FreeBSD -- IPFW Question
The Planet Forums > Operating Systems > BSD
xPsycho
I haven't set up an IPFW system for a really long time now, the documentation these days sorta scares me as well. I set it up yesterday and it got a little "complacent" to say the least of it (denied everything). Maybe someone can just check my settings and let me know where I might have gone wrong? Personally...I don't see it...the error that is.

Interface for NIC = em0
/etc/rc.firewall = DEFAULT 4.9/10_REL


QUOTE
#!/bin/sh
#ipfw="/sbin/ipfw"

# Clear All Rules
-f -q flush

# Allow all traffic through loopback interface
add 100 allow all from any to any via lo0
add 200 deny log all from any to 127.0.0.0/8
add 300 deny log all from 127.0.0.0/8 to any
add 400 deny log tcp from any to any in tcpflags syn,fin

# Do stateful rules
add 500 check-state

#allow all
add 600 allow all from any to any via em0 keep-state

#Deny all fragmented packets as bogus packets
add 620 deny all from any to any frag in via em0

# Deny ACK packets that do not match dynamic rule table entries
add 630 deny tcp from any to any established in via em0

#DNS
add 700 allow tcp from any to any 53 out via em0 setup keep-state
add 750 allow udp from any to any out via em0 keep-state

#TCP Connections
#FTP
add 900 allow tcp from any to any 20 via em0 keep-state
add 910 allow tcp from any to any 21 via em0 keep-state
#SMTP
add 920 allow tcp from any to any 25 via em0 keep-state
#HTTP
# keep-state and limit cannot be combined in one rule (ipfw rejects the line); limit installs the dynamic entry by itself
add 925 allow tcp from any to any 80 in via em0 limit src-addr 4
add 930 allow tcp from any to any 80 in via em0 setup keep-state
#POP3
add 940 allow tcp from any to any 110 via em0 keep-state
#HTTPS
add 950 allow tcp from any to any 443 via em0 keep-state
#Webmin
add 980 allow tcp from any to any 10000 via em0 keep-state
#SSH
add 990 allow tcp from any to any 62222 via em0 keep-state

#ICMP
add 1200 allow icmp from any to any out via em0 keep-state

#Misc
add 1250 allow all from any to any out via em0
add 1300 deny log all from any to any



QUOTE
# Firewall stuff
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="/etc/rc.firewall.rules" # Firewall type (see /etc/rc.fir
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="NO" # Set to YES to enable events logging
firewall_flags="" # Flags passed to ipfw when type is a file

# Disable portmap, because it sucks at life...
portmap_enable="NO"

# Drop ICMP redirects, we don't need these anyway
icmp_drop_redirect="YES"

# Drop SYNFIN
# natively support this option anyway.
tcp_drop_synfin="YES"

#Blackholes
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
divzero
I had to comment out rule 925, other than that it worked fine for me. I copied straight from your post into a new file on my server at home and did sh /etc/rc.firewall /etc/rc.firewall.rules

I was not denied ssh access or anything else.
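An added example (not from either post or from the FreeBSD base system): a small lint for a rules file of the kind posted above, run before handing the file to ipfw. It catches the rule 925 defect that divzero had to comment out (keep-state combined with limit) and also reports any bidirectional "allow all from any to any via <if>" rule such as rule 600, after which no later rule can match traffic on that interface. The sample rules file it writes is a constructed subset of the posted ruleset.

```shell
#!/bin/sh
# Added example, not from the thread: lint an ipfw rules file (one "add ..."
# rule per line, as in /etc/rc.firewall.rules) before loading it.
#   1. a rule combining keep-state with limit: ipfw rejects that line,
#      which is why rule 925 had to be commented out;
#   2. a catch-all "allow all from any to any via <if>" without in/out:
#      every later rule on that interface is unreachable.

# Drop comments and blank lines, keep only "add ..." rules.
ipfw_rules() {
    sed -e 's/#.*//' "$1" | awk '$1 == "add" { print }'
}

# Print numbers of rules using both keep-state and limit; status 1 if any.
lint_keepstate_limit() {
    ipfw_rules "$1" | awk '
        / keep-state/ && / limit / { print $2; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Print "<rule> <iface>" for each bidirectional catch-all allow that is
# not on loopback (the usual first rule); status 1 if any.
lint_catchall_allow() {
    ipfw_rules "$1" | awk '
        $3 == "allow" && $4 == "all" && $5 == "from" && $6 == "any" &&
        $7 == "to" && $8 == "any" && $9 == "via" && $10 != "lo0" &&
        !/ in / && !/ out / { print $2, $10; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: a subset of the posted ruleset, written to "$1".
write_sample_rules() {
    cat > "$1" <<'EOF'
-f -q flush
add 100 allow all from any to any via lo0
add 500 check-state
add 600 allow all from any to any via em0 keep-state
add 925 allow tcp from any to any 80 in via em0 keep-state limit src-addr 4
add 930 allow tcp from any to any 80 in via em0 setup keep-state
add 1250 allow all from any to any out via em0
add 1300 deny log all from any to any
EOF
}

SAMPLE_RULES=$(mktemp)
write_sample_rules "$SAMPLE_RULES"
lint_keepstate_limit "$SAMPLE_RULES" || echo "^ keep-state and limit on one rule: ipfw will reject it"
lint_catchall_allow "$SAMPLE_RULES" || echo "^ catch-all allow: later rules on that interface are dead"
```

Point it at the real file with `lint_keepstate_limit /etc/rc.firewall.rules`; a clean file produces no output and status 0.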