protect a single interface with IPFW ?

krad kraduk at gmail.com
Wed Jan 12 15:03:43 UTC 2011


On 12 January 2011 15:01, krad <kraduk at gmail.com> wrote:

>
>
> On 12 January 2011 14:47, Frank Bonnet <f.bonnet at esiee.fr> wrote:
>
>> Hello
>>
>> is it possible to protect a single interface with IPFW
>> my server has only one interface and I want to
>> allow only SSH LDAP LDAPS
>>
>> thanks for any examples
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "
>> freebsd-questions-unsubscribe at freebsd.org"
>>
>
>
> something like this
>
> add pass all from any to any via lo0
> add pass tcp from w.x.y.z to any 22 in via $int keep-state
> add pass tcp from w.x.y.z to any 389 in via $int keep-state
> add deny ip from any to any
>
> or for pf (better in my opinion)
>
> table <sshhosts> const { hosta, hostb, ... }
> table <ldaphosts> const { hosta, hostb, ... }
>
> set skip on lo0
>
> block any from any
> pass in quick proto tcp from <sshhosts> to any port ssh synproxy state
> pass in quick proto tcp from <ldaphosts> to any port ldap synproxy state
>
>
>

Whoops, forgot the all-important lines. Without these your box itself can't
initiate connections to the outside world.

ipfw add before the deny

add pass all from any to any out via $int keep-state

and for pf, add at the end

pass out from any to any keep state
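For readers who want the IPFW variant as one runnable piece, here is an added example (not krad's rules and not from the thread) that generates a complete stateful ruleset for a single-interface host: lo0 passed, inbound SSH (22), LDAP (389) and LDAPS (636) only from a trusted prefix, the outbound keep-state rule placed before the final deny, and a default-deny at the end. 636 is the registered LDAPS port, which the original reply omitted. The interface name em0, the prefix 192.0.2.0/24 (an RFC 5737 documentation range) and the function name build_ruleset are assumptions; by default FWCMD is "echo ipfw -q" so the script only prints the commands it would run, and you set FWCMD="ipfw -q" as root to apply them.

```shell
#!/bin/sh
# Added example: minimal stateful IPFW ruleset for a one-interface FreeBSD host.
# Not from the original thread. Interface, prefix and function names are assumptions.
# Dry run by default: FWCMD="ipfw -q" (run as root) actually loads the rules.

ext_if="${EXT_IF:-em0}"                  # assumed external interface name
admin_net="${ADMIN_NET:-192.0.2.0/24}"   # constructed trusted prefix (RFC 5737)
FWCMD="${FWCMD:-echo ipfw -q}"           # print instead of apply unless overridden

build_ruleset() {
    # $1 = interface the rules bind to, $2 = trusted source address or prefix
    _if="$1"; _src="$2"
    $FWCMD -f flush
    # match replies to already-established dynamic (keep-state) sessions first
    $FWCMD add 100 check-state
    # loopback is always allowed (same role as "via lo0" / "set skip on lo0")
    $FWCMD add 200 allow ip from any to any via lo0
    # anti-spoof: loopback addresses must never appear on the wire
    $FWCMD add 300 deny ip from any to 127.0.0.0/8
    $FWCMD add 310 deny ip from 127.0.0.0/8 to any
    # inbound SSH, LDAP, LDAPS from the trusted prefix only; "setup" matches
    # only the initial SYN, keep-state tracks the rest of the session
    for port in 22 389 636; do
        $FWCMD add 400 allow tcp from "$_src" to me "$port" in via "$_if" setup keep-state
    done
    # the host itself may initiate anything; this must precede the final deny
    $FWCMD add 500 allow ip from me to any out via "$_if" keep-state
    # default deny, logged so blocked probes show up in the firewall log
    $FWCMD add 65000 deny log ip from any to any
}

build_ruleset "$ext_if" "$admin_net"
```

Loading this with FWCMD="ipfw -q" over SSH is safe only because the outbound keep-state rule and check-state are in place before the deny; the original reply's first version lacked exactly that rule, which is why krad followed up with it.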
