IPFW: 24.6.5.7 An Example NAT and Stateful Ruleset

Kees Plonsz trap1 at jeremino.homeunix.net
Fri May 6 04:43:11 PDT 2005


Ivanov Ilya wrote on Friday 06 May 2005 12:01:

> Hello! I read the article
> (http://freebsd.vinf.ru/doc/en/books/handbook/firewalls-ipfw.html)
> and used your example from the "An Example NAT and Stateful Ruleset" part.
> When I use this script for ipfw, I am not able to use the internet,
> but if I disable rules 400 and 450 I can use the internet.
> 
> I use FreeBSD 4.10, nat, ipfw, squid.
> 
> # Reject & Log all unauthorized incoming connections from the public
> # Internet
> $cmd 400 deny log all from any to any in via $pif
> 
> # Reject & Log all unauthorized out going connections to the public
> # Internet
> $cmd 450 deny log all from any to any out via $pif
> 
> My question is: can I use this script for ipfw without rules 400 and
> 450, or is that a potential threat to the security of my system?
> 
> Maybe you can point me to a link to an article about this?
> 
> With best regards, Ivanov Ilya.

Instead of copying examples to your own system, try to understand
exactly what those rules mean. Read the "man ipfw" page very carefully.
Most examples have too many rules you don't need.
If you want to know about the safety of your system,
have your system scanned for open and closed ports from outside:

http://jeremino.homeunix.net/portscan.php

-- 
Key-ID = A6581435          E-mail: replace trap1 with kees
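The quoted rules 400 and 450 are the catch-alls of the handbook's stateful ruleset: anything arriving on or leaving via $pif that no earlier allow/keep-state rule matched is denied and logged. Removing them does not make that traffic "authorized"; it only hands the decision to the default rule 65535, which is deny unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT. The following toy model of ipfw first-match evaluation with check-state/keep-state is an added example, not code from the handbook or from anyone in this thread. The interface name dc0, the rule numbers other than 400/450, the addresses and the single allow rule are all assumed for illustration; natd/divert, rule expiry and the `setup` keyword are deliberately left out.

```python
"""Toy model of ipfw first-match evaluation with keep-state/check-state.

Added example (not from the FreeBSD Handbook or the mailing-list thread).
Only the shape of the handbook ruleset is modelled: one allow ... keep-state
rule for outbound HTTP, the two catch-all deny/log rules 400 and 450, and
the implicit default rule 65535.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PIF = "dc0"  # assumed name for the public interface ($pif in the handbook)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out", relative to the firewall host
    iface: str


@dataclass
class Rule:
    number: int
    action: str  # "allow", "deny" or "check-state"
    proto: str = "all"
    direction: Optional[str] = None
    iface: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False
    log: bool = False


class ToyIpfw:
    """First-match evaluation. Rule 65535 denies unless the kernel was
    built with IPFIREWALL_DEFAULT_TO_ACCEPT (default_accept=True)."""

    def __init__(self, rules: List[Rule], default_accept: bool = False):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.default_accept = default_accept
        self.state: Set[Tuple] = set()  # dynamic rules created by keep-state
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Tuple:
        # A reply has the original flow's endpoints swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    @staticmethod
    def _static_match(r: Rule, p: Packet) -> bool:
        return ((r.proto == "all" or r.proto == p.proto)
                and (r.direction is None or r.direction == p.direction)
                and (r.iface is None or r.iface == p.iface)
                and (r.dport is None or r.dport == p.dport))

    def evaluate(self, p: Packet) -> Tuple[str, int]:
        """Return (action, rule number) for the first matching rule."""
        for r in self.rules:
            if r.action == "check-state":
                # Either direction of an established flow matches a dynamic rule.
                if self._key(p) in self.state or self._reverse_key(p) in self.state:
                    return "allow", r.number
                continue
            if not self._static_match(r, p):
                continue
            if r.log:
                self.log.append(f"ipfw: {r.number} {r.action.capitalize()} {p.proto} "
                                f"{p.src}:{p.sport} {p.dst}:{p.dport} {p.direction} via {p.iface}")
            if r.action == "allow" and r.keep_state:
                self.state.add(self._key(p))
            return r.action, r.number
        return ("allow" if self.default_accept else "deny"), 65535


def ruleset(with_catchall: bool) -> List[Rule]:
    """Handbook-shaped ruleset; only 400 and 450 are the thread's numbers."""
    rules = [
        Rule(100, "check-state"),  # assumed number
        Rule(200, "allow", proto="tcp", direction="out", iface=PIF, dport=80, keep_state=True),
    ]
    if with_catchall:
        rules += [Rule(400, "deny", direction="in", iface=PIF, log=True),
                  Rule(450, "deny", direction="out", iface=PIF, log=True)]
    return rules


def demo(with_catchall: bool, default_accept: bool = False) -> Dict[str, object]:
    """Run four constructed packets through the ruleset and report the verdicts."""
    fw = ToyIpfw(ruleset(with_catchall), default_accept)
    http_out = Packet("tcp", "203.0.113.5", 40000, "198.51.100.10", 80, "out", PIF)
    http_reply = Packet("tcp", "198.51.100.10", 80, "203.0.113.5", 40000, "in", PIF)
    smtp_out = Packet("tcp", "203.0.113.5", 40001, "198.51.100.20", 25, "out", PIF)
    ssh_probe = Packet("tcp", "198.51.100.66", 5555, "203.0.113.5", 22, "in", PIF)
    return {
        "http_out": fw.evaluate(http_out),      # explicitly allowed, state created
        "http_reply": fw.evaluate(http_reply),  # matched by check-state
        "smtp_out": fw.evaluate(smtp_out),      # no allow rule: catch-all or 65535
        "ssh_probe": fw.evaluate(ssh_probe),    # unsolicited inbound: same
        "logged": len(fw.log),
    }


if __name__ == "__main__":
    for catchall, accept in ((True, False), (False, False), (False, True)):
        print(f"catch-all={catchall} default_accept={accept}: {demo(catchall, accept)}")
```

Running the three configurations shows the point: with rules 400/450 in place, unmatched traffic is denied at those rules and logged; without them and with a default-deny kernel the verdict is the same but silent (rule 65535, nothing logged); without them on a default-to-accept kernel, both the unsolicited inbound probe and the unlisted outbound connection are allowed. In the real ruleset the divert to natd and the `setup keep-state` qualifier sit in front of these rules, so reading `man ipfw` for how those interact with check-state is the step the reply above recommends.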