Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 01 Aug 2001 22:52:26 -0400
From:      Ted Sikora <tsikora@home.com>
To:        "freebsd-stable@FreeBSD.ORG" <freebsd-stable@FreeBSD.ORG>
Subject:   firewall ruleset questions
Message-ID:  <3B68C06A.131C4C67@home.com>
next in thread | raw e-mail | index | archive | help 

I have stable on both cable and dsl. Each machine has 2 nic cards. I
just setup up a firewall with the following rules. I just need 
http
ftp
ssh
nfs(internal network)

# Define the firewall command

fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.

$fwcmd -f flush

# Divert all packets through the xl0 interface.

$fwcmd add divert natd all from any to any via xl0

# Allow all data from my network cards and localhost.

$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via xl0
$fwcmd add allow ip from any to any via ed0

# Allow all connections that I initiate.

$fwcmd add allow tcp from any to any out xmit xl0 setup

# Once connections are made, allow them to stay open.

$fwcmd add allow tcp from any to any via xl0 established

# Everyone on the internet is allowed to connect to the following
# services on the machine.

$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 20 setup
$fwcmd add allow tcp from any to any 21 setup
$fwcmd add allow tcp from any to any 22 setup

# This sends a RESET to all ident packets.

$fwcmd add reset log tcp from any to any 113 in recv xl0

# Allow outgoing DNS queries ONLY to the specified servers.

# $fwcmd add allow udp from any to x.x.x.x 53 out xmit xl0

# Allow them back in with the answers... :)

# $fwcmd add allow udp from x.x.x.x 53 to any in recv xl0

# Allow ICMP (for ping and traceroute to work). 

$fwcmd add 65435 allow icmp from any to any

# Deny all the rest.

$fwcmd add 65435 deny log ip from any to any

Will this suffice or does it need tightening. Also do I need
:

# If you're using 'options BRIDGE'
#${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0

with cable and dsl modems?

Can I limit nat to one ip like 192.168.1.5?  Will nat cause a problem 
with other machines on the internal network with their own net
connection?

--
Ted Sikora
tsikora@ntplx.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3B68C06A.131C4C67>