protect a single interface with IPFW ?

2011-01-13 Thread four . harrisons
Hello

is it possible to protect a single interface with IPFW
my server has only one interface and I want to
allow only SSH LDAP LDAPS

thanks for any examples

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org



protect a single interface with IPFW ?

2011-01-12 Thread Frank Bonnet

Hello

is it possible to protect a single interface with IPFW
my server has only one interface and I want to
allow only SSH LDAP LDAPS

thanks for any examples



Re: protect a single interface with IPFW ?

2011-01-12 Thread krad
On 12 January 2011 14:47, Frank Bonnet f.bon...@esiee.fr wrote:

 Hello

 is it possible to protect a single interface with IPFW
 my server has only one interface and I want to
 allow only SSH LDAP LDAPS

 thanks for any examples




Something like this:

# ipfw: $int is your single interface, w.x.y.z the host(s) allowed in
add pass all from any to any via lo0
add pass tcp from w.x.y.z to any 22 in via $int keep-state
add pass tcp from w.x.y.z to any 389 in via $int keep-state
add pass tcp from w.x.y.z to any 636 in via $int keep-state   # LDAPS, as asked for
add deny ip from any to any

or for pf (better in my opinion):

table <sshhosts> const { hosta, hostb, ... }
table <ldaphosts> const { hosta, hostb, ... }

set skip on lo0

block all
pass in quick proto tcp from <sshhosts> to any port ssh synproxy state
pass in quick proto tcp from <ldaphosts> to any port { ldap, ldaps } synproxy state


Re: protect a single interface with IPFW ?

2011-01-12 Thread krad
On 12 January 2011 15:01, krad kra...@gmail.com wrote:

Whoops, forgot the all-important lines. Without these your box itself can't
initiate connections to the outside world.

For ipfw, add before the deny:

add pass all from any to any out via $int keep-state

and for pf, add at the end:

pass out from any to any keep state
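The complete ruleset the thread arrives at, as an added example that is not code from the thread or from krad: a POSIX sh script that generates an ipfw ruleset for a host with one interface (SSH, LDAP and LDAPS in from an admin network, anything out, everything else denied and logged) and sanity-checks it before it is loaded. The interface name em0, the admin network 192.0.2.0/24 and the rule numbers are assumptions; override them with the IFACE and ADMIN_NET environment variables. Without --apply the script only prints the rules, so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the original thread. Generates an ipfw ruleset
# for a host with a single interface: SSH/LDAP/LDAPS from an admin network
# in, anything out, everything else denied (and logged).
# Assumed values: interface em0, admin network 192.0.2.0/24 (RFC 5737
# documentation range). Override: IFACE=bge0 ADMIN_NET=10.0.0.0/8 ./ipfw-gen.sh

IFACE="${IFACE:-em0}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
SERVICE_PORTS="22 389 636"   # ssh, ldap, ldaps

# Print the ruleset in evaluation order, one rule per line, in the syntax
# that "ipfw -q /path/to/file" (firewall_type="/path/to/file" in rc.conf)
# accepts. Rule numbers are explicit so the ordering is visible and testable.
gen_ipfw_rules() {
    iface="$1"
    admin="$2"
    # Loopback is unrestricted; 127/8 seen on the wire is forged.
    printf 'add 100 allow ip from any to any via lo0\n'
    printf 'add 200 deny ip from any to 127.0.0.0/8\n'
    printf 'add 210 deny ip from 127.0.0.0/8 to any\n'
    # Packets belonging to an existing dynamic (keep-state) rule pass here.
    printf 'add 300 check-state\n'
    # Only a TCP handshake ("setup") from the admin net may create state;
    # "me" is any address configured on this host.
    for port in $SERVICE_PORTS; do
        printf 'add 400 allow tcp from %s to me %s in via %s setup keep-state\n' \
            "$admin" "$port" "$iface"
    done
    # The host itself may talk out; replies come back via the dynamic rule.
    printf 'add 500 allow ip from me to any out via %s keep-state\n' "$iface"
    # Default deny, logged so lockouts and scans show up in /var/log/security.
    printf 'add 65000 deny log ip from any to any\n'
}

# Checks worth running before loading a ruleset over SSH: loopback allowed
# first, default deny last, and a rule present for every service port.
ruleset_is_sane() {
    rules="$1"
    first=$(printf '%s\n' "$rules" | head -n 1)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$first" in *"via lo0"*) ;; *) return 1 ;; esac
    case "$last" in "add 65000 deny log ip from any to any") ;; *) return 1 ;; esac
    for port in $SERVICE_PORTS; do
        printf '%s\n' "$rules" | grep -q "to me $port in via" || return 1
    done
    return 0
}

rule_count() {
    printf '%s\n' "$1" | grep -c ''
}

RULES=$(gen_ipfw_rules "$IFACE" "$ADMIN_NET")

if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "need root to load rules" >&2; exit 1; }
    ruleset_is_sane "$RULES" || { echo "refusing to load ruleset" >&2; exit 1; }
    ipfw -q -f flush
    printf '%s\n' "$RULES" | while IFS= read -r rule; do
        ipfw -q $rule   # word splitting intended: each line is one rule
    done
else
    printf '%s\n' "$RULES"
fi
```

To make it persistent, redirect the output to a file, point firewall_type at that file in /etc/rc.conf together with firewall_enable="YES", and set firewall_logging="YES" so the deny log rule actually logs (it sets net.inet.ip.fw.verbose). Load it the first time from the console or with out-of-band access: when the ipfw module comes up its built-in rule 65535 denies everything until the ruleset is in place, which is exactly the situation krad's "all-important" outbound rule and the check-state line guard against once the rules are loaded.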


Re: protect a single interface with IPFW ?

2011-01-12 Thread Frank Bonnet

Thanks a lot!





--

Frank BONNET

01.45.92.66.17

Service des Moyens Informatique Generaux

ESIEE PARIS
Cité Descartes / BP 99
93162 NOISY-LE-GRAND Cedex
http://www.esiee.fr/
