  1. #1

    Re: IPFW config

    SigmaX wrote:
    > Heya;
    > I have a FreeBSD 5.3 server that I access over SSH. I followed the
    > handbook guide to loading the ipfw kernel module to setup a firewall. I
    > made the mistake the other day of loading the firewall, which defaults
    > to block all, and rebooting, so I couldn't get into the system again
    > (Had to drive in and fix it :-P). Anyway, what I need to know is how to
    > edit the ruleset manually BEFORE enabling the firewall. I need to set
    > the rules, then load the kernel module, not vice versa. I've never
    > dealt with ipfw without webmin, so I need some explicit answers :-).
    > What I need to do is this:
    >
    > Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the default
    > SSH port, right?)
    > Then start IPFW with the kernel module (I know how to do this)
    >
    > Thanx,
    > SigmaX
    >
    You can put your rules in /etc/rc.firewall. This is executed at startup.

    See rc(8) and rc.conf(5).

    Chris
    Chris Hodgins

  2. #2

    Re: IPFW config

    > Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the default
    > SSH port, right?)
    Nope, it's 22.
    > Then start IPFW with the kernel module (I know how to do this)
    Have you already read
    [url]http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html[/url]?

    It describes how to enable ipfw in rc.conf, and how to specify a
    firewall script that loads the rules during the boot process.

    Suppose, your fw script is /etc/ipfw.rules. Then the following should
    (no warranty, of course ;-) load your rules without a reboot:

    # kldload ipfw.ko && sh /etc/ipfw.rules

    Simon

    Simon Barner

  3. #3

    Re: IPFW config

    On Monday 21 February 2005 19:01:19, SigmaX wrote:
    [...]
    > Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the default
    > SSH port, right?)
    The default ssh port is 22; port 23 is assigned to telnet. You can find the
    list of default port assignments in /etc/services.

    Cheers,
    ch

    --
    Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
    OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and [url]http://pgp.mit.edu[/url]

    Christian Hiris

  4. #4

    Re: IPFW config

    ----- Original Message -----
    From: "SigmaX" <scottclansman@cwazy.co.uk>
    To: <freebsd-questions@freebsd.org>
    Sent: Monday, February 21, 2005 12:01 PM
    Subject: IPFW config
    >
    > Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the default
    > SSH port, right?)
    > Then start IPFW with the kernel module (I know how to do this)
    >
    fwcmd=/sbin/ipfw
    myip=x.x.x.x
    mymask=255.255.255.0

    # Start from an empty ruleset so the script can be re-run
    ${fwcmd} -q flush

    # Loopback rules (what setup_loopback in /etc/rc.firewall installs; that
    # function is not defined in a standalone script): pass lo0, drop 127/8
    # seen on any other interface
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8
    ${fwcmd} add deny ip from 127.0.0.0/8 to any

    # Allow icmp
    ${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via xl0

    # Setup dynamic rules: consult the keep-state table first, then drop
    # established TCP segments that belong to no tracked session. A session
    # that was already open when these rules load (such as the SSH login you
    # run this script from) has no state entry and is cut off by this rule.
    ${fwcmd} add check-state
    ${fwcmd} add deny tcp from any to any via xl0 established

    # Allow DNS queries out to the world
    ${fwcmd} add allow udp from ${myip} to any via xl0 keep-state
    ${fwcmd} add deny udp from any to any

    # Allow all outbound traffic
    ${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state

    # Allow inbound http, ssh and port 10000
    ${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state
    ${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state
    ${fwcmd} add allow tcp from any to ${myip} 10000 via xl0 setup keep-state

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag via xl0

    # Deny everything else
    ${fwcmd} add deny ip from any to any via xl0

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    University of Texas at Dallas
    AVIEN Founding Member
    [url]http://www.utdallas.edu/[/url]
    Paul Schmehl

  5. #5

    Re: IPFW config

    ----- Original Message -----
    From: "SigmaX" <scottclansman@cwazy.co.uk>
    To: <freebsd-questions@freebsd.org>
    Cc: "Paul Schmehl" <pauls@utdallas.edu>
    Sent: Monday, February 21, 2005 8:14 PM
    Subject: Re: IPFW config
    >
    > Well... *ahem*... I put the above script into /etc/ipfw.rules and did
    > "kldload ipfw.ko && sh /etc/ipfw.rules". I lost connectivity to the
    > server.
    Geez, I thought you learned from the first time....
    >
    >Did the above script only open those ports to localhost or
    > something?
    It was meant to be an example for you to work from. It's taken from a
    working example that I use on several servers, altered to meet the
    requirements you gave in your post.

    First of all, you should *never* work on a firewall config remotely.
    Secondly, the expectation is that you will take information given here and
    use it with a grain of salt.

    Try this. Sitting at the console in front of the computer, enable the
    firewall:
    % ipfw enable firewall
    This will block all access to the computer.
    Now type this at the command line:
    % ipfw add allow tcp from any to (type in the computer's IP address here) ssh
    Now ssh to some other computer that you have access to and back to this
    computer and see if you don't get in. (Note that the assumption is that you
    have not yet configured /etc/hosts.allow to deny access from the computer
    you're ssh'ing back to this computer from.)

    Look at the /etc/rc.firewall script. Read man ipfw carefully. Don't forget
    that you must enable the firewall in the /etc/rc.conf file, but you must
    *also* define what *type* of firewall it is.

    Here's an example:
    firewall_enable="YES"
    firewall_logging_enable="YES"
    firewall_quiet="NO"
    firewall_script="/etc/rc.firewall"
    firewall_type="CLIENT"

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    University of Texas at Dallas
    AVIEN Founding Member
    [url]http://www.utdallas.edu/[/url]

    Paul Schmehl

  6. #6

    IPFW config

    Heya;
    I have a FreeBSD 5.3 server that I access over SSH. I followed the
    handbook guide to loading the ipfw kernel module to setup a firewall. I
    made the mistake the other day of loading the firewall, which defaults
    to block all, and rebooting, so I couldn't get into the system again
    (Had to drive in and fix it :-P). Anyway, what I need to know is how to
    edit the ruleset manually BEFORE enabling the firewall. I need to set
    the rules, then load the kernel module, not vice versa. I've never
    dealt with ipfw without webmin, so I need some explicit answers :-).
    What I need to do is this:

    Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the default
    SSH port, right?)
    Then start IPFW with the kernel module (I know how to do this)

    Thanx,
    SigmaX

    --
    Registered Linux Freak #: 366,862

    "If you think of MS-DOS as mono, and Windows as stereo, then Linux is Dolby Pro-Logic Surround Sound with Bass Boost and all the music is free."

    SigmaX

  7. #7

    Re: IPFW config

    Paul Schmehl wrote:
    > ----- Original Message ----- From: "SigmaX" <scottclansman@cwazy.co.uk>
    > To: <freebsd-questions@freebsd.org>
    > Sent: Monday, February 21, 2005 12:01 PM
    > Subject: IPFW config
    >
    >>
    >> Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the
    >> default SSH port, right?)
    >> Then start IPFW with the kernel module (I know how to do this)
    >>
    > fwcmd=/sbin/ipfw
    > myip=x.x.x.x
    > mymask=255.255.255.0
    >
    > setup_loopback
    >
    > # Allow icmp
    > ${FWCMD} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via
    > xl0
    >
    > # Setup dynamic rules
    > ${fwcmd} add check-state
    > ${fwcmd} add deny tcp from any to any via xl0 established
    >
    > # Allow DNS queries out to the world
    > ${fwcmd} add allow udp from ${ip} to any via xl0 keep-state
    > ${fwcmd} add deny udp from any to any
    > # Allow all outbound traffic
    > ${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state
    >
    > # Allow inbound http, ssh and port 10000
    > ${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state
    > ${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state
    > ${fwcmd} add allow tcp from any to ${myip} 10000 via xl0 setup keep-state
    >
    > # Allow IP fragments to pass through
    > ${fwcmd} add pass all from any to any frag via xl0
    >
    > # Deny everything else
    > ${fwcmd} add deny ip from any to any via xl0
    >
    > Paul Schmehl (pauls@utdallas.edu)
    > Adjunct Information Security Officer
    > University of Texas at Dallas
    > AVIEN Founding Member
    > [url]http://www.utdallas.edu/[/url]
    >
    Well... *ahem*... I put the above script into /etc/ipfw.rules and did
    "kldload ipfw.ko && sh /etc/ipfw.rules". I lost connectivity to the
    server. Did the above script only open those ports to localhost or
    something? I can go in tonight and fix it from the local computer, but
    I'd like to know what to do when I get there. I need to have
    connectivity to said ports from the internet... apparently I don't :-P.
    Cheerio,
    SigmaX

    --
    Registered Linux Freak #: 366,862

    "If you think of MS-DOS as mono, and Windows as stereo, then Linux is Dolby Pro-Logic Surround Sound with Bass Boost and all the music is free."

    SigmaX

  8. #8

    Re: IPFW config

    [url]http://www.kgb.ro/Ipfw-HOWTO[/url]


    On Mon, 21 Feb 2005 20:14:35 -0600 Anno Domini, the honourable SigmaX
    wrote using one of his keyboards:

    > Paul Schmehl wrote:
    >
    > > ----- Original Message ----- From: "SigmaX" <scottclansman@cwazy.co.uk>
    > > To: <freebsd-questions@freebsd.org>
    > > Sent: Monday, February 21, 2005 12:01 PM
    > > Subject: IPFW config
    > >
    > >>
    > >> Set IPFW to allow traffic on ports 80, 10000, and 23 (That's the
    > >> default SSH port, right?)
    > >> Then start IPFW with the kernel module (I know how to do this)
    > >>
    > > fwcmd=/sbin/ipfw
    > > myip=x.x.x.x
    > > mymask=255.255.255.0
    > >
    > > setup_loopback
    > >
    > > # Allow icmp
    > > ${FWCMD} add pass icmp from any to any icmptypes 0,3,8,11,12,13,14 via xl0
    > >
    > > # Setup dynamic rules
    > > ${fwcmd} add check-state
    > > ${fwcmd} add deny tcp from any to any via xl0 established
    > >
    > > # Allow DNS queries out to the world
    > > ${fwcmd} add allow udp from ${ip} to any via xl0 keep-state
    > > ${fwcmd} add deny udp from any to any
    > > # Allow all outbound traffic
    > > ${fwcmd} add allow ip from ${myip} to any via xl0 setup keep-state
    > >
    > > # Allow inbound http, ssh and port 10000
    > > ${fwcmd} add allow tcp from any to ${myip} http via xl0 setup keep-state
    > > ${fwcmd} add allow tcp from any to ${myip} ssh via xl0 setup keep-state
    > > ${fwcmd} add allow tcp from any to ${myip} 10000 via xl0 setup keep-state
    > >
    > > # Allow IP fragments to pass through
    > > ${fwcmd} add pass all from any to any frag via xl0
    > >
    > > # Deny everything else
    > > ${fwcmd} add deny ip from any to any via xl0
    > >
    > > Paul Schmehl (pauls@utdallas.edu)
    > > Adjunct Information Security Officer
    > > University of Texas at Dallas
    > > AVIEN Founding Member
    > > [url]http://www.utdallas.edu/[/url]
    > >
    > Well... *ahem*... I put the above script into /etc/ipfw.rules and did
    > "kldload ipfw.ko && sh /etc/ipfw.rules". I lost connectivity to the
    > server. Did the above script only open those ports to localhost or
    > something? I can go in tonight and fix it from the local computer, but
    > I'd like to know what to do when I get there. I need to have
    > connectivity to said ports from the internet... apparently I don't :-P.
    > Cheerio,
    > SigmaX
    >
    > --
    > Registered Linux Freak #: 366,862
    >
    > "If you think of MS-DOS as mono, and Windows as stereo, then Linux is
    > Dolby Pro-Logic Surround Sound with Bass Boost and all the music is
    > free."
    >
    > _______________________________________________
    > [email]freebsd-questions@freebsd.org[/email] mailing list
    > [url]http://lists.freebsd.org/mailman/listinfo/freebsd-questions[/url]
    > To unsubscribe, send any mail to
    > "freebsd-questions-unsubscribe@freebsd.org"


    --
    Login: petre Name: Petre Bandac
    Directory: /home/petre Shell: /usr/local/bin/zsh
    On since Mon Feb 21 09:52 (EET) on ttyv0, idle 1 day 4:04 (messages off)
    On since Mon Feb 21 10:50 (EET) on ttyv2, idle 1 day 4:03 (messages off)
    Last login Tue Feb 22 00:14 (EET) on ttyp5 from 82-77-40-105.br
    New mail received Mon May 24 19:09 2004 (EEST)
    Unread since Tue Feb 17 12:31 2004 (EET)
    No Plan.
    Petre Bandac

  9. #9

    Re: IPFW config

    SigmaX wrote:

    /usr/share/examples/ipfw/change_rules.sh:
    # Change ipfw(8) rules with safety guarantees for remote operation
    #
    # Invoke this script to edit ${firewall_script}. It will call ${EDITOR},
    # or vi(1) if the environment variable is not set, for you to edit
    # ${firewall_script}, ask for confirmation, and then run
    # ${firewall_script}. You can then examine the output of ipfw list and
    # confirm whether you want the new version or not.
    #
    # If no answer is received in 30 seconds, the previous
    # ${firewall_script} is run, restoring the old rules (this assumes ipfw
    # flush is present in it).

    Jeff

    Jeff
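The safety net that change_rules.sh (Jeff's post) provides and that the bare `kldload ipfw.ko && sh /etc/ipfw.rules` one-liner (Simon's post) lacks, written out as an added example; this is not code from the thread and not FreeBSD's own change_rules.sh. It arms a timed revert to the previous ruleset before loading the new one, and only disarms it when the administrator confirms from a session that still works. The state-file paths under /var/run, the function names and the check_rules heuristics are assumptions of this example; the two rules scripts it runs are ordinary sh scripts of ipfw commands like the one in Paul's post, and, like change_rules.sh, it assumes each starts with an `ipfw -q flush` so that re-running the old one really restores the old rules.

```shell
#!/bin/sh
# ipfw-safe-apply.sh: load a new ipfw ruleset from a remote SSH session with a
# timed rollback. Added example, not FreeBSD's change_rules.sh and not from the
# thread above.
#
#   . ./ipfw-safe-apply.sh
#   safe_apply /etc/ipfw.rules.new /etc/ipfw.rules 60
#   ... open a second SSH session and check that you still get in ...
#   safe_confirm
#
# If the new rules cut you off you never confirm, and the watchdog re-runs the
# old script after TIMEOUT seconds. Assumptions (mine, not the thread's): state
# files live in SAFE_APPLY_DIR, and both rule scripts are sh scripts that begin
# with "ipfw -q flush", so re-running the old one restores the old state.

: "${SAFE_APPLY_DIR:=/var/run}"

# Heuristic pre-flight check, not a parser: refuse a script that does not flush
# before adding rules, or that never mentions ssh / port 22 outside a comment.
# Either mistake is a lock-out waiting to happen.
check_rules() {
    rules=$1
    if [ ! -r "$rules" ]; then
        echo "check_rules: cannot read $rules" >&2; return 1
    fi
    if ! grep -Eq '^[^#]*flush' "$rules"; then
        echo "check_rules: $rules has no flush rule" >&2; return 1
    fi
    if ! grep -Eq '^[^#]*(ssh|[[:space:]]22([[:space:]]|$))' "$rules"; then
        echo "check_rules: $rules has no SSH rule" >&2; return 1
    fi
    return 0
}

# Arm the watchdog first, then load the new rules: if the new ruleset kills this
# very session, the revert is already scheduled.
safe_apply() {
    new=$1; old=$2; timeout=${3:-60}
    token="$SAFE_APPLY_DIR/ipfw-safe-apply.confirmed"
    pidfile="$SAFE_APPLY_DIR/ipfw-safe-apply.pid"
    log="$SAFE_APPLY_DIR/ipfw-safe-apply.log"

    check_rules "$new" || return 1
    check_rules "$old" || return 1
    rm -f "$token"

    (
        trap '' HUP                 # outlive the SSH session if it is torn down
        sleep "$timeout"
        if [ ! -e "$token" ]; then
            sh "$old" >>"$log" 2>&1
            echo "$(date): no confirmation within ${timeout}s, reverted to $old" >>"$log"
        fi
    ) &
    echo $! >"$pidfile"

    sh "$new"
}

# Run from a session that still works: keep the new rules, disarm the watchdog.
safe_confirm() {
    token="$SAFE_APPLY_DIR/ipfw-safe-apply.confirmed"
    pidfile="$SAFE_APPLY_DIR/ipfw-safe-apply.pid"
    : >"$token"
    if [ -r "$pidfile" ]; then
        kill "$(cat "$pidfile")" 2>/dev/null || true
        rm -f "$pidfile"
    fi
    echo "new ruleset confirmed, watchdog disarmed"
}
```

One limit worth knowing: this protects rule changes, not the very first `kldload ipfw.ko` on a remote box. The module's default-deny policy takes effect the instant it loads, before any script runs, and there is no previous ruleset to revert to; that step belongs at the console or in /etc/rc.conf with a reboot, as the handbook describes and as Paul's post says.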
