Date: Thu, 29 Sep 2005 22:55:35 +0900
From: Horinouchi Hiroyuki <chofu.tap@ce.wakwak.com>
To: <doc@freebsd.org>
Subject: Personal Firewall with IPFW
Message-ID: <BF622166.1CE%chofu.tap@ce.wakwak.com>
Hi,

I would be interested in hearing opinions about configuring a personal firewall with IPFW. I will make a personal firewall referring to the example that you have shown. I am using a mobile PC. Therefore, the connection destination and the interface are also different in every case. Is stateful filtering possible even in such an environment? The address of the DNS server and the address of the DHCP server differ according to the situation. I will omit the via interface. In addition, part of the rule set that you showed is changed as follows.

#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"

# loopback traffic
$cmd 00010 allow all from any to any via lo0
# packets belonging to a session already recorded in the dynamic rules
$cmd 00015 check-state

# outbound sessions; each one creates a dynamic rule for its replies
$cmd 00110 allow tcp from any to any 53 out setup keep-state
$cmd 00111 allow udp from any to any 53 out keep-state
$cmd 00120 allow log udp from any to any 67 out keep-state
$cmd 00200 allow tcp from any to any 80 out setup keep-state
$cmd 00220 allow tcp from any to any 443 out setup keep-state
$cmd 00230 allow tcp from any to any 25 out setup keep-state
$cmd 00231 allow tcp from any to any 110 out setup keep-state
$cmd 00250 allow icmp from any to any out keep-state
$cmd 00260 allow tcp from any to any 37 out setup keep-state
$cmd 00270 allow tcp from any to any 119 out setup keep-state
$cmd 00280 allow tcp from any to any 22 out setup keep-state
$cmd 00290 allow tcp from any to any 43 out setup keep-state
$cmd 00299 deny log all from any to any out

# private, reserved and multicast source addresses arriving from outside
$cmd 00300 deny all from 192.168.0.0/16 to any in
$cmd 00301 deny all from 172.16.0.0/12 to any in
$cmd 00302 deny all from 10.0.0.0/8 to any in
$cmd 00303 deny all from 127.0.0.0/8 to any in
$cmd 00304 deny all from 0.0.0.0/8 to any in
$cmd 00305 deny all from 169.254.0.0/16 to any in
$cmd 00306 deny all from 192.0.2.0/24 to any in
$cmd 00307 deny all from 204.152.64.0/23 to any in
$cmd 00308 deny all from 224.0.0.0/3 to any in

# unsolicited inbound traffic
$cmd 00310 deny icmp from any to any in
$cmd 00315 deny tcp from any to any 113 in
$cmd 00320 deny tcp from any to any 137 in
$cmd 00321 deny tcp from any to any 138 in
$cmd 00322 deny tcp from any to any 139 in
$cmd 00323 deny tcp from any to any 81 in
$cmd 00330 deny all from any to any frag in
$cmd 00332 deny tcp from any to any established in
$cmd 00360 allow udp from any to any 67 in keep-state
$cmd 00499 deny log all from any to any in

# anything not matched above
$cmd 00999 deny log all from any to any

It would be greatly appreciated if I could get some good advice.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BF622166.1CE%chofu.tap>
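The question above is whether stateful filtering still works on a laptop whose interface, address, DNS server and DHCP server change from one network to the next. The script below is an added example written for this page; it is not the poster's rule set and not the Handbook's. It names no interface at all: the ipfw keyword "me" matches whatever addresses the host holds when a packet is checked, and the dynamic entries created by keep-state are keyed on addresses, ports and protocol rather than on an interface, so the check-state rule accepts replies on whichever interface they arrive. DHCP is the one exchange that is handled without state: the request goes to 255.255.255.255 port 67, but the reply comes back from the server's own address, so it never matches the dynamic entry and is allowed explicitly by port instead. The port list and rule numbers are constructed for illustration. Without LOAD=1 the script only prints the ipfw commands it would run, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the original poster's script: an interface-independent
# IPFW personal firewall for a laptop that changes networks.
# Assumes FreeBSD ipfw(8) syntax. LOAD=1 (as root) loads the rules;
# otherwise the commands are only printed for review.

# Outbound TCP services the laptop may open (constructed list).
TCP_OUT_PORTS="22 25 80 110 443"

# Run one ipfw add command, or print it in dry-run mode.
rule() {
    if [ "${LOAD:-0}" = "1" ]; then
        ipfw -q add "$@"
    else
        printf 'ipfw -q add %s\n' "$*"
    fi
}

build_rules() {
    rule 10 allow ip from any to any via lo0
    # Packets belonging to a session opened by a keep-state rule below are
    # accepted here, on whatever interface they arrive.
    rule 15 check-state

    # DHCP: client port 68 to server port 67. The reply's source address is
    # the server's, not the broadcast address the request went to, so it
    # cannot match a dynamic entry; allow the reply by port instead.
    rule 20 allow udp from any 68 to any 67 out
    rule 21 allow udp from any 67 to any 68 in

    # DNS to whichever resolver the current network hands out. "me" is the
    # host's current address set, so no interface or address is hard-coded.
    rule 30 allow udp from me to any 53 out keep-state
    rule 31 allow tcp from me to any 53 out setup keep-state

    # Outbound TCP services; each SYN creates a dynamic entry for its replies.
    n=100
    for p in $TCP_OUT_PORTS; do
        rule $n allow tcp from me to any $p out setup keep-state
        n=$((n + 1))
    done

    # Echo request out; the echo reply matches the dynamic entry at rule 15.
    rule 200 allow icmp from me to any out icmptypes 8 keep-state
    rule 299 deny log ip from any to any out

    # Private, reserved and multicast source addresses arriving from outside.
    n=300
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 \
               0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/3; do
        rule $n deny ip from $net to any in
        n=$((n + 1))
    done

    # Unsolicited inbound traffic: fragments, stray ACKs, everything else.
    rule 310 deny ip from any to any frag in
    rule 320 deny tcp from any to any established in
    rule 499 deny log ip from any to any in
    rule 999 deny log ip from any to any
}

if [ "${LOAD:-0}" = "1" ]; then
    ipfw -q -f flush
fi
build_rules
```

Replies from a DNS or DHCP server on a private range such as 192.168.0.0/16 are still accepted, because rule 15 (DNS) and rule 21 (DHCP) sit before the source-address denies; only new inbound connections from those ranges are dropped. Run the script as is to review the rule list, then with LOAD=1 as root to install it.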