I don't think what follows should ever replace the Handbook chapter on IPFW:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
---

#1. I suggest moving check-state earlier in the ruleset, so that packets
# belonging to an already-established dynamic flow are accepted as soon as possible.
#2. It's never too late to start using tables; the commands below populate table 1
# with the reserved/bogon prefixes that the two table(1) rules further down rely on:
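# ---------------------------------------------------------------------------
# ipfw ruleset (flat "add ..." syntax, as loaded by `ipfw -q <rules-file>`).
# ipfw is first-match: the ORDER of the rules below IS the policy, so the
# comments explain why each group sits where it does.  No rule numbers are
# given, so ipfw assigns them sequentially at load time.
# ---------------------------------------------------------------------------

# Table 1: reserved, private and otherwise unroutable ("bogon") prefixes.
# As posted these commands are commented out, yet the two "table(1)" rules
# below depend on the table being populated -- with an empty table those
# rules match nothing and no bogon filtering happens at all.  Run these
# (e.g. from the script that loads this file) BEFORE the rules are loaded.
# Caveats:
#  - Bogon lists go stale.  1.0.0.0/8 and 2.0.0.0/8 were unallocated when
#    this was written but have since been assigned; check current IANA
#    allocations before reusing this list, or you will drop real networks.
#  - 240.0.0.0/4 is already covered by 224.0.0.0/3 (224.0.0.0-255.255.255.255);
#    listing it separately is harmless but redundant.
#  - 192.88.99.0/24 is the 6to4 relay anycast prefix; do not list it if this
#    host uses 6to4.
#/sbin/ipfw table 1 flush
#/sbin/ipfw table 1 add 0.0.0.0/8
#/sbin/ipfw table 1 add 1.0.0.0/8
#/sbin/ipfw table 1 add 2.0.0.0/8
#/sbin/ipfw table 1 add 10.0.0.0/8
#/sbin/ipfw table 1 add 127.0.0.0/8
#/sbin/ipfw table 1 add 169.254.0.0/16
#/sbin/ipfw table 1 add 192.0.2.0/24
#/sbin/ipfw table 1 add 192.168.0.0/16
#/sbin/ipfw table 1 add 172.16.0.0/12
#/sbin/ipfw table 1 add 192.88.99.0/24
#/sbin/ipfw table 1 add 198.18.0.0/15
#/sbin/ipfw table 1 add 224.0.0.0/3
#/sbin/ipfw table 1 add 240.0.0.0/4

# Loopback traffic is always allowed.  Note that this also makes any later
# rule of the form "... to me out" or "... from me ... in" unreachable for
# locally generated traffic, since that traffic goes via lo0.
add allow all from any to any via lo0

# Drop inbound packets whose source address does not belong to the network
# of the interface they arrived on (basic source-address spoofing check).
add deny ip from any to any not antispoof in

# Accept packets that belong to an existing dynamic (keep-state) flow as
# early as possible.  This sits BEFORE the table(1) deny rules, so state
# can bypass the bogon check -- but only the two DNS rules below create
# dynamic state, so that is the only traffic affected.
add check-state

# One rule per direction covers every prefix in table 1.
# The backslashes escape the parentheses for a shell; if this file is read
# directly by ipfw rather than through a shell, verify that "table(1)" is
# parsed as intended (e.g. with `ipfw show`) -- a mis-parsed rule here would
# silently disable the bogon filter.
add deny log all from table\(1\) to any in
add deny log all from any to table\(1\) out

# Stateless handling of established TCP.  "established" matches ANY TCP
# segment with ACK or RST set, whether or not a connection exists, so these
# two rules also let ACK-scan probes and stray segments reach the stack.
# The "setup" rules further down decide which NEW connections may be
# opened.  If that is too loose, convert the setup rules to keep-state and
# drop these two rules (check-state above already handles the return path).
add allow tcp from any to me in established
add allow tcp from me to any out established

# Drop and log all IP fragments.  Caveat: this also drops legitimate
# fragmented traffic (e.g. large UDP datagrams such as EDNS0 DNS replies),
# and it logs at the same rate as the deny rules at the bottom.
add deny log ip from any to any frag

# ICMP: count inbound echo requests; allow echo reply (0), echo request (8),
# destination unreachable (3) and time exceeded (11) in both directions.
# Type 3 is needed for path-MTU discovery to work through this filter.
add count icmp from any to any icmptypes 8 in
add allow icmp from any to any icmptypes 0,8,3,11

# UDP traceroute probes.  The range is wider than the usual traceroute
# default; verify it against the traceroute implementation in use and
# narrow it if possible, since inbound UDP in this range is accepted from
# anywhere.
add allow udp from any to any 33434-34458 in
add allow udp from any 33434-34458 to any out

# DNS, stateful.  The first rule covers queries from this host; the second
# accepts queries to a nameserver running HERE -- remove it if no resolver
# listens on this host, otherwise port 53/udp is open to the world.
add allow udp from me to any 53 out keep-state
add allow udp from any to me 53 in keep-state

# New TCP connections ("setup" = SYN without ACK).  Return traffic is
# handled by the "established" rules above.  Rules without an explicit
# in/out apply to both directions, but "to me ... out" can only match on
# lo0, which is already allowed, so they are effectively inbound-only.
add allow tcp from any to me ssh setup
add allow tcp from me to any ssh setup
add allow tcp from any to me http setup
add allow tcp from me to any http setup
add allow tcp from any to me https setup
add allow tcp from me to any https setup
add allow tcp from any to me dst-port 8443 in setup

# Mail services offered by this host, plus outbound SMTP/SMTPS delivery.
add allow tcp from any to me pop3 in setup
add allow tcp from any to me pop3s in setup
add allow tcp from any to me smtp in setup
add allow tcp from me to any smtp out setup
add allow tcp from any to me smtps in setup
add allow tcp from me to any smtps out setup
add allow tcp from any to me imap in setup
add allow tcp from any to me imaps in setup

# FTP control channel: this host as server (in) and as client (out).
# "ftp\-data" is escaped because ipfw would otherwise read the "-" as a
# port range separator.
add allow tcp from any to me ftp in setup
add allow tcp from me to any ftp out setup
# Inbound SYN to our own port 20 -- only meaningful if something actually
# listens on port 20 here (an FTP server ORIGINATES from port 20, it does
# not accept on it).
add allow tcp from any to me ftp\-data in setup
# The original rule here was
#   add allow tcp from any ftp\-data to me setup out
# which can never match: an outbound packet whose destination is one of
# our own addresses only ever goes via lo0, already allowed above.  It has
# been removed rather than guessed at.  The two things it may have meant:
#   - active-mode data connections to this host as an FTP CLIENT, i.e.
#     "add allow tcp from any ftp\-data to me in setup".  Be aware this is a
#     source-port-based hole: any remote host sourcing from port 20 can
#     then open a connection to ANY local TCP port.  Prefer passive mode
#     (the default for FreeBSD ftp(1)) and leave it out.
#   - active-mode data connections FROM this host as an FTP SERVER, i.e.
#     "add allow tcp from me ftp\-data to any out setup".  If ftpd opens
#     these as root, the "uid root" rule below already covers them.
# Passive-mode FTP SERVER data ports.  Caveat: this opens the WHOLE ephemeral
# range inbound, so any other daemon listening in 49152-65535 (RPC, etc.)
# is reachable from anywhere.  Restrict ftpd's passive port range and
# narrow this rule to match.
add allow tcp from any to me 49152-65535 in setup
add allow tcp from any to me ftps in setup
add allow tcp from me to any ftps out setup

# NTP with a single, fixed peer (client and server port both 123/udp).
add allow udp from me ntp to 128.252.19.1 ntp out
add allow udp from 128.252.19.1 ntp to me ntp in

# Any outbound TCP connection initiated by root is allowed; outbound TCP
# from non-root users is limited to the explicit rules above.  "uid"
# matching only applies to locally generated packets, so this rule cannot
# match forwarded traffic.
add allow tcp from me to any out setup uid root
add allow tcp from me to 64.131.90.31 dst-port 5224 out setup

# Explicit, logged default-deny for everything not matched above.  The
# "to me ... out" and "from me ... in" variants rarely match (loopback is
# allowed first and antispoof catches most self-sourced packets) but are
# kept so that anything odd still gets logged.  Logging every dropped
# packet can flood the log under scan or flood conditions; rely on
# net.inet.ip.fw.verbose_limit to rate-limit it.
add deny log udp from any to me in
add deny log udp from any to me out
add deny log udp from me to any in
add deny log udp from me to any out
add deny log tcp from any to me in
add deny log tcp from any to me out
add deny log tcp from me to any in
add deny log tcp from me to any out
add deny log all from any to any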



      