On 12 January 2011 15:01, krad <[email protected]> wrote:
>
> On 12 January 2011 14:47, Frank Bonnet <[email protected]> wrote:
>
>> Hello
>>
>> is it possible to protect a single interface with IPFW
>> my server has only one interface and I want to
>> allow only SSH LDAP LDAPS
>>
>> thanks for any examples
>>
>> _______________________________________________
>> [email protected] mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "[email protected]"
>>
>
> something like this
>
> add pass all from any to any via lo0
> add pass tcp from w.x.y.z to any 22 in via $int keep-state
> add pass tcp from w.x.y.z to any 389 in via $int keep-state
> add deny ip from any to any
>
> or for pf (better in my opinion)
>
> table <sshhosts> const { hosta, hostb, ... }
> table <ldaphosts> const { hosta, hostb, ... }
>
> set skip on lo0
>
> block from any to any
> pass in quick proto tcp from <sshhosts> to any port ssh synproxy state
> pass in quick proto tcp from <ldaphosts> to any port ldap synproxy state
>
Whoops, forgot the all important lines. Without these your box itself can't
initiate connections to the outside world.

ipfw
add before the deny

add pass all from any to any out via $int keep-state

and for pf, add at the end

pass out from any to any keep state
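
The ipfw rules from both messages, assembled in the order the follow-up calls for (outbound pass before the final deny). This is an added example, not part of the original thread; it prints the commands as a dry run unless IPFW is overridden. Assumptions not in the thread: the interface name em0, the documentation addresses 192.0.2.10 and 192.0.2.11, the explicit rule numbers, the LDAPS port 636 rule (the posted rules cover only 22 and 389), and the helper names build_rules and emit.

```shell
#!/bin/sh
# Added example: build the single-interface ipfw ruleset discussed above.
# Dry run by default (commands are printed); set IPFW="ipfw -q" to apply them.
IPFW="${IPFW:-echo ipfw -q}"

# build_rules IFACE HOST...  (hypothetical helper, not from the thread)
build_rules() {
    # Refuse an empty allow-list: applied remotely, it would cut off SSH.
    [ $# -ge 2 ] || { echo "usage: build_rules IFACE HOST..." >&2; return 1; }
    int="$1"; shift
    n=100
    # Explicit rule numbers keep the evaluation order deterministic.
    emit() { $IPFW add "$n" "$@"; n=$((n + 100)); }

    # Loopback traffic is always allowed.
    emit pass all from any to any via lo0
    # Inbound SSH (22), LDAP (389) and LDAPS (636, assumed) per allowed host.
    for src in "$@"; do
        for port in 22 389 636; do
            emit pass tcp from "$src" to any "$port" in via "$int" keep-state
        done
    done
    # The rule from the follow-up: let the box initiate its own connections.
    # It has to come before the deny, otherwise it is never reached.
    emit pass all from any to any out via "$int" keep-state
    # Everything else is dropped.
    emit deny ip from any to any
}

# Constructed sample invocation: one interface, two allowed client hosts.
build_rules em0 192.0.2.10 192.0.2.11
```
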
