From: Frank Bonnet <f.bonnet@esiee.fr>
Date: Wed, 12 Jan 2011 16:05:16 +0100
To: freebsd-questions@freebsd.org
Subject: Re: protect a single interface with IPFW ?
Message-ID: <4D2DC32C.7000800@esiee.fr>
In-Reply-To: <4D2DBF12.3050809@esiee.fr>

Thanks a lot !
On 01/12/2011 04:03 PM, krad wrote:
> On 12 January 2011 15:01, krad wrote:
>
>> On 12 January 2011 14:47, Frank Bonnet wrote:
>>
>>> Hello
>>>
>>> is it possible to protect a single interface with IPFW
>>> my server has only one interface and I want to
>>> allow only SSH LDAP LDAPS
>>>
>>> thanks for any examples
>>>
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>> something like this
>>
>>   add pass all from any to any via lo0
>>   add pass tcp from w.x.y.z to any 22 in via $int keep-state
>>   add pass tcp from w.x.y.z to any 389 in via $int keep-state
>>   add deny ip from any to any
>>
>> or for pf (better in my opinion)
>>
>>   table const { hosta, hostb, ... }
>>   table const { hosta, hostb, ... }
>>
>>   set skip on lo0
>>
>>   block all
>>   pass in quick proto tcp from to any port ssh synproxy state
>>   pass in quick proto tcp from to any port ldap synproxy state
>>
> whoops, forgot the all-important lines. Without these your box itself can't
> initiate connections to the outside world
>
> ipfw: add before the deny
>
>   add pass all from any to any out via $int keep-state
>
> and for pf, add at the end
>
>   pass out from any to any keep state

-- 
Frank BONNET
01.45.92.66.17
Service des Moyens Informatique Generaux
ESIEE PARIS
Cité Descartes / BP 99
93162 NOISY-LE-GRAND Cedex
http://www.esiee.fr
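The thread above gives the ipfw rules in two pieces (the original four lines plus the "out ... keep-state" rule that must be added before the final deny) and covers SSH and LDAP but not LDAPS, which the question also asked for. The following shell script is an added example, not code from the thread or from FreeBSD: it assembles the complete ruleset for a single-interface host in the right order, adds port 636 for LDAPS, and checks that the outbound keep-state rule precedes the catch-all deny, the ordering mistake krad corrected. The interface name em0 and the client addresses 192.0.2.x are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build an ipfw ruleset for a
# host with one interface that accepts only SSH, LDAP and LDAPS from named
# clients, and let the host itself open outbound connections.
# Assumptions: interface and client addresses are passed by the caller.

# build_ipfw_rules IFACE CLIENT [CLIENT...]
# Prints one "ipfw add ..." command per line, in load order.
build_ipfw_rules() {
    iface="$1"; shift
    [ -n "$iface" ] || { echo "usage: build_ipfw_rules IFACE CLIENT..." >&2; return 1; }
    [ $# -gt 0 ]   || { echo "need at least one client address" >&2; return 1; }

    # Loopback traffic is always allowed.
    echo "ipfw add 100 pass all from any to any via lo0"
    # Let the host initiate connections; keep-state admits the replies.
    # This rule has to come before the final deny (the point raised in the thread).
    echo "ipfw add 200 pass all from any to any out via $iface keep-state"
    n=300
    for client; do
        for port in 22 389 636; do   # ssh, ldap, ldaps
            # "to me" restricts the rule to addresses configured on this host;
            # "setup" matches only the initial SYN, the state entry handles the rest.
            echo "ipfw add $n pass tcp from $client to me $port in via $iface setup keep-state"
            n=$((n + 1))
        done
    done
    # Everything not matched above is dropped.
    echo "ipfw add 65000 deny ip from any to any"
}

# rules_ordered RULESET
# Returns 0 if the outbound keep-state rule precedes the catch-all deny,
# 1 otherwise. Guards against loading the rules in the wrong order.
rules_ordered() {
    out_line=$(printf '%s\n' "$1" | grep -n 'out via .* keep-state' | cut -d: -f1 | head -n1)
    deny_line=$(printf '%s\n' "$1" | grep -n 'deny ip from any to any' | cut -d: -f1 | head -n1)
    [ -n "$out_line" ] && [ -n "$deny_line" ] && [ "$out_line" -lt "$deny_line" ]
}

# Usage: generate the rules, verify ordering, print them for review.
RULES=$(build_ipfw_rules em0 192.0.2.10 192.0.2.11)   # constructed sample values
rules_ordered "$RULES" || { echo "ruleset ordering error" >&2; exit 1; }
printf '%s\n' "$RULES"
# To load (as root, after "ipfw -f flush"):  printf '%s\n' "$RULES" | sh
```

The script only prints the rules; loading them is left as a deliberate separate step so the ruleset can be inspected first, which matters on a remote box with a single interface where a wrong rule locks you out.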