Date: Mon, 5 Feb 2001 17:15:19 -0000
From: "G D McKee" <freebsd@gdmckee.com>
To: "freebsd-questions" <freebsd-questions@FreeBSD.ORG>
Subject: FIREWALL - IPFW & NATD
Message-ID: <002601c08f97$378d1380$0500a8c0@gdmckee.local>
Hi,

I want to build a firewall that enables everything to go out, but only accepts connections in for ports 22 and 25, and any port that gets initiated from inside the local LAN. I trust this is not at all hard. I was looking down the rc.firewall file and the second section in here seems to be pretty much what I want. How can I enable this? I need to add a line into /etc/rc.conf, but what is it? I got most of this from the dial-up firewall. Will it do as I require?

# Firewall rules
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via ep0

# Allow all data from my network card and localhost. Make sure you
# change your network card (mine was fxp0) before you reboot. :)
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via ep1

# Allow all connections that I initiate.
$fwcmd add allow tcp from any to any out xmit ep0 setup

# Once connections are made, allow them to stay open.
$fwcmd add allow tcp from any to any via ep0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine. This example shows that people may connect
# to ssh and apache.
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add allow tcp from any to any 25 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to any 113 in recv ep0

# Allow outgoing DNS queries ONLY to the specified servers.
$fwcmd add allow udp from any to 194.72.6.57 53 out xmit ep0
$fwcmd add allow udp from any to 194.73.73.95 53 out xmit ep0
# (destination port 53 was missing from this rule; without it any UDP
# port on that host would be allowed)
$fwcmd add allow udp from any to 152.32.107.18 53 out xmit ep0

# Allow them back in with the answers... :)
$fwcmd add allow udp from 194.72.6.57 53 to any in recv ep0
$fwcmd add allow udp from 194.73.73.95 53 to any in recv ep0
# (note: this address does not match the 152.32.107.18 used in the
# outgoing rule above; one of the two is probably a typo)
$fwcmd add allow udp from 154.32.107.18 53 to any in recv ep0

# Allow ICMP (for ping and traceroute to work). You may wish to
# disallow this, but I feel it suits my needs to keep them in.
$fwcmd add 65435 allow icmp from any to any

# Deny all the rest.
#$fwcmd add 65435 deny log ip from any to any

Gordon
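As an added example (not the poster's script, and not FreeBSD's own rc.firewall), here is a ruleset written to the policy the post asks for: everything out, NAT through natd on the outside interface, and inbound only ssh and smtp plus packets belonging to connections started from inside, with an explicit logged deny at the end. It assumes the poster's interface names (ep0 outside, ep1 LAN) and two of the resolver addresses from the post; the file name /etc/ipfw.rules is a choice made here.

```shell
#!/bin/sh
# Interface names and resolver addresses are the poster's; adjust to your own box.
EXT=ep0                          # outside interface, where natd runs
INT=ep1                          # LAN interface
DNS="194.72.6.57 194.73.73.95"   # the only resolvers this box may query
IPFW="${IPFW:-/sbin/ipfw}"       # set IPFW=echo to print the rules instead of loading them

fw() { $IPFW "$@"; }

load_rules() {
    fw add divert natd all from any to any via $EXT
    fw add allow ip from any to any via lo0
    fw add allow ip from any to any via $INT
    # packets of connections that were already accepted, in either direction
    fw add allow tcp from any to any via $EXT established
    # anything the LAN or this host starts may go out
    fw add allow tcp from any to any out xmit $EXT setup
    # the only services reachable from outside (no port 80: the post asks for 22 and 25)
    fw add allow tcp from any to any 22 setup in recv $EXT
    fw add allow tcp from any to any 25 setup in recv $EXT
    # DNS only to the listed resolvers, and their answers back
    for s in $DNS; do
        fw add allow udp from any to $s 53 out xmit $EXT
        fw add allow udp from $s 53 to any in recv $EXT
    done
    fw add allow icmp from any to any
    # explicit default deny, logged, so anything unexpected shows up in the security log
    fw add deny log ip from any to any
}

# rc.conf lines that load the ruleset at boot (the missing piece the post asks about).
# Run this script with IPFW=echo and save the output as /etc/ipfw.rules (name chosen
# here): rc.firewall loads that file because firewall_type names a readable file.
# Check that rc.firewall on your release does not already add a natd divert rule,
# otherwise drop the divert line above.
rc_conf_lines() {
    cat <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="ep0"
EOF
}

case "${1:-}" in
    apply) fw -f flush; load_rules ;;   # load into the running kernel (root, FreeBSD)
    *)     IPFW=echo; load_rules ;;     # default: print the rule file for review
esac
```

The final deny matters: a custom rule file does not get rc.firewall's closing rule, and a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT makes rule 65535 an allow.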