipfw -q"

## Begin the ruleset
${fwcmd} -f flush

## Protect local interface
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

## Some local protection (TCP flag combinations that no real client sends)
${fwcmd} add deny log tcp from any to any tcpflags fin,urg,psh in
${fwcmd} add deny log tcp from any to any tcpflags syn,fin in

## Check state first: packets that belong to a session created by one of
## the keep-state rules below are accepted here, before any other rule
${fwcmd} add check-state

## Deny ACK packets that did not match the dynamic ruleset
${fwcmd} add deny tcp from any to any established in

## Outgoing packets (each new outbound flow creates a dynamic rule)
${fwcmd} add allow tcp from any to any out keep-state
${fwcmd} add allow udp from any to any out keep-state
${fwcmd} add allow icmp from any to any out keep-state

## Offered Services
## (ports are written directly after the address, as in the other rules)
# Samba
${fwcmd} add pass tcp from 192.168.0.0/24 to any 137-139 in setup keep-state
${fwcmd} add pass udp from 192.168.0.0/24 to any 137-139 in keep-state
# WWW
${fwcmd} add pass tcp from any to any 80,443 in setup keep-state
# SSH
${fwcmd} add pass tcp from any to any 22 in setup keep-state
# Mail
${fwcmd} add pass tcp from any to any 25,995 in setup keep-state
# ident: answer with a RST so remote mail servers do not wait for a timeout
${fwcmd} add reset tcp from any to any 113 in setup
# FTP (control and active data ports, then the passive data port range)
${fwcmd} add pass tcp from any to any 20-21 in setup keep-state
${fwcmd} add pass tcp from any to any 49152-53000 in setup keep-state
# DNS
${fwcmd} add pass udp from any to any 53 in keep-state
${fwcmd} add pass tcp from any to any 53 in setup keep-state
# Big-Brother
${fwcmd} add pass tcp from 192.168.0.10/32 to any 1984 in setup keep-state

## ICMP (echo reply, unreachable, echo request, time exceeded)
${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11 in keep-state

## Disallow all other types of connections
${fwcmd} add deny log all from any to any in

-------
Thanks a lot!
Mario Doria
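Since the machine is in production and the ruleset cannot be loaded to see whether it behaves, one thing that can be checked offline is the structure that ipfw depends on: the script starts with a flush, check-state comes before the first keep-state rule (otherwise return traffic for established sessions is matched by whatever rule happens to come first), and the table ends in an explicit deny rather than falling through to rule 65535. The script below is an added example, not part of the original post and not a FreeBSD tool; the function name lint_ipfw_ruleset and the two constructed sample rulesets are assumptions for illustration.

```shell
#!/bin/sh
# lint_ipfw_ruleset FILE
# Structural checks on an rc-style ipfw script (lines of "${fwcmd} add ...").
# Prints one finding per line; returns 0 when clean, 1 when something is off.
lint_ipfw_ruleset() {
    f="$1"
    rc=0
    tmp=$(mktemp) || return 2
    # Keep only lines that issue a firewall command ("... add ..." or
    # "... -f flush"), prefixed with their line numbers; drop shell comments.
    grep -n -E '(^|[[:space:]])(add[[:space:]]|-f[[:space:]]+flush)' "$f" \
        | grep -v -E '^[0-9]+:[[:space:]]*#' > "$tmp"

    if ! grep -q . "$tmp"; then
        echo "no ipfw rules found in $f"
        rm -f "$tmp"
        return 1
    fi

    # 1. Start from an empty table, or rules from the previous load survive.
    case "$(head -n 1 "$tmp")" in
        *flush*) ;;
        *) echo "first command is not a flush: $(head -n 1 "$tmp")"; rc=1 ;;
    esac

    # 2. check-state must precede the first keep-state rule.
    cs=$(grep 'check-state' "$tmp" | head -n 1 | cut -d: -f1)
    ks=$(grep 'keep-state' "$tmp" | head -n 1 | cut -d: -f1)
    if [ -n "$ks" ]; then
        if [ -z "$cs" ]; then
            echo "keep-state at line $ks but no check-state rule"; rc=1
        elif [ "$cs" -gt "$ks" ]; then
            echo "check-state (line $cs) comes after first keep-state (line $ks)"; rc=1
        fi
    fi

    # 3. End with an explicit deny so the result does not depend on how the
    #    kernel's default rule 65535 was configured.
    last=$(tail -n 1 "$tmp")
    case "$last" in
        *deny*|*drop*) ;;
        *) echo "last rule is not a deny: $last"; rc=1 ;;
    esac

    rm -f "$tmp"
    return "$rc"
}

# Constructed sample rulesets (assumptions for the demo, not real config).
good_rules=$(mktemp)
cat > "$good_rules" <<'EOF'
#!/bin/sh
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any established in
${fwcmd} add allow tcp from any to any out keep-state
# SSH
${fwcmd} add pass tcp from any to any 22 in setup keep-state
${fwcmd} add deny log all from any to any in
EOF

bad_rules=$(mktemp)
cat > "$bad_rules" <<'EOF'
#!/bin/sh
fwcmd="/sbin/ipfw -q"
${fwcmd} add allow tcp from any to any out keep-state
${fwcmd} add check-state
${fwcmd} add pass tcp from any to any 22 in setup keep-state
${fwcmd} add allow all from any to any
EOF

lint_ipfw_ruleset "$good_rules" && echo "good ruleset: no findings"
lint_ipfw_ruleset "$bad_rules" || echo "bad ruleset: rejected"
```

Run it against the real script with lint_ipfw_ruleset /etc/rc.firewall.local (or whatever path the script lives at); it only reads the file and never calls ipfw, so it is safe on the production host. It checks ordering, not syntax: the first real syntax check is still the ipfw binary itself, ideally on a test box or a spare jail with the same FreeBSD release.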