From: David Kelly
To: "George Genovezos"
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw & firewall.
Date: Fri, 10 Aug 2001 22:04:43 -0500
Message-Id: <200108110304.f7B34hc04780@grumpy.dyndns.org>
In-reply-to: Message from "George Genovezos" of "Sat, 11 Aug 2001 00:55:42 -0000."

"George Genovezos" writes:
>
> Hey all,
>
> I just installed ipfw and the only thing I want to go in & out is ssh. So
> this is the only line I have in my rules
>
> allow tcp from any to any ssh setup

Is not enough, as you have found out. You let the setup thru but didn't let
any of the data packets thru.

Am assuming ipfw is in the "default deny all" mode? Should find something
like this in dmesg:

  IP packet filtering initialized, divert disabled, rule-based forwarding
  disabled, default to deny, unlimited logging

Without actually trying it, I suggest you start with something like this.
You want the localhost device to work. And I'm guessing you'd like DNS to
work as well. Correct the DNS address/net. Use static address or subnet or
whatever. Another good idea would be to limit ssh connections to known IP
addresses.
#!/bin/sh
# Outside interface, and the DNS server (or its subnet) this host queries.
nic="fxp0"
dns="1.2.3.4/24"
# Start from an empty rule set (-f: don't ask for confirmation).
ipfw -f flush
# Loopback must work; nothing arriving on the wire may claim a 127/8 address.
ipfw add allow ip from any to any via lo0
ipfw add deny log ip from any to 127.0.0.0/8
# Private source addresses coming in on the outside interface are spoofed.
ipfw add deny log ip from 192.168.0.0/16 to any in recv ${nic}
# Data packets of connections already let through (anything but a bare SYN).
ipfw add allow tcp from any to any established
# DNS replies in and queries out, only to/from the configured server.
ipfw add allow udp from ${dns} 53 to any in recv ${nic}
ipfw add allow udp from any to ${dns} 53 out xmit ${nic}
# The only new connections accepted: ssh to this host, and log each setup.
ipfw add allow log tcp from any to me ssh setup
# Default: drop and log everything else (logging needs net.inet.ip.fw.verbose=1).
ipfw add deny log ip from any to any

Logged items can be found in /var/log/security. I find it nice to log the
ssh setups as a way to know where my ssh connections are coming from.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
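An added example, not part of the post above: a small sh script that turns the logged ssh setups in /var/log/security into a per-source count, which is the "where are my ssh connections coming from" question the rule set answers. It assumes the syslog/ipfw line format of that era (hostname, "/kernel:", then "ipfw:" followed by rule number, action, protocol, src:port, dst:port and direction); the log lines embedded in the script are constructed samples, not real traffic, and the hostname, interface and addresses in them are made up.

```shell
#!/bin/sh
# Added example (not from the post): summarise the sources of the ssh setups
# that the "allow log tcp from any to me ssh setup" rule writes to the log.
# Assumed line format (hypothetical sample, documentation addresses):
#   Aug 10 22:04:43 grumpy /kernel: ipfw: 700 Accept TCP 192.0.2.10:51234 198.51.100.5:22 in via fxp0
# i.e. after the "ipfw:" token: rule number, action, protocol, src:port, dst:port, direction.

# Constructed sample log (stands in for /var/log/security; not real traffic).
sample_log() {
cat <<'EOF'
Aug 10 22:04:43 grumpy /kernel: ipfw: 700 Accept TCP 192.0.2.10:51234 198.51.100.5:22 in via fxp0
Aug 10 22:05:01 grumpy /kernel: ipfw: 700 Accept TCP 192.0.2.10:51240 198.51.100.5:22 in via fxp0
Aug 10 22:06:17 grumpy /kernel: ipfw: 700 Accept TCP 203.0.113.7:40000 198.51.100.5:22 in via fxp0
Aug 10 22:07:30 grumpy /kernel: ipfw: 800 Deny TCP 203.0.113.9:2222 198.51.100.5:23 in via fxp0
Aug 10 22:08:02 grumpy /kernel: ipfw: 800 Deny UDP 203.0.113.9:53 198.51.100.5:53 in via fxp0
EOF
}

# Read log lines on stdin; print "count source-address", most frequent first.
# Only accepted, inbound TCP packets to port 22 are counted, so denied
# probes and the DNS traffic in the same log are ignored.
ssh_setup_sources() {
    awk '
        {
            # Locate the "ipfw:" token; fields before it are syslog prefix.
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF) next
            action = $(i+2); proto = $(i+3); src = $(i+4); dst = $(i+5); dir = $(i+6)
            if (action != "Accept" || proto != "TCP" || dir != "in") next
            split(dst, d, ":"); if (d[2] != "22") next
            split(src, s, ":"); count[s[1]]++
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

# Real use: ssh_setup_sources < /var/log/security
sample_log | ssh_setup_sources
```

On the constructed sample this prints "2 192.0.2.10" and "1 203.0.113.7"; the Deny lines and the UDP line contribute nothing. Run it against the real file as root, since /var/log/security is not world-readable.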