IPFW Firewall Question
Mel
fbsd.questions at rachie.is-a-geek.net
Mon Dec 8 07:34:09 PST 2008
On Friday 05 December 2008 20:29:40 G magicman wrote:
> I have tried this it did not work and the Co-Lo people are convinced that
> sshd and sendmail need to be run out of inetd.conf for this to work.
That wouldn't explain sshd being linked against libwrap. Did you comment:
# The rules here work on a "First match wins" basis.
ALL : ALL : allow
> As i said i am used to BSDI and the Finnish SSHD
Hehe, I remember having libwrap as backup, cause the firewall's
pre-in/pre-out/in/out concepts were confusing at times.
Anyway, I'll give you a pf example, maybe someone with ipfw skills will pick
it up and translate, or you can kldload pf and use that ;)
<Assuming 7.0 or higher, so that keep state is implicit>
===============
openports="{ 11, 21, 22, 23, 25, 37, 42, 43, 53, 63, 69, 70, 80, 101, 109,
110, 115, 119, 123, 143, 443, 4321, 50001 }"
table <trusted> persist { 209.131.0.0/16, 66.65.0.0/16, 71.173.96.0/19, \
71.173.128.0/17, blabla }
table <spammers> persist file "/etc/pf/spammers.table"
ext_if="bge0" # External interface
# Rules, last match wins
block in all
pass in from <trusted> to any
pass in on $ext_if proto {tcp, udp} from any to ($ext_if) port $openports
block in on $ext_if from <spammers> to any port 25
==============
The file /etc/pf/spammers.table can then be filled with one CIDR per line,
easy to maintain/fail and possible to have the file maintained by grok or
alike automation scripts. The file is only read on start up, but the table
can be maintained 'live', using pfctl -T commands.
Hope this helps.
--
Mel
Problem with today's modular software: they start with the modules
and never get to the software part.
More information about the freebsd-questions
mailing list