Re: IPFW config

2005-03-06 Thread Jeff Penn
SigmaX [EMAIL PROTECTED]:
 I have a FreeBSD 5.3 server that I access over SSH.  I followed the
 handbook guide to loading the ipfw kernel module to set up a firewall.  I
 made the mistake the other day of loading the firewall, which defaults
 to block all, and rebooting, so I couldn't get into the system again
 (Had to drive in and fix it :-P).  Anyway, what I need to know is how to

/usr/share/examples/ipfw/change_rules.sh:
# Change ipfw(8) rules with safety guarantees for remote operation
#
# Invoke this script to edit ${firewall_script}. It will call ${EDITOR},
# or vi(1) if the environment variable is not set, for you to edit
# ${firewall_script}, ask for confirmation, and then run
# ${firewall_script}. You can then examine the output of ipfw list and
# confirm whether you want the new version or not.
#
# If no answer is received in 30 seconds, the previous
# ${firewall_script} is run, restoring the old rules (this assumes ipfw
# flush is present in it).

Jeff

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IPFW config

2005-02-22 Thread Petre Bandac
http://www.kgb.ro/Ipfw-HOWTO


On Mon, 21 Feb 2005 20:14:35 -0600 Anno Domini, the honourable SigmaX
wrote using one of his keyboards:


 Paul Schmehl wrote:
 
  - Original Message - From: SigmaX
[EMAIL PROTECTED]
  To: freebsd-questions@freebsd.org
  Sent: Monday, February 21, 2005 12:01 PM
  Subject: IPFW config
 
 
  Set IPFW to allow traffic on ports 80, 1, and 23 (That's the 
  default SSH port, right?)
  Then start IPFW with the kernel module (I know how to do this)
 
  fwcmd=/sbin/ipfw
  myip=x.x.x.x
  mymask=255.255.255.0
 
  setup_loopback
 
  # Allow icmp
  ${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via xl0
 
  # Setup dynamic rules
  ${fwcmd} add check-state
  ${fwcmd} add deny tcp from any to any via xl0 established
 
  # Allow DNS queries out to the world
  ${fwcmd} add allow udp from ${myip} to any via xl0 keep-state
  ${fwcmd} add deny udp from any to any
  # Allow all outbound traffic
  ${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state
 
  # Allow inbound http, ssh and port 1
  ${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state
  ${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state
  ${fwcmd} add allow tcp from any to ${myip} 1 via xl0 setup keep-state
 
  # Allow IP fragments to pass through
  ${fwcmd} add pass all from any to any frag via xl0
 
  # Deny everything else
  ${fwcmd} add deny ip from any to any via xl0
 
  Paul Schmehl ([EMAIL PROTECTED])
  Adjunct Information Security Officer
  University of Texas at Dallas
  AVIEN Founding Member
  http://www.utdallas.edu/
 
 Well... *ahem*...  I put the above script into /etc/ipfw.rules and did
 kldload ipfw.ko && sh /etc/ipfw.rules.  I lost connectivity to the
 server.  Did the above script only open those ports to localhost or
 something?  I can go in tonight and fix it from the local computer, but
 I'd like to know what to do when I get there.  I need to have
 connectivity to said ports from the internet... apparently I don't :-P.
 Cheerio,
 SigmaX
 
 -- 
 Registered Linux Freak #: 366,862
 
 If you think of MS-DOS as mono, and Windows as stereo, then Linux is
 Dolby Pro-Logic Surround Sound with Bass Boost and all the music is free.
 


-- 
Login: petre                            Name: Petre Bandac
Directory: /home/petre  Shell: /usr/local/bin/zsh
On since Mon Feb 21 09:52 (EET) on ttyv0, idle 1 day 4:04 (messages off)
On since Mon Feb 21 10:50 (EET) on ttyv2, idle 1 day 4:03 (messages off)
Last login Tue Feb 22 00:14 (EET) on ttyp5 from 82-77-40-105.br
New mail received Mon May 24 19:09 2004 (EEST)
 Unread since Tue Feb 17 12:31 2004 (EET)
No Plan.


IPFW config

2005-02-20 Thread SigmaX
Heya;
I have a FreeBSD 5.3 server that I access over SSH.  I followed the
handbook guide to loading the ipfw kernel module to set up a firewall.  I
made the mistake the other day of loading the firewall, which defaults
to block all, and rebooting, so I couldn't get into the system again
(Had to drive in and fix it :-P).  Anyway, what I need to know is how to
edit the ruleset manually BEFORE enabling the firewall.  I need to set
the rules, then load the kernel module, not vice versa.  I've never
dealt with ipfw without webmin, so I need some explicit answers :-).
What I need to do is this:

Set IPFW to allow traffic on ports 80, 1, and 23 (That's the default 
SSH port, right?)
Then start IPFW with the kernel module (I know how to do this)

   Thanx,
SigmaX
--
Registered Linux Freak #: 366,862
If you think of MS-DOS as mono, and Windows as stereo, then Linux is Dolby 
Pro-Logic Surround Sound with Bass Boost and all the music is free.


Re: IPFW config

2005-02-20 Thread Chris Hodgins
SigmaX wrote:
Heya;
I have a FreeBSD 5.3 server that I access over SSH.  I followed the
handbook guide to loading the ipfw kernel module to set up a firewall.  I
made the mistake the other day of loading the firewall, which defaults
to block all, and rebooting, so I couldn't get into the system again
(Had to drive in and fix it :-P).  Anyway, what I need to know is how to
edit the ruleset manually BEFORE enabling the firewall.  I need to set
the rules, then load the kernel module, not vice versa.  I've never
dealt with ipfw without webmin, so I need some explicit answers :-).
What I need to do is this:

Set IPFW to allow traffic on ports 80, 1, and 23 (That's the default 
SSH port, right?)
Then start IPFW with the kernel module (I know how to do this)

   Thanx,
SigmaX
You can put your rules in /etc/rc.firewall.  This is executed at startup.
See rc(8) and rc.conf(5).
Chris


Re: IPFW config

2005-02-20 Thread Simon Barner
 Set IPFW to allow traffic on ports 80, 1, and 23 (That's the default 
 SSH port, right?)

Nope, it's 22.

 Then start IPFW with the kernel module (I know how to do this)

Have you already read
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html?

It describes how to enable ipfw in rc.conf, and how to specify a
firewall script that loads the rules during the boot process.

Suppose, your fw script is /etc/ipfw.rules. Then the following should
(no warranty, of course ;-) load your rules without a reboot:

# kldload ipfw.ko && sh /etc/ipfw.rules

Simon




Re: IPFW config

2005-02-20 Thread Christian Hiris
On Monday 21 February 2005 19:01:19, SigmaX wrote:
[...]
 Set IPFW to allow traffic on ports 80, 1, and 23 (That's the default
 SSH port, right?)

The default ssh port is 22, port 23 is assigned to telnet. You can find the 
list of default port assignments in /etc/services.

Cheers,
ch

-- 
Christian Hiris [EMAIL PROTECTED] | OpenPGP KeyID 0x3BCA53BE 
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu




Re: IPFW config

2005-02-20 Thread Paul Schmehl
- Original Message - 
From: SigmaX [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Sent: Monday, February 21, 2005 12:01 PM
Subject: IPFW config
Set IPFW to allow traffic on ports 80, 1, and 23 (That's the default 
SSH port, right?)
Then start IPFW with the kernel module (I know how to do this)

#!/bin/sh
fwcmd=/sbin/ipfw
myip=x.x.x.x
mymask=255.255.255.0

# Start from an empty table so the script can be re-run safely
${fwcmd} -f flush

# setup_loopback is a function defined in /etc/rc.firewall; a standalone
# script has to define it itself (same three rules as rc.firewall)
setup_loopback () {
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}
setup_loopback

# Allow icmp (sh variables are case sensitive: ${FWCMD} is not ${fwcmd})
${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via xl0

# Setup dynamic rules.  A TCP session that was opened before these rules
# were loaded has no dynamic state, so its packets are dropped by the
# "established" rule below; a new session has to be opened afterwards.
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any via xl0 established

# Allow DNS queries out to the world (${ip} was never set; use ${myip})
${fwcmd} add allow udp from ${myip} to any via xl0 keep-state
${fwcmd} add deny udp from any to any

# Allow all outbound traffic
${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state

# Allow inbound http, ssh and port 1
${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state
${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state
${fwcmd} add allow tcp from any to ${myip} 1 via xl0 setup keep-state

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag via xl0

# Deny everything else
${fwcmd} add deny ip from any to any via xl0
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
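Added example, not from this thread and not the FreeBSD change_rules.sh script that Jeff points to: a small POSIX sh helper in the spirit of change_rules.sh, written for rule files of the shape Paul posted (a sh script that sets fwcmd=/sbin/ipfw and issues ${fwcmd} add ... lines). It first evaluates the rule file against a stub ipfw with the shell's unset-variable check switched on, so a variable referenced in the wrong case or never assigned aborts before anything reaches the kernel; it then checks that the file contains an allow rule for the SSH port (22, not 23); finally it snapshots the live ruleset with ipfw list, applies the new file and restores the snapshot unless the operator confirms within a timeout. The names dry_run, mgmt_rule_present, snapshot_rules, safe_reload, FW_CMD and TIMEOUT are my own, as is the assumed rule-file layout.

```shell
#!/bin/sh
# Safe ipfw reload helper (added example; not the FreeBSD change_rules.sh).
# Assumed rule-file shape, taken from this thread: a sh script that sets
# fwcmd=/sbin/ipfw and issues ${fwcmd} add ... lines.
# FW_CMD and TIMEOUT are assumed names and may be overridden by the caller.

FW_CMD=${FW_CMD:-/sbin/ipfw}
TIMEOUT=${TIMEOUT:-30}

# dry_run FILE: evaluate the rule script in a subshell where ${fwcmd} points
# at a stub that only prints its arguments, with unset variables treated as
# fatal (set -u). A mistyped ${FWCMD} or a never-assigned ${ip} aborts here,
# before anything reaches the kernel. Output: the rules that would be added.
dry_run() {
    (
        set -u
        fw_stub() { printf 'ipfw %s\n' "$*"; }   # stands in for /sbin/ipfw
        eval "$(sed 's|^fwcmd=.*|fwcmd=fw_stub|' "$1")"
    )
}

# mgmt_rule_present FILE PORTS: succeed if FILE has an allow/pass rule for tcp
# to one of PORTS, given as an ERE alternation such as '22|ssh'. A cheap guard
# against locking yourself out; it does not check where the rule sits relative
# to the final deny.
mgmt_rule_present() {
    grep -Eq "add (allow|pass|accept) tcp from .* to .* ($2)( |\$)" "$1"
}

# snapshot_rules FILE: write a rule script that re-creates the live static
# ruleset. The default rule 65535 cannot be re-added, so it is dropped.
snapshot_rules() {
    {
        printf 'fwcmd=%s\n' "$FW_CMD"
        printf '%s\n' '${fwcmd} -f flush'
        "$FW_CMD" list | grep -v '^65535 ' | sed 's/^/${fwcmd} add /'
    } > "$1"
}

# safe_reload FILE: snapshot, apply FILE, then restore the snapshot unless the
# operator answers "y" within TIMEOUT seconds. If the new rules cut the
# session off, no "y" ever arrives and the watchdog restores the old rules.
safe_reload() {
    new=$1
    backup=$(mktemp /tmp/ipfw.XXXXXX) || return 1
    snapshot_rules "$backup"
    sh "$new"
    # The watchdog ignores SIGHUP so that it outlives a dropped login session.
    ( trap '' HUP; sleep "$TIMEOUT"; sh "$backup" ) &
    watchdog=$!
    printf 'Keep the new rules? Answer y within %s seconds [y/N] ' "$TIMEOUT"
    read -r answer
    if kill "$watchdog" 2>/dev/null; then         # watchdog had not fired yet
        case $answer in
            y|Y) rm -f "$backup"; return 0 ;;
            *)   sh "$backup"; rm -f "$backup"; return 1 ;;
        esac
    fi
    echo "no confirmation in time: previous rules restored" >&2
    rm -f "$backup"
    return 1
}
```

Typical use from a root shell: source the file, then run dry_run /etc/ipfw.rules, mgmt_rule_present /etc/ipfw.rules '22|ssh' and finally safe_reload /etc/ipfw.rules. If the session survives the new rules, answer y; if it does not, the old rules come back after TIMEOUT seconds and you can log in again. The snapshot is written as an ordinary rule script, so the same helper can roll back by hand with sh /tmp/ipfw.XXXXXX if the watchdog was ever killed.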


Re: IPFW config

2005-02-20 Thread SigmaX
Paul Schmehl wrote:
- Original Message - From: SigmaX [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Sent: Monday, February 21, 2005 12:01 PM
Subject: IPFW config
Set IPFW to allow traffic on ports 80, 1, and 23 (That's the 
default SSH port, right?)
Then start IPFW with the kernel module (I know how to do this)

fwcmd=/sbin/ipfw
myip=x.x.x.x
mymask=255.255.255.0
setup_loopback
# Allow icmp
${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via xl0

# Setup dynamic rules
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any via xl0 established
# Allow DNS queries out to the world
${fwcmd} add allow udp from ${myip} to any via xl0 keep-state
${fwcmd} add deny udp from any to any
# Allow all outbound traffic
${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state

# Allow inbound http, ssh and port 1
${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state
${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state
${fwcmd} add allow tcp from any to ${myip} 1 via xl0 setup keep-state
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag via xl0
# Deny everything else
${fwcmd} add deny ip from any to any via xl0
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
Well... *ahem*...  I put the above script into /etc/ipfw.rules and did
kldload ipfw.ko && sh /etc/ipfw.rules.  I lost connectivity to the
server.  Did the above script only open those ports to localhost or
something?  I can go in tonight and fix it from the local computer, but
I'd like to know what to do when I get there.  I need to have
connectivity to said ports from the internet... apparently I don't :-P.
   Cheerio,
   SigmaX

--
Registered Linux Freak #: 366,862
If you think of MS-DOS as mono, and Windows as stereo, then Linux is Dolby 
Pro-Logic Surround Sound with Bass Boost and all the music is free.