From: Marc Silver
To: freebsd-ipfw@freebsd.org
Date: Wed, 21 Jan 2004 13:26:10 +0000
Message-ID: <20040121132610.GX70495@draenor.org>
Subject: dialup firewalling

Hi guys and gals,

The short story: I wrote an article a while back about dialup firewalling with FreeBSD, and after an update was made to the article a few months back by another individual it's been slightly broken. I am currently working on fixing this document and getting it more up to date, and was hoping to run the following ruleset past all of you.

The problem is mostly that I no longer have a dialup connection to test this with, so I was hoping to ask opinions on whether or not the following rulebase would work:

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all connections that we initiate, and keep their state,
# but deny established connections that don't have a dynamic rule.
$fwcmd add check-state
$fwcmd add allow ip from me to any keep-state
$fwcmd add deny tcp from any to any established

# Allow internet users to connect to the port 22 and 80 on my machine.
# This example specifically allows connections to the sshd and a
# webserver.
$fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state

# Allow ICMP packets: remove type 8 if you don't want your host
# to be pingable.
$fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14

# Deny and log everything else.
$fwcmd add deny log ip from any to any

Now, if my knowledge of ipfw2 is correct, this should allow everything out, and should only allow ports 22 and 80 in. It'll also allow ICMP. Simple enough, but am I correct in my assumptions?

Any help would be highly appreciated as I would like to correct the article as soon as possible.

Thanks again,
Marc

p.s. please reply to me as I am not subscribed to this list.
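As an added check (example code, not from the post and not FreeBSD's ipfw code): a small Python evaluator for the ipfw2 syntax this ruleset uses, which replays the claims above (everything out, only 22 and 80 in, ICMP allowed) packet by packet. It skips the natd divert rule and models keep-state/check-state with an in-memory flow table, so it covers the host's own traffic only, not translated LAN clients; ME and the peer address 198.51.100.7 are constructed placeholders.

```python
ME = "192.0.2.10"  # constructed placeholder for the tun0 address
RULESET = """add check-state
add allow ip from me to any keep-state
add deny tcp from any to any established
add allow tcp from any to me dst-port 22,80 setup keep-state
add allow icmp from any to any icmptypes 0,3,8,11,12,13,14
add deny log ip from any to any"""

def parse_rule(line):
    w = [ME if t == "me" else t for t in line.split() if t != "log"]  # "log" never affects matching
    rule = {"action": w[1], "opts": set()}
    if w[1] != "check-state":
        rule.update(proto=w[2], src=w[4], dst=w[6])
        it = iter(w[7:])
        for tok in it:  # options: value lists (dst-port, icmptypes) or bare flags
            if tok in ("dst-port", "icmptypes"):
                rule[tok] = {int(v) for v in next(it).split(",")}
            else:
                rule["opts"].add(tok)
    return rule

def matches(rule, pkt):
    # setup = SYN without ACK; established = ACK or RST bit set (ipfw semantics)
    lists = (("dst-port", "dport"), ("icmptypes", "icmptype"))
    return (rule["proto"] in ("ip", pkt["proto"])
            and rule["src"] in ("any", pkt["src"]) and rule["dst"] in ("any", pkt["dst"])
            and all(pkt.get(p) in rule[k] for k, p in lists if k in rule)
            and all(pkt.get(o) for o in rule["opts"] & {"setup", "established"}))

def evaluate(pkt, rules, state):
    fwd = (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
    for rule in rules:                       # first matching rule wins
        if rule["action"] == "check-state":  # dynamic rule for this flow, either direction
            if fwd in state or fwd[:1] + fwd[3:] + fwd[1:3] in state:
                return "allow"
        elif matches(rule, pkt):
            if "keep-state" in rule["opts"]:  # record the flow for later check-state
                state.add(fwd)
            return rule["action"]
    return "deny"  # ipfw's implicit final deny

def run_scenario():  # replay the post's claims: everything out, only 22/80 in, ICMP in
    rules, st, peer = [parse_rule(l) for l in RULESET.splitlines()], set(), "198.51.100.7"
    tcp = lambda src, sp, dst, dp, **f: dict(proto="tcp", src=src, sport=sp, dst=dst, dport=dp, **f)
    icmp = lambda t: dict(proto="icmp", src=peer, dst=ME, icmptype=t)
    return {"out_https": evaluate(tcp(ME, 40000, peer, 443, setup=True), rules, st),
            "reply_https": evaluate(tcp(peer, 443, ME, 40000, established=True), rules, st),
            "in_ssh": evaluate(tcp(peer, 51000, ME, 22, setup=True), rules, st),
            "in_smtp": evaluate(tcp(peer, 51001, ME, 25, setup=True), rules, st),
            "in_ack_no_state": evaluate(tcp(peer, 51002, ME, 25, established=True), rules, st),
            "in_echo_request": evaluate(icmp(8), rules, st),
            "in_redirect": evaluate(icmp(5), rules, st)}
```

The "in_ack_no_state" case is the one the comment about established connections without a dynamic rule refers to: it is dropped by the deny-established rule before the port 22/80 rule is ever consulted.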