IPFW ruleset not working... advice? WAS Re: Running processes...

Eric F Crist ecrist at adtechintegrated.com
Sat Feb 14 11:15:19 PST 2004


On Saturday 14 February 2004 12:58 pm, Erik Trulsson wrote:
> On Sat, Feb 14, 2004 at 12:47:01PM -0600, Eric F Crist wrote:
> > Hello all,
> >
> > I've got the following ruleset, but I can't ssh into my server anymore. 
> > What did I miss?
>
> You missed allowing IP packets going from your server to the outside.
> You only allow packets from the outside to you.
>
> I also think you might have misplaced the port numbers.
> As it is you allow connections *from* port 25 (etc.) on the outside to
> any port on your machine. I believe you want it the other way around
> (i.e. allowing connections *to* port 25 on your machine from anywhere on
> the outside.)
>
> > grog# ipfw show
> > 00100   0     0 allow ip from any to any via lo0
> > 00200   0     0 deny ip from any to 127.0.0.0/8
> > 00300   0     0 deny ip from 127.0.0.0/8 to any
> > 00400   7  1562 allow ip from 1.2.3.4/29 to me
> > 00500   0     0 allow ip from any 22 to me
> > 00600   0     0 allow ip from any 21 to me
> > 00700   0     0 allow ip from any 25 to me
> > 00800   0     0 allow ip from any 80 to me
> > 00900   0     0 allow ip from any 443 to me
> > 01000   0     0 allow ip from any 110 to me
> > 01100   0     0 allow ip from any 53 to me
> > 01200   0     0 allow ip from any 6667 to me
> > 01300   0     0 allow ip from any 6668 to me
> > 01400   0     0 deny ip from not 1.2.3.4/29 8080 to me
> > 65535 101 13960 deny ip from any to any
> >
> > Thanks.
> >
> > --
> > Eric F Crist
> > AdTech Integrated Systems, Inc
> > (612) 998-3588

Hey, thanks!  I changed all the rules so they read:

allow ip from any to me <port>

and added the rule:

allow ip from me to any at rule 50

All seems to work now!  Does anyone have any suggestions on how to make this 
system even tighter?  Thanks.
-- 
Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
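The two mistakes Erik points out (no rule for packets leaving the server, and port numbers placed on the source side) are easy to check on paper for one packet but tedious for a whole ruleset. Below is an added, self-contained first-match simulator for the small ipfw syntax subset used in this thread; it is an illustration written for this post, not FreeBSD or ipfw code. It assumes a constructed server address of 198.51.100.10 for `me` and a constructed outside client at 203.0.113.5, models only `allow`/`deny ip from A [port] to B [port]` with `any`, `me`, `not` and CIDR endpoints, omits rule 100 because `via lo0` (interfaces) is not modelled, and takes `not` as negating the address only. Rules 600-1300 follow the same pattern as rule 500 and are left out of the embedded lists to keep the example short.

```python
"""First-match simulator for the ipfw rule subset used in this thread.

Added illustration, not FreeBSD/ipfw code.  Evaluation is stateless and in
rule order, ending in the implicit '65535 deny ip from any to any' shown in
the thread's 'ipfw show' output.  'via lo0' is not modelled (rule 100 left
out); 'not' is taken to negate the address only (assumption).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ME = ipaddress.ip_address("198.51.100.10")   # constructed server address (assumption)

@dataclass
class Endpoint:
    negate: bool
    net: object                # None = 'any', "me" = the server, else an ip_network
    port: Optional[int]

@dataclass
class Rule:
    number: int
    action: str                # "allow" or "deny"
    src: Endpoint
    dst: Endpoint

def _parse_endpoint(tokens):
    negate = tokens[0] == "not"
    if negate:
        tokens = tokens[1:]
    spec = tokens[0]
    if spec in ("any", "me"):
        net = None if spec == "any" else "me"
    else:
        net = ipaddress.ip_network(spec, strict=False)   # 1.2.3.4/29 -> 1.2.3.0/29
    return Endpoint(negate, net, int(tokens[1]) if len(tokens) > 1 else None)

def parse_rule(line):
    """Parse '00500 allow ip from any 22 to me'; 'ipfw show' counters are skipped."""
    t = line.split()
    number, t = int(t[0]), t[1:]
    if t[0].isdigit() and t[1].isdigit():     # packet and byte counters
        t = t[2:]
    if t[0] not in ("allow", "deny") or t[1] != "ip" or t[2] != "from":
        raise ValueError("unsupported rule: " + line)
    i = t.index("to")
    return Rule(number, t[0], _parse_endpoint(t[3:i]), _parse_endpoint(t[i + 1:]))

def load(text):
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    return sorted(rules, key=lambda r: r.number)

def _match(ep, addr, port):
    if ep.port is not None and port != ep.port:
        return False
    if ep.net is None:
        ok = True
    elif isinstance(ep.net, str):              # "me"
        ok = addr == ME
    else:
        ok = addr in ep.net
    return not ok if ep.negate else ok

def evaluate(rules, src, sport, dst, dport):
    """(action, rule number) of the first rule matching one packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _match(r.src, src, sport) and _match(r.dst, dst, dport):
            return r.action, r.number
    return "deny", 65535                       # ipfw's implicit last rule

# The thread's ruleset (rules 600-1300 follow the pattern of 500 and are elided).
ORIGINAL = load("""
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow ip from 1.2.3.4/29 to me
00500 allow ip from any 22 to me
00700 allow ip from any 25 to me
00800 allow ip from any 80 to me
01400 deny ip from not 1.2.3.4/29 8080 to me
""")

# As corrected in the follow-up: outbound rule at 50, ports on the 'to me' side
# (the deny at 1400 is given the same treatment here).
CORRECTED = load("""
00050 allow ip from me to any
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow ip from 1.2.3.4/29 to me
00500 allow ip from any to me 22
00700 allow ip from any to me 25
00800 allow ip from any to me 80
01400 deny ip from not 1.2.3.4/29 to me 8080
""")

def ssh_handshake(rules, client="203.0.113.5", client_port=51000):
    """Verdicts for the client's SYN to port 22 and the server's SYN-ACK back."""
    return (evaluate(rules, client, client_port, str(ME), 22),
            evaluate(rules, str(ME), 22, client, client_port))

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, ssh_handshake(rules), evaluate(rules, "203.0.113.5", 22, str(ME), 8080))
```

Running it shows both points from the reply: with the original rules the server's SYN-ACK falls through to 65535 even for a client that rule 400 let in, and a packet with source port 22 matches rule 500 whatever port it is aimed at, so the 8080 deny at 1400 never sees it. With the corrected rules the handshake passes at 500 and 50 and the 8080 packet is denied at 1400. Because the model is stateless, rule 50 is as broad as it looks; the simulator is a cheap place to try narrower outbound rules before loading them.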