protect a single interface with IPFW ?
krad
kraduk at gmail.com
Wed Jan 12 15:03:43 UTC 2011
On 12 January 2011 15:01, krad <kraduk at gmail.com> wrote:
>
>
> On 12 January 2011 14:47, Frank Bonnet <f.bonnet at esiee.fr> wrote:
>
>> Hello
>>
>> is it possible to protect a single interface with IPFW
>> my server has only one interface and I want to
>> allow only SSH LDAP LDAPS
>>
>> thanks for any examples
>>
>
>
> something like this
>
> add pass all from any to any via lo0
> add pass tcp from w.x.y.z to any 22 in via $int keep-state
> add pass tcp from w.x.y.z to any 389 in via $int keep-state
> add deny ip from any to any
>
> or for pf (better in my opinion)
>
> table <sshhosts> const { hosta, hostb, ... }
> table <ldaphosts> const { hosta, hostb, ... }
>
> set skip on lo0
>
> block all
> pass in quick proto tcp from <sshhosts> to any port ssh synproxy state
> pass in quick proto tcp from <ldaphosts> to any port ldap synproxy state
>
>
>
Whoops, forgot the all-important lines. Without these your box itself can't
initiate connections to the outside world.

For ipfw, add before the deny:

add pass all from any to any out via $int keep-state

and for pf, add at the end:

pass out from any to any keep state
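
The ipfw lines from this thread merged in the order the follow-up calls for (outbound pass before the final deny), as an added example that is not part of the original posts. The rule numbers, the LDAPS rule on port 636, the input checks, the `build_rules` name and the sample interface and addresses are assumptions; the script only prints the commands and applies nothing.

```shell
#!/bin/sh
# Added example: prints ipfw commands (dry run); nothing is applied here.
# Assumed, not from the thread: rule numbers, the LDAPS (636) rule,
# and the sample interface/addresses passed to build_rules below.

PORTS="22 389 636"   # SSH, LDAP, LDAPS (636 is an addition)

# build_rules IFACE SRC [SRC...]  -> one ipfw command per line on stdout
build_rules() {
    int="$1"; shift
    # Accept only a plain interface name and IPv4[/len] sources, because
    # the output is meant to be reviewed and then fed to a shell.
    case "$int" in ''|*[!a-z0-9]*) echo "bad interface" >&2; return 1;; esac
    [ "$#" -gt 0 ] || { echo "no sources given" >&2; return 1; }
    for src in "$@"; do
        case "$src" in ''|*[!0-9./]*) echo "bad source: $src" >&2; return 1;; esac
    done

    n=100
    rule() { printf 'ipfw -q add %05d %s\n' "$n" "$*"; n=$((n + 100)); }

    echo "ipfw -q -f flush"
    rule pass all from any to any via lo0
    for src in "$@"; do
        for port in $PORTS; do
            rule pass tcp from "$src" to any "$port" in via "$int" keep-state
        done
    done
    # The follow-up's correction: the outbound rule must precede the deny,
    # otherwise the host cannot open connections of its own.
    rule pass all from any to any out via "$int" keep-state
    rule deny ip from any to any
}

# Constructed sample values (documentation address ranges).
build_rules em0 192.0.2.10 198.51.100.0/24
```

Review the printed commands before running them on the FreeBSD host; flushing and reloading rules over an SSH session can lock you out if the source address is wrong.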