Date:      Wed, 12 Jan 2011 15:03:41 +0000
From:      krad <kraduk@gmail.com>
To:        Frank Bonnet <f.bonnet@esiee.fr>
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: protect a single interface with IPFW ?
Message-ID:  <AANLkTi=CqsWY7KWM63MLVj1CN%2BDGOjvw%2BAC-5dh=5%2BkA@mail.gmail.com>
In-Reply-To: <AANLkTikLHn=6t3WvuQvdjUGYXobqTwa7YZyfsoJym=ND@mail.gmail.com>
References:  <4D2DBF12.3050809@esiee.fr> <AANLkTikLHn=6t3WvuQvdjUGYXobqTwa7YZyfsoJym=ND@mail.gmail.com>

On 12 January 2011 15:01, krad <kraduk@gmail.com> wrote:

>
>
> On 12 January 2011 14:47, Frank Bonnet <f.bonnet@esiee.fr> wrote:
>
>> Hello
>>
>> is it possible to protect a single interface with IPFW
>> my server has only one interface and I want to
>> allow only SSH LDAP LDAPS
>>
>> thanks for any examples
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>
>
> something like this
>
> add pass all from any to any via lo0
> add pass tcp from w.x.y.z to any 22 in via $int keep-state
> add pass tcp from w.x.y.z to any 389 in via $int keep-state
> add deny ip from any to any
>
> or for pf (better in my opinion)
>
> table <sshhosts> const { hosta, hostb, ... }
> table <ldaphosts> const { hosta, hostb, ... }
>
> set skip on lo0
>
> block all
> pass in quick proto tcp from <sshhosts> to any port ssh synproxy state
> pass in quick proto tcp from <ldaphosts> to any port ldap synproxy state
>
>
>

Whoops, forgot the all-important lines. Without these your box itself can't
initiate connections to the outside world.

ipfw add before the deny

add pass all from any to any out via $int keep-state

and for pf, add at the end

pass out from any to any keep state
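Putting the thread's ipfw pieces together (inbound SSH/LDAP rules, the outbound keep-state rule before the final deny) as one loadable script; this is an added example, not a ruleset posted in the thread. It adds LDAPS (636), which the question asked for but the reply omitted, and an explicit check-state so replies to the box's own connections are matched early. Interface name, the 192.0.2.0/24 and 198.51.100.0/24 source networks, and the FWCMD/INT/ADMIN_NET/LDAP_CLIENTS variable names are assumptions; FWCMD defaults to echo so the script prints the rules for review, and a root user sets FWCMD='/sbin/ipfw -q' to load them.

```shell
#!/bin/sh
# Single-interface host: accept only SSH, LDAP and LDAPS from chosen
# networks, let the box initiate its own outbound connections, drop the rest.
# Sample values below are constructed (RFC 5737 documentation ranges).
INT="${INT:-em0}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"        # who may SSH in
LDAP_CLIENTS="${LDAP_CLIENTS:-198.51.100.0/24}"  # who may query LDAP/LDAPS
FWCMD="${FWCMD:-echo}"                        # 'echo' = dry run; '/sbin/ipfw -q' = load

load_ruleset() {
    int="$1"; admin="$2"; ldap="$3"
    $FWCMD -f flush
    # Loopback is never filtered.
    $FWCMD add 100 allow all from any to any via lo0
    # Consult dynamic (keep-state) entries first: this is what lets replies
    # to the box's own outbound connections (rule 400) back in.
    $FWCMD add 200 check-state
    # Inbound: SSH only from admin hosts; LDAP (389) and LDAPS (636) only
    # from LDAP clients. 'setup' matches the initial SYN; the state entry
    # then carries the rest of the session.
    $FWCMD add 300 allow tcp from "$admin" to me 22 in via "$int" setup keep-state
    $FWCMD add 310 allow tcp from "$ldap" to me 389,636 in via "$int" setup keep-state
    # Outbound: the host itself may start connections (DNS, NTP, updates).
    $FWCMD add 400 allow ip from me to any out via "$int" keep-state
    # Everything else is dropped; must stay after the outbound rule.
    $FWCMD add 65000 deny ip from any to any
}

load_ruleset "$INT" "$ADMIN_NET" "$LDAP_CLIENTS"
```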
