From: "Nickolay A. Kritsky"
To: "default013 - subscriptions" ,
Subject: Re: IPFW newbie
Date: Tue, 19 Jun 2001 13:56:25 +0400

The easiest way is:

    #echo 'firewall_enable="YES"' >>/etc/rc.conf
    #echo 'firewall_type="OPEN"' >>/etc/rc.conf

After installing the new kernel this will result in the following set of rules (this is tested on 4.2, but should not differ for other versions):

    #ipfw list
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    65000 allow ip from any to any
    65535 deny ip from any to any

Now you can connect to your box via SSH and continue firewall setup.

But WARNING! Learning ipfw without direct access to the server is, IMHO, very unhealthy. IMHO, it sucks! I am an IPFW newbie myself and had some sad experience with remote firewall setup ;-) . At least you must have a remote reboot knob which does not rely on IP (like a very very long broomstick mounted to the RESET key :-) ).

Good Luck!
NKritsky - SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru

-----Original Message-----
From: default013 - subscriptions
To: freebsd-security@FreeBSD.ORG
Date: June 19, 2001 11:11
Subject: IPFW newbie

>Hi,
>
>I'm about to compile IPFW into the kernel for the first time... and just had
>a quick question... also, if anyone has any tips I would appreciate it.
>(this is going to be used on a webserver that runs everything from apache to
>shoutcast...)
>
>I am going to compile it in using this option:
>options IPFIREWALL_VERBOSE_LIMIT=10
>
>My question is, I connect to my box using an SSH session. The default for
>IPFW is not to accept connections correct? So after my machine reboots with
>these new rules in place, will I have to set the IPFW rules in place so that
>I can once again open an SSH session to it again? Or how does that work...
>
>Thanks
>
>Jordan
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
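The lockout worry in the thread comes down to ipfw's first-match semantics: the first rule that matches a packet decides, and rule 65535 denies whatever nothing else allowed. The following is an added example (not code from the mail or from FreeBSD) that parses `ipfw list` output in the old-style syntax shown above and reports which rule would catch an inbound SSH packet, so a rule set can be checked before it is loaded on a remote box. The "OPEN" set is the one quoted in the mail; the SSH-only set, the interface name fxp0 and the RFC 5737 addresses are constructed for the example.

```python
import ipaddress

# Constructed sample input: the "OPEN" rule set quoted in the mail above.
OPEN_RULES = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any
"""

# Hypothetical stricter set (not from the page): SSH only, from one admin subnet.
SSH_ONLY_RULES = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from 203.0.113.0/24 to any 22
65535 deny ip from any to any
"""

def parse_rules(text):
    """Parse lines of the form NUM ACTION PROTO from SRC to DST [PORT] [via IFACE]
    (the 4.x-era `ipfw list` output format assumed by this example)."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[3] != "from" or t[5] != "to":
            continue  # skip anything that is not a simple address rule
        rule = {"num": int(t[0]), "action": t[1], "proto": t[2],
                "src": t[4], "dst": t[6], "port": None, "via": None}
        rest = t[7:]
        if rest and rest[0].isdigit():
            rule["port"] = int(rest.pop(0))   # destination port, old-style syntax
        if "via" in rest:
            rule["via"] = rest[rest.index("via") + 1]
        rules.append(rule)
    return sorted(rules, key=lambda r: r["num"])

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def first_match(rules, proto, src, dst, port=None, iface="fxp0"):
    """Return (rule number, action) of the first rule matching the packet.
    ipfw stops at the first match, so rule order decides whether SSH gets in."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if not addr_match(r["src"], src) or not addr_match(r["dst"], dst):
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        if r["via"] is not None and r["via"] != iface:
            continue
        return r["num"], r["action"]
    return 65535, "deny"  # ipfw's built-in default rule when nothing matched
```

Running `first_match` with your own source address and port 22 against the rule set you intend to load tells you whether the next reboot will still let you back in.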