dialup firewalling
Tony Frank
tfrank at optushome.com.au
Wed Jan 21 06:30:59 PST 2004
Hi Marc,
On Wed, Jan 21, 2004 at 01:26:10PM +0000, Marc Silver wrote:
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Divert all packets through the tunnel interface.
> $fwcmd add divert natd all from any to any via tun0
For dialup using user-ppp I prefer to use the ppp built-in nat functionality.
You also probably want some rules upfront for loopback, although the 'me to any'
likely covers it:
From /etc/rc.firewall:
${fwcmd} add 100 allow all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
> # Allow all connections that we initiate, and keep their state,
> # but deny established connections that don't have a dynamic rule.
> $fwcmd add check-state
> $fwcmd add allow ip from me to any keep-state
> $fwcmd add deny tcp from any to any established
> # Allow internet users to connect to the port 22 and 80 on my machine.
> # This example specifically allows connections to the sshd and a
> # webserver.
> $fwcmd add allow tcp from any to me dst-port 22,80 setup keep-state
Looks ok.
> # Allow ICMP packets: remove type 8 if you don't want your host
> # to be pingable.
> $fwcmd add allow icmp from any to any icmptypes 0,3,8,11,12,13,14
I personally have never seen a use for 13 & 14 (timestamp) so would block these also.
Hope it helps,
Tony
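Added example, not part of the thread or of FreeBSD's own rc.firewall: a small POSIX sh audit that checks a ruleset for the two points raised above, the explicit loopback rules and ICMP types 13/14. The rulesets are constructed here from the quoted lines (with the `$fwcmd` prefix stripped, which the checks assume).

```sh
#!/bin/sh
# Constructed sample modelled on the ruleset quoted in the thread (not Marc's file).
SAMPLE_RULES='add divert natd all from any to any via tun0
add check-state
add allow ip from me to any keep-state
add deny tcp from any to any established
add allow tcp from any to me dst-port 22,80 setup keep-state
add allow icmp from any to any icmptypes 0,3,8,11,12,13,14'

# Same sample with the rc.firewall loopback rules prepended and the
# timestamp types removed, i.e. the changes suggested in the reply.
HARDENED_RULES="add 100 allow all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
$(printf '%s\n' "$SAMPLE_RULES" | sed 's/,13,14$//')"

# audit_ipfw_rules: read ipfw 'add ...' lines on stdin, print one finding per
# line, and return the number of findings (0 means every check passed).
audit_ipfw_rules() {
    rules=$(cat)
    findings=0
    if ! printf '%s\n' "$rules" | grep -q 'allow .*via lo0'; then
        echo "missing: allow all from any to any via lo0"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$rules" | grep -q 'deny .*to 127\.0\.0\.0/8'; then
        echo "missing: deny all from any to 127.0.0.0/8"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$rules" | grep -q 'deny .*from 127\.0\.0\.0/8'; then
        echo "missing: deny ip from 127.0.0.0/8 to any"
        findings=$((findings + 1))
    fi
    # Gather every icmptypes list from allow rules; a for loop rather than a
    # piped while-read, so the counter is not lost in a subshell.
    types=$(printf '%s\n' "$rules" \
        | sed -n 's/.*allow icmp.*icmptypes \([0-9,]*\).*/\1/p' | tr ',\n' '  ')
    for t in $types; do
        case $t in
            13) echo "allowed: icmp type 13 (timestamp request)"; findings=$((findings + 1)) ;;
            14) echo "allowed: icmp type 14 (timestamp reply)"; findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}

# Stand-alone usage: audit the quoted ruleset and report how many findings it has.
printf '%s\n' "$SAMPLE_RULES" | audit_ipfw_rules || echo "findings: $?"
```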