I have a fbsd box that runs its own firewall.. and tonight I learned my
lesson about trying to configure it remotely :)

Anyways, I'm trying to find some better documentation. The manpage says
nothing about what options it can take in this example:

00903 allow igmp from any to any
00904 allow udp from any to any dst-port 520

I found out that I can allow igmp becuse I just tried it and it
worked... and as you can see on the next line, I'm allowing RIP by the
port because "allow rip" doesn't work. I have not been able to find a
list of commands that it can take, so I was hoping someone had a link :)

I converted to stateful filtering. If anyone sees anything wrong with my
config, I'd be grateful for some feedback. Basically, I'm trying to
allow anything out of this box, and allow anything in below port 1024,
with the few exceptions show below.

00100 allow ip from any to any via lo0
00200 deny ip from any to
00300 deny ip from to any
00800 check-state
00900 allow ip from any to any out xmit fxp0 keep-state
00901 allow ip from any to any via fxp0 established
00902 allow pim from any to any
00903 allow igmp from any to any
00904 allow udp from any to any dst-port 520
01001 allow icmp from any to any
01002 allow ip from any to any in dst-port 1-1024 keep-state
01003 allow ip from my.block.0.0/16 to any dst-port 2049
07000 deny tcp from any to any dst-port 6001
08000 deny udp from any to any dst-port 1985
30000 deny log ip from any to any

One weirdness that really drove me crazy was when I tried to keep my
allow rule in place like this:

[ normal rules go here, without the 30000 deny ]
60000 allow log ip from any to any keep-state

My purpose was to log anything that actually hit that rule, and try to
figure out what I wasn't covering above (before actually using the
'deny' rule). I put the keep-state on there so I could see what was
happening with `ipfw -d show`. BAD idea :) It seems the check-state
will skip all other rules and first look for any limit or keep-state
rules? Very odd. When I removed the keep-state, it started working as
I'd hoped, and rule 60000 was never hit. I really don't fully understand
what was happening there. IP filter on my home firewall seemed much
simpler for some reason.

[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to