Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: FreeBSD IPFW Rules clarification please...
Special Forums Cybersecurity FreeBSD IPFW Rules clarification please... Post 70414 by DanUK on Thursday 28th of April 2005 01:51:54 PM
Old 04-28-2005
FreeBSD IPFW Rules clarification please...
Hello.

I hope you can help me please.
We are about to bring a few servers online which will be hosting different things...

For one server, it will be hosting a HTTPd, and just wanted to know whether these rules are correct that I have?

To ensure the right interfaces etc, here's a copy of my 'ifconfig' output:

Code:
$ ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet our.public.ip.here netmask 0xfffffff0 broadcast our.broadcast.i[
        inet6 xxxxx prefixlen 64 scopeid 0x1
        ether 00:02:b3:b8:cd:7b
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fwe0: flags=108802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether 02:0f:ea:1b:34:bf
        ch 1 dma -1
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether 00:0f:ea:a1:33:1b
        media: Ethernet autoselect (10baseT/UTP)
        status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
$

The interface our public Internet Ethernet card is on is: fxp0

The rules:

Code:
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference.  Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established

# Allow all localhost connections
$fwcmd add allow tcp from me to any out via lo0 setup keep-state
$fwcmd add deny  tcp from me to any out via lo0
$fwcmd add allow ip  from me to any out via lo0 keep-state

# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny  tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state
$fwcmd add allow all from 192.168.0.0/24 to any

# Everyone on the Internet is allowed to connect to the following
# services on the machine.  This example specifically allows connections
# to sshd and a webserver.
$fwcmd add allow tcp from any to any established
$fwcmd add allow tcp from any to me 80 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any

# Enable ICMP: remove type 8 if you don't want your host to be pingable
$fwcmd add allow icmp from any to any icmptypes 0,3,11,12,13,14

# Deny all the rest.
$fwcmd add deny log ip from any to any

Many thanks!
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

fBSD nat ipfw

i am running nat on my freeBSD and web/ftp server. The rule allow ip from any to any must always be? or how? if i accept all packets to go on my ep0 which diverts all to my intranet it doesnt help, must the rule allow ip from any to any always be ? even if many rules are between divert rule and... (3 Replies)
Discussion started by: hachik
3 Replies

2. Cybersecurity

ipfw directives and order of precidence...

Is there a general rule I can apply when examining/editing ipfw entries? Also, does each new entry have to have a unique rule number? And, I think I can write a script to block code red infected machines (though I'm not sure it would do more than slim down my web server error message log),... (0 Replies)
Discussion started by: [MA]Flying_Meat
0 Replies

3. BSD

ipfw slow ssh and ftp connections

just as the title says. thanks. #General Rule Sets /sbin/ipfw add 0300 check-state /sbin/ipfw add 0301 deny tcp from any to any in established /sbin/ipfw add 0302 pass tcp from any to any out setup keep-state /sbin/ipfw add 0303 pass udp from any to any out #SSH FTP /sbin/ipfw add 0400... (11 Replies)
Discussion started by: dwildgoose
11 Replies

4. UNIX for Dummies Questions & Answers

Need help with IPFW.. Please...

Hi folks, I am a Mac User, and have little knowledge on IPFW. I have a set up at home where my computer (with 2 ethernet cards and static IP adresses) serves Internet to my family's computers. I have already a script that will run automatically at login and called from Cron at certain... (2 Replies)
Discussion started by: fundidor
2 Replies

5. Cybersecurity

ipfw - dynamic rules and multiple IP addresses with outgoing packets

Here's the problem: Some email-service providers (like Google) have more than one server and distribute the load such that, e.g. the incoming mail server imap.gmail.com is assigned to more than one IP-address. With stateful rules, the ipfw firewall correctly allows outgoing packages to one of... (1 Reply)
Discussion started by: steffen
1 Replies

6. BSD

Using several pipes in ipfw (dummynet)

Hi! I've already posted this on the freebsd-questions mailing list, but I thought I could try it here too. I'm using FreeBSD 7.0 with IPFW DUMMYNET enabled. I've got a problem with creating a ruleset, which allows me to limit the overall bandwidth of a link and afterwards pass the packets... (0 Replies)
Discussion started by: xenator
0 Replies

7. UNIX for Advanced & Expert Users

ipfw and dhcp

Hello, I have a little problem with my server configuration. So: I have two PC's with DHCP enable and both of them have two NIC's. PC1 - le0 ADSL PC1 - le1 192.168.10.1 PC2 - le0 192.168.10.10 PC2 - le1 192.168.20.1 One NIC on PC1 is connected to ADSL, another one have IP address... (3 Replies)
Discussion started by: mrowcp
3 Replies

8. Cybersecurity

pass syntax iptables to ipfw

Hello, excuse my English. Please could tell me how I can pass this syntax for iptables to ipfw. iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name thor --rdest -j ACCEPT iptables -A INPUT -p tcp -m tcp --tcp-flag RST RST -m state --state ESTABLISHED -m recent... (0 Replies)
Discussion started by: dot357
0 Replies

9. Shell Programming and Scripting

Help, SSH /ipfw block script

Hello, This is an SSH Block hammer script using ipfw, that I have modified for my own use. It is for a freenas 7.2 box which is FreeBSD based. The script works, but if there is more then one hammer attack per day, my issue is the script reads the first five instances of refused or invalid... (2 Replies)
Discussion started by: dpreviti
2 Replies

10. OS X (Apple)

How to enable ipfw.log?

Under Mountain Lion, I want logs from ipfw sent to ipfw.log instead of dumped in system.log I've tried to figure out how OSX handles logs, but... after going back and forth between a syslog.conf which does little if anything, a newsyslog.conf that seems to only handle rotation, an asl.conf that... (3 Replies)
Discussion started by: jnojr
3 Replies

LEARN ABOUT OPENSOLARIS

ftpservers

ftpservers(4)							   File Formats 						     ftpservers(4)

NAME

       ftpservers - FTP Server virtual hosting configuration file

SYNOPSIS

       /etc/ftpd/ftpservers

DESCRIPTION

       The  ftpservers file is used to configure complete virtual hosting. In contrast to limited virtual hosting, complete virtual hosting allows
       separate configuration files to be specified for each virtual host.

       The set of configuration files for each virtual host are placed in their own directory. The ftpservers file associates the address of  each
       virtual host with the directory its configuration files are stored in. The virtual host configuration files must be named:

       ftpaccess	 Virtual host's access file

       ftpusers 	 Restricts the accounts that can use the virtual host

       ftpgroups	 Virtual hosts enhanced group access file

       ftphosts 	 Allow or deny usernames access to the virtual host

       ftpconversions	 Customize conversions available from the virtual host

       You  do not need to put every file in each virtual host directory. If you want a virtual host to use the master copy of a file, then do not
       include it in the virtual host directory. If the file is not included, the master copy from the /etc/ftpd directory will be used.

       The file names must match exactly. If you misspell any of  them or name them differently, the server will not find  them,  and  the  server
       will use the master copy instead.

       The ftpaddhost utility is an administrative tool to configure virtual hosts. See ftpaddhost(1M).

   File Format
       There are two fields to each entry in the ftpservers file:

	 address   directory-containing-configuration-files

       For example:

	 10.196.145.10	  /etc/ftpd/virtual-ftpd/10.196.145.10
	 10.196.145.200   /etc/ftpd//virtual-ftpd/10.196.145.200
	 some.domain	  INTERNAL

       When  an  FTP client connects to the FTP Server, in.ftpd(1M) tries to match the IP address to which the FTP client connected with one found
       in the ftpservers file.

       The address can be an IPv4 or IPv6 address, or a hostname.

       If a match is found, The FTP server uses any configuration files found in the associated directory.

       If a match is not found,  or an invalid directory path is encountered,  the default paths to the configuration files are used. The  use	of
       INTERNAL in the example above fails the check for a specific directory, and the master configuration files will be used.

       Either  the  actual IP address or a specific hostname can be used to specify the virtual host. It is better to specify the actual IP of the
       virtual host, as it reduces the need for a domain lookup and eliminates DNS security related naming issues, for example:

	 10.196.145.20	   /etc/ftpd/config/faqs.org/
	 ftp.some.domain   /etc/ftpd/config/faqs.org/

       Lines that begin with a # sign are treated as comment lines and are ignored.

FILES

       /etc/ftpd/ftpservers

ATTRIBUTES

       See attributes(5)  for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWftpr			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |External			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       ftpaddhost(1M), in.ftpd(1M), ftpaccess(4), ftpconversions(4), ftpgroups(4), ftphosts(4), ftpusers(4), attributes(5)

SunOS 5.11							    1 May 2003							     ftpservers(4)
All times are GMT -4. The time now is 01:31 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy