Ipfw ruleset check
Derrick Ryalls
ryallsd at datasphereweb.com
Wed Feb 18 22:58:25 PST 2004
I have a 4.9 router that I decided I want to have a meaningful firewall
with, so I have modified a copy of rc.firewall and would like someone to
point out if I am doing something monumentally stupid.
I want to allow all from within my network, but only let in a few from
the internet:
 - DNS
 - Email/imap-ssl (pop3-ssl in future)
 - ssh
 - WWW
 - whatever natd redirects I have (remote desktop mainly)
I definitely want to protect mysqld and only allow it from localhost or
the inside network.
Here is what I have come up with so far (kernel built with default to
deny):
setup_loopback
# set these to your network and netmask and ip
net="192.168.1.0"
mask="255.255.255.0"
ip="192.168.1.1"
# Allow any traffic to or from my own net.
${fwcmd} add pass all from ${ip} to ${net}:${mask}
${fwcmd} add pass all from ${net}:${mask} to ${ip}
# Allow everything out to the world (replies come back via the dynamic rule)
${fwcmd} add pass all from ${ip} to any keep-state
# Allow DNS queries out to or in from the world
${fwcmd} add pass all from any to any 53 keep-state
# Allow email out to or in from the world
${fwcmd} add pass all from any to any 25 keep-state
# Allow imap-ssl out to or in from the world
${fwcmd} add pass all from any to any 993 keep-state
# Allow ssh out to or in from the world
${fwcmd} add pass all from any to any 22 keep-state
# Allow www out to or in from the world
${fwcmd} add pass all from any to any 80 keep-state
# Allow MSTSC (remote desktop, natd redirect) in from the world
${fwcmd} add pass all from any to any 5001 keep-state
Any glaring mistakes on my part?
TIA
-Derrick
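As an added check that is not part of the original post: a small first-match simulator for the ruleset above, with the rc.firewall variables expanded to the values given in the message, so one can confirm on paper which connections the default-to-deny kernel will let through (e.g. that mysqld is reachable from the LAN but not from the outside). The outside address 198.51.100.1 and the client addresses are constructed; the natd divert rules the post mentions are not shown and so are not modelled, and in/out direction and dynamic state are ignored.

```python
import ipaddress

# The poster's rules with rc.firewall's net/mask/ip expanded (from the post);
# the divert/natd rules mentioned in the message are not shown, so not modelled.
RULES = """\
add pass all from 192.168.1.1 to 192.168.1.0:255.255.255.0
add pass all from 192.168.1.0:255.255.255.0 to 192.168.1.1
add pass all from 192.168.1.1 to any keep-state
add pass all from any to any 53 keep-state
add pass all from any to any 25 keep-state
add pass all from any to any 993 keep-state
add pass all from any to any 22 keep-state
add pass all from any to any 80 keep-state
add pass all from any to any 5001 keep-state
"""

def parse_addr(tok):
    """'any' -> None (wildcard); 'a.b.c.d:mask' -> network; bare host -> /32."""
    if tok == "any":
        return None
    if ":" in tok:
        net, mask = tok.split(":", 1)
        return ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ipaddress.ip_network(f"{tok}/32")

def parse_rules(text):
    """Parse 'add <action> <proto> from <src> to <dst> [dport] [keep-state]' lines."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "add":
            continue
        if t[3] != "from" or t[5] != "to":
            raise ValueError(f"unsupported rule syntax: {line}")
        dport = int(t[7]) if len(t) > 7 and t[7].isdigit() else None
        rules.append((t[1], parse_addr(t[4]), parse_addr(t[6]), dport))
    return rules

def verdict(rules, src, dst, dport):
    """First matching rule wins; no match means the kernel's default-to-deny applies.
    Simplification: ignores in/out direction, interfaces and dynamic (keep-state) entries."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rport in rules:
        if (rsrc is None or src in rsrc) and (rdst is None or dst in rdst) \
                and rport in (None, dport):
            return action
    return "deny"

if __name__ == "__main__":
    wan = "198.51.100.1"  # constructed: the router's outside address
    for who, s, d, p in [("internet->mysqld", "203.0.113.9", wan, 3306),
                         ("lan->mysqld", "192.168.1.20", "192.168.1.1", 3306),
                         ("internet->ssh", "203.0.113.9", wan, 22),
                         ("internet->imap(143)", "203.0.113.9", wan, 143)]:
        print(f"{who:22} {verdict(parse_rules(RULES), s, d, p)}")
```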