From owner-freebsd-questions@FreeBSD.ORG  Mon Aug 27 14:54:08 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8C79B16A419
	for <freebsd-questions@freebsd.org>;
	Mon, 27 Aug 2007 14:54:08 +0000 (UTC)
	(envelope-from dan@dan.emsphone.com)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101])
	by mx1.freebsd.org (Postfix) with ESMTP id 321E513C45B
	for <freebsd-questions@freebsd.org>;
	Mon, 27 Aug 2007 14:54:08 +0000 (UTC)
	(envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost)
	by dan.emsphone.com (8.14.1/8.14.1) id l7REs75p011580;
	Mon, 27 Aug 2007 09:54:07 -0500 (CDT) (envelope-from dan)
Date: Mon, 27 Aug 2007 09:54:07 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Aminuddin <amin.scg@gmail.com>
Message-ID: <20070827145406.GB71842@dan.emsphone.com>
References: <20070826061435.GD25055@dan.emsphone.com>
	<46d27138.07ec720a.0343.ffffbba7@mx.google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <46d27138.07ec720a.0343.ffffbba7@mx.google.com>
X-OS: FreeBSD 7.0-CURRENT
User-Agent: Mutt/1.5.16 (2007-06-09)
Cc: freebsd-questions@freebsd.org
Subject: Re: How to block 200K ip addresses?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2007 14:54:08 -0000

In the last episode (Aug 27), Aminuddin said:
> Will give this a try. Since my server is a remote server that I can
> accessed only by ssh, what are other rules do I need to add in? I
> don't want to have a situation where I will lock myself out.

The safest method is to have a serial console configured, so even if
you completely mess up your firewall you can still get to it. 
Otherwise, add some rules as the very beginning that permit traffic
to/from the server you are ssh'ing in from, and start off using "count
log" rules instead of "deny", so you can tell which packets are being
matched.
 
> Is it correct to say that the rules that I put in will only block
> those in the rules and allow all that are not in the rules?

ipfw always has a final rule 65536, which is either "allow ip from any
to any" or "deny ip from any to any" depending on whether the kernel
option "IPFIREWALL_DEFAULT_TO_ACCEPT" was set or not.

-- 
	Dan Nelson
	dnelson@allantgroup.com