> > how can i have the script /etc/ipfw.rules run instead of /etc/rc.firewall.
> > can i change
> > firewall_type="OPEN" to firewall_type="" and create the entry
> > firewall_script="/etc/ipfw.rules"?
>
> I have that working right now with:
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall.local"
>
> ... where /etc/rc.firewall.local contains the customized ipfw commands.
>
> > what i would like to do is block all access to services on the router like
> > httpd, sshd, etc
> > the other think i would like to do is port forward ssh from another machine
> > and allow access of that from an external network.
> > does something like this make sense?
> > thanks,
>
> If you are using NAT then the -redirect_port option to natd will do that (ie.
> forward incoming port 22 connections to an internal machine), which can be
> set in /etc/rc.conf in the natd_flags="-redirect_port ..." variable.  You
> have to create a corresponding ipfw rule to allow the traffic after natd
> rewrites the destination IP to your internal LAN machine, which it looks like
> you have done below, except the "from" would be "any" not "ROUTER_IP".  It
> will be the IP of the outside machine trying to connect to port 22.
>
> I have a similar port forward set up.  Early in the firewall rules allow all
> established TCP connections, and then later allow the setup for the initial
> SSH connection.  10.0.1.2 would be a machine behind the firewall to receive
> SSH connections, and ed0 would be the external internet interface.
>
> in /etc/rc.conf:
> natd_flags="-redirect_port tcp 10.0.1.2:ssh ssh"
>
> in the firewall script:
> ipfw -q flush
> ipfw add 00050 divert natd ip from any to any via ed0
> ipfw add 00100 allow tcp from any to any via ed0 established
> <more rules here>
> ipfw add 01000 allow tcp from any to 10.0.1.2 ssh setup
> <more rules here>
> ipfw add 65530 deny log ip from any to any
>
> I winged this so forgive any errors, but it's based on what I have working,
> including a rule to deny and log everything by default at the bottom.
>
[snip]


Jeff,

you must have your firewall_type set to the default then in rc.conf or
/etc/defaults/rc.conf. does you setup not run the standard rc.firewall file in
/etc?

does this rule allow any access to the outside network?
ipfw add 00100 allow tcp from any to any via ed0 established

thanks,

brian

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message

Reply via email to