Date:      Sun, 4 Aug 2002 17:12:28 -0400 (EDT)
From:      "Mike" <root@unixhideout.com>
To:        <freebsd-questions@freebsd.org>
Subject:   IPFW
Message-ID:  <2678.192.168.1.10.1028495548.squirrel@email.unixhideout.com>

All these guys on here are posting about ipfw, so it got me wanting to
learn it. I got it compiled in the kernel, I made my rc.firewall; the only
problem is people can go to IRC and use other services, but they can't
view my web pages. Which one of these rules or options is blocking HTTP
access? =]

rc.conf:
#BEGIN IPFW
tcp_extensions="NO"
tcp_keepalive="YES"
tcp_restrict_rst="YES"
icmp_bmcastecho="NO"
icmp_drop_redirect="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="custom"
firewall_quiet="NO"
firewall_logging_enable="YES"
log_in_vain="NO"
#IPFW END

rc.firewall:

        # fwcmd is set to /sbin/ipfw near the top of the stock rc.firewall,
        # so it is assumed to be defined before this block
        # set these to your network and netmask and ip
        net="192.168.1.1"
        mask="255.255.255.0"
        ip="192.168.1.20"

        #LOOP
        ${fwcmd} add 10 allow ip from any to any via lo0
        ${fwcmd} add 20 deny ip from any to 127.0.0.0/8

        #Allow TCP through if setup succeeded
        ${fwcmd} add 30 pass tcp from any to any established

        #Allow access to FTPD
        ${fwcmd} add 40 pass udp from any to ${ip} 20
        ${fwcmd} add 50 pass tcp from any to ${ip} 20
        ${fwcmd} add 60 pass udp from any to ${ip} 21
        ${fwcmd} add 70 pass tcp from any to ${ip} 21

        #Allow access to OPENSSH
        ${fwcmd} add 80 pass tcp from any to ${ip} 22 setup

        #Allow access to SENDMAIL
        ${fwcmd} add 90 pass tcp from any to ${ip} 25 setup

        #Allow access to BIND
        ${fwcmd} add 100 pass tcp from any to ${ip} 53 setup

        #Allow access to HTTP
        ${fwcmd} add 110 pass tcp from any to ${ip} 80 setup

        #Allow access to POP3
        ${fwcmd} add 120 pass tcp from any to ${ip} 110 setup

        #Allow access to IDENT
        ${fwcmd} add 130 pass tcp from any to ${ip} 113 setup

        #Allow access to SAMBA
        ${fwcmd} add 140 pass udp from any to any 137
        ${fwcmd} add 150 pass tcp from any to any 137
        ${fwcmd} add 160 pass udp from any to any 138
        ${fwcmd} add 170 pass tcp from any to any 138
        ${fwcmd} add 180 pass udp from any to any 139
        ${fwcmd} add 190 pass tcp from any to any 139

        #Allow access to IMAP
        ${fwcmd} add 200 pass tcp from any to ${ip} 143 setup

        #Allow access to HTTPS
        ${fwcmd} add 210 pass tcp from any to ${ip} 443 setup

        #Allow access to MUD
        ${fwcmd} add 220 pass tcp from any to ${ip} 4000 setup

        #Allow access to JABBERD
        ${fwcmd} add 230 pass tcp from any to ${ip} 5222 setup

        #Allow access to CVSUPD
        ${fwcmd} add 240 pass tcp from any to ${ip} 5999 setup

        #Allow access to IRC
        ${fwcmd} add 250 pass tcp from any to ${ip} 6667 setup

        #Allow access to SQUID
        ${fwcmd} add 260 pass tcp from any to ${ip} 8080 setup

        #Reject&Log all setup of incoming connections from the outside
        ${fwcmd} add 270 deny log tcp from any to any in via ${ip} setup

        #Allow setup of any other TCP connection
        ${fwcmd} add 280 pass tcp from any to any setup

        #Allow DNS queries out in the world
        ${fwcmd} add 290 pass udp from ${ip} to any 53 keep-state

        #Allow NTP queries out in the world
        ${fwcmd} add 300 pass udp from ${ip} to any 123 keep-state

        #Allow setup of outgoing TCP connections only
        ${fwcmd} add 310 pass tcp from ${ip} to any setup

        #Disallow setup of all other TCP connections
        ${fwcmd} add 320 deny tcp from any to any setup

        #Everything else is denied by default
        ${fwcmd} add 65532 deny udp from any to any
        ${fwcmd} add 65533 deny icmp from any to any
        ${fwcmd} add 65534 deny log ip from any to any

The machine in question is behind a firewall router which has the IP of
192.168.1.1; it is my "gateway". The server I am allowing access to is
"192.168.1.20" and of course all the proper ports have been forwarded. It's
either one of those options in rc.conf, or a rule that's missing me...
Thanks for any help!
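Added example, not from the post and not FreeBSD's own rc.firewall: a small Python evaluator for the ipfw(8) subset this ruleset uses (protocol, from/to, destination port, in/out, via, setup, established). It applies ipfw's first-match semantics in ascending rule-number order, so a constructed packet can be traced to the rule that decides it. It loads a subset of the posted rules (the per-port "pass ... setup" rules 40-260 all have the same shape as rule 110 and are omitted); the outside client address 203.0.113.7 and the interface name rl0 are constructed assumptions, and dynamic rules created by keep-state are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
ENV = {"ip": "192.168.1.20"}   # the ${ip} variable from the posted rc.firewall

# Subset of the posted rules; the other per-port "pass ... setup" rules (40-260)
# have the same shape as 110. ipfw's implicit final rule 65535 (same effect as
# the posted 65534) is added by load_ruleset().
RULESET = """
add 10 allow ip from any to any via lo0
add 20 deny ip from any to 127.0.0.0/8
add 30 pass tcp from any to any established
add 110 pass tcp from any to ${ip} 80 setup
add 270 deny log tcp from any to any in via ${ip} setup
add 280 pass tcp from any to any setup
add 310 pass tcp from ${ip} to any setup
add 320 deny tcp from any to any setup
add 65532 deny udp from any to any
add 65533 deny icmp from any to any
"""

@dataclass
class Rule:
    number: int
    action: str                        # "allow" or "deny"
    proto: str                         # "ip" matches every protocol
    src: str                           # "any" or an address / CIDR
    dst: str
    dport: Optional[int] = None
    direction: Optional[str] = None    # "in", "out" or None (both)
    via: Optional[str] = None          # interface name or its address
    setup: bool = False                # TCP SYN without ACK
    established: bool = False          # TCP with ACK set

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    direction: str                     # "in" or "out"
    iface: str                         # interface name
    iface_addr: str                    # that interface's address
    dport: int = 0
    syn: bool = False
    ack: bool = False

def parse_rule(line: str, env: dict) -> Rule:
    """Parse the ipfw(8) subset the post uses (destination ports only)."""
    for k, v in env.items():
        line = line.replace("${%s}" % k, v).replace("$" + k, v)
    tok = line.split()
    body = 4 if tok[3] == "log" else 3            # skip the optional "log" keyword
    proto, kw_from, src, kw_to, dst = tok[body:body + 5]
    assert tok[0] == "add" and (kw_from, kw_to) == ("from", "to"), line
    action = "allow" if tok[2] in ("pass", "allow", "accept") else "deny"
    rule = Rule(int(tok[1]), action, proto, src, dst)
    opts = iter(tok[body + 5:])
    for t in opts:
        if t.isdigit():
            rule.dport = int(t)
        elif t in ("in", "out"):
            rule.direction = t
        elif t == "via":
            rule.via = next(opts)
        elif t in ("setup", "established"):
            setattr(rule, t, True)
        elif t != "keep-state":                   # dynamic (stateful) rules are not modelled
            raise ValueError("unsupported option %r in: %s" % (t, line))
    return rule

def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("ip", p.proto)
            and addr_match(r.src, p.src) and addr_match(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport)
            and (r.direction is None or r.direction == p.direction)
            and (r.via is None or r.via in (p.iface, p.iface_addr))
            and (not r.setup or (p.proto == "tcp" and p.syn and not p.ack))
            and (not r.established or (p.proto == "tcp" and p.ack)))

def load_ruleset(text: str, env: dict) -> list:
    rules = [parse_rule(l, env) for l in text.strip().splitlines()]
    rules.append(parse_rule("add 65535 deny ip from any to any", env))  # kernel default
    return sorted(rules, key=lambda r: r.number)

def verdict(rules: list, p: Packet) -> tuple:
    """ipfw walks the rules in ascending number order; the first match decides."""
    return next((r.number, r.action) for r in rules if rule_matches(r, p))

RULES = load_ruleset(RULESET, ENV)
HOST = dict(iface="rl0", iface_addr=ENV["ip"])   # interface name is an assumption
CLIENT = "203.0.113.7"                           # constructed outside address
if __name__ == "__main__":
    samples = [
        ("inbound SYN to port 80", Packet("tcp", CLIENT, ENV["ip"], "in", dport=80, syn=True, **HOST)),
        ("inbound SYN to port 3306", Packet("tcp", CLIENT, ENV["ip"], "in", dport=3306, syn=True, **HOST)),
        ("inbound ICMP echo", Packet("icmp", CLIENT, ENV["ip"], "in", **HOST)),
        ("outbound SYN to port 6667", Packet("tcp", ENV["ip"], CLIENT, "out", dport=6667, syn=True, **HOST)),
    ]
    for label, p in samples:
        print("%-26s -> rule %d %s" % ((label,) + verdict(RULES, p)))
```

Running it prints the deciding rule for each constructed packet: the inbound SYN to port 80 is accepted at rule 110, an inbound SYN to a port with no pass rule is denied and logged at 270, inbound ICMP falls through to 65533, and an outbound SYN is accepted by 280 before the more specific 310 and 320 are ever reached. Tracing a ruleset this way shows what the filter itself decides for a given packet, which is the first thing to settle when troubleshooting a host that sits behind a port-forwarding router.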