Date: Fri, 9 Jan 2004 13:10:31 -0000
From: Philip Payne <philip.payne@uk.mci.com>
To: Dan Rossi <daniel@electroteque.org>, freebsd-questions@freebsd.org
Subject: RE: firewall settings in rc.firewall
Message-ID: <A0A204EE2E51BC41BCDE3C1DD86D35ED209C03@gblon1exch06.uk.mcilink.com>
Hi Dan,

> Hello, I am trying to make my webserver accessible to the net. I tried
> to run the out of the box rc.firewall, but there were some default rules
> which blocked the 192.168.0 network which is my local lan lol, so it killed
> it instead of helped it. Anyway I tried setting it to open, but it still
> won't allow access to port 1023 which is what the server is running on.
> Can someone please help me with some example rules which may get me going?
> Let me know, thanks.

Firstly, man ipfw will help you understand ipfw.

Look on www.bsdvault.com and do a search on google for building an ipfw
firewall on BSD. There are some good tutorials out there. If you really
don't know where to start this will be valuable.

As you get more familiar you may want to look at fwbuilder.org as this
provides a graphical interface for policy generation, but I do suggest you
are familiar with the command line first so you understand what
fwbuilder.org is doing. fwbuilder.org does have some tools to help generate
basic policies.

Some generic statements on how to develop a network policy if you have
absolutely no idea. This is painful, but if you don't know where to start
and ignore the tutorials I'm not sure what else you can do:

1) Operate from a default deny scenario unless you have a good reason not
   to. If you don't want to break stuff then have a permit all. Set this
   rule to log, e.g.

     ipfw add 65000 deny log ip from any to any

   or

     ipfw add 65000 permit log ip from any to any

2) View the log at /var/log/security. As you have no other rules in your
   policy the log will quickly get swamped by the traffic through your
   firewall.

3) Work out from the log what traffic/packets are required, what traffic
   is not, and add relevant rules, e.g.

     ipfw add 100 permit tcp from <your internal network> to any setup keep-state out via <your external interface>
     ipfw add 110 permit udp from <your internal network> to any keep-state out via <your external interface>

   ...is an obvious example if you want your internal network to be able
   to initiate any connection.

4) Clear the logs:

     ipfw resetlog

5) Repeat steps 2 & 3 until you're only denying and logging the things
   you want.

6) Check your logs frequently for unexpected events.

7) Review your policy on a regular basis to collate rules and remove
   unwanted ones.

Hope that helps.

Phil.
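The loop Phil describes (default deny with logging, read /var/log/security, add permit rules, repeat) as an added worked example; this script is not from the thread or from the FreeBSD rc.firewall, and the internal network, external interface name (fxp0), web-server port and the sample log lines are constructed assumptions for illustration. By default it only prints the ipfw commands (dry run); set IPFW=/sbin/ipfw to apply them. The log summary reads the format ipfw writes through syslog and groups blocked flows by action, protocol, destination port, direction and interface, which is what you need for step 3.

```shell
#!/bin/sh
# Added example, not code from the original thread or from rc.firewall.
# Assumed log line format (as ipfw logs through syslog, IPv4 only):
#   Jan  9 13:10:31 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.9:4321 192.168.0.2:1023 in via fxp0

# Dry run by default: print the commands. IPFW=/sbin/ipfw applies them.
IPFW=${IPFW:-"echo ipfw"}

# build_ruleset INTERNAL_NET EXT_IF SERVER_PORT
# Default-deny, stateful policy built from the two rules in the reply plus
# one permit for the exposed web server. $IPFW is unquoted on purpose so
# the dry-run value "echo ipfw" splits into a command and an argument.
build_ruleset() {
    net=$1; ext=$2; port=$3
    $IPFW -f flush
    # Loopback is always fine; 127/8 arriving on any other interface is not.
    $IPFW add 10 permit ip from any to any via lo0
    $IPFW add 20 deny ip from any to 127.0.0.0/8
    # Match packets belonging to connections already recorded by keep-state.
    $IPFW add 50 check-state
    # The LAN may initiate anything outbound (rules 100/110 from the reply).
    $IPFW add 100 permit tcp from "$net" to any setup keep-state out via "$ext"
    $IPFW add 110 permit udp from "$net" to any keep-state out via "$ext"
    # The one inbound service: the web server on SERVER_PORT.
    $IPFW add 200 permit tcp from any to me "$port" setup keep-state in via "$ext"
    # Step 1: log everything else before denying it so step 3 has data.
    # Logging only happens with sysctl net.inet.ip.fw.verbose=1.
    $IPFW add 65000 deny log ip from any to any
}

# summarize_log < /var/log/security
# Prints "count action proto dport dir iface", most frequent first, so you
# can decide which blocked flows deserve a rule and which are just noise.
summarize_log() {
    sed -n 's/.*ipfw: //p' |
    awk '{
        # fields: rule action proto src dst dir "via" iface
        n = split($5, d, ":")            # dst is host[:port]; ICMP has no port
        dport = (n > 1) ? d[n] : "-"
        key = $2 " " $3 " " dport " " $6 " " $8
        c[key]++
    }
    END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample log lines (not real traffic) in the assumed format.
SAMPLE_LOG='Jan  9 13:10:31 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.9:4321 192.168.0.2:1023 in via fxp0
Jan  9 13:10:32 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.9:4322 192.168.0.2:1023 in via fxp0
Jan  9 13:10:35 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.4:50000 192.168.0.2:1023 in via fxp0
Jan  9 13:10:40 gw /kernel: ipfw: 65000 Deny UDP 192.168.0.7:1030 192.0.2.53:53 out via fxp0
Jan  9 13:10:41 gw /kernel: ipfw: 65000 Deny ICMP:8.0 198.51.100.4 192.168.0.2 in via fxp0'

case "${1:-}" in
    build)     build_ruleset "$2" "$3" "$4" ;;
    summarize) summarize_log ;;                 # log lines on stdin
    *)
        echo "Dry-run ruleset:"
        build_ruleset 192.168.0.0/24 fxp0 1023
        echo
        echo "Sample log summary:"
        printf '%s\n' "$SAMPLE_LOG" | summarize_log
        ;;
esac
```

Typical use after enabling logging: `sh ipfw-helper.sh summarize < /var/log/security` shows, for instance, that the only thing rule 65000 keeps dropping is inbound TCP to the web-server port, which is exactly the permit rule you then add before the default deny; then `ipfw resetlog` and repeat, as in steps 4 and 5.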