Date: Wed, 21 Jan 2004 13:26:10 +0000
From: Marc Silver <marcs@draenor.org>
To: freebsd-ipfw@freebsd.org
Subject: dialup firewalling
Message-ID: <20040121132610.GX70495@draenor.org>
Hi guys and gals,

The short story: I wrote an article a while back about dialup firewalling with FreeBSD, and after an update was made to the article a few months back by another individual it's been slightly broken. I am currently working on fixing this document and getting it more up to date, and was hoping to run the following ruleset past all of you. The problem is mostly that I no longer have a dialup connection to test this with, so I was hoping to ask opinions on whether or not the following rulebase would work:

# Path to the ipfw binary, as rc.firewall sets it.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all connections that we initiate, and keep their state,
# but deny established connections that don't have a dynamic rule.
$fwcmd add check-state
$fwcmd add allow ip from me to any keep-state
$fwcmd add deny tcp from any to any established

# Allow internet users to connect to ports 22 and 80 on my machine.
# This example specifically allows connections to the sshd and a
# webserver.
$fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state

# Allow ICMP packets: remove type 8 if you don't want your host
# to be pingable.
$fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14

# Deny and log everything else.
$fwcmd add deny log ip from any to any

Now, if my knowledge of ipfw2 is correct, this should allow everything out, and should only allow ports 22 and 80 in. It'll also allow ICMP. Simple enough, but am I correct in my assumptions?

Any help would be highly appreciated as I would like to correct the article as soon as possible.

Thanks again,
Marc

p.s. please reply to me as I am not subscribed to this list.
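As an added illustration (not part of Marc's message or of the article), a small Python model that walks the rules above in order over constructed traffic, to check the assumption that everything goes out and only 22 and 80 come in. It assumes a constructed tun0 address and peer address, and leaves the natd divert out of the walk.

```python
from dataclasses import dataclass

ME = "203.0.113.5"  # constructed: the address tun0 holds after dial-up

@dataclass(frozen=True)
class Pkt:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    setup: bool = False   # TCP SYN without ACK; any other TCP packet counts as "established"
    icmptype: int = -1

class Firewall:
    """Walks the rules in the order the message lists them (natd divert omitted)."""
    ALLOWED_ICMP = {0, 3, 8, 11, 12, 13, 14}

    def __init__(self):
        self.dynamic = set()  # flows remembered by keep-state, consulted by check-state
        self.logged = []      # packets that reach the final "deny log" rule

    @staticmethod
    def flow(p):              # direction-independent key for a dynamic rule
        return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))

    def filter(self, p):
        if self.flow(p) in self.dynamic:                      # add check-state
            return "allow"
        if p.src == ME:                                       # add allow ip from me to any keep-state
            self.dynamic.add(self.flow(p)); return "allow"
        if p.proto == "tcp" and not p.setup:                  # add deny tcp from any to any established
            return "deny"
        if p.proto == "tcp" and p.dst == ME and p.dport in (22, 80):  # ... dst-port 22,80 setup keep-state
            self.dynamic.add(self.flow(p)); return "allow"
        if p.proto == "icmp" and p.icmptype in self.ALLOWED_ICMP:     # add allow icmp ... icmptypes ...
            return "allow"
        self.logged.append(p)                                 # add deny log ip from any to any
        return "deny"

def demo():
    """Constructed traffic; returns each packet's verdict and how many packets were logged."""
    fw, peer = Firewall(), "198.51.100.7"
    verdicts = {
        "outbound smtp":   fw.filter(Pkt("tcp", ME, peer, 40000, 25, setup=True)),
        "smtp reply":      fw.filter(Pkt("tcp", peer, ME, 25, 40000)),
        "inbound ssh":     fw.filter(Pkt("tcp", peer, ME, 50000, 22, setup=True)),
        "inbound telnet":  fw.filter(Pkt("tcp", peer, ME, 50001, 23, setup=True)),
        "unsolicited ack": fw.filter(Pkt("tcp", peer, ME, 80, 40001)),
        "ping":            fw.filter(Pkt("icmp", peer, ME, icmptype=8)),
        "inbound dns":     fw.filter(Pkt("udp", peer, ME, 53, 53)),
    }
    return verdicts, len(fw.logged)
```

Note that the unsolicited ACK is dropped by the "established" rule, which has no log keyword, so only the telnet SYN and the UDP packet show up in the log.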