IPFW ruleset not working... advice? WAS Re: Running processes...
Eric F Crist
ecrist at adtechintegrated.com
Sat Feb 14 11:15:19 PST 2004
On Saturday 14 February 2004 12:58 pm, Erik Trulsson wrote:
> On Sat, Feb 14, 2004 at 12:47:01PM -0600, Eric F Crist wrote:
> > Hello all,
> >
> > I've got the following ruleset, but I can't ssh into my server anymore.
> > What did I miss?
>
> You missed allowing IP packets going from your server to the outside.
> You only allow packets from the outside to you.
>
> I also think you might have misplaced the port numbers.
> As it is you allow connections *from* port 25 (etc.) on the outside to
> any port on your machine. I believe you want it the other way around
> (i.e. allowing connections *to* port 25 on your machine from anywhere on
> the outside.)
>
> > grog# ipfw show
> > 00100 0 0 allow ip from any to any via lo0
> > 00200 0 0 deny ip from any to 127.0.0.0/8
> > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > 00400 7 1562 allow ip from 1.2.3.4/29 to me
> > 00500 0 0 allow ip from any 22 to me
> > 00600 0 0 allow ip from any 21 to me
> > 00700 0 0 allow ip from any 25 to me
> > 00800 0 0 allow ip from any 80 to me
> > 00900 0 0 allow ip from any 443 to me
> > 01000 0 0 allow ip from any 110 to me
> > 01100 0 0 allow ip from any 53 to me
> > 01200 0 0 allow ip from any 6667 to me
> > 01300 0 0 allow ip from any 6668 to me
> > 01400 0 0 deny ip from not 1.2.3.4/29 8080 to me
> > 65535 101 13960 deny ip from any to any
> >
> > Thanks.
> >
> > --
> > Eric F Crist
> > AdTech Integrated Systems, Inc
> > (612) 998-3588
Hey, thanks! I changed all the rules so they read:
allow ip from any to me <port>
and added the rule:
allow ip from me to any at rule 50
All seems to work now! Does anyone have any suggestions on how to make this
system even tighter? Thanks.
--
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
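The two mistakes Erik points out (no outbound rule, and source/destination ports swapped) are easy to see if you trace a packet through the ruleset by hand. The following is an added example, not code from the post or from FreeBSD: a small first-match evaluator for the subset of ipfw syntax used above, run against the original `ipfw show` output from the post and against a reconstruction of the corrected ruleset as Eric describes it (every rule rewritten to `allow ip from any to me <port>`, plus `allow ip from me to any` at rule 50). The server's own address (what `me` matches), the outside host address, the interface name and the handling of rule 1400 (the post does not say what became of it; here its port is moved to the destination side like the others) are all assumptions for the example.

```python
"""Trace packets through an ipfw-style first-match ruleset (added example)."""
import ipaddress
from collections import namedtuple

# What ipfw's "me" keyword matches on this host. The post never gives the
# server's real address, so a documentation-range address is assumed here.
ME = {ipaddress.ip_address("203.0.113.10")}

Packet = namedtuple("Packet", "proto src sport dst dport iface")
Endpoint = namedtuple("Endpoint", "negate addr port")  # addr: "any", "me" or ip_network
Rule = namedtuple("Rule", "num action proto src dst iface")


def _parse_endpoint(tok, i):
    """Parse '[not] <any|me|addr[/len]> [port]' starting at tok[i]."""
    negate = tok[i] == "not"
    if negate:
        i += 1
    addr = tok[i]
    if addr not in ("any", "me"):
        addr = ipaddress.ip_network(addr, strict=False)  # 1.2.3.4/29 -> 1.2.3.0/29
    i += 1
    port = None
    if i < len(tok) and tok[i].isdigit():
        port = int(tok[i])
        i += 1
    return Endpoint(negate, addr, port), i


def parse_rule(line):
    """Parse one 'ipfw show' line (number pkts bytes body) or a 'number body' line."""
    tok = line.split()
    num = int(tok.pop(0))
    if tok[0].isdigit() and tok[1].isdigit():  # drop the packet/byte counters
        del tok[:2]
    action, proto = tok[0], tok[1]
    if tok[2] != "from":
        raise ValueError("unsupported rule: " + line)
    src, i = _parse_endpoint(tok, 3)
    if tok[i] != "to":
        raise ValueError("unsupported rule: " + line)
    dst, i = _parse_endpoint(tok, i + 1)
    iface = tok[i + 1] if i < len(tok) and tok[i] == "via" else None
    return Rule(num, action, proto, src, dst, iface)


def parse_ruleset(text):
    return sorted((parse_rule(l) for l in text.strip().splitlines()), key=lambda r: r.num)


def _endpoint_matches(ep, ip, port):
    if ep.addr == "any":
        hit = True
    elif ep.addr == "me":
        hit = ip in ME
    else:
        hit = ip in ep.addr
    if ep.negate:  # "not" inverts the address test only; the port still has to match
        hit = not hit
    return hit and (ep.port is None or ep.port == port)


def evaluate(rules, pkt):
    """First matching rule wins; the implicit rule 65535 denies everything else."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.iface is not None and r.iface != pkt.iface:
            continue
        if _endpoint_matches(r.src, pkt.src, pkt.sport) and \
           _endpoint_matches(r.dst, pkt.dst, pkt.dport):
            return r.num, r.action
    return 65535, "deny"


def pkt(proto, src, sport, dst, dport, iface="fxp0"):
    return Packet(proto, ipaddress.ip_address(src), sport,
                  ipaddress.ip_address(dst), dport, iface)


# The ruleset exactly as posted ("ipfw show" output).
ORIGINAL = parse_ruleset("""
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 7 1562 allow ip from 1.2.3.4/29 to me
00500 0 0 allow ip from any 22 to me
00600 0 0 allow ip from any 21 to me
00700 0 0 allow ip from any 25 to me
00800 0 0 allow ip from any 80 to me
00900 0 0 allow ip from any 443 to me
01000 0 0 allow ip from any 110 to me
01100 0 0 allow ip from any 53 to me
01200 0 0 allow ip from any 6667 to me
01300 0 0 allow ip from any 6668 to me
01400 0 0 deny ip from not 1.2.3.4/29 8080 to me
""")

# Reconstruction of the fixed ruleset as described in the follow-up (assumed).
CORRECTED = parse_ruleset("""
00050 allow ip from me to any
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow ip from 1.2.3.4/29 to me
00500 allow ip from any to me 22
00600 allow ip from any to me 21
00700 allow ip from any to me 25
00800 allow ip from any to me 80
00900 allow ip from any to me 443
01000 allow ip from any to me 110
01100 allow ip from any to me 53
01200 allow ip from any to me 6667
01300 allow ip from any to me 6668
01400 deny ip from not 1.2.3.4/29 to me 8080
""")


def scenarios():
    """(original verdict, corrected verdict) for a few constructed packets."""
    remote, me = "198.51.100.7", "203.0.113.10"  # constructed addresses
    cases = {
        "inbound ssh SYN": pkt("tcp", remote, 51515, me, 22),
        "outbound ssh reply": pkt("tcp", me, 22, remote, 51515),
        "remote source port 22 to any local port": pkt("tcp", remote, 22, me, 31337),
        "loopback": pkt("tcp", "127.0.0.1", 40000, "127.0.0.1", 22, "lo0"),
    }
    return {n: (evaluate(ORIGINAL, p), evaluate(CORRECTED, p)) for n, p in cases.items()}


if __name__ == "__main__":
    for name, (before, after) in scenarios().items():
        print(f"{name:42s} original={before}  corrected={after}")
```

The trace shows both problems: an inbound SSH connection falls through to rule 65535 in the original because no rule matches a packet whose *source* port is ephemeral, and even if it got in, the server's reply from port 22 is denied because nothing allows `from me to any`. It also shows what the original actually permitted: anyone who sends from source port 22 reaches every local port. Two caveats worth keeping in mind when tightening this further: `allow ip from me to any` opens all outbound traffic regardless of protocol, and rules written with `ip` rather than `tcp` or `udp` are broader than the service they are meant to expose; the usual ipfw idiom for the TCP services is `allow tcp from any to me 22 setup keep-state` preceded by a `check-state` rule, so that only new connections are matched by the port rule and replies are matched by the dynamic state.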