Date:      Fri, 10 Aug 2001 22:04:43 -0500
From:      David Kelly <dkelly@hiwaay.net>
To:        "George Genovezos" <ggenovez@hotmail.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw & firewall. 
Message-ID:  <200108110304.f7B34hc04780@grumpy.dyndns.org>
In-Reply-To: Message from "George Genovezos" <ggenovez@hotmail.com>  of "Sat, 11 Aug 2001 00:55:42 -0000." <F111mKldz8axXzTx7Sx000064dd@hotmail.com> 

"George Genovezos" writes:
> 
> Hey all,
> 
> I just installed ipfw and the only thing I want to go in & out is ssh. So 
> this is the only line I have in my rules
> 
> allow tcp from any to any ssh setup

That is not enough, as you have found out. You let the setup through but
didn't let any of the data packets through. I am assuming ipfw is in the
"default deny all" mode? You should find something like this in dmesg:

IP packet filtering initialized, divert disabled, rule-based forwarding disabled, default to deny, unlimited logging

Without actually trying it, I suggest you start with something like
this. You want the localhost device to work, and I'm guessing you'd like
DNS to work as well. Correct the DNS address/net; use a static address or
subnet or whatever. Another good idea would be to limit ssh connections
to known IP addresses.

#!/bin/sh
# ipfw evaluates rules in order and the first match wins; anything that
# reaches the bottom hits the final deny. Edit nic and dns for your box.
# (Each rule needs the "add" keyword or ipfw rejects the command.)
nic="fxp0"
dns="1.2.3.4/24"
ipfw -f flush
# Loopback must work, and nothing on the wire may claim a 127/8 address.
ipfw add allow ip from any to any via lo0
ipfw add deny log ip from any to 127.0.0.0/8
# Drop private-address spoofs arriving on the outside interface.
ipfw add deny log ip from 192.168.0.0/16 to any in recv ${nic}
# Pass the data packets (ACK set) of connections that are already set up.
ipfw add allow tcp from any to any established
# DNS replies back from, and queries out to, the name server.
ipfw add allow udp from ${dns} 53 to any in recv ${nic}
ipfw add allow udp from any to ${dns} 53 out xmit ${nic}
# The only new connections permitted: ssh to this host; log each setup.
ipfw add allow log tcp from any to me ssh setup
# Everything else is denied and logged.
ipfw add deny log ip from any to any

Logged items can be found in /var/log/security. I find it nice to log
the ssh setups as a way to know where my ssh connections are coming
from.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
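The point of the reply is that ipfw is a first-match filter with a default deny: a lone "allow ... ssh setup" rule passes only the bare SYN, so the SYN/ACK and every data packet of the same connection fall through to the implicit deny. The following is an added illustration, not part of the original mail and not ipfw's own code: a small Python model of first-match evaluation that supports just the keywords the ruleset above uses (setup, established, in/out, recv/xmit/via, me). It assumes the firewall host's address is 203.0.113.10 (for "me"), uses documentation address ranges for the constructed sample packets, and takes the mail's placeholder 1.2.3.4/24 as the DNS net, which ipfw reads as 1.2.3.0/24.

```python
"""Toy first-match model of the ipfw ruleset in the mail above (added
illustration; not ipfw code). Only the keywords that ruleset uses are
modelled: setup, established, in/out, recv/xmit/via, me, any, CIDR nets."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

NIC = "fxp0"
DNS_NET = "1.2.3.4/24"        # placeholder from the mail; read as 1.2.3.0/24
MY_ADDRS = {"203.0.113.10"}   # assumed address of the firewall host ("me")


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    direction: str      # "in" (received) or "out" (transmitted)
    iface: str          # interface the packet is received on or sent out of
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "ip"               # "ip" matches any protocol
    src: str = "any"                # "any", "me", or a CIDR net
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcpflag: Optional[str] = None   # "setup" or "established"
    direction: Optional[str] = None # "in" / "out"
    iface: Optional[str] = None     # recv / xmit / via interface
    log: bool = False


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in MY_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    # "setup" is a bare SYN; "established" is any TCP packet with ACK or RST set.
    if rule.tcpflag == "setup" and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    if rule.tcpflag == "established" and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return True


def matching_rule(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """1-based number of the first rule that matches, or None if none does."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return number
    return None


def verdict(rules: List[Rule], pkt: Packet) -> str:
    number = matching_rule(rules, pkt)
    return rules[number - 1].action if number else "deny"   # default to deny


# George's single rule, and the ruleset from the mail, in order.
ONE_RULE = [Rule("allow", "tcp", dport=22, tcpflag="setup")]
MAIL_RULESET = [
    Rule("allow", iface="lo0"),
    Rule("deny", dst="127.0.0.0/8", log=True),
    Rule("deny", src="192.168.0.0/16", direction="in", iface=NIC, log=True),
    Rule("allow", "tcp", tcpflag="established"),
    Rule("allow", "udp", src=DNS_NET, sport=53, direction="in", iface=NIC),
    Rule("allow", "udp", dst=DNS_NET, dport=53, direction="out", iface=NIC),
    Rule("allow", "tcp", dst="me", dport=22, tcpflag="setup", log=True),
    Rule("deny", log=True),
]

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLES = {
    "ssh SYN in":       Packet("tcp", "198.51.100.7", "203.0.113.10", 40000, 22, "in", NIC, syn=True),
    "ssh SYN/ACK out":  Packet("tcp", "203.0.113.10", "198.51.100.7", 22, 40000, "out", NIC, syn=True, ack=True),
    "ssh data in":      Packet("tcp", "198.51.100.7", "203.0.113.10", 40000, 22, "in", NIC, ack=True),
    "dns query out":    Packet("udp", "203.0.113.10", "1.2.3.4", 51234, 53, "out", NIC),
    "dns reply in":     Packet("udp", "1.2.3.4", "203.0.113.10", 53, 51234, "in", NIC),
    "rfc1918 spoof in": Packet("tcp", "192.168.5.5", "203.0.113.10", 1234, 22, "in", NIC, syn=True),
    "telnet SYN in":    Packet("tcp", "198.51.100.7", "203.0.113.10", 40001, 23, "in", NIC, syn=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:17} one rule: {verdict(ONE_RULE, pkt):5}  "
              f"mail ruleset: {verdict(MAIL_RULESET, pkt):5} (rule {matching_rule(MAIL_RULESET, pkt)})")
```

Running it prints one line per sample packet: the single rule allows the inbound ssh SYN but denies the outbound SYN/ACK and the inbound data packet, while the full ruleset allows all three and also passes the DNS exchange, blocks the 192.168/16 spoof at rule 3 and sends the telnet SYN to the final deny. Note the caveat the model makes visible: "established" only checks TCP flags, so any packet with ACK set is passed whether or not a connection exists; that is why later ipfw releases added keep-state and check-state for genuinely stateful filtering.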
