no keep-state and and unpredictable ssh connections
Darren
darren at dazdaz.org
Fri Jul 25 16:39:18 PDT 2003
Hello freebsd-ipfw,
I'm not using keep-state and yet ssh'ing into my FreeBSD 4.8-STABLE
box does'nt happen every attempt, more like 1 attempt in every 15!
Incoming ssh connection work fine when firewall is disabled.
My ips obviously changed. This is my rc.firewall script.
Greatly appreciate some guidance, i've read some docs, but am missing
something.
#!/bin/sh
fwcmd="/sbin/ipfw"
myip="11.11.203.114"
bcast="11.11.203.119"
network="11.11.203.112/29"
dns_server="158.152.1.43"
# Run this if you want to run it multiple times
# echo y | sudo ipfw flush zero resetlog
# Reset all rules in case script run multiple times
echo y | ${fwcmd} flush zero resetlog
${fwcmd} add allow log all from any to any via lo0
# Allow ourself
${fwcmd} add allow log tcp from ${myip} to $myip{} in recv xl0
# Allow our netblock
${fwcmd} add allow log tcp from ${mynetwork} to any in recv xl0
# Allow broadcasts
${fwcmd} add allow log tcp from ${myip} to ${bcast} in recv xl0
# Allow INCOMING ssh and HTTP from anywhere on the internet
${fwcmd} add allow log tcp from 0.0.0.0 to ${myip} 22,80 in recv xl0
# Allow DNS client lookups
${fwcmd} add allow udp from ${myip} to ${dns_server} 53 in recv xl0
${fwcmd} add allow udp from ${dns_server} 53 to ${my_ip} in recv xl0
################################
# Block RFC 1918 networks
################################
${fwcmd} add deny all from 0.0.0.0/7 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 1.0.0.0/8 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 2.0.0.0/8 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 5.0.0.0/8 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 10.0.0.0/8 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 23.0.0.0/8 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 27.0.0.0/8 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 31.0.0.0/8 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 67.0.0.0/8 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 68.0.0.0/6 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 72.0.0.0/5 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 80.0.0.0/4 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 96.0.0.0/3 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 127.0.0.0/8 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 128.0.0.0/16 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 128.66.0.0/16 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 169.254.0.0/16 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 172.16.0.0/12 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 191.255.0.0/16 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 192.0.0.0/16 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 192.168.0.0/16 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 197.0.0.0/8 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 201.0.0.0/8 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 204.152.64.0/23 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 224.0.0.0/3 to 0.0.0.0 in recv xl0
${fwcmd} add deny all from 240.0.0.0/8 to 0.0.0.0 in recv xl0
# disable icmp
${fwcmd} add deny log icmp from any to any in recv xl0
${fwcmd} add deny log all from any to any recv xl0
# End of rc.firewall
--
Best regards,
Darren mailto:darren at dazdaz.org
More information about the freebsd-ipfw
mailing list