IPFW rules
Hi Guys,
I finished recompiling the kernel and the default rule is deny ip from any to any... I added this rule: ipfw add pass ip from 192.168.1.250 (my box) to 192.168.1.253 (FBSD box). This should accept all the packets from my box, right...? But it didn't get in using ssh... any ideas...? I have a FreeBSD 5.2 box and I want it to allow only DNS, nothing else... Where can I find a sample firewall script for FreeBSD? Thanks, Ryan
What's the output of
# ipfw show ? If your rule is after the deny-all rule, it won't be matched. You need to make sure you add it before any deny rules. Oh, also you're only allowing the IP datagrams TO your machine, but not FROM your machine. The responses are getting blocked going back out. I think you need to add "setup keep-state" to the end of your rule.
65000 0 0 allow ip from 192.168.1.254 to 192.168.1.253 setup
65535 30 3024 deny ip from any to any

I can access my box if I use allow ip from any to any...
ipfw allow ip from 192.168.1.254 to 192.168.1.253 22 setup

65000 103 4944 allow ip from 192.168.1.254 to 192.168.1.253 setup
65110 0 0 allow ip from 192.168.1.254 to 192.168.1.253 dst-port 22 setup
65535 271 25860 deny ip from any to any

Still can't get through.... Any suggestion?
Well, for one thing you're still not using "keep-state". Using "setup" will only allow SYN packets. When you "allow ip any any" that allows it to send traffic in both directions; as I said in my first post, right now you're only allowing datagrams IN, you aren't allowing the responses OUT.
I think these are the only two lines you need (starting fresh, after a flush):

ipfw add check-state
ipfw add allow ip from 192.168.1.254 to 192.168.1.253 setup keep-state

That should do it. Personally, I think ipfw is almost as bizarre as iptables and I hate it. I found PF in OpenBSD to be much easier to use. IPF in FreeBSD and NetBSD is very similar to PF (actually I think PF is a fork of IPF?).
If I set up my box to be a web server and mail server, can I use these rules...

ipfw add allow ip from any to 192.168.83.253 80 setup keep-state
ipfw add allow ip from any to 192.168.83.253 110 setup keep-state
ipfw add allow ip from any to 192.168.83.253 25 setup keep-state

Let's assume that 192.168.83.253 is a public IP... these rules are secure, right? And if this IP exists on the net, sorry, I have no intention of anything... :D
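As an added example (not posted by anyone in the thread), here is a complete stateful ipfw ruleset script that covers both cases discussed above: ssh from the admin workstation plus DNS as a client, and the later web/mail server question. The addresses 192.168.1.253 (the FreeBSD host) and 192.168.1.250 (the admin box), the rule numbers and the choice of services are assumptions for illustration. Note that in ipfw port numbers are only valid with tcp or udp, not with the protocol "ip", so the service rules below say tcp. The script prints the ruleset by default and only touches the live firewall when run with "apply" on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not from the original thread. Minimal stateful ipfw ruleset.
# Assumed addresses (override via environment): the protected FreeBSD host is
# 192.168.1.253 and the admin workstation that may ssh in is 192.168.1.250.
MY_IP=${MY_IP:-192.168.1.253}
ADMIN_IP=${ADMIN_IP:-192.168.1.250}

# Emit the rules in load order. check-state comes first so packets belonging to
# an already accepted flow match before anything else; the catch-all deny comes
# last. Every rule that opens a flow carries keep-state, which is what lets the
# replies back out through a default-deny ruleset.
ruleset() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from $ADMIN_IP to $MY_IP 22 setup keep-state
add 400 allow udp from $MY_IP to any 53 keep-state
add 410 allow tcp from $MY_IP to any 53 setup keep-state
add 500 allow tcp from any to $MY_IP 25,80,110 setup keep-state
add 65000 deny ip from any to any
EOF
}

# Rule number of the check-state rule and of the first deny rule (field 2 of
# "add <number> <action> ..."), used to sanity-check ordering before loading.
check_state_rule() { ruleset | awk '$3 == "check-state" { print $2; exit }'; }
first_deny_rule()  { ruleset | awk '$3 == "deny" { print $2; exit }'; }

# Returns 0 only if check-state is evaluated before the first deny; otherwise
# dynamic rules are never consulted and stateful matching silently does nothing.
verify_order() {
    [ "$(check_state_rule)" -lt "$(first_deny_rule)" ]
}

# Load on a FreeBSD host: flush the old rules, then feed the whole file to
# ipfw(8) in one pass (ipfw accepts a pathname of commands as its argument).
apply() {
    verify_order || { echo "refusing to load: check-state is after deny" >&2; return 1; }
    tmp=$(mktemp) || return 1
    ruleset > "$tmp"
    ipfw -q -f flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in
    apply) apply ;;
    "")    ruleset ;;   # default is a dry run: just print the rules
esac
```

Run it with no arguments to review the rules, then "sh ipfw.sh apply" as root once they look right; the ordering check refuses to load a ruleset whose deny precedes check-state, which is the failure mode the thread ran into with "setup" alone.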