IPFW config

Paul Schmehl pauls at utdallas.edu
Mon Feb 21 03:56:48 GMT 2005

----- Original Message ----- 
From: "SigmaX" <scottclansman at cwazy.co.uk>
To: <freebsd-questions at freebsd.org>
Cc: "Paul Schmehl" <pauls at utdallas.edu>
Sent: Monday, February 21, 2005 8:14 PM
Subject: Re: IPFW config

> Well... *ahem*...  I put the above script into /etc/ipfw.rules and did 
> "kldload ipfw.ko && sh /etc/ipfw.rules".  I lost connectivity to the 
> server.

Geez, I thought you learned from the first time....
  >Did the above script only open those ports to localhost or
> something?

It was meant to be an example for you to work from.  It's taken from a 
working example that I use on several servers, altered to meet the 
requirements you gave in your post.

First of all, you should *never* work on a firewall config remotely. 
Secondly, the expectation is that you will take information give here and 
use it with a grain of salt.

Try this.  Sitting at the console in front of the computer, enable the 
% ipfw enable firewall
This will block all access to the computer.
Now type this at the command line:
% ipfw add allow tcp from any to (type in the computer's IP address here) 
Now ssh to some other computer that you have access to and back to this 
computer and see if you don't get in.  (Note that the assumption is that you 
have not yet configured /etc/hosts.allow to deny access from the computer 
you're ssh'ing back to this computer from.)

Look at the /etc/rc.firewall script.  Read man ipfw carefully.  Don't forget 
that you must enable the firewall in the /etc/rc.conf file, but you must 
*also* define what *type* of firewall it is.

Here's an example:

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member

More information about the freebsd-questions mailing list