G magicman wrote:
> 1.  I need help to reconfigure my firewall on the server using BSD's ipfw

What part do you need to reconfigure?

> 2. short of a reboot how do you start stop and restart the  firewall

Very, very carefully. Until I gained some extensive experience with
IPFW, I would wrap the firewall restart within a sleep/undo of some sort.

That said, now I use table(s) and set(s), so I can update rules without
having to restart the firewall entirely. Below is an example, that also
will guide you in answering your next two questions. The man page and
Google will explain how to use tables and sets.

To answer your question however, depending on where your firewall script
is, simply execute it at the command line, like this:

# /etc/ipfw.rules &

> Here is what i want :
> 
> 1. i want all ports open to the ipaddresses in line 4 "clearaddresses"
> 2. I want to be able to control access to port 25 sendmail to be able to deny
>       whole "A" "B" and "C" addresses

#!/bin/sh

flush="/sbin/ipfw -q flush"
cmd="/sbin/ipfw add"
table="/sbin/ipfw table"

$flush

# Tables

# Client/infrastructure IPs for allowing access

$table 1 add 208.70.104.0/21
$table 1 add 64.39.160.0/19
$table 1 add 67.158.64.0/20
#...etc

# SMTP ALLOWED OUTBOUND TABLE

$table 2 add 208.70.104.202/32
$table 2 add 208.70.104.203/32
$table 2 add 208.70.104.205/32
#...etc

# Block all inbound and outbound traffic for certain sites
# ...review periodically to see if they are still valid

$table 3 add 91.203.4.146/32    # phishing

# set 3 = specific deny/allow by ids
# set 4 = SSH access
# set 29 = for counting/testing traffic patterns
# set 30 = forwarding


# SET 3

# SQL
$cmd 20000 set 3 deny all from any to any 1433,1434
# NetBIOS
$cmd 20100 set 3 allow tcp from 208.70.104.0/24 to 208.70.104.0/24
135,139,445,593 keep-state
$cmd 20105 set 3 allow udp from 208.70.104.0/24 to 208.70.104.0/24
135,139,445,593
$cmd 20110 set 3 deny all from any to any 135,139,445,593

# SET 4

$cmd 40000 set 4 allow tcp from "table(1)" to any 22 keep-state
$cmd 40005 set 4 deny tcp from any to any 22

# SET 29

#$cmd 59000 set 29 count log logamount 100 tcp from any to any

# SET 30

$cmd 60000 set 30 fwd 208.70.104.3,53 all from any to 209.167.16.10 53
$cmd 60005 set 30 fwd 208.70.106.59,53 all from any to 209.167.16.30 53

$cmd 64998 deny all from "table(3)" to any
$cmd 64999 deny all from any to "table(3)"

### end dummy ruleset

...if you want specific rule examples, just let me know.

The above does pretty much what you want it to do. I've purposely left
it up to you to do some further research. Tweaking a non-forgiving
firewall remotely is not something you want to learn the hard way.

The benefit of tables is that you can have one rule, but manually
add/remove specific addresses or prefixes on the fly without having to
reload the rule.

With sets, you can disable an entire block of rules, modify it, and
reload it without restarting IPFW, therefore destroying your existing
established rules.

Steve
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to