From: SigmaX
Date: Mon, 21 Feb 2005 20:14:35 -0600
To: freebsd-questions@freebsd.org
Cc: Paul Schmehl
Subject: Re: IPFW config

Paul Schmehl wrote:
> ----- Original Message -----
> From: "SigmaX"
> To:
> Sent: Monday, February 21, 2005 12:01 PM
> Subject: IPFW config
>
>> Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the
>> default SSH port, right?)
>> Then start IPFW with the kernel module (I know how to do this)
>
> fwcmd=/sbin/ipfw
> myip=x.x.x.x
> mymask=255.255.255.0
>
> # setup_loopback comes from /etc/rc.firewall; when this file is run on
> # its own the function has to be defined here (same rules as rc.firewall)
> setup_loopback () {
>         ${fwcmd} add 100 pass all from any to any via lo0
>         ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>         ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
> }
> setup_loopback
>
> # Allow icmp
> ${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via xl0
>
> # Setup dynamic rules
> ${fwcmd} add check-state
> ${fwcmd} add deny tcp from any to any via xl0 established
>
> # Allow DNS queries out to the world
> ${fwcmd} add allow udp from ${myip} to any via xl0 keep-state
> ${fwcmd} add deny udp from any to any
>
> # Allow all outbound traffic
> ${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state
>
> # Allow inbound http, ssh and port 10000
> ${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state
> ${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state
> ${fwcmd} add allow tcp from any to ${myip} 10000 via xl0 setup keep-state
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag via xl0
>
> # Deny everything else
> ${fwcmd} add deny ip from any to any via xl0
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/

Well... *ahem*... I put the above script into /etc/ipfw.rules and did
"kldload ipfw.ko && sh /etc/ipfw.rules". I lost connectivity to the
server. Did the above script only open those ports to localhost or
something? I can go in tonight and fix it from the local computer, but
I'd like to know what to do when I get there. I need to have connectivity
to said ports from the internet... apparently I don't :-P.

Cheerio,
SigmaX

--
Registered Linux Freak #: 366,862
"If you think of MS-DOS as mono, and Windows as stereo, then Linux is
Dolby Pro-Logic Surround Sound with Bass Boost and all the music is free."
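As an added illustration that is not part of either poster's message, here is a small Python model of how the quoted ruleset's check-state, "deny tcp ... established" and "setup keep-state" rules treat packets: a session that was already open when the rules were loaded has no dynamic rule and is dropped by the established rule, while a fresh SYN to port 22 creates state and gets through. The addresses and ports are constructed, and TCP is reduced to its SYN/ACK bits (ipfw's established also matches RST); the model is an assumption about the ruleset's behaviour, not ipfw itself.

```python
from dataclasses import dataclass, field

MYIP = "192.0.2.10"               # stands in for the poster's x.x.x.x
INBOUND_TCP = {80, 22, 10000}     # http, ssh and 10000 from the ruleset

@dataclass(frozen=True)
class Pkt:
    proto: str                    # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    def key(self):
        # one dynamic rule matches both directions of a flow, as in ipfw
        return (self.proto, frozenset({(self.src, self.sport), (self.dst, self.dport)}))

@dataclass
class Firewall:
    state: set = field(default_factory=set)   # the dynamic rule table

    def filter(self, p: Pkt) -> str:
        key = p.key()
        if key in self.state:                 # add check-state
            return "allow"
        if p.proto == "tcp" and p.ack:        # deny tcp ... established:
            return "deny"                     # ACK but no state -> dropped
        if p.proto == "udp":                  # allow udp from myip keep-state,
            if p.src == MYIP:                 # then deny udp from any to any
                self.state.add(key)
                return "allow"
            return "deny"
        setup = p.syn and not p.ack           # 'setup' matches a bare SYN
        if setup and (p.src == MYIP or (p.dst == MYIP and p.dport in INBOUND_TCP)):
            self.state.add(key)               # outbound, or inbound http/ssh/10000,
            return "allow"                    # ... setup keep-state
        return "deny"                         # deny ip from any to any

def scenarios() -> dict:
    fw, client = Firewall(), "198.51.100.7"   # constructed client address
    # SSH session opened before the rules were loaded: ACK set, no dynamic rule
    old_ssh = Pkt("tcp", client, MYIP, 50000, 22, ack=True)
    syn = Pkt("tcp", client, MYIP, 50001, 22, syn=True)   # fresh connection afterwards
    data = Pkt("tcp", client, MYIP, 50001, 22, ack=True)
    reply = Pkt("tcp", MYIP, client, 22, 50001, ack=True)
    telnet = Pkt("tcp", client, MYIP, 50002, 23, syn=True)  # 23 was never opened
    return {"old_ssh": fw.filter(old_ssh), "new_syn": fw.filter(syn),
            "new_data": fw.filter(data), "reply": fw.filter(reply), "telnet": fw.filter(telnet)}
```

The practical consequence for a remote change: the shell the rules are loaded from is itself an "old" session, so only a reconnect (or a timed flush to fall back on) keeps you in control of the box.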