IPFW rules

ryancoolest · 02-17-2004, 09:13 PM

Hi Guys,

I finish recompile the kernel and the default rules id deny ip from any to any...

I add this rules :

ipfw add pass ip from 192.168.1.250(mybox) to 192.168.1.253(FBSD box)

this should accept all the packets from my box right...?

but it didn't get in using ssh... any adieas...?

I Have a FreeeBSD 5.2 Box i want it to Allow only for DNS notting else...

Where can I find sample firewall script for FreeBSD?

Thanks,

Ryan

chort · 02-17-2004, 11:45 PM

What's the output of
# ipfw show
?

If your rule is after the deny all rule, it won't be matched. You need to make sure you add it before any deny rules. Oh, also you're only allow the IP datagrams TO your machine, but not FROM your machine. The responses are getting blocked going back out.

I think you need to add " setup keep-state" to the end of your rule.

ryancoolest · 02-18-2004, 02:31 AM

65000 0 0 allow ip from 192.168.1.254 to 192.168.1.253 setup
65535 30 3024 deny ip from any to any

I can Access my box if I use allow ip from any to any...

ryancoolest · 02-18-2004, 02:49 AM

Quote:

Originally posted by ryancoolest
65000 0 0 allow ip from 192.168.1.254 to 192.168.1.253 setup
65535 30 3024 deny ip from any to any

I can Access my box if I use allow ip from any to any...

I wanna access my box using ssh...

ipfw allow ip from 192.168.1.254 to 192.168.1.253 22 setup

65000 103 4944 allow ip from 192.168.1.254 to 192.168.1.253 setup
65110 0 0 allow ip from 192.168.1.254 to 192.168.1.253 dst-port 22 setup
65535 271 25860 deny ip from any to any

Still can't get through ....

Any suggestion ?

chort · 02-18-2004, 10:55 AM

Well for one thing you're still not using "keep-state" Using "setup" will only allow SYN packets. When you "allow ip any any" that allows it to send traffic in both directions, as I said in my first post right now you're only allowing datagrams IN, you aren't allowing the responses OUT.

I think these are the only two lines you need (starting fresh, after a flush)

ipfw add check-state
ipfw add allow ip from 192.168.1.254 to 192.168.1.253 setup keep-state

That should do it. Personally, I think ipfw is almost as bizarre as iptables and I hate it. I found PF in OpenBSD to be much easier to use. IPF in FreeBSD and NetBSD is very similar to PF (actually I think PF is a fork of IPF?).

ryancoolest · 02-19-2004, 01:03 AM

Quote:

Originally posted by chort
Well for one thing you're still not using "keep-state" Using "setup" will only allow SYN packets. When you "allow ip any any" that allows it to send traffic in both directions, as I said in my first post right now you're only allowing datagrams IN, you aren't allowing the responses OUT.

I think these are the only two lines you need (starting fresh, after a flush)

That should do it. Personally, I think ipfw is almost as bizarre as iptables and I hate it. I found PF in OpenBSD to be much easier to use. IPF in FreeBSD and NetBSD is very similar to PF (actually I think PF is a fork of IPF?).

CHORT it work... Thank you very much... Your a BSD guru... Setup is for out and keep-state for in right?

If i setup my to be a web server and mail .. can i use this rules...

ipfw add allow ip from any to 192.168.83.253 80 setup keep-state
ipfw add allow ip from any to 192.168.83.253 110 setup keep-state
ipfw add allow ip from any to 192.168.83.253 25 setup keep-state

lets assume that 192.168.83.253 is a public IP.. this rules are secure right... N If this IP exist on the net Sorry i have no intention of anything...