From owner-freebsd-questions@FreeBSD.ORG Sun Feb 20 19:04:52 2005
From: "Paul Schmehl" <pauls@utdallas.edu>
To: "SigmaX", freebsd-questions@freebsd.org
Date: Sun, 20 Feb 2005 13:04:50 -0600
Subject: Re: IPFW config

----- Original Message -----
From: "SigmaX"
Sent: Monday, February 21, 2005 12:01 PM
Subject: IPFW config

> Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the default
> SSH port, right?)
> Then start IPFW with the kernel module (I know how to do this)

#!/bin/sh
# Stateful ipfw ruleset for a host with a single external interface, xl0.
# Replace x.x.x.x with the address of xl0.
fwcmd=/sbin/ipfw
myip=x.x.x.x
mymask=255.255.255.0    # not referenced by the rules below

# setup_loopback is normally provided by /etc/rc.firewall; it is defined here
# with the same rules so the script also runs on its own.
setup_loopback() {
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}
setup_loopback

# Allow icmp (echo, unreachable, time exceeded, parameter problem, timestamp)
${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via xl0

# Setup dynamic rules: packets belonging to a tracked flow are accepted here;
# any other TCP packet that is not a connection setup is dropped
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any via xl0 established

# Allow DNS queries (and other UDP) out to the world, nothing in
${fwcmd} add allow udp from ${myip} to any via xl0 keep-state
${fwcmd} add deny udp from any to any

# Allow all outbound TCP connections
${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state

# Allow inbound http, ssh and port 10000
${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state
${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state
${fwcmd} add allow tcp from any to ${myip} 10000 via xl0 setup keep-state

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag via xl0

# Deny everything else
${fwcmd} add deny ip from any to any via xl0

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
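ipfw evaluates rules in order and acts on the first match, so the order of the rules above decides what gets in. The following model, added here and not part of the list message, replays the static rules from that ruleset against a few constructed packets to show why an inbound SYN to port 22 (the ssh service) is accepted while one to port 23 falls through to the final deny. It leaves out the check-state/keep-state dynamic rules, the fragment rule and the "via xl0" interface match, and uses 192.0.2.10 as a placeholder for x.x.x.x.

```python
from dataclasses import dataclass

MYIP = "192.0.2.10"  # placeholder for the message's x.x.x.x

@dataclass
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "ip" matches every protocol
    src: str                  # "any" or one address
    dst: str
    dport: int = None         # destination port, tcp/udp only
    setup: bool = False       # ipfw "setup": TCP SYN without ACK
    established: bool = False # ipfw "established": ACK (or RST); modelled as ACK

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    syn: bool = False
    ack: bool = False

RULES = [  # static rules of the message, in the order they are added
    Rule("allow", "icmp", "any", "any"),
    Rule("deny", "tcp", "any", "any", established=True),
    Rule("allow", "udp", MYIP, "any"),
    Rule("deny", "udp", "any", "any"),
    Rule("allow", "ip", MYIP, "any", setup=True),
    Rule("allow", "tcp", "any", MYIP, dport=80, setup=True),
    Rule("allow", "tcp", "any", MYIP, dport=22, setup=True),
    Rule("allow", "tcp", "any", MYIP, dport=10000, setup=True),
    Rule("deny", "ip", "any", "any"),
]

def matches(rule, pkt):
    syn_only = pkt.proto == "tcp" and pkt.syn and not pkt.ack
    return (rule.proto in ("ip", pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport)
            and (not rule.setup or syn_only)
            and (not rule.established or (pkt.proto == "tcp" and pkt.ack)))

def verdict(pkt):
    # Returns (1-based rule number, action) of the first matching rule.
    for number, rule in enumerate(RULES, start=1):
        if matches(rule, pkt):
            return number, rule.action
    return 0, "deny"  # ipfw's built-in rule 65535 denies with the default kernel config
```

Running verdict() on an inbound SYN to port 23 returns the final deny rule, which is the behaviour to expect if SSH is actually listening on 22 and telnet was the port the question had in mind.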