[buug] BSD4.6 Firewall ?>&^*%$ :-)

DiCioccio, Jason jdicioccio at epylon.com
Fri Jul 19 15:10:33 PDT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm using IPFilter on FreeBSD.. however the rules are easy in both..
You might consider IPFilter if you like this rule syntax (they're both
capable however)..

# No need to fill the state table with traffic that is already granted
# a round trip.
pass out quick on fxp0 proto tcp/udp from any to 192.168.0.0/16
pass out quick on fxp0 proto icmp from any to 192.168.0.0/16

# Allow incoming traffic internally on a trusted protocol (TCP) and
# allow all UDP inbound from internal addresses pending the appropriate
# filtering on the upstream routers
pass in quick on fxp0 proto tcp/udp from 192.168.0.0/16 to any

# Allow ICMP in from internal addresses as well.  Also insecure pending
# the appropriate filtering on the upstream routers.
pass in quick on fxp0 proto icmp from 192.168.0.0/16 to any

# Pass out all other outbound traffic so that we can actually do useful
# stuff :)
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Added for BUUG email :).. An example of allowing an inbound port in
# IPFilter
pass in quick on fxp0 proto tcp from any to any port = 22

# Block everything else.
block return-rst in log quick on fxp0 proto tcp from any to any
block return-icmp(port-unreach) in log quick on fxp0 proto udp from any to any
block in log quick on fxp0 all


- -----Original Message-----
From: Greg S. Robinson [mailto:greg at xmldesigners.com]
Sent: Friday, July 19, 2002 2:57 PM
To: Buug at weak.org
Subject: [buug] BSD4.6 Firewall ?>&^*%$ :-)


All:

After "mastering" the Linux method of IPchains, I seem to be having a
problem getting my BSD system properly set up.

I've multihomed it, and /default rc.config points to "simple" in
rc.firewall.

I can't seem to get ssh punched through, after that is solved I need to
permit http, ntp, 143, 993 (IMAP), etc.

My line looks like this:
${fwcmd} add pass tcp from ${oip} 22

Anyone willing to send a snippet of their entries I can follow?

Thanks

Greg

"Never underestimate the ability of people to develop strange
interpretations of anything you write, say, or do."



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPTiOZzKUHizV76d/EQJUwgCgrrMArTq3NMMTen0HzywY9OrpbZ0AnicN
RGaMS9Fxa72nmYLgK7Bz4DyF
=PzfL
-----END PGP SIGNATURE-----
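The IPFilter ruleset in Jason's reply is evaluated top to bottom, a `quick` rule ends the search at its first match, and the outbound `keep state` rules are what let replies back in past the closing `block in log quick on fxp0 all`. The following is an added example, not part of the original mail and not IPFilter's own code: a small Python model of that first-match and state behaviour. It parses the posted rules (only the subset of ipf.conf syntax they use) and runs a handful of constructed packets through them. The addresses are assumptions chosen for the example: 198.51.100.5 stands in for the firewall's outside address and 203.0.113.x for remote hosts.

```python
"""Toy model of the first-match ('quick') and 'keep state' behaviour of the
IPFilter ruleset posted above.  Added example: not part of the original mail
and not IPFilter's own parser; it covers only the ipf.conf subset those rules use."""
import ipaddress
import re
from collections import namedtuple

# The posted rules, verbatim, without the comments.
RULES_TEXT = """
pass out quick on fxp0 proto tcp/udp from any to 192.168.0.0/16
pass out quick on fxp0 proto icmp from any to 192.168.0.0/16
pass in quick on fxp0 proto tcp/udp from 192.168.0.0/16 to any
pass in quick on fxp0 proto icmp from 192.168.0.0/16 to any
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
pass in quick on fxp0 proto tcp from any to any port = 22
block return-rst in log quick on fxp0 proto tcp from any to any
block return-icmp(port-unreach) in log quick on fxp0 proto udp from any to any
block in log quick on fxp0 all
"""

RULE_RE = re.compile(r"""
    ^(?P<action>pass|block)(?:\s+return-(?P<reply>rst|icmp\(port-unreach\)))?
    \s+(?P<dir>in|out)(?:\s+log)?\s+quick\s+on\s+\S+(?:\s+proto\s+(?P<proto>\S+))?
    \s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))(?:\s+port\s*=\s*(?P<port>\d+))?
    (?P<flags>\s+flags\s+S)?(?P<state>\s+keep\s+state)?$""", re.VERBOSE)

# direction is "in"/"out" relative to the firewall; syn_only marks a TCP packet
# with flags == S, i.e. one that opens a connection.
Packet = namedtuple("Packet", "direction proto src dst sport dport syn_only",
                    defaults=(0, 0, False))
# protos: frozenset, empty = any ("all"); src/dst: IPv4Network or None = any;
# reply: "", "rst" or "icmp-port-unreach"; dport: int or None = any.
Rule = namedtuple("Rule", "action reply direction protos src dst dport syn_only keep_state")

def _net(tok):
    return None if tok in (None, "any") else ipaddress.ip_network(tok, strict=False)

def parse_rules(text):
    """Parse the supported subset; a mail-wrapped or unknown line raises ValueError."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable rule: {line!r}")
        reply = m["reply"] or ""
        rules.append(Rule(
            action=m["action"],
            reply="icmp-port-unreach" if reply.startswith("icmp") else reply,
            direction=m["dir"],
            protos=frozenset(m["proto"].split("/")) if m["proto"] else frozenset(),
            src=_net(m["src"]), dst=_net(m["dst"]),
            dport=int(m["port"]) if m["port"] else None,
            syn_only=bool(m["flags"]), keep_state=bool(m["state"])))
    return rules

def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and (not rule.protos or pkt.proto in rule.protos)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.dport is None or pkt.dport == rule.dport)
            and (not rule.syn_only or pkt.syn_only))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # (proto, local addr, remote addr, remote port)

    def filter(self, pkt):
        # Like ipf, consult the state table before the rule list.
        if pkt.direction == "in" and (pkt.proto, pkt.dst, pkt.src, pkt.sport) in self.state:
            return "pass(state)"
        for rule in self.rules:          # 'quick': the first match ends the search
            if matches(rule, pkt):
                if rule.action == "block":
                    return "block" + (f"+{rule.reply}" if rule.reply else "")
                if rule.keep_state:
                    self.state.add((pkt.proto, pkt.src, pkt.dst, pkt.dport))
                return "pass"
        return "pass"   # ipf's default when no rule matches (stock, non default-block build)

def run_scenarios():
    """Constructed packets: 198.51.100.5 is the firewall's outside address."""
    fw = Firewall(parse_rules(RULES_TEXT))
    me, remote = "198.51.100.5", "203.0.113.9"
    return {
        "ssh_in": fw.filter(Packet("in", "tcp", remote, me, 51000, 22, syn_only=True)),
        "http_in": fw.filter(Packet("in", "tcp", remote, me, 51001, 80, syn_only=True)),
        "dns_in": fw.filter(Packet("in", "udp", remote, me, 51002, 53)),
        "icmp_in": fw.filter(Packet("in", "icmp", remote, me)),
        "lan_in": fw.filter(Packet("in", "tcp", "192.168.1.4", me, 51003, 445)),
        "https_out": fw.filter(Packet("out", "tcp", me, remote, 40000, 443, syn_only=True)),
        "https_reply": fw.filter(Packet("in", "tcp", remote, me, 443, 40000)),
        "spoofed_reply": fw.filter(Packet("in", "tcp", "203.0.113.8", me, 443, 40001)),
    }
```

`run_scenarios()` shows the ruleset passing an inbound SSH SYN (the explicit port 22 rule sits ahead of the block), answering an inbound HTTP SYN with a RST, answering a UDP probe with ICMP port-unreachable, and accepting a SYN/ACK from a remote server only when the outbound SYN was seen first; the same SYN/ACK without prior state is rejected. It also shows why the archive's line wrapping matters: a rule split across two lines, as `from any` / `to any` appears in the archived mail, is not a valid ipf.conf line and `parse_rules` raises on it. The model ignores the interface, logging and ipf's real state tracking (sequence windows, timeouts), so read it as an illustration of rule ordering rather than a reference. For ipfw, which is what the `simple` rc.firewall profile Greg mentions uses, the corresponding way to open port 22 is of the form `${fwcmd} add pass tcp from any to ${oip} 22 setup`, with `setup` limiting the rule to connection-opening packets.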