Freebsd firewall

Postby stephen » Fri Mar 20, 2009 6:54 am

Reference
http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/

Added this to /etc/rc.conf
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_logging="YES"

I store my firewall rules in
/usr/local/etc/ipfw.rules

#!/bin/sh
# /usr/local/etc/ipfw.rules
# Loaded by /etc/rc.d/ipfw because rc.conf points firewall_script at this file.
# ipfw matches rules in rule-number order; the first match wins.
IPF="ipfw -q add"

# start from an empty ruleset (-f: do not ask for confirmation)
ipfw -q -f flush

# testing: allow everything from the two admin hosts (sjk)
$IPF 1 allow all from 222.222.222.187 to any in
$IPF 2 allow all from 222.222.222.42  to any in
$IPF 3 allow all from 222.222.222.187 to any out
$IPF 4 allow all from 222.222.222.42  to any out


# loopback: allow lo0, drop anything using 127/8 on other interfaces
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
# drop non-first TCP fragments (they carry no port numbers to check)
$IPF 40 deny tcp from any to any frag

# stateful: match dynamic rules first, then let outbound traffic create state.
# "established" matches any TCP packet with the ACK or RST bit set, so it is
# not a real state check; tcp deny rules numbered after it only stop the SYN.
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open ports: ftp (20,21), ssh (22), mail (25),
# http (80), dns (53) etc.
$IPF 110 allow tcp from any to any 21 in
$IPF 111 allow tcp from any to any 21 out
$IPF 112 allow tcp from any to any 20 in
$IPF 113 allow tcp from any to any 20 out

# sjk: block ssh attackers (numbered below the ssh allow at 130 so they win)
$IPF 121 deny tcp from 211.78.162.171 to any 22 in
$IPF 122 deny tcp from 202.146.0.0/16 to any 22 in
$IPF 123 deny tcp from 213.202.0.0/16 to any 22 in
$IPF 124 deny tcp from 61.16.0.0/16 to any 22 in
$IPF 125 deny tcp from 218.56.0.0/16 to any 22 in
$IPF 126 deny tcp from 122.224.0.0/16 to any 22 in
$IPF 127 deny tcp from 58.68.0.0/16 to any 22 in
$IPF 128 deny tcp from 201.17.0.0/16 to any 22 in


# ssh
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
# smtp
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
# dns (udp and tcp)
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
# http
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

# smtps (465), submission (587), imap (143)
$IPF 220 allow tcp from any to any 465 in
$IPF 221 allow tcp from any to any 465 out
$IPF 222 allow tcp from any to any 587 in
$IPF 223 allow tcp from any to any 587 out
$IPF 224 allow tcp from any to any 143 in
$IPF 225 allow tcp from any to any 143 out

# pop3s (995), pop3 (110)
$IPF 230 allow tcp from any to any 995 in
$IPF 231 allow tcp from any to any 995 out
$IPF 232 allow tcp from any to any 110 in
$IPF 233 allow tcp from any to any 110 out

# https
$IPF 240 allow tcp from any to any 443 in
$IPF 241 allow tcp from any to any 443 out

# allow from xxx while testing (already matched by rules 1 and 3 above)
$IPF 310 allow tcp from 222.222.222.187 to any in
$IPF 311 allow tcp from 222.222.222.187 to any out

# allow from server.xxxx.com.au while testing (already matched by rules 2 and 4 above)
$IPF 320 allow tcp from 222.222.222.42 to any in
$IPF 321 allow tcp from 222.222.222.42 to any out

# deny who and rlogin (513)
$IPF 400 deny tcp  from any to any 513
$IPF 401 deny udp  from any to any 513
# NetBIOS name service (137) and datagram service (138)
$IPF 402 deny udp  from any to any 138
$IPF 403 deny tcp  from any to any 137
$IPF 404 deny udp  from any to any 137


# deny and log everything else (logging needs firewall_logging="YES" in rc.conf)
$IPF 500 deny log all from any to any




To start the firewall
sh /usr/local/etc/ipfw.rules
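An offline check for a rules file written in the style of the post, added here as an example; it is not from the original post or from the cyberciti article, and the function name ipfw_lint, the sample_rules helper and the sample addresses (RFC 5737 documentation ranges) are mine. It needs only sh and awk, so it can be run before copying a file to a server, and it reports three things the ruleset above exhibits: rules that can never match because an earlier "allow all from <host> to any" (or "allow all from any to any out") already accepted the traffic, tcp deny rules numbered after "allow tcp ... established" (which only stop the SYN, since "established" matches every TCP packet with ACK or RST set), and a missing final deny.

```shell
#!/bin/sh
# ipfw_lint FILE: sanity-check an ipfw rules script made of lines of the form
#   $IPF <number> <action> [log] <proto> from <src> to <dst> [port] [in|out] [...]
# Added example, not part of the original post. Prints one finding per line and
# returns 1 if anything was found, 0 if the file is clean.
ipfw_lint() {
    awk '
    BEGIN { bad = 0; prev = 0; maxnum = 0; est = 0; nd = 0 }
    $1 == "$IPF" && $2 ~ /^[0-9]+$/ {
        num = $2 + 0; act = $3
        o = 4; if ($o == "log") o++          # "deny log all ..." shifts the fields by one
        proto = $o; src = $(o + 2); dst = $(o + 4)
        dir = "both"; extra = 0; hasest = 0
        for (i = o + 5; i <= NF; i++) {      # qualifiers after "to <dst>"
            if ($i == "in" || $i == "out") dir = $i
            else if ($i == "established") { hasest = 1; extra++ }
            else if ($i != "keep-state") extra++   # keep-state does not narrow the match
        }
        if (num in seen) {
            printf "rule %d: duplicate number, first used on line %d (line %d)\n", num, seen[num], NR; bad = 1
        } else seen[num] = NR
        if (num < prev) {
            printf "rule %d: numbered below preceding rule %d; ipfw runs rules by number, not file order (line %d)\n", num, prev, NR; bad = 1
        }
        prev = num
        if (num > maxnum) { maxnum = num; maxact = act }
        # An earlier "allow all from <src> to any [dir]" with no other qualifier
        # swallows every later rule with the same source and direction.
        b = 0
        if ((src, dir) in broad) b = broad[src, dir]
        else if ((src, "both") in broad) b = broad[src, "both"]
        else if (("any", dir) in broad) b = broad["any", dir]
        else if (("any", "both") in broad) b = broad["any", "both"]
        if (b) {
            printf "rule %d: never matches; earlier rule %d (allow all) already accepts this traffic (line %d)\n", num, b, NR; bad = 1
        } else if (act == "allow" && (proto == "all" || proto == "ip") && dst == "any" && extra == 0) {
            broad[src, dir] = num
        }
        if (act == "allow" && proto == "tcp" && hasest && (est == 0 || num < est)) est = num
        if (act == "deny" && proto == "tcp") { nd++; dn[nd] = num; dl[nd] = NR }
    }
    END {
        # "established" matches any TCP packet with ACK or RST set, so a tcp deny
        # numbered after it is only reached by connection-setup packets.
        for (k = 1; k <= nd; k++) if (est > 0 && dn[k] > est) {
            printf "rule %d: only stops connection setup; rule %d (allow tcp ... established) already passes packets with ACK or RST set (line %d)\n", dn[k], est, dl[k]; bad = 1
        }
        if (maxnum == 0) { print "no rules found"; bad = 1 }
        else if (maxact != "deny") {
            printf "last rule %d is \"%s\", not an explicit deny; unmatched traffic falls through to default rule 65535\n", maxnum, maxact; bad = 1
        }
        exit bad
    }' "$1"
}

# Constructed excerpt in the style of the rules file above, with documentation
# addresses in place of real hosts. Rules 140 and 310 are dead (shadowed by 70
# and 1) and rule 121 only sees SYNs because of rule 60.
sample_rules() {
    cat <<'EOF'
IPF="ipfw -q add"
ipfw -q -f flush
# testing allow
$IPF 1 allow all from 203.0.113.7 to any in
$IPF 3 allow all from 203.0.113.7 to any out
$IPF 10 allow all from any to any via lo0
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 121 deny tcp from 198.51.100.0/24 to any 22 in
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 310 allow tcp from 203.0.113.7 to any in
$IPF 500 deny log all from any to any
EOF
}

tmp=$(mktemp "${TMPDIR:-/tmp}/ipfwlint.XXXXXX")
sample_rules > "$tmp"
ipfw_lint "$tmp"; rc=$?
rm -f "$tmp"
echo "ipfw_lint exit status: $rc"
```

Run it as `sh ipfw_lint.sh` to see the findings for the built-in sample, or call `ipfw_lint /usr/local/etc/ipfw.rules` on the real file. A shadowed rule is harmless on its own, but a deny that is shadowed, or that sits behind an "established" allow, is the kind of rule that looks like protection and is not; that is why rule 500 at the end is the only rule doing real work for anything the earlier allows do not cover.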