IPFW Rules

Dave Peacock davejpeacock at btinternet.com
Fri May 10 21:48:17 BST 2002

Hi people,

I am looking for help, please, from someone with more IPFW clue than me. I am
one of the lucky people to receive an ADSL line lately and have set up my

I am having trouble; I am sure I have got my rules incorrect. If I turn this
ruleset on, my local machines can NAT through and get to the internet, but
they cannot log on to the firewall with SSH or connect to FTP.
Also, I cannot connect to SSH from external sites either; I need this

Any help would be gratefully received. I have read the man page, and am not
sure where I am going wrong, unless it's an order of rules thing maybe?

I am running 4.4 (tracking security).

My ruleset is as follows:

# Flush the ruleset to ensure it's clean
/sbin/ipfw -f flush

# Divert all traffic thru' tun0
/sbin/ipfw add divert natd all from any to any via tun0

# Allow all data from my network card and localhost.
/sbin/ipfw add allow all from any to any via lo0
/sbin/ipfw add allow all from any to any via xe0

# Allow all connections that I initiate.
/sbin/ipfw add allow all from any to any out xmit tun0 setup

# Once connections are made, allow them to stay open.
/sbin/ipfw add allow all from any to any via tun0 established

# Everyone on the internet is allowed to connect to the following ports
/sbin/ipfw add allow tcp from any to any 22 setup
/sbin/ipfw add allow tcp from any to any 80 setup

# This sends a RESET to all ident packets.
/sbin/ipfw add reset log tcp from any to any 113 in recv tun0

# Allow outgoing DNS queries ONLY to the specified servers.
# (<dns-server-ip> is a placeholder: the rule needs a destination host before the port)
/sbin/ipfw add allow udp from any to <dns-server-ip> 53 out xmit tun0

# Allow them back in with the answers...  :)
/sbin/ipfw add allow udp from <dns-server-ip> 53 to any in recv tun0

# Allow ICMP (for ping and traceroute to work).
/sbin/ipfw add allow icmp from any to any

# Deny all the rest.
/sbin/ipfw add deny log all from any to any
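The question is about rule order, and ipfw is a first-match engine: each packet walks the list from the top and the first terminating rule that matches decides its fate. The script below is an added example (not part of the post and not ipfw itself); it models the posted ruleset with the keyword semantics from ipfw(8) (`via` matches either direction on an interface, `setup` is a TCP SYN without ACK, `established` is TCP with ACK or RST set) and traces a few constructed packets to show which rule each one hits. It simplifies in two places: the `divert natd` rule is treated as pass-through (natd re-injects the packet at the next rule; address translation itself is not modelled), and the DNS rules are modelled as `to any 53` / `from any 53`, since the post does not list the servers. The trace shows, for instance, that a LAN host's SSH to the firewall's inside address is admitted by the `via xe0` rule, that an inbound SYN to port 22 on tun0 is admitted by the port-22 rule, and that the inbound data connection of an active-mode FTP transfer (server port 20 to a high client port) has no rule of its own and falls through to the final deny.

```python
"""First-match walk through the posted ipfw ruleset (added example, not from the post)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    direction: str        # "in" (received on iface) or "out" (transmitted on iface)
    iface: str            # interface the packet crosses, e.g. "tun0" or "xe0"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow", "deny", "reset" or "divert"
    proto: str = "all"                # "all", "tcp", "udp" or "icmp"
    sport: Optional[int] = None       # None means "any"
    dport: Optional[int] = None
    via: Optional[str] = None         # "via X": either direction on interface X
    direction: Optional[str] = None   # "in recv X" / "out xmit X"
    iface: Optional[str] = None
    setup: bool = False               # TCP with SYN and without ACK
    established: bool = False         # TCP with ACK or RST set


def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True when every option on the rule agrees with the packet."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.via is not None and pkt.iface != rule.via:
        return False
    if rule.direction is not None and pkt.direction != rule.direction:
        return False
    if rule.iface is not None and pkt.iface != rule.iface:
        return False
    # setup/established are TCP flag tests, so they never match UDP or ICMP
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    if rule.established and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    return True


# The posted ruleset, in the order it is loaded (rule numbers are 1-based positions).
# DNS rules are modelled as "to any 53" / "from any 53" (assumption: servers not given).
RULES = [
    Rule("divert", via="tun0"),                                        # 1  divert natd
    Rule("allow", via="lo0"),                                          # 2
    Rule("allow", via="xe0"),                                          # 3
    Rule("allow", direction="out", iface="tun0", setup=True),          # 4  out xmit tun0 setup
    Rule("allow", via="tun0", established=True),                       # 5
    Rule("allow", proto="tcp", dport=22, setup=True),                  # 6
    Rule("allow", proto="tcp", dport=80, setup=True),                  # 7
    Rule("reset", proto="tcp", dport=113, direction="in", iface="tun0"),  # 8
    Rule("allow", proto="udp", dport=53, direction="out", iface="tun0"),  # 9
    Rule("allow", proto="udp", sport=53, direction="in", iface="tun0"),   # 10
    Rule("allow", proto="icmp"),                                       # 11
    Rule("deny"),                                                      # 12 catch-all
]


def first_match(pkt: Packet, rules=RULES) -> Tuple[int, str]:
    """Return (rule position, action) of the first terminating rule that matches."""
    for pos, rule in enumerate(rules, 1):
        if rule.action == "divert":
            continue  # natd re-injects the packet; evaluation resumes at the next rule
        if matches(rule, pkt):
            return pos, rule.action
    raise AssertionError("ruleset has no catch-all rule")


# Constructed packets, one per scenario mentioned in the post.
SCENARIOS = {
    "LAN host -> firewall SSH (SYN in on xe0)":
        Packet("tcp", "in", "xe0", sport=40000, dport=22, syn=True),
    "Internet -> firewall SSH (SYN in on tun0)":
        Packet("tcp", "in", "tun0", sport=40000, dport=22, syn=True),
    "firewall SYN-ACK reply to that SSH (out on tun0)":
        Packet("tcp", "out", "tun0", sport=22, dport=40000, syn=True, ack=True),
    "active FTP data channel (SYN from port 20 in on tun0)":
        Packet("tcp", "in", "tun0", sport=20, dport=50000, syn=True),
    "NATed DNS query (UDP out on tun0)":
        Packet("udp", "out", "tun0", sport=1025, dport=53),
    "ident probe (SYN to 113 in on tun0)":
        Packet("tcp", "in", "tun0", sport=1234, dport=113, syn=True),
}

if __name__ == "__main__":
    for name, pkt in SCENARIOS.items():
        pos, action = first_match(pkt)
        print(f"{name:55s} -> rule {pos:2d} {action}")
```

Rule 4 is written as `all ... setup`, but `setup` only ever matches TCP, so a NATed UDP query leaving via tun0 skips rules 4 and 5 and depends entirely on rule 9; that is why the DNS rules must be syntactically right. Adding a rule for any traffic that currently ends at rule 12 (the deny log line will show it) is the way to extend this set.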

