Firewall rules for servers, UDP

Alex de Kruijff freebsd at akruijff.dds.nl
Tue Aug 19 21:48:58 PDT 2003


On Tue, Aug 19, 2003 at 09:29:13PM +0200, Alex de Kruijff wrote:
> On Tue, Aug 19, 2003 at 02:31:55PM -0400, Lucas Holt wrote:
> > I want to setup a firewall (ipfw) on my freebsd 4.8 p3 server.  The 
> > machine runs web, ftp, ssh, dns, smtp, and imap to the outside world.  
> > Does anyone have any links to example rules for servers?  (I've already 
> > looked at the handbook and man file)
> > 
> > My problem lies in UDP rules.  I think I have TCP figured out.  My 
> > first attempt blocked off DNS queries from the machine outward.  I 
> > could query the DNS server, but apps could not do lookups.  I figure it 
> > has something to do with ports above 1024, but I'm not sure how to 
> > define a rule with multi ports in a range, plus I don't know how high 
> > to go above 1024.  Is this the right action?  Ideas on syntax?

These rules apply for both TCP and UDP:
Servers mostly use ports below 1024 (fixed)
Clients normally use ports above 1024 (totally random)


> 
> First of all if you do:
> 20 allow ip from any to any via lo0
> 30 allow log ip from any to any
> 
> and you compile the verbose option in, then you could look in 
> /etc/services for packets that were accepted by rule 30
> 
> 
> 
> I'm assuming you only have one NIC and that it is called xl0.
> 
> # Just to make sure you have a connection when something goes wrong.
> 10 allow ip from YOUR_IP to SERVER_IP 
> # Connection from server to itself
> 20 allow ip from any to any via lo0
> # Allow DNS
> 30 allow tcp from any 53 to me in
> 31 allow tcp from any to me 53 out
> 
> # Allow FTP
> 40 allow tcp from any to me ftp in 
> 41 allow tcp from me ftp to any out
> 42 allow tcp from me ftp-data to any out
> 43 allow tcp from any to me ftp-data in
> 
> # Allow HTTP
> 50 allow tcp from any to me http in
> 51 allow tcp from me http to any out
> 
> # Allow SSH
> 60 allow tcp from any to me ssh in
> 61 allow tcp from me ssh to any out
> 
> # Allow SMTP
> 70 allow tcp from any to me smtp in
> 71 allow tcp from me smtp to any out
> 
> # Allow IMAP
> 80 allow tcp from any to me imap in
> 81 allow tcp from me imap to any out
> 
> # State firewall check
> 90 check-state
> 
> # Allow traffic out (and back in)
> 91 allow tcp from me to any keep-state setup
> 92 allow udp from me to any keep-state
> 93 allow ip from me to any keep-state
> 
> # Deny every thing else
> 100 deny log ip from any to any
> 
> # Again, logging helps you debug if something doesn't work.
> 
> -- 
> Alex
> 
> Articles based on solutions that I use:
> http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
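To make the port point above concrete, here is an added example (not part of the mailing list thread, and not the author's code): a small, constructed Python model of ipfw's first-match evaluation with check-state/keep-state. It shows why a ruleset that only opens the server's fixed port 53 lets outside hosts query the machine but blocks the machine's own lookups, whose replies come back to a random port above 1024, and how the quoted rules 90 and 92 fix that. All addresses and port numbers are constructed sample values, and packet direction (in/out) is ignored.

```python
# Constructed, simplified model of ipfw first-match evaluation with
# check-state / keep-state: opening only the server's fixed port 53 breaks
# the machine's own DNS lookups (the reply targets a random port above 1024),
# while the quoted rules 90 and 92 let that reply back in. Direction (in/out)
# is ignored; all addresses and ports below are constructed sample values.
ME = "192.0.2.10"           # the server ("me" in ipfw syntax)
RESOLVER = "198.51.100.1"   # upstream DNS server the machine queries
CLIENT = "203.0.113.7"      # outside host querying our DNS

def matches(rule, pkt):
    """rule = (action, proto, src, sport, dst, dport, keep_state);
    pkt = (proto, src, sport, dst, dport); 'any' and 'ip' are wildcards."""
    _, proto, src, sport, dst, dport, _ = rule
    p_proto, p_src, p_sport, p_dst, p_dport = pkt
    return (proto in ("ip", p_proto) and src in ("any", p_src)
            and sport in ("any", p_sport) and dst in ("any", p_dst)
            and dport in ("any", p_dport))

def run(rules, packets):
    """One verdict per packet: first matching rule wins, keep-state records
    the flow, check-state accepts a recorded flow in either direction."""
    state, verdicts = set(), []
    for pkt in packets:
        proto, src, sport, dst, dport = pkt
        verdict = "deny"                          # ipfw default policy
        for rule in rules:
            if rule[0] == "check-state":
                if pkt in state or (proto, dst, dport, src, sport) in state:
                    verdict = "allow"
                    break
                continue
            if matches(rule, pkt):
                if rule[6]:
                    state.add(pkt)                # dynamic rule, as keep-state
                verdict = rule[0]
                break
        verdicts.append(verdict)
    return verdicts
# Only the fixed server port is opened, like the first attempt in the question.
STATIC_ONLY = [("allow", "udp", "any", "any", ME, 53, False),   # queries to us
               ("allow", "udp", ME, 53, "any", "any", False),   # our answers
               ("deny", "ip", "any", "any", "any", "any", False)]
# Same, plus quoted rules 90 (check-state) and 92 (allow udp from me keep-state).
WITH_STATE = STATIC_ONLY[:2] + [("check-state",) + (None,) * 6,
                                ("allow", "udp", ME, "any", "any", "any", True),
                                STATIC_ONLY[2]]
# Client queries us; then our lookup leaves from a random high port and is answered.
TRAFFIC = [("udp", CLIENT, 40321, ME, 53),
           ("udp", ME, 34567, RESOLVER, 53),
           ("udp", RESOLVER, 53, ME, 34567)]
```

With STATIC_ONLY the verdicts are allow, deny, deny (the machine's own query never leaves); with WITH_STATE all three packets are allowed because rule 92 records the outgoing query and check-state admits its reply.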

