Re: where am I supposed to put my rc.firewall?

From: Chuck Swiger (cswiger_at_mac.com)
Date: 01/31/04

Next message: Karel J. Bosschaart: "Re: Xheretic - broken pipe???"

Previous message: Harald Schmalzbauer: "Re: "scroll lock" vs "shift page up" keys usage"
Maybe in reply to: Eric F Crist: "where am I supposed to put my rc.firewall?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Sat, 31 Jan 2004 15:50:02 -0500
To: "Jack L. Stone" <jacks@sage-american.com>, freebsd-questions <freebsd-questions@freebsd.org>

Jack L. Stone wrote:
> At 02:04 PM 1.31.2004 -0500, Chuck Swiger wrote:
>>####
>># set these to your inside interface network and netmask and ip
>>
>>#define IIF fxp0
>>#define INET 10.1.1.0/24
>>#define IIP 10.1.1.1
>>[ ...OIF info snipped... ]
>>
>># port number ranges
>>#define LOPORTS 1-1023
>>#define HIPORTS 1024-65535

A simple example would be:

# dynamic rules
add check-state
# permit some services inbound...
add pass tcp from any HIPORTS to INET 22,80,143,443,993,3128 setup keep-state
# ...but block most other services (ie, ones with root privs)
add deny tcp from any to INET LOPORTS

For a more complicated example, where PI is a mailserver which performs virus
scanning and spamfiltering, PONG is an internal reader box:

INET ---> [FW1] <--DMZ + Mailserver PI--> [FW2] <--Internal subnet + PONG>

# on FW1:
add pass tcp from PI HIPORTS to any 25
add pass tcp from any 25 to PI HIPORTS established
add pass tcp from any HIPORTS to PI 25
add pass tcp from PI 25 to OIP HIPORTS established
add unreach filter-prohib log tcp from any to INET 25

# on FW2:
# permit SMTP exchange between pi and pong/fw
add pass tcp from PI HIPORTS to PONG 25
add pass tcp from PONG 25 to PI HIPORTS established

add pass tcp from PONG HIPORTS to PI 25
add pass tcp from PI 25 to PONG HIPORTS established
[ ... ]
# track SMTP from inside to outside and block SMTP from outside
add pass log logamount 20 tcp from INET HIPORTS to any 25 setup
add pass tcp from INET HIPORTS to any 25 established
add pass tcp from any 25 to INET HIPORTS established

-- 
-Chuck
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Next message: Karel J. Bosschaart: "Re: Xheretic - broken pipe???"

Previous message: Harald Schmalzbauer: "Re: "scroll lock" vs "shift page up" keys usage"
Maybe in reply to: Eric F Crist: "where am I supposed to put my rc.firewall?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages

Re: Bridging Firewall Machine Questions
... or do the dynamic rules get created anyway when bridging? ... instead of doing
"pass tcp from me to ... add pass tcp from PI 25 to any HIPORTS established ...
add pass tcp from PI HIPORTS to PONG 25 setup ... (freebsd-questions)
Re: [fw-wiz] RE: IDS
... If an internal host is trying to reach port 25 on an external host then how do you
suggest that should be detected? ... add pass tcp from PI HIPORTS to PONG 25 setup ...
add pass tcp from PONG 25 to PI HIPORTS established ... (Firewall-Wizards)