-
Chris Hodgins #1
Re: IPFW config
SigmaX wrote:
> Heya;
> I have a FreeBSD 5.3 server that I access over SSH. I followed the
> handbook guide to loading the ipfw kernel module to setup a firewall. I
> made the mistake the other day of loading the firewall, which defaults
> to block all, and rebooting, so I couldn't get into the system again
> (Had to drive in and fix it :-P). Anyway, what I need to know is how to
> edit the ruleset manually BEFORE enabling the firewall. I need to set
> the rules, then load the kernel module, not vice versa. I've never
> dealt with ipfw without webmin, so I need some explicit answers :-).
> What I need to do is this:
>
> Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the default
> SSH port, right?)
> Then start IPFW with the kernel module (I know how to do this)
>
> Thanx,
> SigmaX
>
You can put your rules in /etc/rc.firewall. This is executed at startup.
See rc(8) and rc.conf(5).
Chris
-
Simon Barner #2
Re: IPFW config
> Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the default
> SSH port, right?)
Nope, it's 22.
> Then start IPFW with the kernel module (I know how to do this)
Have you already read
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html ?
It describes how to enable ipfw in rc.conf, and how to specify a
firewall script that loads the rules during the boot process.
Suppose your fw script is /etc/ipfw.rules. Then the following should
(no warranty, of course ;-) load your rules without a reboot:
# kldload ipfw.ko && sh /etc/ipfw.rules
Simon
-
Christian Hiris #3
Re: IPFW config
On Monday 21 February 2005 19:01:19, SigmaX wrote:
[...]
> Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the default
> SSH port, right?)
The default ssh port is 22, port 23 is assigned to telnet. You can find the
list of default port assignments in /etc/services.
Cheers,
ch
--
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
-
Paul Schmehl #4
Re: IPFW config
----- Original Message -----
From: "SigmaX" <scottclansman@cwazy.co.uk>
To: <freebsd-questions@freebsd.org>
Sent: Monday, February 21, 2005 12:01 PM
Subject: IPFW config
>
> Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the default
> SSH port, right?)
> Then start IPFW with the kernel module (I know how to do this)
>
fwcmd=/sbin/ipfw
myip=x.x.x.x
mymask=255.255.255.0
# setup_loopback is a shell function defined in /etc/rc.firewall; it is
# undefined when this file is run by itself with sh
setup_loopback
# Allow icmp
${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via xl0
# Setup dynamic rules
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any via xl0 established
# Allow DNS queries out to the world
${fwcmd} add allow udp from ${myip} to any via xl0 keep-state
${fwcmd} add deny udp from any to any
# Allow all outbound traffic
${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state
# Allow inbound http, ssh and port 10000
${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state
${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state
${fwcmd} add allow tcp from any to ${myip} 10000 via xl0 setup keep-state
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag via xl0
# Deny everything else
${fwcmd} add deny ip from any to any via xl0
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
-
Paul Schmehl #5
Re: IPFW config
----- Original Message -----
From: "SigmaX" <scottclansman@cwazy.co.uk>
To: <freebsd-questions@freebsd.org>
Cc: "Paul Schmehl" <pauls@utdallas.edu>
Sent: Monday, February 21, 2005 8:14 PM
Subject: Re: IPFW config
>
> Well... *ahem*... I put the above script into /etc/ipfw.rules and did
> "kldload ipfw.ko && sh /etc/ipfw.rules". I lost connectivity to the
> server.
Geez, I thought you learned from the first time....
> Did the above script only open those ports to localhost or
> something?
It was meant to be an example for you to work from. It's taken from a
working example that I use on several servers, altered to meet the
requirements you gave in your post.
First of all, you should *never* work on a firewall config remotely.
Secondly, the expectation is that you will take information given here and
use it with a grain of salt.
Try this. Sitting at the console in front of the computer, enable the
firewall:
% ipfw enable firewall
This will block all access to the computer.
Now type this at the command line:
% ipfw add allow tcp from any to (type in the computer's IP address here) ssh
Now ssh to some other computer that you have access to and back to this
computer and see if you don't get in. (Note that the assumption is that you
have not yet configured /etc/hosts.allow to deny access from the computer
you're ssh'ing back to this computer from.)
Look at the /etc/rc.firewall script. Read man ipfw carefully. Don't forget
that you must enable the firewall in the /etc/rc.conf file, but you must
*also* define what *type* of firewall it is.
Here's an example:
firewall_enable="YES"
firewall_logging_enable="YES"
firewall_quiet="NO"
firewall_script="/etc/rc.firewall"
firewall_type="CLIENT"
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
-
SigmaX #6
IPFW config
Heya;
I have a FreeBSD 5.3 server that I access over SSH. I followed the
handbook guide to loading the ipfw kernel module to setup a firewall. I
made the mistake the other day of loading the firewall, which defaults
to block all, and rebooting, so I couldn't get into the system again
(Had to drive in and fix it :-P). Anyway, what I need to know is how to
edit the ruleset manually BEFORE enabling the firewall. I need to set
the rules, then load the kernel module, not vice versa. I've never
dealt with ipfw without webmin, so I need some explicit answers :-).
What I need to do is this:
Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the default
SSH port, right?)
Then start IPFW with the kernel module (I know how to do this)
Thanx,
SigmaX
--
Registered Linux Freak #: 366,862
"If you think of MS-DOS as mono, and Windows as stereo, then Linux is Dolby Pro-Logic Surround Sound with Bass Boost and all the music is free."
-
SigmaX #7
Re: IPFW config
Paul Schmehl wrote:
> ----- Original Message ----- From: "SigmaX" <scottclansman@cwazy.co.uk>
> To: <freebsd-questions@freebsd.org>
> Sent: Monday, February 21, 2005 12:01 PM
> Subject: IPFW config
>>
>> Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the
>> default SSH port, right?)
>> Then start IPFW with the kernel module (I know how to do this)
>>
> fwcmd=/sbin/ipfw
> myip=x.x.x.x
> mymask=255.255.255.0
>
> setup_loopback
>
> # Allow icmp
> ${FWCMD} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via
> xl0
>
> # Setup dynamic rules
> ${fwcmd} add check-state
> ${fwcmd} add deny tcp from any to any via xl0 established
>
> # Allow DNS queries out to the world
> ${fwcmd} add allow udp from ${ip} to any via xl0 keep-state
> ${fwcmd} add deny udp from any to any
> # Allow all outbound traffic
> ${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state
>
> # Allow inbound http, ssh and port 10000
> ${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state
> ${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state
> ${fwcmd} add allow tcp from any to ${myip} 10000 via xl0 setup keep-state
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag via xl0
>
> # Deny everything else
> ${fwcmd} add deny ip from any to any via xl0
>
> Paul Schmehl (pauls@utdallas.edu)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/
>
Well... *ahem*... I put the above script into /etc/ipfw.rules and did
"kldload ipfw.ko && sh /etc/ipfw.rules". I lost connectivity to the
server. Did the above script only open those ports to localhost or
something? I can go in tonight and fix it from the local computer, but
I'd like to know what to do when I get there. I need to have
connectivity to said ports from the internet... apparently I don't :-P.
Cheerio,
SigmaX
--
Registered Linux Freak #: 366,862
"If you think of MS-DOS as mono, and Windows as stereo, then Linux is Dolby Pro-Logic Surround Sound with Bass Boost and all the music is free."
-
Petre Bandac #8
Re: IPFW config
http://www.kgb.ro/Ipfw-HOWTO
On Mon, 21 Feb 2005 20:14:35 -0600 Anno Domini, the honourable SigmaX
<scottclansman@cwazy.co.uk> wrote using one of his keyboards:
> Paul Schmehl wrote:
> [...]
> Well... *ahem*... I put the above script into /etc/ipfw.rules and did
> "kldload ipfw.ko && sh /etc/ipfw.rules". I lost connectivity to the
> server. Did the above script only open those ports to localhost or
> something? I can go in tonight and fix it from the local computer, but
> I'd like to know what to do when I get there. I need to have
> connectivity to said ports from the internet... apparently I don't :-P.
> Cheerio,
> SigmaX