IPFW rules

Oliver Fromme olli at lurza.secnetix.de
Tue Aug 22 13:05:41 UTC 2006


SigmaX asdf wrote:
 > I'm trying to setup IPFW to block all ports except those I specify.
 > For starters I'm just opening SSH.
 > 
 > # ipfw list
 > 00050 divert 8668 ip4 from any to any via rl0
 > 00100 allow ip from any to any via lo0
 > 00200 deny ip from any to 127.0.0.0/8
 > 00300 deny ip from 127.0.0.0/8 to any
 > 00301 allow log tcp from any to any dst-port 22
 > 00399 deny ip from any to any
 > 65000 allow ip from any to any
 > 65535 deny ip from any to any
 > 
 > Traffic is still blocked on port 22 -- I can't login via SSH.  What am
 > I doing wrong, and what rule should I be using to allow SSH in and
 > through?

TCP connections are always 2-way (i.e. they require both
ingoing and outgoing packets).  But your rules allow only
one way.  There are three possibilities:

(1)  Add a rule "allow log tcp from any to any src-port 22"
     (not very efficient, but works).
(2)  Add "setup" to the dst-port 22 rule and add a rule
     that allows established connections.
(3)  Use "keep-state".

See the ipfw(8) manual page for details.  You should also
read a good book on TCP/IP and packet filter configuration.

By the way, you probably should also allow name server
traffic (port 53, UDP and TCP) and ICMP packets.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"That's what I love about GUIs: They make simple tasks easier,
and complex tasks impossible."
        -- John William Chambless
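A stateful version of the poster's ruleset, as an added example that is not part of Oliver's reply or the original post: it applies option (3) from the reply (setup + keep-state with a check-state rule) and notes option (2) in a comment, and it assumes the divert/NAT rule on rl0 stays as the poster had it and that FWCMD is set to the real ipfw binary when the script is applied on the host.

```shell
#!/bin/sh
# Stateful rewrite of the ruleset from the thread (option 3 of the reply).
# Assumption: FWCMD names the real ipfw binary when run on the firewall;
# it defaults to "echo ipfw" so the rules can be reviewed as a dry run.
fwcmd=${FWCMD:-"echo ipfw"}

load_rules() {
    $fwcmd -f flush

    # Unchanged from the original list: NAT divert and loopback handling.
    $fwcmd add 00050 divert 8668 ip4 from any to any via rl0
    $fwcmd add 00100 allow ip from any to any via lo0
    $fwcmd add 00200 deny ip from any to 127.0.0.0/8
    $fwcmd add 00300 deny ip from 127.0.0.0/8 to any

    # Match packets that belong to dynamic rules created by keep-state below.
    # This is what lets the SSH server's replies (src-port 22) back out,
    # which the original list dropped at rule 00399.
    $fwcmd add 00250 check-state

    # SSH in and through: "setup" matches only the connection-opening SYN,
    # "keep-state" records the flow so check-state passes the rest of it.
    $fwcmd add 00301 allow log tcp from any to any dst-port 22 setup keep-state

    # Name service, as suggested in the reply (UDP and TCP).
    $fwcmd add 00310 allow udp from any to any dst-port 53 keep-state
    $fwcmd add 00311 allow tcp from any to any dst-port 53 setup keep-state

    # ICMP: echo reply, destination unreachable (incl. fragmentation needed
    # for path MTU discovery), echo request, time exceeded.
    $fwcmd add 00320 allow icmp from any to any icmptypes 0,3,8,11

    # Stateless alternative (option 2 of the reply): drop check-state and
    # replace the port 22 rule with
    #   allow log tcp from any to any dst-port 22 setup
    #   allow tcp from any to any established
    # where "established" matches any TCP packet with ACK or RST set.

    # Everything else is denied, and logged so blocked flows are visible.
    $fwcmd add 00399 deny log ip from any to any
}

load_rules
```

Run as root with FWCMD=/sbin/ipfw to load the rules; without it the script only prints the ipfw commands it would run.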
