Paul Schmehl wrote:
Well... *ahem*... I put the above script into /etc/ipfw.rules and did "kldload ipfw.ko && sh /etc/ipfw.rules". I lost connectivity to the server. Did the above script only open those ports to localhost or something? I can go in tonight and fix it from the local computer, but I'd like to know what to do when I get there. I need to have connectivity to said ports from the internet... apparently I don't :-P.----- Original Message ----- From: "SigmaX" <[EMAIL PROTECTED]> To: <freebsd-questions@freebsd.org> Sent: Monday, February 21, 2005 12:01 PM Subject: IPFW config
Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the default SSH port, right?)
Then start IPFW with the kernel module (I know how to do this)
fwcmd=/sbin/ipfw myip=x.x.x.x mymask=255.255.255.0
setup_loopback
# Allow icmp
${FWCMD} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via xl0
# Setup dynamic rules ${fwcmd} add check-state ${fwcmd} add deny tcp from any to any via xl0 established
# Allow DNS queries out to the world
${fwcmd} add allow udp from ${ip} to any via xl0 keep-state
${fwcmd} add deny udp from any to any # Allow all outbound traffic
${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state
# Allow inbound http, ssh and port 10000 ${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state ${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state ${fwcmd} add allow tcp from any to ${myip} 10000 via xl0 setup keep-state
# Allow IP fragments to pass through ${fwcmd} add pass all from any to any frag via xl0
# Deny everything else ${fwcmd} add deny ip from any to any via xl0
Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/
Cheerio,
SigmaX
-- Registered Linux Freak #: 366,862
"If you think of MS-DOS as mono, and Windows as stereo, then Linux is Dolby Pro-Logic Surround Sound with Bass Boost and all the music is free."
_______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
