LinuxQuestions.org
Old 02-17-2004, 09:13 PM   #1
ryancoolest
IPFW rules


Hi Guys,

I finished recompiling the kernel, and the default rule is deny ip from any to any...

I added this rule:

ipfw add pass ip from 192.168.1.250(mybox) to 192.168.1.253(FBSD box)

This should accept all the packets from my box, right?

But it didn't get in using ssh... any ideas?

I have a FreeBSD 5.2 box; I want it to allow only DNS, nothing else...

Where can I find sample firewall script for FreeBSD?

Thanks,

Ryan
 
Old 02-17-2004, 11:45 PM   #2
chort
What's the output of
# ipfw show
?

If your rule is after the deny all rule, it won't be matched. You need to make sure you add it before any deny rules. Oh, also, you're only allowing the IP datagrams TO your machine, but not FROM your machine. The responses are getting blocked going back out.

I think you need to add " setup keep-state" to the end of your rule.
 
Old 02-18-2004, 02:31 AM   #3
ryancoolest (Original Poster)
65000 0 0 allow ip from 192.168.1.254 to 192.168.1.253 setup
65535 30 3024 deny ip from any to any

I can access my box if I use allow ip from any to any...
 
Old 02-18-2004, 02:49 AM   #4
ryancoolest (Original Poster)
I want to access my box using ssh...

ipfw add allow ip from 192.168.1.254 to 192.168.1.253 22 setup

65000 103 4944 allow ip from 192.168.1.254 to 192.168.1.253 setup
65110 0 0 allow ip from 192.168.1.254 to 192.168.1.253 dst-port 22 setup
65535 271 25860 deny ip from any to any

Still can't get through...


Any suggestion ?

 
Old 02-18-2004, 10:55 AM   #5
chort
Well, for one thing, you're still not using "keep-state". Using "setup" will only allow SYN packets. When you "allow ip any any" that allows it to send traffic in both directions; as I said in my first post, right now you're only allowing datagrams IN, you aren't allowing the responses OUT.

I think these are the only two lines you need (starting fresh, after a flush)

ipfw add check-state
ipfw add allow ip from 192.168.1.254 to 192.168.1.253 setup keep-state

That should do it. Personally, I think ipfw is almost as bizarre as iptables and I hate it. I found PF in OpenBSD to be much easier to use. IPF in FreeBSD and NetBSD is very similar to PF (actually I think PF is a fork of IPF?).
 
Old 02-19-2004, 01:03 AM   #6
ryancoolest (Original Poster)

CHORT, it works... Thank you very much... You're a BSD guru... Setup is for out and keep-state for in, right?

If I set up my box to be a web server and mail server, can I use these rules...

ipfw add allow ip from any to 192.168.83.253 80 setup keep-state
ipfw add allow ip from any to 192.168.83.253 110 setup keep-state
ipfw add allow ip from any to 192.168.83.253 25 setup keep-state

Let's assume that 192.168.83.253 is a public IP... these rules are secure, right? And if this IP exists on the net, sorry, I have no intention of anything...
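The ruleset chort describes in post #5 (check-state first, "setup keep-state" on each allowed TCP service, default deny last), extended with the DNS, web and mail services asked about in posts #1 and #6, written out as a complete sh script. This is an added example, not code from the thread or from FreeBSD's own rc.firewall. The two addresses are the ones in the thread; the rule numbers, the lo0 and anti-spoofing rules, the outbound DNS rules and the DRY_RUN switch are this example's own assumptions. Run it as-is and it only prints the ipfw command lines; set DRY_RUN=0 to load them for real.

```shell
#!/bin/sh
# Added example (not from the thread): stateful ipfw ruleset for the
# FreeBSD box in the discussion.  Addresses from the thread; rule numbers,
# lo0/anti-spoof rules, outbound DNS rules and DRY_RUN are assumptions.

MYBOX=192.168.1.254   # workstation that may ssh in
FBSD=192.168.1.253    # FreeBSD box being protected
DRY_RUN=${DRY_RUN:-1} # 1 = print the commands, 0 = run /sbin/ipfw for real

# fw: either echo the ipfw command line or execute it.
fw() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw "$@"
    fi
}

# Core ruleset.  Order matters: ipfw stops at the first matching rule, so
# check-state must come before every static rule and the deny must be last.
load_rules() {
    fw -f flush
    # 1. Packets belonging to a dynamic (keep-state) session match here,
    #    in either direction.  This is what lets the SSH replies back out.
    fw add 100 check-state
    # 2. Loopback, plus anti-spoofing for 127/8 on real interfaces.
    fw add 200 allow ip from any to any via lo0
    fw add 210 deny ip from any to 127.0.0.0/8
    fw add 220 deny ip from 127.0.0.0/8 to any
    # 3. SSH only from the admin workstation: "setup" matches the SYN only,
    #    "keep-state" records the session so the rest of the flow hits rule 100.
    fw add 1000 allow tcp from "$MYBOX" to "$FBSD" 22 setup keep-state
    # 4. DNS service.  UDP has no SYN, so keep-state alone creates the entry;
    #    TCP 53 is needed for large answers and zone transfers.
    fw add 2000 allow udp from any to "$FBSD" 53 keep-state
    fw add 2010 allow tcp from any to "$FBSD" 53 setup keep-state
    # 5. Outbound lookups by the box itself (a resolver needs them).
    fw add 3000 allow udp from "$FBSD" to any 53 keep-state out
    fw add 3010 allow tcp from "$FBSD" to any 53 setup keep-state out
    # 6. Everything else, logged (logging needs IPFIREWALL_VERBOSE in the kernel).
    fw add 65000 deny log ip from any to any
}

# Public services from post #6.  "tcp" rather than "ip": "setup" only ever
# matches TCP anyway, and naming the protocol makes the rule say what it does.
# ipfw inserts by rule number, so 4000-4020 land before the deny at 65000.
add_public_services() {
    fw add 4000 allow tcp from any to "$FBSD" 80 setup keep-state
    fw add 4010 allow tcp from any to "$FBSD" 25 setup keep-state
    fw add 4020 allow tcp from any to "$FBSD" 110 setup keep-state
}

# Run stand-alone: prints (or loads) the complete ruleset.
load_rules
add_public_services
```

Two practical cautions. First, the flush in load_rules runs while the kernel's default rule 65535 is deny, so loading this over SSH drops the session until rule 1000 is in place; load it from the console or from the boot-time firewall script. Second, "setup keep-state" answers the question in post #6 only for the inbound direction: the SYN is accepted by the static rule, and every later packet of that connection, in both directions, is accepted by check-state. Opening 80, 25 and 110 to any is as secure as the daemons behind them; the firewall itself is doing its job.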
All times are GMT -5.