From: krad <kraduk@gmail.com>
To: Frank Bonnet
Cc: freebsd-questions@freebsd.org
Date: Wed, 12 Jan 2011 15:03:41 +0000
Subject: Re: protect a single interface with IPFW ?
In-Reply-To/References: <4D2DBF12.3050809@esiee.fr>
List: freebsd-questions@freebsd.org (User questions)
On 12 January 2011 15:01, krad wrote:
>
> On 12 January 2011 14:47, Frank Bonnet wrote:
>
>> Hello
>>
>> is it possible to protect a single interface with IPFW
>> my server has only one interface and I want to
>> allow only SSH LDAP LDAPS
>>
>> thanks for any examples
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> something like this
>
> add pass all from any to any via lo0
> add pass tcp from w.x.y.z to any 22 in via $int keep-state
> add pass tcp from w.x.y.z to any 389 in via $int keep-state
> add deny ip from any to any
>
> or for pf (better in my opinion)
>
> # table names are placeholders: the original <name> tokens were lost
> # in the archive, so <ssh_hosts> and <ldap_hosts> are assumed here
> table <ssh_hosts> const { hosta, hostb, ... }
> table <ldap_hosts> const { hosta, hostb, ... }
>
> set skip on lo0
>
> block all   # pf syntax; "block any from any" does not parse
> pass in quick proto tcp from <ssh_hosts> to any port ssh synproxy state
> pass in quick proto tcp from <ldap_hosts> to any port ldap synproxy state

whoops, forgot the all-important lines. Without these your box itself can't initiate connections to the outside world.

ipfw, add before the deny:

add pass all from any to any out via $int keep-state

and for pf, add at the end:

pass out from any to any keep state
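A fuller ipfw ruleset for the case Frank asked about (one interface, only SSH, LDAP and LDAPS reachable from outside, the host still able to make its own outbound connections). This is an added example, not krad's reply and not FreeBSD's own rc.firewall; the interface name em0, the 192.0.2.0/24 addresses (documentation range) and the rule numbers are assumptions to adjust for your server. It also covers LDAPS on 636, which the thread's rules leave out, and restricts the inbound allows to packets addressed to the host itself (`me`) with `setup`, so only new connections from the listed hosts are admitted.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipfw ruleset for a
# single-interface FreeBSD host that accepts only SSH, LDAP and LDAPS
# from known hosts and can still open its own outbound connections.
# Assumptions not stated in the thread: interface em0, addresses from
# the 192.0.2.0/24 documentation range, and the rule numbers used below.
#
#   sh single_iface_ipfw.sh            # print the rules for review
#   APPLY=1 sh single_iface_ipfw.sh    # load them with ipfw(8)

IFACE="${IFACE:-em0}"                              # assumed interface
SSH_HOSTS="${SSH_HOSTS:-192.0.2.10,192.0.2.11}"    # assumed: who may reach sshd
LDAP_HOSTS="${LDAP_HOSTS:-192.0.2.0/24}"           # assumed: who may reach slapd

# Print one "<number> <rule body>" line per rule, ready for "ipfw add".
build_ipfw_rules() {
    iface="$1"; ssh_hosts="$2"; ldap_hosts="$3"
    cat <<EOF
00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8
00120 deny ip from 127.0.0.0/8 to any
00200 check-state
00300 allow tcp from ${ssh_hosts} to me 22 in via ${iface} setup keep-state
00310 allow tcp from ${ldap_hosts} to me 389 in via ${iface} setup keep-state
00320 allow tcp from ${ldap_hosts} to me 636 in via ${iface} setup keep-state
00330 allow tcp from ${ssh_hosts} to me 22 in via ${iface} established
00400 allow ip from me to any out via ${iface} keep-state
00410 allow icmp from any to me in via ${iface} icmptypes 3,4,11
65000 deny log ip from any to any
EOF
}

# List the TCP ports the ruleset admits inbound to the host, sorted and
# de-duplicated, so the set can be checked without loading anything.
inbound_ports() {
    build_ipfw_rules "$1" "$2" "$3" \
        | awk '$2 == "allow" && $3 == "tcp" && $7 == "me" && / in via / { print $8 }' \
        | sort -un | xargs
}

# Flush the running ruleset and load the generated one with ipfw(8).
apply_ipfw_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    ipfw -q -f flush
    build_ipfw_rules "$IFACE" "$SSH_HOSTS" "$LDAP_HOSTS" | while read -r rule; do
        # word splitting is intended: $rule is the numbered token list
        ipfw -q add $rule
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_ipfw_rules
else
    build_ipfw_rules "$IFACE" "$SSH_HOSTS" "$LDAP_HOSTS"
fi
```

Rule 400 is the outbound line krad added in his follow-up; its `keep-state` is what lets DNS, NTP and package fetches get their replies back through rule 200. Rule 330 exists only so the SSH session you load the rules from survives the flush (an already-established connection never matches `setup`); drop it once the ruleset is in place. Rule 410 keeps path MTU discovery working while refusing echo requests. When applying over SSH, leave yourself a way back in, for example `( sleep 300 && ipfw -q -f flush ) &` started before `APPLY=1`, and kill it once you have confirmed the session still works.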