Re: Firewall rules for servers, UDP
Lucas Holt wrote:
> My problem lies in UDP rules. I think I have TCP figured out. My first
> attempt blocked off DNS queries from the machine outward. I could query the
> DNS server, but apps could not do lookups. I figure it has something to do
> with ports above 1024, but I'm not sure how to define a rule with multiple
> ports in a range, plus I don't know how high to go above 1024. Is this the
> right action? Ideas on syntax?

6-sec% cat fw.codefab.com/CF_firewall

# Set variables for network addresses
# set these to your inside interface network and netmask and ip
#define IIF fxp0
#define INET 12.38.161.0/25
#define IIP 12.38.161.1
# set these to your outside interface network and netmask and ip
#define OIF fxp1
#define ONET 12.38.161.128/26
#define OIP 12.38.161.130
#define CFNET 12.38.161.0/24

# port number ranges
#define LOPORTS 1-1023
#define HIPORTS 1024-65535

[ ...anti-spoofing rules and things to block first snipped... ]

# UDP traffic
# allow DNS,NTP queries out in the world
add pass udp from CFNET HIPORTS to any 53,123
add pass udp from any 53,123 to CFNET HIPORTS
add pass udp from any 53,123 to any 53,123

# traceroute
add pass udp from any HIPORTS to any 33434-33523

# external UDP
add pass udp from ONET HIPORTS to INET HIPORTS
add pass log udp from any HIPORTS to INET HIPORTS
add pass udp from INET HIPORTS to any HIPORTS

# log remaining UDP traffic
add pass log udp from ONET to INET
add pass log udp from INET to ONET
add pass log udp from INET to any
add unreach filter-prohib log udp from any to any

[ ...followed by TCP and ICMP rules... ]

--
Utilize this by saving this file to /etc/YOUR_firewall, and adding the
following lines to /etc/rc.conf:

#firewall_type='/etc/YOUR_firewall'
#firewall_flags='-p /usr/bin/cpp'

--
-Chuck

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Firewall rules for servers, UDP
I want to set up a firewall (ipfw) on my FreeBSD 4.8 p3 server. The machine
runs web, ftp, ssh, dns, smtp, and imap to the outside world. Does anyone
have any links to example rules for servers? (I've already looked at the
handbook and man file.)

My problem lies in UDP rules. I think I have TCP figured out. My first
attempt blocked off DNS queries from the machine outward. I could query the
DNS server, but apps could not do lookups. I figure it has something to do
with ports above 1024, but I'm not sure how to define a rule with multiple
ports in a range, plus I don't know how high to go above 1024. Is this the
right action? Ideas on syntax?

Lucas Holt
[EMAIL PROTECTED]
FoolishGames.com (Jewel Fan Site)
JustJournal.com (Free blogging)

Only two things are infinite, the universe and human stupidity, and I'm not
sure about the former. - Albert Einstein (1879-1955)
Re: Firewall rules for servers, UDP
On Tue, Aug 19, 2003 at 02:31:55PM -0400, Lucas Holt wrote:
> I want to set up a firewall (ipfw) on my FreeBSD 4.8 p3 server. The machine
> runs web, ftp, ssh, dns, smtp, and imap to the outside world. Does anyone
> have any links to example rules for servers? (I've already looked at the
> handbook and man file.)
>
> My problem lies in UDP rules. I think I have TCP figured out. My first
> attempt blocked off DNS queries from the machine outward. I could query the
> DNS server, but apps could not do lookups. I figure it has something to do
> with ports above 1024, but I'm not sure how to define a rule with multiple
> ports in a range, plus I don't know how high to go above 1024. Is this the
> right action? Ideas on syntax?

First of all, if you do:

20 allow ip from any to any via lo0
30 allow log ip from any to any

and you compile the verbose option in, then you could look in /etc/services
for packets that were accepted by rule 30.

I'm assuming you only have one NIC and that it is called xl0.

# Just to make sure you have a connection when something goes wrong.
10 allow ip from YOUR_IP to SERVER_IP

# Connection from server to itself
20 allow ip from any to any via lo0

# Allow DNS (server side: queries in to port 53, answers out from it)
30 allow tcp from any to me 53 in
31 allow tcp from me 53 to any out

# Allow FTP (control channel, plus the active-mode data connections the
# server itself opens from port ftp-data)
40 allow tcp from any to me ftp in
41 allow tcp from me ftp to any out
42 allow tcp from me ftp-data to any out
43 allow tcp from any to me ftp-data in

# Allow HTTP
50 allow tcp from any to me http in
51 allow tcp from me http to any out

# Allow SSH
60 allow tcp from any to me ssh in
61 allow tcp from me ssh to any out

# Allow SMTP
70 allow tcp from any to me smtp in
71 allow tcp from me smtp to any out

# Allow IMAP
80 allow tcp from any to me imap in
81 allow tcp from me imap to any out

# Stateful firewall check
90 check-state

# Allow traffic out (and back in)
91 allow tcp from me to any keep-state setup
92 allow udp from me to any keep-state
93 allow ip from me to any keep-state

# Deny everything else
100 deny log ip from any to any
# Again, logging helps you debug if something doesn't work.

--
Alex
Articles based on solutions that I use: http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
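Both replies above solve the poster's actual problem in different ways. Chuck's file is stateless: it lets the host's own lookups out from HIPORTS (1024-65535) to port 53 and lets anything with source port 53 back in to those high ports. Alex's set is stateful: "allow udp from me to any keep-state" records each outgoing datagram and "check-state" admits the reply. The stateful form is the one to prefer, because a stateless "from any 53 to me 1024-65535" rule is matched by any datagram whose sender simply chose source port 53, so it opens every unprivileged UDP port on the host to a scanner that sets its source port. The script below is an added example written for this thread, not code from either poster nor FreeBSD's own /etc/rc.firewall; it follows the rc.firewall style of a shell script feeding "ipfw add", using only ipfw1 syntax available on 4.x (check-state, keep-state, setup, me, icmptypes, port lists and ranges). The interface name xl0, the passive-FTP data range, the rule numbers, and the FWCMD/OIF/APPLY variables are assumptions, not values from the posts.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful ipfw rule set for a
# FreeBSD 4.x host serving web, ftp, ssh, dns, smtp and imap, in the style
# of /etc/rc.firewall.  Assumptions (not taken from the posts): a single
# external NIC, xl0 unless OIF is set; the passive-FTP data range
# 49152-65535 matches what ftpd is configured to use; IPFIREWALL_VERBOSE is
# compiled in, so "log" rules end up in /var/log/security.
#
#   sh ipfw-server.sh          # print the rules that would be loaded
#   APPLY=1 sh ipfw-server.sh  # as root: flush the current set and load these

fwcmd="${FWCMD:-/sbin/ipfw}"
oif="${OIF:-xl0}"

# Print the rule set, one "ipfw add" argument list per line.  The trailing
# "# ..." comments and blank lines are stripped so ipfw never sees them.
rules() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' <<EOF
100 allow ip from any to any via lo0           # never filter loopback ...
200 deny log ip from any to 127.0.0.0/8        # ... but refuse 127/8 on real interfaces
300 deny log ip from 127.0.0.0/8 to any
400 deny log ip from me to any in via ${oif}   # packets claiming to be from us

# Packets that belong to a connection already accepted by a keep-state rule.
1000 check-state

# Services this host offers.  "setup" matches only the SYN, so one dynamic
# rule is created per accepted TCP connection; the rest of that connection,
# in both directions, is admitted by check-state.
1100 allow tcp from any to me 22 setup keep-state           # ssh
1110 allow tcp from any to me 25 setup keep-state           # smtp
1120 allow tcp from any to me 80 setup keep-state           # http
1130 allow tcp from any to me 143 setup keep-state          # imap
1140 allow tcp from any to me 21 setup keep-state           # ftp control
1150 allow tcp from any to me 49152-65535 setup keep-state  # passive ftp data (assumed range)
1160 allow tcp from me 20 to any setup keep-state           # active ftp data, opened by the server
1170 allow tcp from any to me 53 setup keep-state           # dns over tcp (zone transfers, truncated answers)

# The DNS server's own UDP port is deliberately stateless: one dynamic rule
# per query would exhaust net.inet.ip.fw.dyn_max on a busy name server.
1200 allow udp from any to me 53
1210 allow udp from me 53 to any

# The poster's problem: lookups the host itself makes leave from an
# ephemeral port above 1024 towards port 53.  keep-state records each
# query, so the answer (port 53 back to that ephemeral port) is admitted by
# check-state without opening 1024-65535 to anyone who sets source port 53.
1300 allow udp from me to any 53 keep-state    # resolver queries
1310 allow udp from me to any 123 keep-state   # ntp

# Outbound TCP this server legitimately initiates; tighten to taste.
1400 allow tcp from me to any 25 setup keep-state         # mail delivery
1410 allow tcp from me to any 21,80,443 setup keep-state  # fetching ports and updates

# ICMP a working host needs: echo reply, unreachable (includes path MTU
# discovery), echo request, time exceeded.
1500 allow icmp from any to any icmptypes 0,3,8,11

# Everything else is refused and logged.  Rule 65535 would deny anyway, but
# an explicit rule shows its own number in the log line.
60000 deny log ip from any to any
EOF
}

# Replace whatever is loaded in the kernel with the set above.
load_rules() {
    [ -x "$fwcmd" ] || { echo "no $fwcmd on this host" >&2; return 1; }
    "$fwcmd" -q -f flush
    rules | while read -r line; do
        # Word splitting of $line is intended: every word is one ipfw argument.
        "$fwcmd" -q add $line
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    load_rules
else
    rules
fi
```

To make the set persistent in the rc.conf style the thread uses, write it out once with the "add" keyword that rc.firewall expects in a rule file ("rules | sed 's/^/add /' > /etc/ipfw.rules") and set firewall_enable="YES" and firewall_type="/etc/ipfw.rules". Dynamic UDP entries expire after net.inet.ip.fw.dyn_udp_lifetime seconds, which is short by default, so a resolver that retries slowly may need that sysctl raised rather than a wider static rule.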
Re: Firewall rules for servers, UDP
On Tue, Aug 19, 2003 at 09:29:13PM +0200, Alex de Kruijff wrote:
> On Tue, Aug 19, 2003 at 02:31:55PM -0400, Lucas Holt wrote:
> > [...]
> > My problem lies in UDP rules. I think I have TCP figured out. My first
> > attempt blocked off DNS queries from the machine outward. I could query
> > the DNS server, but apps could not do lookups. I figure it has something
> > to do with ports above 1024, but I'm not sure how to define a rule with
> > multiple ports in a range, plus I don't know how high to go above 1024.
> > Is this the right action? Ideas on syntax?

These rules apply for both TCP and UDP:
Servers mostly use ports below 1024 (fixed).
Clients normally use ports above 1024 (totally random).

> First of all, if you do:
>
> 20 allow ip from any to any via lo0
> 30 allow log ip from any to any
>
> and you compile the verbose option in, then you could look in /etc/services
> for packets that were accepted by rule 30.
>
> I'm assuming you only have one NIC and that it is called xl0.
>
> # Just to make sure you have a connection when something goes wrong.
> [ ...the same rule set as in the message quoted above... ]

--
Alex
Articles based on solutions that I use: http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/