On 6/22/05, James <[EMAIL PROTECTED]> wrote:
> Hi! I use FreeBSD version 4.11 and I'm new to ipfirewall (ipfw).
> I started reading about ipfw this month and my mind is getting
> somewhat confused. I read the handbook on IPFW and still I don't
> understand it, not the whole thing, but I understand a little.
>
> This is my network diagram:
> ----------
> ISP
> DSL Modem
> DSL Router
> (a)FBSD SERVER(b)
>
> TWO-PC-CLIENTS
> ----------
>
> My `FBSD SERVER` has two ethernet interfaces: (a) vr0 (192.168.0.2 |
> 255.255.255.0) and (b) rl0 (172.16.20.1 | 255.255.255.0). My
> `TWO-PC-CLIENTS` have the IP addresses 172.16.20.11 and
> 172.16.20.12. I have successfully set up and configured
> NATD to share the Internet connection with the
> TWO-PC-CLIENTS, following
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
>
> Now I want to test how ipfw works and whether it works effectively
> on my fbsd box to block the TWO-PC-CLIENTS from ssh, browsing,
> etc. But I failed: it doesn't block ports 22 and 80, and the
> TWO-PC-CLIENTS can still browse and SSH on my fbsd box. Here are my
> rc.conf, natd.conf and rules.firewall files:
>
> http://www.rootshell.be/~jam3s/file.txt
>
> My question is, how can I block ports 22 and 80 so that blocking
> the TWO-PC-CLIENTS and others I want to block/deny will work? I have
> been reading rc.firewall and don't understand it very well :). I hope
> someone can help me... If you have a nice tutorial for the
> basic ipfw commands that is easier to understand, just tell me
> :)..
>
> thanks in advance..
>
> james
Take a look at my example rules and change them as needed.

# /etc/rc.conf
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
# /etc/rc.conf - end

# /etc/ipfw.rules
# nat
add divert natd ip from any to any via vr0
# allow all via loopback interface and antispoof 127.0.0.1
add allow all from any to any via lo0
add deny ip from 127.0.0.0/8 to any
add deny ip from any to 127.0.0.0/8
# some icmp rules for external interface (vr0)
add allow icmp from any to any in via vr0 icmptypes 0,3,11
add allow icmp from any to any out via vr0 icmptypes 8
# some icmp rules for internal network (rl0)
add allow icmp from any to any via rl0 icmptypes 0,3,8,11
# stateful rules for freebsd box
add allow tcp from me to any setup keep-state
add allow udp from me to any keep-state
#
# 'me' expands automatically to any ip running on the FreeBSD box
# in your case 192.168.0.2 and 172.16.20.1 so you do not have
# to write two rules for them
#
# here we can put rules to allow local and/or external clients
# to access the FreeBSD box
# for example a dns server on port 53 'udp' for local clients
# add allow udp from any to me 53 via rl0 keep-state
#
# deny everyone from accessing my FreeBSD box
add deny all from any to me
# deny local clients (rl0) from accessing port 80 and 22
add deny tcp from any to any 80,22 via rl0
#
# I am not sure how to write stateful filter rules for
# clients behind nat (local network) so you might
# just use firewalls on the clients and pass all on FreeBSD
# rules for local network
add allow tcp from any to any via rl0
add allow udp from any to any via rl0
# deny everything else (if not already the default)
add deny all from any to any
# /etc/ipfw.rules - end

Check man ipfw for more information. And one last point, I started to use PF so things mix up for me from time to time.
So wait for others to review the rules and advise or modify.

--
Kind regards
Abu Khaled
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
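As an added example (not part of either message in this thread), here is a small Python simulator of ipfw's first-match evaluation for the subset of syntax used in the ruleset above. The ruleset is the one posted in the reply; the test packets and the external address 203.0.113.10 are constructed for the example, natd address rewriting is skipped, and keep-state is modelled only as a flow table. It shows that a client's SSH attempt at the box is stopped by "deny all from any to me" before the 80,22 rule is ever reached, that the 80,22 rule is what stops client web browsing, and why "keep-state" is needed for replies to the box's own outbound connections to get past the "deny all from any to me" rule.

```python
"""First-match simulator for the ipfw(8) subset used in the ruleset above. Added
example, not code from the original post: natd rewriting is skipped and keep-state
is a plain flow table, so reason about rule order here, then verify on the box."""
import ipaddress
from collections import namedtuple

ME = {"192.168.0.2", "172.16.20.1"}   # what 'me' expands to on this box
RULES = """
add divert natd ip from any to any via vr0
add allow all from any to any via lo0
add deny ip from 127.0.0.0/8 to any
add deny ip from any to 127.0.0.0/8
add allow icmp from any to any in via vr0 icmptypes 0,3,11
add allow icmp from any to any out via vr0 icmptypes 8
add allow icmp from any to any via rl0 icmptypes 0,3,8,11
add allow tcp from me to any setup keep-state
add allow udp from me to any keep-state
add deny all from any to me
add deny tcp from any to any 80,22 via rl0
add allow tcp from any to any via rl0
add allow udp from any to any via rl0
add deny all from any to any
"""   # the active lines of the posted ruleset, comments dropped

# iface: interface the packet is seen on; direction: "in"/"out"; syn: SYN without ACK ('setup')
Packet = namedtuple("Packet", "proto src dst iface direction sport dport syn icmptype", defaults=(0, 0, False, 0))

_ports = lambda tok: {int(p) for p in tok.split(",")}

def _addr_ok(spec, addr):   # 'any', 'me', a host address or a CIDR prefix
    return spec == "any" or (addr in ME if spec == "me" else
                             ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))

def parse_rule(line):
    """Parse one 'add ...' line into a dict; an absent key matches anything."""
    toks = line.split()
    pi = 3 if toks[1] == "divert" else 2          # divert carries a port name first
    r = {"action": toks[1], "proto": toks[pi], "text": line}
    i = toks.index("from") + 1
    r["src"], i = toks[i], i + 1
    if toks[i] != "to":
        r["sports"], i = _ports(toks[i]), i + 1
    r["dst"], i = toks[i + 1], i + 2              # skip 'to'
    if i < len(toks) and toks[i][0].isdigit():
        r["dports"], i = _ports(toks[i]), i + 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r["direction"] = t
        elif t in ("via", "icmptypes"):
            i += 1
            r[t] = _ports(toks[i]) if t == "icmptypes" else toks[i]
        elif t in ("setup", "keep-state"):
            r[t] = True
        i += 1
    return r

def rule_matches(r, p):
    return (r["proto"] in ("ip", "all", p.proto)
            and _addr_ok(r["src"], p.src) and _addr_ok(r["dst"], p.dst)
            and p.sport in r.get("sports", {p.sport}) and p.dport in r.get("dports", {p.dport})
            and r.get("direction", p.direction) == p.direction and r.get("via", p.iface) == p.iface
            and (not r.get("setup") or (p.proto == "tcp" and p.syn)) and p.icmptype in r.get("icmptypes", {p.icmptype}))

class Firewall:
    def __init__(self, rules_text):
        self.rules = [parse_rule(l) for l in rules_text.splitlines() if l.startswith("add")]
        self.state = {}   # flow 5-tuple -> action of the keep-state rule that created it

    def check(self, p):
        """Return (action, reason) from the first rule that decides packet p."""
        flow, back = (p.proto, p.src, p.sport, p.dst, p.dport), (p.proto, p.dst, p.dport, p.src, p.sport)
        for r in self.rules:
            # ipfw consults the dynamic table at the first keep-state/check-state rule it reaches
            if r.get("keep-state") and (flow in self.state or back in self.state):
                return self.state.get(flow) or self.state[back], "dynamic rule, checked at: " + r["text"]
            if not rule_matches(r, p):
                continue
            if r["action"] == "divert":
                continue                          # natd would rewrite addresses here; not modelled
            if r.get("keep-state"):
                self.state[flow] = r["action"]
            return r["action"], r["text"]
        return "deny", "implicit default deny"

def run_examples():
    fw, cl, box, web = Firewall(RULES), "172.16.20.11", "192.168.0.2", "203.0.113.10"
    return {   # constructed packets; 203.0.113.10 stands in for some external web server
        "client ssh to box": fw.check(Packet("tcp", cl, "172.16.20.1", "rl0", "in", 50000, 22, syn=True)),
        "client http out":   fw.check(Packet("tcp", cl, web, "rl0", "in", 50001, 80, syn=True)),
        "client https out":  fw.check(Packet("tcp", cl, web, "rl0", "in", 50002, 443, syn=True)),
        "box http out":      fw.check(Packet("tcp", box, web, "vr0", "out", 45000, 80, syn=True)),
        "reply to box":      fw.check(Packet("tcp", web, box, "vr0", "in", 80, 45000)),
        "reply, no state":   Firewall(RULES).check(Packet("tcp", web, box, "vr0", "in", 80, 45000)),
    }

if __name__ == "__main__":
    for name, (action, why) in run_examples().items():
        print(f"{name:18} {action:5} <- {why}")
```

Running it prints one line per constructed packet with the rule that decided it. The "reply, no state" case is the same inbound reply evaluated by a fresh instance with an empty dynamic table: it lands on "deny all from any to me", which is exactly what would happen to the box's own web and DNS traffic if the "keep-state" keyword were dropped from the "from me" rules. To see the ordering on a real box, compare the output against `ipfw -a list` after loading the file.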
