ipfw rules
Jurjen Middendorp
jurjenm at stack.nl
Thu Dec 21 05:36:50 PST 2006
Ok, I changed my original rules. I'm going to use both the ruleset you recommended
and these ones (not at the same time though :) and see which one gives me the
least trouble.
greetings,
jurjen.
#!/bin/sh
ipfw -q flush
cmd="ipfw -q add"
ks="keep-state"
oif="ath0"
#sort in and out packets: incoming traffic on $oif goes to the
#incoming section (100), outgoing traffic to the outgoing section (15)
$cmd 1 skipto 100 ip from any to any in recv $oif
$cmd 2 skipto 15 ip from any to any out xmit $oif
#setup the loopback
$cmd 011 allow all from any to any via lo0
$cmd 012 deny all from any to 127.0.0.0/8
$cmd 013 deny ip from 127.0.0.0/8 to any
$cmd 014 allow icmp from any to any
####
# Outgoing (15)
#match packets belonging to sessions already in the dynamic ruleset
$cmd 015 check-state
#internet sites:
$cmd 020 allow tcp from me to any 80 out via $oif setup $ks
#allow dns queries
$cmd 025 allow udp from me to any 53 out via $oif $ks
#to stack
$cmd 030 allow all from me to 131.155.0.0/16 via $oif $ks
#e-mail pop
$cmd 040 allow tcp from me to any 110 out via $oif setup $ks
#imap
#$cmd 041 allow tcp from me to any 143 out via $oif setup $ks
#allow ssh (setup only ever matches tcp, so say tcp instead of all)
$cmd 050 allow tcp from me to any 22 out via $oif setup $ks
#https
$cmd 054 allow tcp from me to any 443 out via $oif setup $ks
#gopher
$cmd 055 allow tcp from me to any 70 out via $oif setup $ks
#root can do anything
$cmd 070 allow log all from me to any out via $oif setup $ks uid root
####
# Incoming (100)
#replies to sessions opened by the keep-state rules above
$cmd 100 check-state
#log ACK packets that didn't match the dynamic ruleset
$cmd 101 deny log all from any to any established in via $oif
#default: deny ip from any to any
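Since the two skipto targets decide whether an outgoing packet ever reaches the allow rules, here is a small first-match evaluator for this ruleset's skipto/keep-state structure (an added example, not ipfw code; it assumes a check-state rule at the head of the incoming section and that a keep-state rule performs an implicit check-state when reached, as ipfw(8) describes). trace(15, 100) is the order as posted; trace(100, 15) sends outgoing traffic to the allow rules and incoming replies to check-state.

```python
# Minimal model of ipfw's first-match evaluation (rule order, skipto, keep-state,
# check-state) for the ruleset above. Added illustration, not ipfw itself.
from collections import namedtuple

# port is the flow's service port; est=True stands in for "established" (ACK set)
Rule = namedtuple("Rule", "num action proto port direction est skip keep")

def ruleset(in_target, out_target):
    """The posted table with the two skipto targets as parameters and
    (assumption) a check-state rule at the head of the inbound section."""
    R = Rule
    return [
        R(1, "skipto", "ip", None, "in", None, in_target, False),
        R(2, "skipto", "ip", None, "out", None, out_target, False),
        R(15, "check-state", None, None, None, None, None, False),
        R(20, "allow", "tcp", 80, "out", None, None, True),
        R(25, "allow", "udp", 53, "out", None, None, True),
        R(100, "check-state", None, None, None, None, None, False),
        R(101, "deny", "ip", None, "in", True, None, False),
    ]

def evaluate(table, pkt, state):
    """pkt = (proto, port, direction, ack_set); state = flows opened by keep-state."""
    proto, port, direction, ack = pkt
    i = 0
    while i < len(table):
        r = table[i]
        # reaching a keep-state rule also performs an implicit check-state
        if (r.action == "check-state" or r.keep) and (proto, port) in state:
            return "allow", r.num
        matched = (r.action != "check-state" and r.proto in ("ip", proto)
                   and r.port in (None, port) and r.direction in (None, direction)
                   and (r.est is None or ack))
        if not matched:
            i += 1
        elif r.action == "skipto":  # continue at the first rule numbered >= target
            i = next((j for j, x in enumerate(table) if x.num >= r.skip), len(table))
        else:
            if r.keep:
                state.add((proto, port))  # create the dynamic rule
            return r.action, r.num
    return "deny", "default"  # fell off the end: the kernel's default deny rule

def trace(in_target, out_target):
    """Outbound HTTP SYN, its inbound reply, then an unsolicited inbound ACK."""
    table, state = ruleset(in_target, out_target), set()
    syn = evaluate(table, ("tcp", 80, "out", False), state)
    reply = evaluate(table, ("tcp", 80, "in", True), state)
    stray = evaluate(table, ("tcp", 25, "in", True), state)
    return syn, reply, stray
```

With the posted targets the outbound SYN falls through to the default rule and is never allowed; with the targets swapped it matches rule 20 and its reply is accepted by check-state at 100, while the stray ACK still hits the deny rule.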