From owner-freebsd-security Tue Jan 30 02:01:09 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141]) by hub.freebsd.org (Postfix) with ESMTP id 642F937B6A4 for ; Tue, 30 Jan 2001 02:00:46 -0800 (PST)
Received: from nwl.fw.uunet.co.za ([196.31.2.162]) by lists01.iafrica.com with esmtp (Exim 3.12 #2) id 14NXac-0007XV-00; Tue, 30 Jan 2001 12:00:42 +0200
Received: (from nobody@localhost) by nwl.fw.uunet.co.za (8.8.8/8.6.9) id MAA12280; Tue, 30 Jan 2001 12:00:39 +0200 (SAST)
Received: by nwl.fw.uunet.co.za via recvmail id 11836; Tue Jan 30 11:59:10 2001
Received: from sheldonh (helo=axl.fw.uunet.co.za) by axl.fw.uunet.co.za with local-esmtp (Exim 3.20 #1) id 14NXZ8-0001fz-00; Tue, 30 Jan 2001 11:59:10 +0200
From: Sheldon Hearn
To: Pete Fritchman
Cc: John Telford, freebsd-security@freebsd.org
Subject: Re: IPFW modify the "simple" rule set 4.2 to allow ...
In-reply-to: Your message of "Wed, 24 Jan 2001 10:46:31 EST." <20010124104631.B4887@databits.net>
Date: Tue, 30 Jan 2001 11:59:10 +0200
Message-ID: <6446.980848750@axl.fw.uunet.co.za>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 24 Jan 2001 10:46:31 EST, Pete Fritchman wrote:

> You'll need to modify /etc/rc.firewall. Look through until you see something
> like:

This isn't ideal.

Rather, allow the system to boot with firewall_type="simple" in
/etc/rc.conf. Then use ipfw(8) to show the ruleset in place. Then copy
these rules into /etc/firewall.local or whatever. Then set
firewall_type="/etc/firewall.local" or whatever.

Here's what my /etc/firewall.axl looks like:

-------------------------
-f flush

add allow ip from any to any via lo0
add deny log ip from any to 127.0.0.0/8

# These two rules save over-use of dynamic rules instantiated by the
# 'keep-state' rule at the bottom.
#
add allow tcp from 172.16.3.5 to 172.16.0.1 domain
add allow tcp from 172.16.0.1 domain to 172.16.3.5

add allow tcp from 172.16.0.1 to 172.16.3.5 smtp
add allow tcp from 172.16.3.5 smtp to 172.16.0.1

add allow tcp from any to 172.16.3.5 ssh
add allow tcp from 172.16.3.5 ssh to any

# The next six rules open up enough to allow Samba (NTLM sharing) access
# from remote hosts.
#
add allow udp from 172.16.0.0/15 to 172.16.3.5 137
add allow udp from 172.16.3.5 137 to 172.16.0.0/15
add allow udp from 172.16.0.0/15 to 172.16.3.5 138
add allow udp from 172.16.3.5 138 to 172.16.0.0/15
add allow tcp from 172.16.0.0/15 to 172.16.3.5 139
add allow tcp from 172.16.3.5 139 to 172.16.0.0/15

# This is the rule that allows any kind of OUTBOUND connection to be
# established and then used, given the net.inet.ip.fw lifetime values.
#
add allow all from 172.16.3.5 to any keep-state
-------------------------

The '-f flush' allows me to make changes to the file and then reload it
using the command "ipfw /etc/firewall.axl" whenever I feel like it, but I
think that flushes dynamic rules as well, so use with caution.

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
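The procedure in Sheldon's message (dump the running ruleset with ipfw(8), copy it into a file, reload that file) is easy to get subtly wrong when the copied lines are edited by hand. The script below is an added example, not part of the thread or of FreeBSD: it parses a ruleset in the file form shown above (and, going one step beyond the message, the numbered form that `ipfw list` prints, so the dumped output can be checked before it is turned into a file), then answers "which rule would a given packet hit first?" under ipfw's first-match semantics. It models only the static rules; it does not model the dynamic entries that `keep-state` creates, and it treats the interface in a `via` clause as matching only when the caller names the interface explicitly. The ruleset text is the one posted above, embedded inline so the script runs offline; the packets used in the comments are constructed.

```python
"""Parse an ipfw(8) ruleset file and simulate first-match rule lookup.

Added example, not FreeBSD code.  Static rules only; keep-state dynamics and
rule options other than 'via' are recorded but not evaluated.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Service names appearing in the posted ruleset, resolved as /etc/services would.
SERVICES = {"domain": 53, "smtp": 25, "ssh": 22}
# Tokens that start the option part of a rule (so they are not read as a port).
OPTION_KEYWORDS = {"via", "keep-state", "in", "out", "recv", "xmit", "setup", "established"}

# The ruleset from the message, verbatim (comments included to exercise the parser).
RULESET = """\
-f flush
add allow ip from any to any via lo0
add deny log ip from any to 127.0.0.0/8
# These two rules save over-use of dynamic rules instantiated by the
# 'keep-state' rule at the bottom.
add allow tcp from 172.16.3.5 to 172.16.0.1 domain
add allow tcp from 172.16.0.1 domain to 172.16.3.5
add allow tcp from 172.16.0.1 to 172.16.3.5 smtp
add allow tcp from 172.16.3.5 smtp to 172.16.0.1
add allow tcp from any to 172.16.3.5 ssh
add allow tcp from 172.16.3.5 ssh to any
add allow udp from 172.16.0.0/15 to 172.16.3.5 137
add allow udp from 172.16.3.5 137 to 172.16.0.0/15
add allow udp from 172.16.0.0/15 to 172.16.3.5 138
add allow udp from 172.16.3.5 138 to 172.16.0.0/15
add allow tcp from 172.16.0.0/15 to 172.16.3.5 139
add allow tcp from 172.16.3.5 139 to 172.16.0.0/15
add allow all from 172.16.3.5 to any keep-state
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    sport: Optional[int]                   # None means any port
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    log: bool = False
    options: List[str] = field(default_factory=list)
    number: Optional[int] = None           # set when parsing `ipfw list` output

    @property
    def iface(self) -> Optional[str]:
        """Interface named by a 'via' clause, if any."""
        return self.options[self.options.index("via") + 1] if "via" in self.options else None


def parse_port(tok: str) -> int:
    if tok.isdigit():
        return int(tok)
    if tok in SERVICES:
        return SERVICES[tok]
    raise ValueError(f"unknown service name: {tok}")


def parse_addr(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Accepts 'add ACTION ...' (file form) or 'NNNNN ACTION ...' (ipfw list form)."""
    toks = line.split()
    number = None
    if toks[0] == "add":
        toks.pop(0)
    if toks[0].isdigit():
        number = int(toks.pop(0))
    action = toks.pop(0)
    log = toks[0] == "log"
    if log:
        toks.pop(0)
    proto = toks.pop(0)
    if toks.pop(0) != "from":
        raise ValueError(f"expected 'from': {line}")
    src = parse_addr(toks.pop(0))
    sport = parse_port(toks.pop(0)) if toks[0] != "to" else None
    if toks.pop(0) != "to":
        raise ValueError(f"expected 'to': {line}")
    dst = parse_addr(toks.pop(0))
    dport = parse_port(toks.pop(0)) if toks and toks[0] not in OPTION_KEYWORDS else None
    return Rule(action, proto, src, sport, dst, dport, log, toks, number)


def load_ruleset(text: str) -> Tuple[List[str], List[Rule]]:
    """Split a ruleset into leading directives (e.g. '-f flush') and rules."""
    directives, rules = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        (directives if line.startswith("-") else rules).append(
            line if line.startswith("-") else parse_rule(line))
    return directives, rules


def matches(rule: Rule, proto: str, src: str, sport: int, dst: str, dport: int,
            iface: Optional[str] = None) -> bool:
    if rule.proto not in ("ip", "all") and rule.proto != proto:
        return False
    if rule.src is not None and ipaddress.ip_address(src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(dst) not in rule.dst:
        return False
    if rule.sport is not None and rule.sport != sport:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.iface is not None and rule.iface != iface:
        return False
    return True


def first_match(rules: List[Rule], *pkt, **kw) -> Tuple[Optional[int], Optional[Rule]]:
    """Return (index, rule) of the first matching static rule, or (None, None)
    when the packet would fall through to the kernel's default rule."""
    for idx, rule in enumerate(rules):
        if matches(rule, *pkt, **kw):
            return idx, rule
    return None, None


if __name__ == "__main__":
    directives, rules = load_ruleset(RULESET)
    if "-f flush" in directives:
        print("note: reloading this file flushes dynamic (keep-state) entries too")
    # Constructed packets: inbound ssh, inbound http, outbound http.
    for pkt in [("tcp", "10.1.2.3", 40000, "172.16.3.5", 22),
                ("tcp", "10.1.2.3", 40000, "172.16.3.5", 80),
                ("tcp", "172.16.3.5", 51000, "198.51.100.7", 80)]:
        idx, rule = first_match(rules, *pkt)
        print(pkt, "->", "default rule" if rule is None else f"rule {idx}: {rule.action}")
```

Running it shows the point of the two static pairs in the message: an inbound connection to port 22 is decided by the static ssh rule long before the `keep-state` rule is reached, while a connection to port 80 matches nothing and is left to the kernel's default rule. The `-f flush` directive is returned separately from the rules so that a deployment script can warn, as Sheldon does, that a reload with it discards the dynamic state as well.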