New IPFW Setup.
Grant Peel
gpeel at thenetnow.com
Wed Dec 29 04:02:30 PST 2004
Good morning all,
Apologies for sending to both lists, I am hoping to root out the IPFW gurus!
Hope everyone had a Merry Christmas....
I have recently activated ipfw on 5 of my production servers. All servers
are Apache, Exim or Sendmail, MySQL, vm-pop3d, ProFTPD enabled. All servers
have multiple domains and UNIX users, though, by default, we do not supply
shell accounts.
Here is the ruleset I currently use on all the servers. I would like nothing
more than to tighten them up a bit, if possible, considering the environment
they are used in (Internet).
Please feel free to browse and send me any comments, critiques you may have
on the ruleset below.
00010 allow ip from any to any via lo0
00020 allow ip from any to any via fxp1 # LAN access ... is behind a managed switch, VLAN setup.
00030 check-state
00040 allow tcp from N.N.N.N to me 22 keep-state setup # Allow me in via ssh ... I hope!
00050 allow ip from any to 192.168.0.6 # An nfs mount
00060 allow ip from 192.168.0.6 to any
00070 allow icmp from any to any icmptype 0,3,4,8,11,12
00100 allow ip from any to any keep-state out
00110 allow tcp from any to any 20,21 keep-state setup
00120 allow tcp from any to any 25,110 keep-state setup
00130 allow tcp from any to any 53 keep-state setup
00140 allow udp from any to any 53 keep-state
00150 allow tcp from any to any 80,110,443 keep-state setup
00160 allow tcp from any to any 10000,20000 keep-state setup # Webmin and Usermin.
00170 allow tcp from any to any 1024-65534 in setup # ftp ports. Seems to negate a lot of the firewall ???
65534 deny log ip from any to any
65535 deny ip from any to any
Of special concern to me is line 170 ... added to allow ftp. Any ideas here?
-Grant
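A tightened variant of the ruleset above, added here as an example and not the poster's own configuration: it keeps the rule numbering, but changes the destination from "any" to "me" on the inbound service rules, limits Webmin/Usermin to the admin host, and replaces rule 170 with a narrow passive-data range that is assumed to match a `PassivePorts 49152 49999` line in proftpd.conf. N.N.N.N stays the poster's placeholder, and the ipfw binary is only echoed unless FWCMD is set, so the script is a dry run by default.

```shell
#!/bin/sh
# Tightened ipfw ruleset (added example, not the original post's rules).
# Assumption: proftpd.conf contains "PassivePorts 49152 49999", so only that
# range needs to accept inbound data connections.  With FWCMD unset the
# commands are printed instead of applied; FWCMD=/sbin/ipfw applies them.
fwcmd="${FWCMD:-echo /sbin/ipfw}"
admin="N.N.N.N"        # placeholder admin host, as in the original post
nfs="192.168.0.6"      # NFS server from the original post
pasv_lo=49152          # must match PassivePorts in proftpd.conf
pasv_hi=49999

build_rules() {
    $fwcmd -f flush
    $fwcmd add 10 allow ip from any to any via lo0
    $fwcmd add 20 allow ip from any to any via fxp1
    $fwcmd add 30 check-state
    $fwcmd add 40 allow tcp from "$admin" to me 22 keep-state setup
    $fwcmd add 50 allow ip from any to "$nfs"
    $fwcmd add 60 allow ip from "$nfs" to any
    $fwcmd add 70 allow icmp from any to any icmptype 0,3,4,8,11,12
    # Outbound keep-state also covers active-mode FTP data connections the
    # server opens itself from port 20, so port 20 needs no inbound rule.
    $fwcmd add 100 allow ip from any to any keep-state out
    # Inbound services: destination "me" so the host does not also pass
    # connection setups addressed to other machines.
    $fwcmd add 110 allow tcp from any to me 21 keep-state setup
    $fwcmd add 120 allow tcp from any to me 25,110 keep-state setup
    $fwcmd add 130 allow tcp from any to me 53 keep-state setup
    $fwcmd add 140 allow udp from any to me 53 keep-state
    $fwcmd add 150 allow tcp from any to me 80,443 keep-state setup
    $fwcmd add 160 allow tcp from "$admin" to me 10000,20000 keep-state setup
    # Replacement for rule 170: passive FTP data only, and only the range
    # ProFTPD actually hands out, instead of 1024-65534 from anywhere.
    $fwcmd add 170 allow tcp from any to me "${pasv_lo}-${pasv_hi}" keep-state setup
    $fwcmd add 65534 deny log ip from any to any
}

build_rules
```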