The UNIX and Linux Forums: Security
FreeBSD IPFW Rules clarification please...
Hello.
I hope you can help me please. We are about to bring a few servers online which will be hosting different things. One server will be hosting an HTTPd, and I just wanted to know whether these rules I have are correct. To ensure the right interfaces etc., here's a copy of my 'ifconfig' output:
Code:
```
$ ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet our.public.ip.here netmask 0xfffffff0 broadcast our.broadcast.i[
inet6 xxxxx prefixlen 64 scopeid 0x1
ether 00:02:b3:b8:cd:7b
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fwe0: flags=108802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
ether 02:0f:ea:1b:34:bf
ch 1 dma -1
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
ether 00:0f:ea:a1:33:1b
media: Ethernet autoselect (10baseT/UTP)
status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
$
```
The rules:
Code:
```sh
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established

# Allow all localhost connections
$fwcmd add allow tcp from me to any out via lo0 setup keep-state
$fwcmd add deny tcp from me to any out via lo0
$fwcmd add allow ip from me to any out via lo0 keep-state

# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state
$fwcmd add allow all from 192.168.0.0/24 to any

# Everyone on the Internet is allowed to connect to the following
# services on the machine. This example specifically allows connections
# to sshd and a webserver.
$fwcmd add allow tcp from any to any established
$fwcmd add allow tcp from any to me 80 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any

# Enable ICMP: remove type 8 if you don't want your host to be pingable
$fwcmd add allow icmp from any to any icmptypes 0,3,11,12,13,14

# Deny all the rest.
$fwcmd add deny log ip from any to any
```
In the first part, you use stateful inspection:
Code:
```
$fwcmd add check-state
$fwcmd add deny tcp from any to any established
```
but then, in the last part:
Code:
```
$fwcmd add allow tcp from any to any established
$fwcmd add allow tcp from any to me 80 setup
```
I would make it:
Code:
```
$fwcmd add allow tcp from any to me 80 setup keep-state
```
and remove
Code:
```
$fwcmd add allow tcp from any to any established
```
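The change the reply describes, carried through as an added example (not the poster's script and not an excerpt of FreeBSD's rc.firewall): the posted ruleset with the port 80 rule made stateful and the blanket `allow tcp from any to any established` removed, wrapped so the rule list can be previewed before it is loaded and checked for those two properties. The function names, the `print_rule` dry-run helper, the script name `ipfw-web.sh` and the `/sbin/ipfw` path are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the original poster's script or a FreeBSD rc.firewall
# excerpt: the posted ruleset with the reply's change applied, plus a
# dry-run preview. Assumes ipfw is /sbin/ipfw; override with IPFW=... .

IPFW="${IPFW:-/sbin/ipfw}"

# Emit the ruleset through the command given as $1 ($IPFW for a real
# load, the print helper below for a dry run).
load_rules() {
    fw="$1"

    # Flush the current rules before reloading.
    $fw -f flush

    # Packets that belong to a session created by a keep-state rule are
    # accepted at check-state. Any other TCP packet with ACK or RST set
    # (ipfw's "established") has no dynamic rule and is dropped.
    $fw add check-state
    $fw add deny tcp from any to any established

    # Localhost connections.
    $fw add allow tcp from me to any out via lo0 setup keep-state
    $fw add deny tcp from me to any out via lo0
    $fw add allow ip from me to any out via lo0 keep-state

    # Connections this host initiates.
    $fw add allow tcp from me to any out xmit any setup keep-state
    $fw add deny tcp from me to any
    $fw add allow ip from me to any out xmit any keep-state
    $fw add allow all from 192.168.0.0/24 to any

    # Changed per the reply: the inbound SYN to the web server creates a
    # dynamic rule, so the rest of that connection matches check-state and
    # the blanket "allow tcp from any to any established" rule goes away.
    $fw add allow tcp from any to me 80 setup keep-state

    # RESET ident probes, allow a conservative ICMP set, deny the rest.
    $fw add reset log tcp from any to me 113 in recv any
    $fw add allow icmp from any to any icmptypes 0,3,11,12,13,14
    $fw add deny log ip from any to any
}

# Dry-run helper: print each rule command instead of executing it.
print_rule() {
    printf 'ipfw %s\n' "$*"
}

preview_rules() {
    load_rules print_rule
}

# Check the preview for the two properties the reply asks for: no blanket
# "allow ... established" rule, and a state-creating rule for port 80.
# Returns 0 when both hold, 1 otherwise.
check_rules() {
    rules=$(preview_rules)
    if printf '%s\n' "$rules" | grep -q 'allow tcp from any to any established'; then
        return 1
    fi
    printf '%s\n' "$rules" | grep -q 'from any to me 80 setup keep-state'
}

# Usage: preview first, load only once the preview looks right.
#   sh ipfw-web.sh preview   -> print the rules
#   sh ipfw-web.sh load      -> run the check, then load with $IPFW
case "${1:-}" in
    preview) preview_rules ;;
    load)    check_rules && load_rules "$IPFW" ;;
esac
```

One caveat worth checking in the preview before loading: the comment in the posted rules mentions sshd, but the set contains no rule for port 22, and the final rule denies everything else. Loaded over an SSH session, that cuts the session off; a state-creating rule for 22 in the same form as the port 80 one is what the comment implies.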