Date:      Mon, 11 Jan 1999 14:56:44 -0800 (PST)
From:      "Brian W. Buchanan" <brian@CSUA.Berkeley.EDU>
To:        Patrick Barmentlo <pbm@gateway.barmentlo.net>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: examples rules ipfw
Message-ID:  <Pine.BSF.4.05.9901111442510.854-100000@smarter.than.nu>
In-Reply-To: <Pine.BSF.4.05.9901112327400.305-100000@gateway.barmentlo.net>

On Mon, 11 Jan 1999, Patrick Barmentlo wrote:

> Can someone please point me to some good examples for the rc.firewall
> file (ipfw)??
> (with most variants of options/features...)
> 
> i have to set up some filtering, but still having some difficulties with
> it after checking freebsd.org....

What kind of filtering?  For a single machine, or on a gateway for a LAN?

Here are my firewall rules and a brief explanation of them:

add 00002 allow ip from smarter to any

  This allows any IP traffic from the local host (its hostname is "smarter")
to any host.

add 00003 allow tcp from any to smarter established

  This allows any TCP traffic into the local host that does not have the
SYN flag set.  That is, it allows TCP connections that have already been
established to continue to send us data.

add 00050 allow ip from localhost to localhost via lo0

 This allows all IP traffic from/to localhost over the loopback interface.

add 00051 deny ip from localhost to any

 This denies any IP traffic claiming to be from the loopback address
coming in from any interface. (Legitimate loopback traffic will be allowed
by the rule above, and therefore won't get filtered out here)

add 00101 deny log udp from any to smarter printer,nfsd,sunrpc

 This denies and logs any UDP packets sent to smarter's printer, nfsd,
and sunrpc ports.

add 00102 deny udp from any to smarter 137,138

 This denies any UDP packets sent to netbios-ns and netbios-dgm.

add 00199 allow udp from any to any

 This allows any UDP packets not previously filtered out.

add 00201 allow icmp from any to smarter

 This allows all ICMP traffic destined for the local host.

add 00301 allow tcp from any to smarter ftp

 This allows all traffic to the ftp daemon.

add 00401 allow tcp from any to smarter ssh

 This allows all traffic to the ssh daemon.

add 00450 deny tcp from any to smarter 3306

 This denies all traffic to port 3306 (mysqld).

add 00501 allow tcp from any to smarter 1024-65535

 This allows all traffic to ports 1024 through 65535 (to let FTP work
correctly).

add 00601 allow tcp from 169.229.99.90 to smarter 25,139
add 00602 allow tcp from 169.229.99.92 to smarter 25,139

 These rules allow my roommates' Windows computers to relay mail via my
sendmail daemon (port 25) and to access my SAMBA daemon for
filesharing/printing (port 139).

add 60000 deny igmp from any to any

 This drops all IGMP packets.

add 60001 reset tcp from any to smarter ident

 This sends a TCP RST in response to any attempt to connect to identd.
 (Initiator gets "Connection Refused")

add 64000 reset tcp from any to smarter 139

 This sends a TCP RST in response to any attempt to connect to SAMBA.

add 65000 deny log ip from any to any

 This denies any packets not already accepted or denied, and logs them.


Hope that helped.  IPFW can do many more things which I don't currently
use, but that should serve to give you a general idea of what you can do
with IPFW.

-- 
Brian Buchanan                                   brian@smarter.than.nu
                                                 brian@CSUA.Berkeley.EDU

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
                -- Benjamin Franklin, 1759
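Added example, not part of Brian's message or of FreeBSD's ipfw: a small Python simulator that parses the rule set quoted above and evaluates constructed packets against it with ipfw's first-match semantics. It makes a few assumptions that are labelled in the code: the host "smarter" gets the placeholder address 192.0.2.10, the non-loopback interface is called fxp0, service names are resolved from a hard-coded table (printer 515, nfsd 2049, sunrpc 111, ftp 21, ssh 22, ident 113), and `established` is implemented the way ipfw actually defines it (ACK or RST set) rather than the "no SYN" approximation used in the explanation. The scenarios show why rule order matters in this set: the loopback anti-spoof rule only bites because rule 50 has already accepted genuine lo0 traffic, the mysqld deny (450) only protects port 3306 because it precedes the broad 1024-65535 allow (501), and anything else listening on a high port is reachable through 501.

```python
"""Constructed first-match simulator for the ipfw rule set quoted in the message.

Assumptions (not from the message): SMARTER address, interface names,
and the service-name table below.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SMARTER = "192.0.2.10"                # placeholder address for host "smarter"
LOOPBACK = ip_network("127.0.0.0/8")  # what ipfw's "localhost" keyword covers here
SERVICES = {"printer": 515, "nfsd": 2049, "sunrpc": 111,
            "ftp": 21, "ssh": 22, "ident": 113}   # /etc/services numbers

# The rule set exactly as quoted in the message.
RULESET = """
add 00002 allow ip from smarter to any
add 00003 allow tcp from any to smarter established
add 00050 allow ip from localhost to localhost via lo0
add 00051 deny ip from localhost to any
add 00101 deny log udp from any to smarter printer,nfsd,sunrpc
add 00102 deny udp from any to smarter 137,138
add 00199 allow udp from any to any
add 00201 allow icmp from any to smarter
add 00301 allow tcp from any to smarter ftp
add 00401 allow tcp from any to smarter ssh
add 00450 deny tcp from any to smarter 3306
add 00501 allow tcp from any to smarter 1024-65535
add 00601 allow tcp from 169.229.99.90 to smarter 25,139
add 00602 allow tcp from 169.229.99.92 to smarter 25,139
add 60000 deny igmp from any to any
add 60001 reset tcp from any to smarter ident
add 64000 reset tcp from any to smarter 139
add 65000 deny log ip from any to any
"""


@dataclass
class Packet:
    proto: str                        # "tcp", "udp", "icmp", "igmp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"} or {"ACK"}
    iface: str = "fxp0"               # constructed name of the wire interface


@dataclass
class Rule:
    number: int
    action: str                       # allow | deny | reset
    proto: str                        # "ip" matches every protocol
    src: str                          # any | smarter | localhost | dotted quad
    dst: str
    ports: frozenset = frozenset()    # destination ports; empty means any
    established: bool = False
    via: str = ""
    log: bool = False


def parse_rule(line):
    """Parse 'add NNN ACTION [log] PROTO from SRC to DST [PORTS] [established] [via IF]'."""
    tok = line.split()
    assert tok[0] == "add" and tok[4] in ("from", "log") or tok[5] == "from"
    number, action = int(tok[1]), tok[2]
    i = 3
    log = tok[i] == "log"
    if log:
        i += 1
    proto = tok[i]
    src, dst = tok[i + 2], tok[i + 4]       # skip the "from" / "to" keywords
    ports, established, via = set(), False, ""
    i += 5
    while i < len(tok):
        if tok[i] == "established":
            established = True
        elif tok[i] == "via":
            i += 1
            via = tok[i]
        else:                                # port list: names, numbers, ranges
            for p in tok[i].split(","):
                if "-" in p:
                    lo, hi = p.split("-")
                    ports.update(range(int(lo), int(hi) + 1))
                else:
                    ports.add(SERVICES.get(p) or int(p))
        i += 1
    return Rule(number, action, proto, src, dst, frozenset(ports), established, via, log)


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "smarter":
        return addr == SMARTER
    if spec == "localhost":
        return ip_address(addr) in LOOPBACK
    return addr == spec


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.ports and pkt.dport not in rule.ports:
        return False
    # ipfw "established" matches TCP packets carrying ACK or RST; a bare SYN does not.
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    if rule.via and pkt.iface != rule.via:
        return False
    return True


def evaluate(rules, pkt):
    """First matching rule wins; returns (rule number, action, logged?)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action, rule.log
    return 65535, "deny", False   # kernel default rule; unreachable behind rule 65000


def scenarios():
    """Constructed packets that exercise the ordering decisions in the rule set."""
    rules = [parse_rule(l) for l in RULESET.strip().splitlines()]
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    stranger, roommate = "198.51.100.7", "169.229.99.90"
    cases = {
        "spoofed loopback on the wire": Packet("tcp", "127.0.0.1", SMARTER, 22, syn),
        "genuine loopback": Packet("tcp", "127.0.0.1", "127.0.0.1", 22, syn, iface="lo0"),
        "reply to our outbound connection": Packet("tcp", stranger, SMARTER, 40000, ack),
        "new connection to mysqld": Packet("tcp", stranger, SMARTER, 3306, syn),
        "new connection to other high port": Packet("tcp", stranger, SMARTER, 8080, syn),
        "udp to netbios-ns": Packet("udp", stranger, SMARTER, 137),
        "roommate to samba": Packet("tcp", roommate, SMARTER, 139, syn),
        "stranger to samba": Packet("tcp", stranger, SMARTER, 139, syn),
        "stranger to ident": Packet("tcp", stranger, SMARTER, 113, syn),
        "new connection to port 80": Packet("tcp", stranger, SMARTER, 80, syn),
    }
    return {name: evaluate(rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (num, action, log) in scenarios().items():
        print(f"{name:36s} -> rule {num:5d} {action}{' (logged)' if log else ''}")
```

Running it prints one line per scenario; the "new connection to other high port" case landing on rule 501 is the one to look at when deciding whether a rule set like this still fits a host that runs more than an FTP daemon on ports above 1023.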
