Date: Mon, 8 Dec 2008 16:33:58 +0100
From: Mel <fbsd.questions@rachie.is-a-geek.net>
To: freebsd-questions@freebsd.org, gwg7webbcom@yahoo.com
Subject: Re: IPFW Firewall Question
Message-ID: <200812081634.01296.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <198267.54082.qm@web52209.mail.re2.yahoo.com>
References: <198267.54082.qm@web52209.mail.re2.yahoo.com>
On Friday 05 December 2008 20:29:40 G magicman wrote:
> I have tried this it did not work and the Co-Lo people are convinced that
> sshd and sendmail need to be run out of inetd.conf for this to work.

That wouldn't explain sshd being linked against libwrap. Did you comment:

# The rules here work on a "First match wins" basis.
ALL : ALL : allow

> As I said I am used to BSDI and the Finnish SSHD

Hehe, I remember having libwrap as backup, cause the firewall's
pre-in/pre-out/in/out concepts were confusing at times.

Anyway, I'll give you a pf example, maybe someone with ipfw skills will pick
it up and translate, or you can kldload pf and use that ;)

<Assuming 7.0 or higher, so that keep state is implicit>
===============
openports="{ 11, 21, 22, 23, 25, 37, 42, 43, 53, 63, 69, 70, 80, 101, 109, 110, 115, 119, 123, 143, 443, 4321, 50001 }"
table <trusted> persist { 209.131.0.0/16, 66.65.0.0/16, 71.173.96.0/19, \
71.173.128.0/17, blabla }
table <spammers> persist file "/etc/pf/spammers.table"
ext_if="bge0" # External interface

# Rules, last match wins
block in all
pass in from <trusted> to any
pass in on $ext_if proto {tcp, udp} from any to ($ext_if) port $openports
block in on $ext_if from <spammers> to any port 25
===============

The file /etc/pf/spammers.table can then be filled with one CIDR per line,
easy to maintain/fail and possible to have the file maintained by grok or
alike automation scripts. The file is only read on start up, but the table
can be maintained 'live', using pfctl -T commands.

Hope this helps.
-- 
Mel

Problem with today's modular software: they start with the modules and never
get to the software part.
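The "maintain the table live with pfctl -T" workflow from the mail above, as an added example that is not part of Mel's message: it parses a spammers table file in pf's one-CIDR-per-line format, diffs it against the running table, and builds the pfctl add/delete invocations. The broad-prefix guard (min_prefix) and the sample LIVE/FILE contents are my own assumptions, not pf behaviour.

```python
# Added example (not from the original mail): keep the <spammers> table in
# step with /etc/pf/spammers.table without a reload, via pfctl -T add/delete.
import ipaddress
import subprocess

def parse_table_file(text, min_prefix=16):
    """Parse pf's table-file syntax: one address/CIDR per line, '#' comments.
    Reject malformed lines, entries with host bits set, and prefixes shorter
    than /min_prefix (assumed guard): a stray 0.0.0.0/0 in a table that is
    used to block port 25 would silently drop all inbound mail."""
    nets = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry)  # strict: host bits set -> ValueError
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r}: {exc}") from None
        if net.prefixlen < min_prefix:
            raise ValueError(f"line {lineno}: {entry!r} is broader than /{min_prefix}")
        nets.add(net)
    return nets

def plan_sync(live, wanted):
    """Return (to_add, to_delete) as sorted CIDR strings."""
    return sorted(map(str, wanted - live)), sorted(map(str, live - wanted))

def pfctl_commands(table, to_add, to_delete):
    """Build the pfctl argv lists; nothing is executed here."""
    cmds = []
    if to_add:
        cmds.append(["pfctl", "-t", table, "-T", "add", *to_add])
    if to_delete:
        cmds.append(["pfctl", "-t", table, "-T", "delete", *to_delete])
    return cmds

def live_table(table):
    """Read the running table with 'pfctl -t <table> -T show' (needs root)."""
    out = subprocess.run(["pfctl", "-t", table, "-T", "show"],
                         check=True, capture_output=True, text=True).stdout
    return parse_table_file(out)

# Constructed sample data: what is loaded now vs. what the file now says.
LIVE = "192.0.2.0/24\n198.51.100.7\n"
FILE = "# updated by an automation script\n192.0.2.0/24\n203.0.113.0/25\n"

if __name__ == "__main__":
    adds, dels = plan_sync(parse_table_file(LIVE), parse_table_file(FILE))
    for cmd in pfctl_commands("spammers", adds, dels):
        print(" ".join(cmd))  # swap for subprocess.run(cmd, check=True) to apply
```

On a real host, replace parse_table_file(LIVE) with live_table("spammers") so the diff is taken against what pf is actually enforcing.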