protect a single interface with IPFW ?

Frank Bonnet f.bonnet at esiee.fr
Wed Jan 12 15:05:18 UTC 2011


Thanks a lot !


On 01/12/2011 04:03 PM, krad wrote:
> On 12 January 2011 15:01, krad <kraduk at gmail.com> wrote:
>
>>
>> On 12 January 2011 14:47, Frank Bonnet <f.bonnet at esiee.fr> wrote:
>>
>>> Hello
>>>
>>> is it possible to protect a single interface with IPFW
>>> my server has only one interface and I want to
>>> allow only SSH LDAP LDAPS
>>>
>>> thanks for any examples
>>>
>>> _______________________________________________
>>> freebsd-questions at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>>
>>
>> something like this
>>
>> add pass all from any to any via lo0
>> add pass tcp from w.x.y.z to any 22 in via $int keep-state
>> add pass tcp from w.x.y.z to any 389 in via $int keep-state
>> add deny ip from any to any
>>
>> or for pf (better in my opinion)
>>
>> table <sshhosts> const { hosta, hostb, ... }
>> table <ldaphosts> const { hosta, hostb, ... }
>>
>> set skip on lo0
>>
>> block all
>> pass in quick proto tcp from <sshhosts> to any port ssh synproxy state
>> pass in quick proto tcp from <ldaphosts> to any port ldap synproxy state
>>
>>
>>
> Whoops, forgot the all-important lines. Without these your box itself can't
> initiate connections to the outside world
>
> ipfw add before the deny
>
> add pass all from any to any out via $int keep-state
>
> and for pf, add at the end
>
> pass out from any to any keep state
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"


-- 

Frank BONNET

01.45.92.66.17

Service des Moyens Informatique Generaux

ESIEE PARIS
Cité Descartes / BP 99
93162 NOISY-LE-GRAND Cedex
http://www.esiee.fr
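As an added illustration (not code from the thread, nor krad's or Frank's), a small sh script that generates an ipfw ruleset in the one-rule-per-line format that `ipfw /path/to/file` loads, covering all three services Frank asked for (SSH, LDAP and LDAPS), placing the stateful outbound rule before the final deny, and checking for the ordering slip krad corrected in his follow-up. The interface name and the trusted hosts are placeholders supplied by the caller; `setup` is added to the inbound rules so only SYN packets create state.

```shell
#!/bin/sh
# Constructed example: ipfw ruleset generator for a single-interface FreeBSD
# host that accepts only SSH, LDAP and LDAPS from a list of trusted hosts,
# while still letting the host initiate its own outbound connections.

# gen_rules IFACE "host1 host2 ..."  -> rule lines on stdout
gen_rules() {
    iface=$1
    hosts=$2
    # loopback traffic is always allowed
    echo "add 100 pass all from any to any via lo0"
    # match replies belonging to sessions created by the keep-state rules below
    echo "add 200 check-state"
    n=300
    for h in $hosts; do
        for port in 22 389 636; do          # SSH, LDAP, LDAPS
            echo "add $n pass tcp from $h to any $port in via $iface setup keep-state"
            n=$((n + 1))
        done
    done
    # the line krad initially forgot: without it the box cannot open
    # outbound connections (DNS lookups, package updates, NTP, ...)
    echo "add 60000 pass all from any to any out via $iface keep-state"
    echo "add 65000 deny ip from any to any"
}

# check_rules RULESET  -> 0 if the final deny is the last rule and a stateful
# outbound rule exists (and therefore precedes the deny), 1 otherwise
check_rules() {
    last=$(printf '%s\n' "$1" | tail -n 1)
    case "$last" in
        "add 65000 deny ip from any to any") ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -q " out via .* keep-state" || return 1
    return 0
}

# Usage on the firewall host (uncomment to apply):
#   gen_rules em0 "192.0.2.10 192.0.2.11" > /etc/ipfw.rules
#   ipfw -q -f flush && ipfw -q /etc/ipfw.rules
```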


