From owner-freebsd-questions Mon Mar 11 8:58:32 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from tninet.se (sheridan.tninet.se [195.100.94.102]) by hub.freebsd.org (Postfix) with ESMTP id 391C937B405 for ; Mon, 11 Mar 2002 08:58:26 -0800 (PST)
Received: from cs.umu.se (h27n1c1o1023.bredband.skanova.com [213.64.164.27]) by sheridan.tninet.se (BMR ErlangTM/OTP 3.0) with ESMTP id 355718.865903.1015.1s4770544sheridan ; Mon, 11 Mar 2002 17:58:23 +0100
Message-ID: <3C8CE22F.7C60ECF4@cs.umu.se>
Date: Mon, 11 Mar 2002 17:58:24 +0100
From: Paul Everlund
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: sv,en
MIME-Version: 1.0
To: Peter Leppänen
Cc: questions@FreeBSD.ORG
Subject: Re: IPFW question!
References: <3.0.5.32.20020311102914.01130098@mail.sage-one.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Yes I understand that I have to modify the file if I like to have
> additional services like ssh and ftp and so on.
>
> But the standard rc.firewall script, simple type, should give me access to
> DNS and HTTP.
>
> Is this not correct?

This rule allows everything from you, that is TCP, to set up connections.

    $fwcmd add allow tcp from any to any out via tun0 setup

This rule allows everything to and from you, that is TCP, that has an
established connection, a connection that has been set up.

    $fwcmd add allow tcp from any to any via tun0 established

This rule allows all to connect to your HTTP server. Then the above rule
applies to this particular connection.

    $fwcmd add allow tcp from any to any 80 in via tun0 setup

These rules allow DNS queries, in and out. You may have to change the
IP addresses to suit your needs.

    $fwcmd add allow udp from any to 10.0.0.1 53 out via tun0
    $fwcmd add allow udp from any to 10.0.0.2 53 out via tun0
    $fwcmd add allow udp from 10.0.0.1 53 to any in via tun0
    $fwcmd add allow udp from 10.0.0.2 53 to any in via tun0

Some other rules can be handy, and if you would like to have my whole
ruleset, just let me know. Then you can take it from there and change it
to meet your own needs. If it's 100% correct though, I don't know, but I
haven't had any intrusions that I know of yet.

Best regards,
Paul

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
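Editor's added example, not part of Paul's message or of FreeBSD's rc.firewall: a
self-contained script in the same `$fwcmd` style that produces a ruleset of the kind
discussed above (outbound TCP, inbound HTTP, DNS to two fixed resolvers), with ssh
added since the question asked about it. One deliberate difference from the rules
quoted in the reply: ipfw's `established` keyword matches any TCP packet with the ACK
or RST bit set, without checking that a connection was ever set up, so a stateless
`allow tcp from any to any via tun0 established` lets a remote host reach any port
with a crafted ACK packet. The example therefore uses `keep-state` on the rules that
open a flow and a single `check-state` rule instead. The interface name `tun0`, the
local net `192.168.1.0/24` and the resolver addresses `10.0.0.1`/`10.0.0.2` are
placeholders to replace with your own values; `gen_ruleset` and `count_rules` are
names chosen here, not anything ipfw provides.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post): a stateful
# variant of the "simple" style ipfw ruleset discussed above, with ssh added.
# tun0, 192.168.1.0/24, 10.0.0.1 and 10.0.0.2 are placeholders.
#
# Rules are only printed unless FWCMD is set (e.g. FWCMD=/sbin/ipfw), so the
# generated ruleset can be inspected safely before anything is loaded.
fwcmd="${FWCMD:-echo /sbin/ipfw}"

# gen_ruleset IFACE LOCALNET DNS1 DNS2 : emit the ruleset for one external interface.
gen_ruleset() {
    if [ $# -ne 4 ]; then
        echo "usage: gen_ruleset IFACE LOCALNET DNS1 DNS2" >&2
        return 2
    fi
    oif="$1"; lnet="$2"; dns1="$3"; dns2="$4"

    $fwcmd -f flush

    # Loopback traffic is fine; 127/8 must never appear on a real interface.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: packets claiming to come from our own net must not
    # arrive on the external interface.
    $fwcmd add 400 deny ip from $lnet to any in via $oif

    # Dynamic rules: packets belonging to a flow recorded by keep-state are
    # matched here, instead of by a blanket 'established' rule (which admits
    # any TCP packet carrying ACK or RST, whether or not a connection exists).
    $fwcmd add 1000 check-state

    # Outbound TCP: we may open connections (SYN only); the reply direction
    # is covered by the dynamic rule that keep-state creates.
    $fwcmd add 1100 allow tcp from any to any out via $oif setup keep-state

    # Inbound services we intentionally offer: HTTP and ssh.
    $fwcmd add 1200 allow tcp from any to any 80 in via $oif setup keep-state
    $fwcmd add 1210 allow tcp from any to any 22 in via $oif setup keep-state

    # DNS: UDP has no setup/established, so keep-state on the outgoing query
    # is what lets the answer back in, and only from the resolver we asked,
    # rather than a standing 'from any 53 to any in' hole.
    $fwcmd add 1300 allow udp from any to $dns1 53 out via $oif keep-state
    $fwcmd add 1310 allow udp from any to $dns2 53 out via $oif keep-state

    # ICMP types needed for path MTU discovery and unreachable/TTL reporting.
    $fwcmd add 1400 allow icmp from any to any icmptypes 3,4,11

    # Everything else on the external interface is logged and dropped;
    # traffic on other interfaces falls through to ipfw's default rule 65535.
    $fwcmd add 65000 deny log ip from any to any via $oif
}

# count_rules: number of 'add' commands the generator emits. A quick sanity
# check that an edit to the script did not silently drop a rule.
count_rules() {
    gen_ruleset tun0 192.168.1.0/24 10.0.0.1 10.0.0.2 | grep -c ' add '
}
```

Usage: `. ./rules.sh; gen_ruleset tun0 192.168.1.0/24 10.0.0.1 10.0.0.2` prints the
rules; the same command with `FWCMD=/sbin/ipfw` in the environment loads them (flush
first, as the script does, so stale rules from a previous run do not linger). The
ordering matters: `check-state` sits before the `allow ... setup keep-state` rules so
that packets of an existing flow are accepted early, and the final logged deny means
anything not listed is visible in the log rather than silently admitted.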