From owner-freebsd-questions@FreeBSD.ORG Fri Jan 9 05:11:18 2004
From: Philip Payne
To: Dan Rossi, freebsd-questions@freebsd.org
Date: Fri, 9 Jan 2004 13:10:31 -0000
Subject: RE: firewall settings in rc.firewall

Hi Dan,

> Hello, I am trying to make my webserver accessible to the net. I tried
> to run the out of the box rc.firewall, but there were some default rules
> which blocked the 192.168.0 network which is my local LAN, lol, so it killed
> it instead of helping it. Anyway, I tried setting it to open, but it still
> won't allow access to port 1023, which is what the server is running on.
> Can someone please help me with some example rules which may get me going?
> Let me know, thanks.

Firstly, man ipfw will help you understand ipfw.

Look on www.bsdvault.com and do a search on Google for building an ipfw firewall on BSD. There are some good tutorials out there. If you really don't know where to start, this will be valuable.

As you get more familiar you may want to look at fwbuilder.org, as this provides a graphical interface for policy generation, but I do suggest you are familiar with the command line first so you understand what fwbuilder.org is doing. fwbuilder.org does have some tools to help generate basic policies.

Some generic statements on how to develop a network policy if you have absolutely no idea. This is painful, but if you don't know where to start and ignore the tutorials, I'm not sure what else you can do:

1) Operate from a default deny scenario unless you have a good reason not to. If you don't want to break stuff then have a permit all. Set this rule to log, e.g.

   ipfw add 65000 deny log ip from any to any

   or

   ipfw add 65000 permit log ip from any to any

2) View the log at /var/log/security. As you have no other rules in your policy, the log will quickly get swamped by the traffic through your firewall.

3) Work out from the log what traffic/packets are required, what traffic is not, and add relevant rules, e.g.

   ipfw add 100 permit tcp from to any setup keep-state out via
   ipfw add 110 permit udp from to any keep-state out via

   ...is an obvious example if you want your internal network to be able to initiate any connection.

4) Clear the logs:

   ipfw resetlog

5) Repeat steps 2 & 3 until you're only denying and logging the things you want.

6) Check your logs frequently for unexpected events.

7) Review your policy on a regular basis to collate rules and remove unwanted ones.
Hope that helps. Phil.
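The policy-and-log loop Phil describes in steps 1 to 5, as an added example that is not part of the original mail. The interface names fxp0 and rl0 are assumed; the 192.168.0.0/24 LAN and the web server port 1023 come from Dan's question. The script only prints the ipfw commands, and the summary function digests the /var/log/security lines that step 2 refers to.

```shell
#!/bin/sh
# Added example, not from the mail. Assumed: external interface fxp0 (hypothetical name).
# The LAN (192.168.0.0/24) and the web server port (1023) come from Dan's question.
EXT_IF="fxp0"
LAN_NET="192.168.0.0/24"
WEB_PORT="1023"

# Steps 1 and 3: print the ipfw commands for a policy that lets the LAN start
# connections, lets the net reach the web server, and logs everything else it denies.
# Review the output, then pipe it to sh to load it.
gen_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 50 check-state
ipfw add 100 permit tcp from ${LAN_NET} to any setup keep-state out via ${EXT_IF}
ipfw add 110 permit udp from ${LAN_NET} to any keep-state out via ${EXT_IF}
ipfw add 200 permit tcp from any to me ${WEB_PORT} setup keep-state in via ${EXT_IF}
ipfw add 65000 deny log ip from any to any
EOF
}

# Constructed sample of the lines ipfw writes to /var/log/security (interface rl0 is also assumed):
# "ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>".
SAMPLE_LOG='Jan  9 13:10:31 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:40112 192.168.0.2:1023 in via fxp0
Jan  9 13:10:32 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:40113 192.168.0.2:1023 in via fxp0
Jan  9 13:10:33 gw /kernel: ipfw: 65000 Deny UDP 192.168.0.5:1025 192.168.0.1:53 in via rl0
Jan  9 13:10:34 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:5555 192.168.0.2:23 in via fxp0
Jan  9 13:10:35 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:40114 192.168.0.2:1023 in via fxp0'

# Steps 2 and 3: read log lines on stdin and print "count proto dst-port direction iface"
# per distinct denied flow, busiest first, to decide what needs a permit rule
# and what should stay denied. ICMP entries carry no port and are shown as "-".
summarize_denies() {
    awk -F 'ipfw: ' '$2 ~ /^[0-9]+ Deny / {
        split($2, g, " ")
        dst = g[5]
        if (dst ~ /:/) sub(/.*:/, "", dst); else dst = "-"
        c[g[3] " " dst " " g[6] " " g[8]]++
    }
    END { for (k in c) print c[k], k }' | sort -rn
}

# Usage (stand-alone): show the rules, then summarise the sample log.
gen_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

The summary for the sample shows three denied hits on TCP 1023 coming in on the outside interface, which is exactly the traffic the web server rule has to permit before the deny-all rule stops logging it.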