From: "Paul Schmehl" (pauls@utdallas.edu)
To: "SigmaX", freebsd-questions@freebsd.org
Date: Sun, 20 Feb 2005 21:56:47 -0600
Subject: Re: IPFW config
Message-ID: <069601c517c9$5df48b20$6702a8c0@George>

----- Original Message -----
From: "SigmaX"
Cc: "Paul Schmehl"
Sent: Monday, February 21, 2005 8:14 PM
Subject: Re: IPFW config

> Well... *ahem*... I put the above script into /etc/ipfw.rules and did
> "kldload ipfw.ko && sh /etc/ipfw.rules". I lost connectivity to the
> server.

Geez, I thought you learned from the first time....

> Did the above script only open those ports to localhost or
> something?

It was meant to be an example for you to work from.
It's taken from a working example that I use on several servers, altered to
meet the requirements you gave in your post.

First of all, you should *never* work on a firewall config remotely.
Secondly, the expectation is that you will take information given here and
use it with a grain of salt.

Try this. Sitting at the console in front of the computer, enable the
firewall:

% ipfw enable firewall

This will block all access to the computer. Now type this at the command
line:

% ipfw add allow tcp from any to (type in the computer's IP address here) ssh

Now ssh to some other computer that you have access to and back to this
computer and see if you don't get in. (Note that the assumption is that you
have not yet configured /etc/hosts.allow to deny access from the computer
you're ssh'ing back to this computer from.)

Look at the /etc/rc.firewall script. Read man ipfw carefully. Don't forget
that you must enable the firewall in the /etc/rc.conf file, but you must
*also* define what *type* of firewall it is. Here's an example:

firewall_enable="YES"
firewall_logging_enable="YES"
firewall_quiet="NO"
firewall_script="/etc/rc.firewall"
firewall_type="CLIENT"

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
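The following is an added example and is not Paul's script, the poster's /etc/ipfw.rules, or any part of the FreeBSD base system. It is a small POSIX sh script that generates the kind of minimal rule set Paul describes (loopback allowed, ssh allowed to the host's own address, everything else denied and logged), validates the address before emitting anything, and refuses to load the rules unless it is run from a console tty, which is the scripted form of his "never work on a firewall config remotely". The rule numbers, the 192.0.2.10 address used in the usage note, the function names and the console check are assumptions of this example, not anything from the thread. The ssh rule uses keep-state so that the reply direction of the ssh session is covered as well as the inbound SYN.

```shell
#!/bin/sh
# Added example (not the list poster's code): build a minimal default-deny
# IPFW rule set that keeps ssh reachable on one address, and only load it
# from a console session. Assumes FreeBSD ipfw(8) rule syntax and that
# "ssh" resolves through /etc/services.

# Accept only a dotted-quad IPv4 address (four octets, each 0-255).
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set for the given host address. Rule numbers are an
# assumption of this example; only the relative order matters.
ipfw_ruleset() {
    host=$1
    valid_ipv4 "$host" || { echo "ipfw_ruleset: bad address '$host'" >&2; return 1; }
    cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 01000 allow tcp from any to $host ssh setup keep-state
add 01100 allow tcp from $host to any setup keep-state
add 01200 allow udp from $host to any 53 keep-state
add 65000 deny log ip from any to any
EOF
}

# True when the current session is a local console (/dev/ttyv* or
# /dev/console), i.e. a lockout would not cut off the operator.
on_console() {
    case "$(tty 2>/dev/null)" in
        /dev/ttyv*|/dev/console) return 0 ;;
        *) return 1 ;;
    esac
}

# Flush the running rules and load the generated set. Refuses to run from
# an ssh or other non-console session.
apply_ruleset() {
    on_console || { echo "refusing to load rules from a non-console session" >&2; return 1; }
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw(8) not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    ipfw_ruleset "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    ipfw -q -f flush && ipfw -q "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}
```

To review the rules without touching the firewall, source the file and run `ipfw_ruleset 192.0.2.10`; to load them, sit at the console and run `apply_ruleset 192.0.2.10`. The two-rule ssh pair (inbound to the host's address, outbound from it) plus keep-state is what distinguishes this from a single `allow tcp from any to <ip> ssh` line: with a default-deny last rule the session's reply packets need a matching rule or a dynamic state entry, or the connection still stalls.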