Date: Wed, 29 Dec 2004 07:02:25 -0500
From: "Grant Peel" <gpeel@thenetnow.com>
To: <freebsd-ipfw@freebsd.org>, <freebsd-questions@freebsd.org>
Subject: New IPFW Setup.
Message-ID: <008901c4ed9e$44478510$6401a8c0@GRANT>
Good morning all,

Apologies for sending to both lists, I am hoping to root out the IPFW gurus! Hope everyone had a Merry Christmas....

I have recently activated ipfw on 5 of my production servers. All servers are Apache, Exim or Sendmail, MySQL, vm-pop3d, ProFTPD enabled. All servers have multiple domains and UNIX users, though, by default, we do not supply shell accounts.

Here is the ruleset I currently use on all the servers. I would like nothing more than to tighten them up a bit, if possible, considering the environment they are used in (Internet). Please feel free to browse and send me any comments, critiques you may have on the ruleset below.

00010 allow ip from any to any via lo0
00020 allow ip from any to any via fxp1   # LAN access ... Is behind a managed switch, VLAN setup.
00030 check-state
00040 allow tcp from N.N.N.N to me 22 keep-state setup   # Allow me in via ssh ... I hope!
00050 allow ip from any to 192.168.0.6   # An nfs mount
00060 allow ip from 192.168.0.6 to any
00070 allow icmp from any to any icmptype 0,3,4,8,11,12
00100 allow ip from any to any keep-state out
00110 allow tcp from any to any 20,21 keep-state setup
00120 allow tcp from any to any 25,110 keep-state setup
00130 allow tcp from any to any 53 keep-state setup
00140 allow udp from any to any 53 keep-state
00150 allow tcp from any to any 80,110,443 keep-state setup
00160 allow tcp from any to any 10000,20000 keep-state setup   # Webmin and Usermin.
00170 allow tcp from any to any 1024-65534 in setup   # ftp ports. Seems to negate a lot of the firewall ???
65534 deny log ip from any to any
65535 deny ip from any to any

Of special concern to me is line 170 ... added to allow ftp. Any ideas here?

-Grant
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?008901c4ed9e$44478510$6401a8c0>
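Editor's added example (not part of Grant's post, and not FreeBSD project code): a small audit script that parses `ipfw list` output of the shape quoted above and reports `allow` rules reachable from `any` source that expose no port restriction or a wide destination-port range. The ruleset embedded in the script is the one quoted in the post; the `max_ports` threshold of 16 is an arbitrary choice for this example. It covers only the syntax the post actually uses (proto/from/to/ports plus the options `keep-state`, `setup`, `in`, `out`, `via`, `icmptype`), not the full ipfw grammar.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ruleset quoted in the post above, as printed by 'ipfw list'.
RULESET = """
00010 allow ip from any to any via lo0
00020 allow ip from any to any via fxp1
00030 check-state
00040 allow tcp from N.N.N.N to me 22 keep-state setup
00050 allow ip from any to 192.168.0.6
00060 allow ip from 192.168.0.6 to any
00070 allow icmp from any to any icmptype 0,3,4,8,11,12
00100 allow ip from any to any keep-state out
00110 allow tcp from any to any 20,21 keep-state setup
00120 allow tcp from any to any 25,110 keep-state setup
00130 allow tcp from any to any 53 keep-state setup
00140 allow udp from any to any 53 keep-state
00150 allow tcp from any to any 80,110,443 keep-state setup
00160 allow tcp from any to any 10000,20000 keep-state setup
00170 allow tcp from any to any 1024-65534 in setup
65534 deny log ip from any to any
65535 deny ip from any to any
"""

# A port spec is a comma list of single ports or lo-hi ranges.
PORT_RE = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")
ARG_OPTS = {"via", "recv", "xmit", "icmptype", "uid", "gid"}  # options taking one argument
IFACE_OPTS = {"via", "recv", "xmit"}                           # options binding a rule to an interface


@dataclass
class Rule:
    number: int
    action: str
    log: bool
    proto: str
    src: str
    src_ports: Optional[str]
    dst: str
    dst_ports: Optional[str]
    options: List[str]


def parse_rule(line: str) -> Rule:
    """Parse one 'ipfw list' line: NUM action [log] proto from src [ports] to dst [ports] opts..."""
    tok = line.split()
    number, action = int(tok[0]), tok[1]
    i, log = 2, False
    if i < len(tok) and tok[i] == "log":
        log, i = True, i + 1
    if action == "check-state":           # no address part at all
        return Rule(number, action, log, "", "", None, "", None, [])
    proto, i = tok[i], i + 1
    if tok[i] != "from":
        raise ValueError(f"rule {number}: expected 'from', got {tok[i]!r}")
    src, i = tok[i + 1], i + 2
    src_ports = None
    if i < len(tok) and PORT_RE.match(tok[i]):
        src_ports, i = tok[i], i + 1
    if tok[i] != "to":
        raise ValueError(f"rule {number}: expected 'to', got {tok[i]!r}")
    dst, i = tok[i + 1], i + 2
    dst_ports = None
    if i < len(tok) and PORT_RE.match(tok[i]):
        dst_ports, i = tok[i], i + 1
    options: List[str] = []
    while i < len(tok):                   # fold 'via fxp1' / 'icmptype 0,3' into one option each
        if tok[i] in ARG_OPTS:
            options.append(f"{tok[i]} {tok[i + 1]}")
            i += 2
        else:
            options.append(tok[i])
            i += 1
    return Rule(number, action, log, proto, src, src_ports, dst, dst_ports, options)


def port_count(spec: str) -> int:
    """Number of distinct ports covered by a spec such as '80,110,443' or '1024-65534'."""
    total = 0
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            total += hi - lo + 1
        else:
            total += 1
    return total


def audit(text: str, max_ports: int = 16) -> List[Tuple[int, str]]:
    """Report allow rules that any Internet host can hit with no (or a very wide) port restriction."""
    findings: List[Tuple[int, str]] = []
    for line in text.strip().splitlines():
        r = parse_rule(line)
        if r.action != "allow" or r.proto not in ("tcp", "udp", "ip"):
            continue
        if "out" in r.options:            # outbound only; replies come back via the dynamic rule
            continue
        if any(o.split()[0] in IFACE_OPTS for o in r.options):
            continue                      # bound to one interface (lo0, LAN); judge with local knowledge
        if r.src != "any":
            continue
        if r.dst_ports is None:
            findings.append((r.number, f"{r.proto} from any to {r.dst} with no destination port restriction"))
        elif (n := port_count(r.dst_ports)) > max_ports:
            findings.append((r.number, f"{n} destination ports ({r.dst_ports}) open to any source"))
    return findings


if __name__ == "__main__":
    for num, why in audit(RULESET):
        print(f"{num:05d}: {why}")
```

On the posted rules this flags 00050 (any protocol, any port, from any source, to the NFS host) and 00170 (64511 inbound ports). For 00170 the common remedy is to fix the FTP daemon's passive data-port range (ProFTPD has a `PassivePorts` directive for this) and allow only that range inbound with `setup`, rather than 1024-65534; active-mode data connections originate from the server and are already covered by the `keep-state out` rule at 00100.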