Date: Fri, 21 Dec 2001 17:33:41 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: Chris Appleton <appleton_chris@yahoo.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: ipfw
Message-ID: <20011221172457.P2811-100000@catalyst.sasknow.net>
In-Reply-To: <20011221220234.62703.qmail@web14803.mail.yahoo.com>
Chris Appleton wrote to freebsd-questions@FreeBSD.ORG:

> [...]
> when I try: add allow ip from any to a.b.c.d 80 to
> specify port, I get an error loading the rules.

The IP protocol doesn't know anything about ports. Only when you specify a
transport protocol (TCP or UDP) do ports make sense. HTTP works on TCP port
80, so specify that:

  add 400 allow tcp from any to a.b.c.d 80
  add 401 allow tcp from a.b.c.d 80 to any

This is a BAD way to do it. See the "established" rule below:

> also, do I require 2 rules every time, one for each direction.
> ideally I would like to 'allow any 80 to any 80 - is that
> possible.

Sure, you can do this...

  add 400 allow tcp from any to any 80

> any good ipfw rule help - keeping in mind I don't
> think I can use in via and such with bridge.

You might also want to consider, as a low-numbered rule, allowing
established connections through:

  add 350 allow tcp from any to any established

This means that once a connection is set up, the firewall will allow all
inbound and outbound packets in that session through. This allows you to
simplify your ruleset, and provides an added bit of security, as you don't
have to unilaterally allow all outgoing connections per port.

Your complete ruleset for allowing HTTP in both directions would be
something like this:

  add 350 pass tcp from any to any established
  add 375 pass ip from ${you} to any
  add 400 pass tcp from any to ${you} 80 setup
  [deny everything else by default]

This way, YOU can initiate connections with anyone, on any port. But
outside users can ONLY initiate connections with you on port 80.

(In other words, you'll need more rules than this to have a functional
network :-)

Hope this helps,

- Ryan

--
Ryan Thompson <ryan@sasknow.com>
Network Administrator, Accounts
SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW)   North America

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
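The ruleset in Ryan's reply, replayed packet by packet. This is an added example, not code from the message or from FreeBSD's ipfw: a small first-match simulator that parses only the rule syntax the message uses (add [num] action proto from src [port] to dst [port] [established|setup]) and runs constructed packets through the three rules plus the default deny. It assumes ${you} is a.b.c.d and uses 198.51.100.7 as a constructed outside host; the `setup` and `established` matching mirrors what the ipfw keywords test (SYN without ACK, and ACK or RST set).

```python
"""Added example, not code from the message or from FreeBSD: a first-match
simulator for the ipfw rules discussed above.  It understands only the syntax
the message uses and replays constructed packets through the ruleset."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

YOU = "a.b.c.d"  # assumption: stands in for ${you} in the message
PASS_WORDS = {"pass", "allow", "accept", "permit"}
DENY_WORDS = {"deny", "drop"}
# The message's ruleset plus the implicit default deny ipfw keeps as rule 65535.
RULESET = [
    "add 350 pass tcp from any to any established",
    f"add 375 pass ip from {YOU} to any",
    f"add 400 pass tcp from any to {YOU} 80 setup",
    "add 65535 deny ip from any to any",
]

@dataclass
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""  # TCP flags as letters: S, A, F, R

@dataclass
class Rule:
    num: int
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    opts: Set[str] = field(default_factory=set)

def parse_rule(text: str, auto_num: int = 100) -> Rule:
    """Parse one 'add ...' line, rejecting what ipfw would reject."""
    tok = text.split()
    if len(tok) < 7 or tok[0] != "add":
        raise ValueError(f"not an 'add ... from ... to ...' rule: {text!r}")
    i, num = 1, auto_num  # an unnumbered rule takes the caller's auto_num
    if tok[i].isdigit():
        num, i = int(tok[i]), i + 1
    action, proto = tok[i], tok[i + 1]
    if action not in PASS_WORDS | DENY_WORDS or tok[i + 2] != "from":
        raise ValueError(f"bad action or missing 'from': {text!r}")
    src, i, sport = tok[i + 3], i + 4, None
    if i < len(tok) and tok[i].isdigit():
        sport, i = int(tok[i]), i + 1
    if i + 1 >= len(tok) or tok[i] != "to":
        raise ValueError(f"missing 'to <dst>': {text!r}")
    dst, i, dport = tok[i + 1], i + 2, None
    if i < len(tok) and tok[i].isdigit():
        dport, i = int(tok[i]), i + 1
    opts = set(tok[i:])
    # The error from the original question: only tcp and udp have ports, so
    # "ip ... 80" is refused here just as ipfw refuses it.
    if (sport is not None or dport is not None) and proto not in ("tcp", "udp"):
        raise ValueError(f"port given but {proto!r} has no ports: {text!r}")
    return Rule(num, action, proto, src, dst, sport, dport, opts)

def matches(rule: Rule, pkt: Packet) -> bool:
    """'ip' matches every protocol, 'any' every address; ports must match if given."""
    if (rule.proto not in ("ip", pkt.proto) or rule.src not in ("any", pkt.src)
            or rule.dst not in ("any", pkt.dst) or rule.sport not in (None, pkt.sport)
            or rule.dport not in (None, pkt.dport)):
        return False
    tcp = pkt.proto == "tcp"
    # Both keywords inspect only this packet's flags; no connection table is
    # consulted, which is why the bare-ACK probe in demo() gets through.
    if "established" in rule.opts and not (tcp and ("A" in pkt.flags or "R" in pkt.flags)):
        return False
    if "setup" in rule.opts and not (tcp and "S" in pkt.flags and "A" not in pkt.flags):
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, bool]:
    """First match wins: return (rule number, allowed?)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.num, rule.action in PASS_WORDS
    return 65535, False  # ipfw's built-in default rule

def demo() -> Dict[str, Tuple[int, bool]]:
    """Replay constructed packets through the message's ruleset, in rule order."""
    rules = sorted((parse_rule(line) for line in RULESET), key=lambda r: r.num)
    out = "198.51.100.7"  # constructed outside host
    cases = {
        "outside SYN to you:80 (web client)": Packet("tcp", out, YOU, 40000, 80, "S"),
        "outside SYN to you:22 (ssh probe)": Packet("tcp", out, YOU, 40001, 22, "S"),
        "you SYN to outside:25 (your own connection)": Packet("tcp", YOU, out, 40002, 25, "S"),
        "outside SYN/ACK replying to your SYN": Packet("tcp", out, YOU, 25, 40002, "SA"),
        "outside UDP to you:53": Packet("udp", out, YOU, 40003, 53),
        "outside bare ACK to you:22 (ACK scan)": Packet("tcp", out, YOU, 40004, 22, "A"),
    }
    return {name: evaluate(rules, pkt) for name, pkt in cases.items()}
```

Calling demo() gives the decision for each constructed packet: the web client's SYN hits rule 400, your own outbound SYN hits 375, the SYN/ACK coming back hits 350, and the SSH SYN and the UDP datagram fall through to the default deny. The last case is the caveat to keep in mind with this pattern: `established` only looks at the ACK/RST bits of the packet in hand, so a bare ACK sent from outside to a closed port also passes rule 350 even though no connection exists. That is the price of a stateless ruleset, and the reason ipfw's keep-state/check-state keywords exist for the cases where it matters.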