Date: Fri, 4 Jan 2008 07:17:49 -0800 (PST)
From: Nash Nipples <trashy_bumper@yahoo.com>
To: freebsd-questions@freebsd.org
Subject: Re: IPFW: Blocking me out. How to debug?
Message-ID: <531195.13392.qm@web36310.mail.mud.yahoo.com>
I don't think that the below shall ever replace this:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

---

#1. I suggest you should really consider moving check-state earlier so legitimate packets get in ASAP.

#2. It's never too late to start using tables.

#/sbin/ipfw table 1 flush
#/sbin/ipfw table 1 add 0.0.0.0/8
#/sbin/ipfw table 1 add 1.0.0.0/8
#/sbin/ipfw table 1 add 2.0.0.0/8
#/sbin/ipfw table 1 add 10.0.0.0/8
#/sbin/ipfw table 1 add 127.0.0.0/8
#/sbin/ipfw table 1 add 169.254.0.0/16
#/sbin/ipfw table 1 add 192.0.2.0/24
#/sbin/ipfw table 1 add 192.168.0.0/16
#/sbin/ipfw table 1 add 172.16.0.0/12
#/sbin/ipfw table 1 add 192.88.99.0/24
#/sbin/ipfw table 1 add 198.18.0.0/15
#/sbin/ipfw table 1 add 224.0.0.0/3
#/sbin/ipfw table 1 add 240.0.0.0/4

add allow all from any to any via lo0

#3. All the hosts above are listed in a single rule:

add deny ip from any to any not antispoof in
add check-state
add deny log all from table\(1\) to any in
add deny log all from any to table\(1\) out

#no comments below
add allow tcp from any to me in established
add allow tcp from me to any out established
add deny log ip from any to any frag
add count icmp from any to any icmptypes 8 in
add allow icmp from any to any icmptypes 0,8,3,11
add allow udp from any to any 33434-34458 in
add allow udp from any 33434-34458 to any out
add allow udp from me to any 53 out keep-state
add allow udp from any to me 53 in keep-state
add allow tcp from any to me ssh setup
add allow tcp from me to any ssh setup
add allow tcp from any to me http setup
add allow tcp from me to any http setup
add allow tcp from any to me https setup
add allow tcp from me to any https setup
add allow tcp from any to me dst-port 8443 in setup
add allow tcp from any to me pop3 in setup
add allow tcp from any to me pop3s in setup
add allow tcp from any to me smtp in setup
add allow tcp from me to any smtp out setup
add allow tcp from any to me smtps in setup
add allow tcp from me to any smtps out setup
add allow tcp from any to me imap in setup
add allow tcp from any to me imaps in setup
add allow tcp from any to me ftp in setup
add allow tcp from me to any ftp out setup
add allow tcp from any to me ftp\-data in setup
add allow tcp from any ftp\-data to me setup out
add allow tcp from any to me 49152-65535 in setup
add allow tcp from any to me ftps in setup
add allow tcp from me to any ftps out setup
add allow udp from me ntp to 128.252.19.1 ntp out
add allow udp from 128.252.19.1 ntp to me ntp in
add allow tcp from me to any out setup uid root
add allow tcp from me to 64.131.90.31 dst-port 5224 out setup
add deny log udp from any to me in
add deny log udp from any to me out
add deny log udp from me to any in
add deny log udp from me to any out
add deny log tcp from any to me in
add deny log tcp from any to me out
add deny log tcp from me to any in
add deny log tcp from me to any out
add deny log all from any to any
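To work out which rule is locking you out, here is an added example that is not part of this thread: a small Python parser for the kernel log lines that the "deny log" rules above write (assumed format: `ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>`). It counts denies per rule number, protocol, destination port and direction, and separately counts denies whose source or destination falls inside the prefixes the post loads into table 1. The sample log lines, rule numbers and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Prefixes the post loads into ipfw table 1.
TABLE_1 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "192.168.0.0/16", "172.16.0.0/12",
    "192.88.99.0/24", "198.18.0.0/15", "224.0.0.0/3", "240.0.0.0/4")]

# Assumed kernel log format of a logging rule; ICMP entries carry
# "ICMP:type.code" as the protocol and no port numbers.
IP = r"\d+\.\d+\.\d+\.\d+"
LOG_RE = re.compile(
    rf"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    rf"(?P<src>{IP})(?::(?P<sport>\d+))? (?P<dst>{IP})(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out)(?: via (?P<iface>\S+))?")

def in_table1(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TABLE_1)

def parse_line(line):
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["table1"] = in_table1(rec["src"]) or in_table1(rec["dst"])
    return rec

def summarize(lines):
    """Return (Counter of denies keyed by (rule, proto, dport, dir),
    number of denies touching a table-1 address)."""
    by_rule, table_hits = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        by_rule[(rec["rule"], rec["proto"], rec["dport"], rec["dir"])] += 1
        table_hits += rec["table1"]
    return by_rule, table_hits

# Constructed sample log (rule numbers and addresses are made up).
SAMPLE_LOG = """\
Jan  4 07:17:49 gw kernel: ipfw: 1900 Deny TCP 203.0.113.5:40112 198.51.100.7:22 in via em0
Jan  4 07:17:50 gw kernel: ipfw: 1900 Deny TCP 203.0.113.5:40113 198.51.100.7:22 in via em0
Jan  4 07:18:02 gw kernel: ipfw: 300 Deny TCP 192.168.1.9:51234 198.51.100.7:22 in via em0
Jan  4 07:18:10 gw kernel: ipfw: 1000 Deny ICMP:8.0 203.0.113.5 198.51.100.7 in via em0
Jan  4 07:18:11 gw kernel: ipfw: 1900 Accept TCP 203.0.113.5:40114 198.51.100.7:80 in via em0
""".splitlines()

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG)[0].most_common():
        print(n, key)
```

Because the rules above are added without explicit numbers, ipfw numbers them in steps of 100, so `ipfw show` maps a logged rule number straight back to the line that fired.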