Date: Tue, 19 Jun 2001 11:47:27 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: default013 - subscriptions <default013subscriptions@hotmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW newbie
Message-ID: <20010619114726.D30037@mail.webmonster.de>
In-Reply-To: <OE34va7DYaOqlOQq2vX00002c3c@hotmail.com>; from default013subscriptions@hotmail.com on Tue, Jun 19, 2001 at 02:11:01AM -0500
References: <OE34va7DYaOqlOQq2vX00002c3c@hotmail.com>
how about

    options IPFILTER
    options IPFILTER_LOG

in the kernel config and

    ipfilter_enable=YES
    ipfilter_flags=""
    ipmon_enable=YES

in /etc/rc.conf and

    pass in quick on INT proto tcp from ADM to SRV port = 22

as the first rule in /etc/ipf.rules where

    INT = interface name (fxp0, tx0, ...)
    ADM = ip of the workstation you want to log in from
    SRV = ip of your server the firewall runs on

this gives you a dumbfire non-lockout rule regardless of the rest of the
filter rules...
/k
default013 - subscriptions(default013subscriptions@hotmail.com)@2001.06.19 02:11:01 +0000:
> Hi,
>
> I'm about to compile IPFW into the kernel for the first time... and just had
> a quick question... also, if anyone has any tips I would appreciate it.
> (this is going to be used on a webserver that runs everything from apache to
> shoutcast...)
>
> I am going to compile it in using this option:
> options IPFIREWALL_VERBOSE_LIMIT=10
>
> My question is, I connect to my box using an SSH session. The default for
> IPFW is not to accept connections, correct? So after my machine reboots with
> these new rules in place, will I have to set the IPFW rules in place so that
> I can once again open an SSH session to it again? Or how does that work...
>
> Thanks
>
> Jordan
>
--
> "The path of excess leads to the tower of wisdom." --W. Blake
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
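
A pre-load check for the advice in the message above, as an added example that is not part of the original message: it confirms that the first effective rule of an ipf ruleset is exactly the SSH pass rule before the rules are loaded on a remote box. The function names, the fxp0 interface and the 192.0.2.x addresses in the sample rulesets are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify that the SSH non-lockout rule is the first
# effective rule in an ipf ruleset read from stdin.
# All names and sample values below are assumptions, not from the message.

# first_rule: print the first line of stdin that is not blank or a comment,
# with surrounding whitespace removed and inner runs collapsed to one space.
first_rule() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' | awk 'NF { print; exit }'
}

# check_nolockout INT ADM SRV: return 0 only if the first rule on stdin is
# exactly the admin SSH pass rule; report the mismatch and return 1 otherwise.
check_nolockout() {
    want="pass in quick on $1 proto tcp from $2 to $3 port = 22"
    got=$(first_rule)
    if [ "$got" = "$want" ]; then
        return 0
    fi
    echo "first rule is: ${got:-<none>}" >&2
    echo "expected:      $want" >&2
    return 1
}

# Constructed sample: the SSH rule comes first, after a comment and a blank.
sample_good() {
    cat <<'EOF'
# /etc/ipf.rules (constructed sample)

   pass  in quick on fxp0 proto tcp from 192.0.2.10 to 192.0.2.1 port = 22  # admin ssh
block in on fxp0 all
EOF
}

# Constructed sample: a quick block rule matches before the SSH rule.
sample_bad() {
    cat <<'EOF'
block in quick on fxp0 all
pass in quick on fxp0 proto tcp from 192.0.2.10 to 192.0.2.1 port = 22
EOF
}

# Typical use: check_nolockout fxp0 ADM SRV < /etc/ipf.rules, then load.
sample_good | check_nolockout fxp0 192.0.2.10 192.0.2.1 && echo "ok: SSH rule is first"
```

The check covers only the inbound rule given in the message; whether replies leave the server still depends on the ruleset's `out` rules.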
