Marwan Sultan disturbed my sleep to write:
I compiled ipfw to accept by default.
This is my ipfw list:
00050 divert 8668 ip from any to any via rl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any
Hm...this may not be a big deal, but is there any reason you're putting
the divert rule before the rules dealing with lo0/127.0.0.0/8? The
default FreeBSD open firewall ruleset usually puts the divert rule after
-- this would be rule 400 in your example.
a) lets say I want to deny everything except a range of IPs
starting from 192.168.1.1 to 192.168.1.50.
what rule set should be? how to set range of IPs? to pass
and deny rest of the C class. FreeBSD Doc's doesnot cover this?
or i didnot see.!
man ipfw(8) will help you. Depending on the version of ipfw (I forget
when this syntax was added), you may be able to do this:
ipfw allow all from 192.168.1.{1,50} to any
ipfw deny all from any to any
As for which rule it should be...typically what I do is write down
my firewall rules in a separate file, try to make sure that they make
sense (allow rules before deny rules, for example), then try them
out...always making sure that I have some way into the machine if I'm
working remotely! Usually you can let ipfw take care of assigning rule
numbers, unless you've got something fairly special going on.
b) If i want to deny everything except ip 192.168.1.5 as follow
00400 allow all from 192.168.1.5 to any
01000 deny all from any to any.
when ipfw reads the rules and pass by 00400 then comes to 01000
then it denies even the 192.168.1.5, althou i put this rule before the
deny ? what im missing? how should i pass 1 ip and deny all?
I'm not sure why that would happen, but you can find out. If you change
that deny rule to a deny-and-log rule, like this:
ipfw deny log all from any to any
you can then run tail -f /var/log/security and see what packets are
being caught by the deny rule. You can also run ipfw show, which
will show you how many packets/bytes are being caught by which rules.
Again, read the man page for ipfw.
Off the top of my head, I suspect you're allowing traffic out, but not
back in -- you haven't listed a rule that would allow replies to TCP
traffic back in, or DNS queries. Denying either of these would make it
look like nothing is working. Try this:
allow tcp from 192.168.1.5 to any
allow udp from 192.168.1.5 to any keep-state
check-state
allow tcp from any to any established
deny all from any to any
c) If I want rule 00400 to expire in 9PM and be active in 8AM.(EXAMPLE)
how do we do that? is it by set a cron job to delete and add
the ipfw rule? or there is something to do from the ipfw it self?
As far as I know, you can only do this with a cron job. Test carefully,
though -- it's frighteningly easy to lock yourself out while doing this
sort of thing. I speak from bitter experience. :-)
D) Last Q: IF I restart the box all the rules will be reset,
and comes to default. which is reasonable.
How to keep it everytime I restart?
do i create a file somewhere, and i tell my rc.conf for it?
what the rc.conf line should be? and file format?
man rc.conf(5) will show you firewall options. What I usually do is
write my own and keep it in a separate file -- I find rc.firewall too
confusing when trying to customize it. But have a look at
/etc/rc.firewall and the simple option -- it probably does a lot of
what you want.
Question out of subject,
How i can do something thro cronjob to make the box Email me the
log of firewall everyday on certain time, lets say 9PM ?
Well, you could just have a script that would, say, grep for today's
date in your firewall logs and email that. Another thing you could
consider doing, though, is signing up at dshield.org and using one of
their clients to parse your logs. Dshield collects firewall information
from volunteers around the world, and uses it to alert people to new
or fast-moving threats. It's an excellent idea, and a lot of help to
security people. I use ipfw2dshield to parse and mail my logs, and as a
bonus I get a copy of the email myself to see if there's anything
interesting.
Hope that helps!
Hugh
--
Saint Aardvark the Carpeted
[EMAIL PROTECTED]
Because the plural of Anecdote is Myth.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
