setting up ipfw

Jamie jamie at gnulife.org
Wed Jul 2 09:24:07 PDT 2003

On Tue, 1 Jul 2003, Kevin Kinsey, DaleCo, S.P. wrote:

> CORRECTION:
>
> That last rule I quoted is actually:
>
> 00050  allow tcp from any to my.ip.ad.res 22 setup
>                                                                  ^^
> Makes it work much better for SSH...
>


   Well, I finally met with success this morning. The box is up to the
point where I can start playing around with rulesets. I was able to get
things rolling with the config Kevin sent, but I had to add a couple of
udp entries for port 53 like David suggested as ssh has to resolve the IP
before it allows connections to port 22.

   Thanks for the help.


   - Jamie

> ----- Original Message -----
> From: "Kevin Kinsey, DaleCo, S.P." <kdk at daleco.biz>
> To: "Jamie" <jamie at gnulife.org>; <freebsd-questions at freebsd.org>
> Sent: Tuesday, July 01, 2003 8:29 PM
> Subject: Re: setting up ipfw
>
>
> > From: "Jamie" <jamie at gnulife.org>
> > To: <freebsd-questions at freebsd.org>
> > Sent: Tuesday, July 01, 2003 8:01 PM
> > Subject: setting up ipfw
> >
> >
> > >    I am having a very difficult time setting up ipfw on a 4.8
> > > installation. Was wondering if anyone might be able to shed some
> > > light on this.
> > >
> > >    I followed the directions in the handbook, and I compiled a new
> > > kernel with these options, (I am going for a deny all by default, open
> > > services as necessary philosophy):
> > >
> > > options IPFIREWALL
> > > options IPFIREWALL_VERBOSE
> > > options IPFIREWALL_VERBOSE_LIMIT=10
> > >
> > >    Upon rebooting, I was unable to access the machine from anywhere,
> > > which is fine, because I have console access.
> > >
> > >    Output of ifconfig -a looks like this:
> > >
> > >  ifconfig -a
> > > fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > >         inet 200.88.54.93 netmask 0xffffff00 broadcast 200.88.54.255
> > >         inet6 fe80::203:47ff:fe77:8169%fxp0 prefixlen 64 scopeid 0x1
> > >         ether 00:03:47:77:81:69
> > >         media: Ethernet autoselect (100baseTX <full-duplex>)
> > >         status: active
> > > lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> > > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> > >         inet6 ::1 prefixlen 128
> > >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> > >         inet 127.0.0.1 netmask 0xff000000
> > > ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> > > sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> > > faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
> > >
> > >    the name of the machine is power.bar.com
> > >
> > >
> > >    I want to ssh in from another machine: foo.bar.com with IP
> > > address 200.88.34.12.
> > >
> > >
> > >
> > >   This is the rule I am adding:
> > >
> > >
> > > ipfw add allow tcp from 200.88.34.12 to power.bar.com 22
> > >
> > >
> > >    It tells me it can't resolve power.bar.com!
> > >
> > > So, I try:
> > >
> > > ipfw add allow tcp from 200.88.34.12 to 200.88.54.93 22
> > >
> > >    It accepts the rule, but I still cannot connect from foo.bar.com.
> > >
> > >    Anyone have any ideas?
> >
> > Are you allowing ip OUT from 200.88.54.93?
> >
> > Please post output of "ipfw show" (not that it's
> > not implicit, I guess...) and describe your network
> > topography.
> >
> > FWIW, here's my top few rules:
> >
> > 00010 allow ip from my.ip.ad.dres to any out
> > 00020 deny log logamount 20 ip from any to any out
> > 00030  allow tcp from any to any established
> > 00040  allow ip from any to any frag
> > 00050  allow tcp from any to my.ip.ad.res setup
> >
> > Kevin Kinsey
> > DaleCo, S.P.
> >
> >

"A friend is someone who lets you have total freedom to be yourself."
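As an added example (not code from the thread or from the FreeBSD project), the sh script below prints the deny-by-default ruleset the thread converges on: Kevin's top rules, the corrected rule 50 with port 22, and the two UDP port 53 entries Jamie needed for sshd's reverse lookup. The resolver address, the lo0 rule and rule numbers 5, 60, 70 and 65000 are assumptions, not from the posts.

```shell
#!/bin/sh
# Added example, not from the thread: print a deny-by-default ipfw ruleset
# that follows Kevin's top rules plus the corrected rule 50 and the UDP 53
# entries Jamie needed. It only prints; review the output before feeding it
# to sh on the firewall (do that from the console, as a flush locks you out).
build_ruleset() {
    myip="$1"       # this host's address, e.g. 200.88.54.93 from the post
    resolver="$2"   # the DNS server this host queries (assumed placeholder)
    cat <<EOF
ipfw -q flush
# loopback traffic must pass or local services break
ipfw add 5 allow ip from any to any via lo0
# traffic originating from this host is trusted; spoofed sources are logged
ipfw add 10 allow ip from $myip to any out
ipfw add 20 deny log logamount 20 ip from any to any out
# replies belonging to sessions this host already has
ipfw add 30 allow tcp from any to any established
ipfw add 40 allow ip from any to any frag
# inbound SSH: "setup" matches only the initial SYN, and naming port 22
# keeps this rule from admitting new connections to every TCP service
ipfw add 50 allow tcp from any to $myip 22 setup
# sshd resolves the client's address before it accepts the login; rule 10
# already lets the query out, so the reply from the resolver is what matters
ipfw add 60 allow udp from $myip to $resolver 53 out
ipfw add 70 allow udp from $resolver 53 to $myip in
# everything else is dropped and logged (the kernel's rule 65535 would
# drop it silently anyway with IPFIREWALL and no DEFAULT_TO_ACCEPT)
ipfw add 65000 deny log ip from any to any
EOF
}

# Number of rules the script would install, as a quick sanity check.
rule_count() {
    build_ruleset "$1" "$2" | grep -c '^ipfw add'
}

# Usage: MYIP=200.88.54.93 RESOLVER=<your resolver> sh ipfw-rules.sh
if [ -n "$MYIP" ] && [ -n "$RESOLVER" ]; then
    build_ruleset "$MYIP" "$RESOLVER"
fi
```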
