On 2004-06-01 00:38, bryan cassidy <[EMAIL PROTECTED]> wrote:
> Hello. Running FreeBSD 4.10. After I reboot with my new ipfw.rules I
> can't load any webpages. I didn't try by IP address cause I can't
> remember any off top at the moment. Here is my following setup

Looking at the mangled rules, that your mailer has awfully mutilated, I
can't see any rule for allowing port 80 connections. No web surfing for
you then :P

But let's see what you're getting out of your firewall ruleset.

[-- Cleaned up ruleset --]

> add 00300 deny log tcp from any to any 515 in recv xl0
> add 00301 deny tcp from any to any 7101 in recv xl0
> add 00302 deny log tcp from any to any 6000 in recv xl0
> add 00303 allow log tcp from any to any 113 in recv xl0 setup
> # --- DNS
> add 00310 allow tcp from 126.96.36.199 to any in recv xl0
> add 00311 allow tcp from 188.8.131.52 to any in recv xl0
> add 00320 allow udp from 184.108.40.206 53 to any in recv xl0
> add 00321 allow udp from 220.127.116.11 53 to any in recv xl0
> # --- deny below port 1000
> add 00399 deny log tcp from any to any 0-1000 in recv xl0 setup

This should probably be 1024, if you want to protect all the
"privileged" port numbers.

> # --- ntpdate
> add 00403 allow udp from 123 to any 123 in recv xl0
> # --- deny UDP connections
> add 00499 deny log udp from any to any in recv xl0

Why?  Let the default firewall rule (block all from any to any) catch
these too.  Special deny rules aren't really necessary here, unless you
really want to pessimize everything and all other protocols (by forcing
them to be checked against yet another rule that they won't match with)
just to get faster UDP connection drops of lots of stuff that you don't
need anyway (you've already taken care of DNS, which is about the only
thing that UDP is useful for these days for me).

> # --- Log netbus ( haha )
> add 00500 deny log tcp from any to any 12345 in recv xl0
> add 00501 deny log tcp from any to any 20034 in recv xl0
> # --- Let my ISP ping me!
> add 00600 allow icmp from 18.104.22.168 to any in recv xl0
> add 00601 allow icmp from 22.214.171.124 to any in recv xl0
> # --- Log ICMP echos and dest
> add 00610 allow log icmp from any to any in recv xl0 icmptype 3
> add 00610 allow log icmp from any to any in recv xl0 icmptype 8

Note, BTW, that you are mixing allow and deny rules in the same
firewall.  It's a good idea to pick one of the following styles of
filtering and stick with it:

open firewall
-------------

This allows everything except what is explicitly denied.  The general
look of the ruleset is something like this:

    block this
    block that
    block another
    allow all the rest

closed firewall
---------------

This blocks everything, except what is explicitly allowed.  It looks
like this:

    allow this
    allow that
    allow another
    block all the rest

A short sample firewall of this style, one that I used to have on my
dialup workstation at home when I still used ipfw can be seen here:

    http://students.ceid.upatras.gr/~keramida/ipfw/dialup.ipfw

> First. Things I will be running. I will be running Apache+PHP later on
> when I get my box more secure

The question you should ask yourself when you're writing those rulesets
is... "Do you want these to be visible to the world?"

> but for now I will be running Postfox for my MTA,

It's Postfix, thanks :)

> I want to be able to send and receive e-mails and any other *basic*
> things everyone would want on a everyday basis ya know?

Just make sure you don't block any "outgoing" connection.  That should
take care of most protocols.  Only FTP and DCC sends on IRC will need
special care to work on your "closed" sort of firewall, but that's for
another post to discuss if you're still interested.

- Giorgos
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
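The reply above makes two points: pick one style (here the "closed" one) and make sure outgoing connections and their return traffic are allowed, otherwise nothing, web browsing included, works. The script below is an added example, not Giorgos's dialup.ipfw or Bryan's ruleset. It assumes the external interface is xl0 (as in the post), takes the DNS server addresses as arguments (192.0.2.53 in the test is a placeholder from the documentation range), uses only ipfw keywords the FreeBSD 4.x ipfw(8) man page documents (setup, established, via, icmptypes), and loads the rules the way ipfw(8) reads a file of commands, `ipfw -q /path/to/file`:

```shell
#!/bin/sh
# Added example: a "closed" style ipfw ruleset for a single-homed FreeBSD 4.x
# host. Everything is refused unless explicitly allowed; outgoing TCP and its
# return traffic are allowed, which is what makes web surfing work.
# Assumptions: external interface passed as $1 (xl0 in the post), DNS server
# addresses as the remaining arguments (constructed placeholders in the test).

gen_closed_rules() {
    oif="$1"; shift        # external interface, e.g. xl0; $@ = DNS servers
    cat <<EOF
flush
# loopback works; loopback addresses never appear on the wire
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from 127.0.0.0/8 to any
# outgoing connections (SYN only) are opened freely ...
add 00200 allow tcp from any to any out xmit $oif setup
# ... and packets of connections already set up (ACK/RST set) pass both ways
add 00210 allow tcp from any to any established
EOF
    # DNS: queries out to each resolver, replies back from port 53
    for ns in "$@"; do
        cat <<EOF
add 00300 allow udp from any to $ns 53 out xmit $oif
add 00310 allow udp from $ns 53 to any in recv $oif
EOF
    done
    cat <<EOF
# ntpdate replies (source and destination port 123)
add 00400 allow udp from any 123 to any 123 in recv $oif
# echo replies, unreachables and TTL-exceeded still get in (ping/traceroute)
add 00500 allow icmp from any to any in recv $oif icmptypes 0,3,11
# log unsolicited SYNs to the privileged ports (0-1023, not 0-1000)
add 00900 deny log tcp from any to any 0-1023 in recv $oif setup
# the "block all the rest" that defines a closed firewall
add 65000 deny log ip from any to any
EOF
}

# Sanity check before loading: a closed ruleset for a pure client should
# contain no rule that accepts an inbound SYN on the external interface.
count_inbound_setup_allows() {
    gen_closed_rules "$@" | grep -c 'allow.*in recv.*setup' || true
}

# Load the generated rules; ipfw(8) reads commands from a file given as its
# argument, and -q suppresses the flush confirmation prompt.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_closed_rules "$@" > "$tmp"
    /sbin/ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (as root on the firewall host; the DNS addresses are placeholders):
#   apply_rules xl0 192.0.2.53 198.51.100.53
```

The ruleset uses the same setup/established pair the post's own rules rely on; FreeBSD 4.x ipfw also offers keep-state/check-state for the same purpose, which would additionally cover UDP and ICMP replies without the per-service rules. Services that should be reachable from outside (Apache, Postfix) each need their own `allow tcp from any to any <port> in recv xl0 setup` rule placed before rule 00900, which is exactly the "do you want this visible to the world?" decision the reply asks about.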