Date: Fri, 10 Aug 2001 22:04:43 -0500
From: David Kelly <dkelly@hiwaay.net>
To: "George Genovezos" <ggenovez@hotmail.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw & firewall.
Message-ID: <200108110304.f7B34hc04780@grumpy.dyndns.org>
In-Reply-To: Message from "George Genovezos" <ggenovez@hotmail.com> of "Sat, 11 Aug 2001 00:55:42 -0000." <F111mKldz8axXzTx7Sx000064dd@hotmail.com>
"George Genovezos" writes:
>
> Hey all,
>
> I just installed ipfw and the only thing I want to go in & out is ssh. So
> this is the only line I have in my rules
>
> allow tcp from any to any ssh setup

Is not enough, as you have found out. You let the setup thru but didn't
let any of the data packets thru. Am assuming ipfw is in the "default
deny all" mode? Should find something like this in dmesg:

  IP packet filtering initialized, divert disabled, rule-based forwarding
  disabled, default to deny, unlimited logging

Without actually trying it, I suggest you start with something like
this. You want the localhost device to work. And I'm guessing you'd like
DNS to work as well. Correct the DNS address/net. Use static address or
subnet or whatever. Another good idea would be to limit ssh connections
to known IP addresses.

  #!/bin/sh
  nic="fxp0"
  dns="1.2.3.4/24"
  ipfw -f flush
  # loopback traffic, and nothing claiming a 127/8 destination elsewhere
  ipfw allow ip from any to any via lo0
  ipfw deny log ip from any to 127.0.0.0/8
  # private source addresses arriving on the outside interface are spoofed
  ipfw deny log ip from 192.168.0.0/16 to any in recv ${nic}
  # packets of already-set-up TCP sessions (ACK or RST set)
  ipfw allow tcp from any to any established
  # DNS replies in, queries out
  ipfw allow udp from ${dns} 53 to any in recv ${nic}
  ipfw allow udp from any to ${dns} 53 out xmit ${nic}
  # new SSH connections to this host only, logged
  ipfw allow log tcp from any to me ssh setup
  ipfw deny log ip from any to any

Logged items can be found in /var/log/security. I find it nice to log
the ssh setups as a way to know where my ssh connections are coming
from.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
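The two rulesets above, replayed against a TCP handshake in a toy first-match model of ipfw. This is an added illustration, not code from either message or from FreeBSD; the host address 203.0.113.10, the client 198.51.100.7 and the packet trace are constructed, and `1.2.3.4/24` is the placeholder from the reply. It shows that George's lone `setup` rule admits only the SYN and then drops the SYN/ACK and every data packet, that the `established` rule in the reply fixes that, and also the caveat of a stateless `established` rule: any TCP packet with ACK set passes it, including a bare ACK to a port that was never opened (the `log` keyword is omitted since it does not change the verdict).

```python
"""Toy first-match model of ipfw rule evaluation (added illustration,
not code from the message). It replays a TCP handshake against the
single 'setup' rule George posted and against David's ruleset, then
probes the stateless 'established' rule with a bare ACK."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

SSH, DNS = 22, 53
ME = frozenset({"203.0.113.10"})   # constructed: the firewall host's own address
NIC = "fxp0"
DNS_NET = "1.2.3.4/24"             # placeholder from the reply (covers 1.2.3.0/24)


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False
    direction: str = "in"          # "in" (recv) or "out" (xmit)
    iface: str = NIC


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str = "ip"              # "ip" matches every protocol
    src: str = "any"               # "any", "me" or a CIDR
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False            # ipfw 'setup': SYN set, ACK clear
    established: bool = False      # ipfw 'established': ACK or RST set
    direction: Optional[str] = None  # None behaves like 'via' (either way)
    iface: Optional[str] = None


def _addr_ok(spec: str, addr: str, me) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in me
    return ip_address(addr) in ip_network(spec, strict=False)


def matches(r: Rule, p: Pkt, me) -> bool:
    return (r.proto in ("ip", p.proto)
            and _addr_ok(r.src, p.src, me) and _addr_ok(r.dst, p.dst, me)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport)
            and r.direction in (None, p.direction) and r.iface in (None, p.iface)
            and (not r.setup or (p.syn and not p.ack))
            and (not r.established or p.ack or p.rst))


def verdict(rules: List[Rule], p: Pkt, me=ME) -> str:
    """First matching rule decides; the kernel's 'default to deny' applies otherwise."""
    for r in rules:
        if matches(r, p, me):
            return r.action
    return "deny"


# George's lone rule: allow tcp from any to any ssh setup
ONLY_SETUP = [Rule("allow", "tcp", dport=SSH, setup=True)]

# David's ruleset, transcribed from the reply (log keyword dropped).
REPLY_RULES = [
    Rule("allow", iface="lo0"),
    Rule("deny", dst="127.0.0.0/8"),
    Rule("deny", src="192.168.0.0/16", direction="in", iface=NIC),
    Rule("allow", "tcp", established=True),
    Rule("allow", "udp", src=DNS_NET, sport=DNS, direction="in", iface=NIC),
    Rule("allow", "udp", dst=DNS_NET, dport=DNS, direction="out", iface=NIC),
    Rule("allow", "tcp", dst="me", dport=SSH, setup=True),
    Rule("deny"),
]


def ssh_session(client="198.51.100.7", server="203.0.113.10") -> List[Pkt]:
    """Constructed trace: three-way handshake plus one data packet each way."""
    c2s = dict(proto="tcp", src=client, sport=50000, dst=server, dport=SSH, direction="in")
    s2c = dict(proto="tcp", src=server, sport=SSH, dst=client, dport=50000, direction="out")
    return [Pkt(**c2s, syn=True), Pkt(**s2c, syn=True, ack=True),
            Pkt(**c2s, ack=True), Pkt(**c2s, ack=True), Pkt(**s2c, ack=True)]


def trace(rules: List[Rule], pkts: List[Pkt], me=ME) -> List[str]:
    return [verdict(rules, p, me) for p in pkts]


def ack_probe(dport: int = 25) -> Pkt:
    """A bare ACK with no prior SYN, the kind of packet an ACK scan sends."""
    return Pkt("tcp", "198.51.100.7", 40000, "203.0.113.10", dport, ack=True)


if __name__ == "__main__":
    print("setup-only rule:", trace(ONLY_SETUP, ssh_session()))
    print("reply ruleset:  ", trace(REPLY_RULES, ssh_session()))
    print("bare ACK to 25: ", verdict(REPLY_RULES, ack_probe()))
```

The bare-ACK result is the price of the stateless `established` rule: it lets a scanner learn which ports are reachable and lets crafted ACK segments reach a listening service, although no session can be completed through it without a matching `setup`. ipfw's dynamic rules (`check-state` and `keep-state` on the `setup` rule) replace that blanket rule with per-session state and close the gap; restricting the `setup` rule to known source addresses, as the reply suggests, narrows who can open sessions in the first place.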