IPFW Ruleset Help

bryan cassidy linux_kinda_guy at yahoo.com
Tue Jun 1 00:38:18 PDT 2004 

Hello. Running FreeBSD 4.10. After I reboot with my
new ipfw.rules I can't load any webpages. I didn't try
by IP address cause I can't remember any off top at
the moment. Here is my following setup

In my kernel I have

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPSTEALTH

In my rc.conf I have

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
firewall_quiet="NO"
firewall_logging_enable="YES"

icmp_drop_redirect="YES"
log_in_vain="YES"
tcp_drop_sysfin="YES"
tcp_restrict_rst="YES"

In my /etc/ipfw.rules I have

add 00300 deny log tcp from any to any 515 in recv xl0
add 00301 deny tcp from any to any 7101 in recv xl0
add 00302 deny log tcp from any to any 6000 in recv
xl0
add 00303 allow log tcp from any to any 113 inr ecv
xl0 setup

# DNS

add 00310 allow tcp from 205.152.133.254 to any in
recv xl0
add 00311 allow tcp from 205.152.132.235 to any in
recv xl0

add 00320 allow udp from 205.152.133.254 53 to any in
recv xl0
add 00321 allow udp from 205.152.132.235 53 to any in
recv xl0

# Deny Below port 1000

add 00399 deny log tcp from any to any 0-1000 in recv
xl0 setup

# Ntpdate

add 00403 allow udp from 123 to any 123 in recv xl0

# Deny UDP connections

add 00499 deny log udp from any to any in recv xl0

# Log netbus ( haha )

add 00500 deny log tcp from any to any 12345 in recv
xl0
add 00501 deny log tcp from any to any 20034 in recv
xl0

# Let my ISP ping me!

add 00600 allow icmp from 205.152.133.254 to any in
recv xl0
add 00601 allow icmp from 205.152.132.235 to any in
recv xl0

# Log ICMP echos and dest

add 00610 allow log icmp from any to any in recv xl0
icmptype 3
add 00610 allow log icmp from any to any in recv xl0
icmptype 8


First. Things I will be running. I will be running
Apache+PHP later on when I get my box more secure but
for now I will be running Postfox for my MTA, I want
to be able to send and recieve e-mails and any other
*basic* things everyone would want on a everyday basis
ya know? If I left out anything that would be helpful
please let me know and I will post it to the list.

Thanks in advance.


	
		
__________________________________
Do you Yahoo!?
Friends.  Fun.  Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/

More information about the freebsd-questions mailing list