Date:      Tue, 25 Jan 2000 02:09:39 GMT
From:      mike@sentex.net (Mike Tancsa)
To:        sean@bebits.com ("Sean Heber")
Cc:        questions@freebsd.org
Subject:   Re: Quick firewall rule question..
Message-ID:  <388d03f2.165456873@mail.sentex.net>
In-Reply-To: <MAIL008301bf6615$89ac9ac0$0a04cfd1@mwci.net>
References:  <MAIL008301bf6615$89ac9ac0$0a04cfd1@mwci.net>

On 23 Jan 2000 21:49:14 -0500, in sentex.lists.freebsd.questions you wrote:

>I got the following info from my colocation provider:
>
>Allocation: 216.218.200.112/28
>Gateway:    216.218.200.113
>Netmask 255.255.255.240
>Range: 216.218.200.114 - 216.218.200.126
>
>I know where gateway and netmask go and stuff for the regular networking
>config, but how does this work for my firewall config?  I want to be totally
>sure as I don't want to be locked out when the server is a few thousand
>miles away..  :-)


When updating stuff remotely, I usually add a temp rule to make sure I can
get in.  For example, if your interface is fxp0, and you are connecting to
your machine from the dialup IP 192.168.1.1, add something like this
temporarily:

ipfw add 1000 allow ip from 192.168.1.1 to any
ipfw add 1010 allow ip from any to 192.168.1.1

then add your new rules after that.

In your case,
ipfw add 2000 allow all from 216.218.200.113 to any
ipfw add 2100 deny log ip from 216.218.200.112/28 to any in via fxp0


2000 lets stuff in from your gateway, and 2100 stops packets coming at you
with an internal source address.

Then try and reach some third party machine (e.g. lynx
http://www.freebsd.org) to make sure other boxes can still get to you and
vice versa.  If that's the case, then you can get rid of rules 1000 and
1010.


	---Mike
Mike Tancsa  (mdtancsa@sentex.net)
Sentex Communications Corp,
Waterloo, Ontario, Canada
"Given enough time, 100 monkeys on 100 routers 
could setup a national IP network." (KDW2)
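The lifeline-first sequence from the reply above (temporary allow rules for the admin address, then the gateway and anti-spoofing rules, then test, then delete the temporary rules), written out as a POSIX sh script. This is an added example, not code from the original mail or from FreeBSD; the interface, admin address, gateway and netblock are the constructed values from the thread, the rule numbers are taken from the mail, and the helper names (ip_to_int, in_netblock, check_order, admin_in_block, safe_update) are this example's own. By default it only prints the ipfw commands; set IPFW=ipfw to apply them on a FreeBSD box. It also adds the two checks a practitioner wants before pressing enter on a remote machine: that the allow-gateway rule really precedes the anti-spoofing rule (the gateway .113 sits inside the /28 that rule 2100 denies), and that the address you are logged in from is not itself inside that block, which would mean rule 2100 cuts the session the moment the lifeline is removed.

```shell
#!/bin/sh
# Added example (not from the original mail). Constructed values from the
# thread; override them from the environment.
IFACE=${IFACE:-fxp0}                       # interface the new rules apply to
ADMIN_IP=${ADMIN_IP:-192.168.1.1}          # address you are logged in from
GATEWAY=${GATEWAY:-216.218.200.113}
NETBLOCK=${NETBLOCK:-216.218.200.112/28}
GW_RULE=${GW_RULE:-2000}                   # allow gateway
SPOOF_RULE=${SPOOF_RULE:-2100}             # deny own-block sources arriving from outside
IPFW=${IPFW:-echo ipfw}                    # default prints; IPFW=ipfw applies for real

# Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_netblock IP CIDR: succeeds when IP lies inside CIDR.
in_netblock() {
    _ip=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (0xffffffff << (32 - _bits)) & 0xffffffff ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# Temporary rules (1000/1010 in the mail) so the admin session survives
# whatever is added afterwards.
lifeline_rules() {
    printf 'add 1000 allow ip from %s to any\n' "$ADMIN_IP"
    printf 'add 1010 allow ip from any to %s\n' "$ADMIN_IP"
}

# The rules from the mail: accept the gateway, then drop and log packets
# arriving on the outside interface with a source inside our own block.
new_rules() {
    printf 'add %s allow ip from %s to any\n' "$GW_RULE" "$GATEWAY"
    printf 'add %s deny log ip from %s to any in via %s\n' \
        "$SPOOF_RULE" "$NETBLOCK" "$IFACE"
}

# The gateway address is inside the block that SPOOF_RULE denies, so the
# allow-gateway rule must have the lower (earlier) number.
check_order() {
    in_netblock "$GATEWAY" "$NETBLOCK" || return 0   # no overlap, nothing to order
    [ "$GW_RULE" -lt "$SPOOF_RULE" ]
}

# Succeeds when the admin address is inside the denied block: once the
# lifeline rules go, SPOOF_RULE would drop the admin session itself.
admin_in_block() {
    in_netblock "$ADMIN_IP" "$NETBLOCK"
}

# Feed one rule per line to ipfw (unquoted on purpose: the line is split
# into arguments).
apply() {
    while read -r _rule; do
        $IPFW $_rule
    done
}

safe_update() {
    if admin_in_block; then
        echo "warning: $ADMIN_IP is inside $NETBLOCK; rule $SPOOF_RULE will" \
             "drop your session after the lifeline rules are deleted" >&2
    fi
    check_order || { echo "rule order would drop the gateway" >&2; return 1; }
    lifeline_rules | apply
    new_rules | apply
    # Now test from the box as the mail suggests (e.g. lynx
    # http://www.freebsd.org), and only then remove the lifeline:
    #   ipfw delete 1000 1010
}

if [ "${1:-}" = "run" ]; then
    safe_update
fi
```

Run it as `sh safe-ipfw.sh run` to see the commands it would issue; with `IPFW=ipfw sh safe-ipfw.sh run` they are applied. The lifeline deletion is deliberately left as a manual step, since that is the point at which the reachability test from the mail has to have succeeded.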

