Date: Fri, 24 Sep 1999 11:23:31 -0600
From: Brett Glass <brett@lariat.org>
To: Monte Westlund <montejw@memes.com>, freebsd-security@FreeBSD.ORG
Subject: Re: default rc.firewall
Message-ID: <4.2.0.58.19990924111600.04809a90@localhost>
In-Reply-To: <3.0.5.32.19990923152232.007c94c0@memes.com>
The default rc.firewall's "simple" ruleset lets through so little that it
is not a good default for most users -- especially users who are creating
a NAT router. (Of course, it does not work at all unless you set the
variables near the beginning of the ruleset properly.)
Usually, I see folks add rules like the following:
# Allow access to our WWW server and vice versa
$fwcmd add pass tcp from any to ${oip} 80 setup
$fwcmd add pass tcp from ${oip} 80 to any setup
# Allow FTP data channels in for active FTP
$fwcmd add pass log tcp from any 20 to any 1024-65535 setup
# Allow SSH through, both ways
$fwcmd add pass tcp from any to ${oip} 22
$fwcmd add pass tcp from $oip to any 22
Remember that if you have more than one external IP you will
need to duplicate many rules.
--Brett
At 03:22 PM 9/23/99 -0700, Monte Westlund wrote:
>Hello,
>I'm setting up a FreeBSD box as a firewall to a Windows LAN. I've installed 2
>NICs. One connects to a DSL modem, the other connects to the LAN.
>
>Using the 'simple' firewall that is in the default rc.firewall I can't get
>out from any of the machines on the LAN without adding
>
>allow ip from any to any
>
>to the ipfw rules. I have been adding it manually using 'ipfw add ....'
>
>Can anyone point me in the direction of an example of a 'modified'
>rc.firewall for the simple firewall? Or give me an idea of what I need to
>add/allow?
>
>Thanks,
>Monte Westlund
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
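Added example, not part of either message above and not FreeBSD's own rc.firewall: a dry-run generator for the kind of rules Brett describes, written in the style of the "simple" section. It shows the variables that must be set before the ruleset does anything (the point Brett makes in his first paragraph), adds the natd divert rule that a NAT router needs, and uses a single "established" rule for return traffic instead of a second "setup" rule in the reverse direction. Every interface name and address here is a constructed placeholder, and fwcmd defaults to "echo ipfw" so nothing is loaded into a live kernel unless you set fwcmd=/sbin/ipfw yourself.

```shell
#!/bin/sh
# Added example for the thread above; not FreeBSD's rc.firewall and not
# Brett's posted rules. All names and addresses below are assumptions.

oif="ed0"                # assumed external (DSL) interface
oip="192.0.2.10"         # assumed external IP address
iif="ed1"                # assumed internal (LAN) interface
inet="192.168.1.0/24"    # assumed LAN network
# Dry run by default: rules are printed, not applied.
fwcmd="${fwcmd:-echo ipfw}"

gen_rules() {
    # Pass everything on the LAN side and on loopback.
    $fwcmd add pass all from any to any via $iif
    $fwcmd add pass all from any to any via lo0

    # Anti-spoofing: LAN addresses must never arrive on the outside interface.
    $fwcmd add deny all from $inet to any in via $oif

    # NAT: hand packets crossing the outside interface to natd. After natd
    # re-injects a packet, matching continues at the next rule, so outbound
    # LAN traffic reaches the rules below with $oip as its source address.
    $fwcmd add divert natd all from any to any via $oif

    # Replies to connections that were already set up, in either direction.
    # This one rule covers the return half of every "setup" rule below.
    $fwcmd add pass tcp from any to any established

    # Outbound connections: the router itself and (after NAT) the LAN.
    $fwcmd add pass tcp from $oip to any setup

    # Inbound only to the services this box actually offers.
    $fwcmd add pass tcp from any to $oip 80 setup
    $fwcmd add pass tcp from any to $oip 22 setup

    # Active-mode FTP data channels come back from port 20; log them.
    $fwcmd add pass log tcp from any 20 to $oip 1024-65535 setup

    # Default deny, logged, so blocked traffic is visible while debugging.
    $fwcmd add deny log all from any to any
}

# Number of rules the generator emits (useful when checking a dry run).
count_rules() {
    gen_rules | grep -c '^ipfw add'
}

# has_rule PATTERN: succeed if the generated ruleset contains PATTERN.
has_rule() {
    gen_rules | grep -q -- "$1"
}

gen_rules
```

Run it as-is to see the rule list; because the external address is a single variable, adding a second external IP means repeating the "$oip" rules with the other address, which is the duplication Brett warns about.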
