Date:      Thu, 16 Jan 2003 16:05:07 -0700
From:      Nate Williams <nate@yogotech.com>
To:        "."@babolo.ru
Cc:        Josh Brooks <user@mail.econolodgetulsa.com>, Sean Chittenden <sean@chittenden.org>, freebsd-hackers@FreeBSD.ORG, nate@yogotech.com
Subject:   Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID:  <15911.15011.409213.712266@emerger.yogotech.com>
In-Reply-To: <200301162254.h0GMsfLs001559@aaz.links.ru>
References:  <20030116124254.J9642-100000@mail.econolodgetulsa.com> <200301162254.h0GMsfLs001559@aaz.links.ru>

> Try this simple ruleset:
> 
> possible deny log tcp from any to any setup tcpoptions !mss
> 
> ipfw add allow ip from any to any out
> ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> ipfw add deny log ip from any to any

I'd limit these to the outside interface, for performance reasons.


# Whatever the interface is...
outif="fxp0"
ipfw add allow ip from any to any out via ${outif}
ipfw add allow ip from any to your.c.net{x,y,z,so on...} via ${outif}
ipfw add deny log ip from any to any via ${outif}

etc...

Or, you could do:
# The internal interface is not filtered
intif="fxp1"
ipfw add allow all from any to any via ${intif}

# Everything else only applies to the external interface
ipfw add allow ip from any to any out
ipfw add allow ip from any to your.c.net{x,y,z,so on...}
ipfw add deny log ip from any to any



Nate
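
The second variant above, written out as an added example (this is not code from the original message or from the FreeBSD project): a small sh script that emits a complete ipfw command file in that shape, so it can be reviewed and then loaded in one go with `ipfw -q -f /path/to/file`. The interface names, the 192.0.2.0/24 host addresses and the rule numbers are assumptions for illustration; the loopback rule and the `ipfw -q -f` loading step are additions of this example. The point it makes concrete is the first-match ordering: once rule 200 passes everything on the internal interface, no later rule can ever see internal-interface traffic, so the external rules need no `via` qualifier.

```shell
#!/bin/sh
# Added example, not part of the original message. Emits an ipfw command
# file to stdout in the shape of the "internal interface is not filtered"
# ruleset. Interface names, rule numbers and the 192.0.2.0/24 addresses
# are assumptions for illustration.
#
# Usage: gen_ruleset OUTIF INTIF NET/24 LASTOCTET... > /etc/ipfw.rules
#        ipfw -q -f /etc/ipfw.rules      # -f: no prompt on "flush"

gen_ruleset() {
    outif=$1; intif=$2; net=$3; shift 3
    # Build the {a,b,c} last-octet list for ipfw's addr/masklen{list} syntax.
    hosts=$(printf '%s,' "$@"); hosts=${hosts%,}

    echo 'flush'
    # Loopback is never filtered.
    echo 'add 100 allow ip from any to any via lo0'
    # The internal interface is not filtered. ipfw stops at the first match,
    # so every rule after this one only ever sees traffic on ${outif}.
    echo "add 200 allow ip from any to any via ${intif}"
    # Optional rule from the quoted post: drop TCP SYNs carrying no MSS option.
    echo 'add 300 deny log tcp from any to any setup tcpoptions !mss'
    # Anything leaving, and anything destined for the published hosts.
    echo 'add 400 allow ip from any to any out'
    echo "add 500 allow ip from any to ${net}{${hosts}}"
    # Log and drop everything else. "log" needs net.inet.ip.fw.verbose=1 and
    # is rate-limited by net.inet.ip.fw.verbose_limit.
    echo 'add 600 deny log ip from any to any'
}

# Number of "add" lines a given argument set produces; a quick sanity check
# before loading the file into the kernel.
rule_count() {
    gen_ruleset "$@" | grep -c '^add '
}

if [ "$#" -ge 4 ]; then
    gen_ruleset "$@"
fi
```

Because `${outif}` never appears in a rule, the script only works on a box with exactly those two interfaces plus lo0; a third interface would fall through to rules 300-600 as if it were the outside.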
