> > how can I have the script /etc/ipfw.rules run instead of /etc/rc.firewall.
> > can I change
> > firewall_type="OPEN" to firewall_type="" and create the entry
> > firewall_script="/etc/ipfw.rules"?
> I have that working right now with:
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall.local"
> ... where /etc/rc.firewall.local contains the customized ipfw commands.
> > what I would like to do is block all access to services on the router like
> > httpd, sshd, etc
> > the other thing I would like to do is port forward ssh from another machine
> > and allow access to that from an external network.
> > does something like this make sense?
> > thanks,
> If you are using NAT then the -redirect_port option to natd will do that (ie.
> forward incoming port 22 connections to an internal machine), which can be
> set in /etc/rc.conf in the natd_flags="-redirect_port ..." variable.  You
> have to create a corresponding ipfw rule to allow the traffic after natd
> rewrites the destination IP to your internal LAN machine, which it looks like
> you have done below, except the "from" would be "any" not "ROUTER_IP".  It
> will be the IP of the outside machine trying to connect to port 22.
> I have a similar port forward set up.  Early in the firewall rules allow all
> established TCP connections, and then later allow the setup for the initial
> SSH connection. would be a machine behind the firewall to receive
> SSH connections, and ed0 would be the external internet interface.
> in /etc/rc.conf:
> natd_flags="-redirect_port tcp ssh"
> in the firewall script:
> ipfw -q flush
> ipfw add 00050 divert natd ip from any to any via ed0
> ipfw add 00100 allow tcp from any to any via ed0 established
> <more rules here>
> ipfw add 01000 allow tcp from any to ssh setup
> <more rules here>
> ipfw add 65530 deny log ip from any to any
> I winged this so forgive any errors, but it's based on what I have working,
> including a rule to deny and log everything by default at the bottom.


you must have your firewall_type set to the default then in rc.conf or
/etc/defaults/rc.conf. does your setup not run the standard rc.firewall file in

does this rule allow any access to the outside network?
ipfw add 00100 allow tcp from any to any via ed0 established
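A complete firewall script in the shape the quoted reply describes, added here as an example and not code from the thread: the internal SSH host, the router's outside address and the rule numbers for the extra rules are placeholders I chose. Beyond the thread's rules it adds a deny for connections to the router's own services and an outbound setup rule so the LAN can still open connections; set IPFW=echo to print the rule set instead of installing it.

```shell
#!/bin/sh
# Example /etc/rc.firewall.local (constructed, not from the thread).
# Matching rc.conf line, assumed: natd_flags="-redirect_port tcp ${SSH_HOST}:22 22"
EXT_IF="${EXT_IF:-ed0}"               # external interface (ed0 as in the thread)
ROUTER_IP="${ROUTER_IP:-192.0.2.1}"   # placeholder: the router's outside address
SSH_HOST="${SSH_HOST:-10.0.0.2}"      # placeholder: internal box that receives SSH
IPFW="${IPFW:-/sbin/ipfw -q}"         # IPFW=echo prints the rules instead of loading them

rule() { $IPFW add "$@"; }

# Order matters: natd must rewrite the packet before the allow rules run, so
# the forwarded SSH SYN is matched on its new destination (SSH_HOST), and the
# "established" rule only ever matches packets with ACK/RST set, never a bare SYN.
ipfw_rules() {
    $IPFW -f flush
    # 1. every packet crossing the outside interface goes through natd first
    rule 00050 divert natd ip from any to any via "$EXT_IF"
    # 2. traffic of sessions that are already open, in either direction
    rule 00100 allow tcp from any to any via "$EXT_IF" established
    # 3. no new connections to services on the router itself (httpd, sshd, ...)
    rule 00200 deny log tcp from any to "$ROUTER_IP" in via "$EXT_IF" setup
    # 4. initial SYN of a forwarded SSH session; source is the outside peer,
    #    destination is already the internal host after natd rewrote it
    rule 01000 allow tcp from any to "$SSH_HOST" 22 in via "$EXT_IF" setup
    # 5. let the LAN open outbound connections
    rule 02000 allow tcp from any to any out via "$EXT_IF" setup
    # 6. default: drop and log everything else
    rule 65530 deny log ip from any to any
}

ipfw_rules
```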