IPFW rules for FreeBSD?

Hey Guys,

My FreeBSD server got hacked and I would like to finally configure an IPFW firewall. I've got it installed and enabled OK, but I'm just confused by the rules to configure the firewall.

Basically I was hoping that someone could send me some simple and easy-to-understand IPFW rules that will only enable the ports for WWW, DNS, SMTP, POP3, SSH2, and SNMPD, and have all the other ports denied.

Any help would be greatly appreciated.

Regards,

Dan

Pipman

Also remember you NEED some ICMPs for flow control etc. You also NEED to allow anything via the loopback interface. I sent you a script I use...

Michael

Michael Pelletier

Hi Dan, have a look at /etc/rc.firewall; the 'simple' configuration is close to what you are looking for.

Regards, Alex.

Alex Chauvin

This is what I've got so far. I took what you gave me and combined it with some other examples that people sent me, as well as the online examples. Please let me know what you think, and whether I'm missing anything important for what I was originally trying to do.

#!/bin/sh
#################################################
# IPFW Firewall Commands
#################################################
cmd="ipfw -q add"                               # set rules command prefix
ipfw -q -f flush                                # flush all previous rules

#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$cmd allow all from any to any via lo0          # allow all localhost traffic
$cmd deny all from any to 127.0.0.0/8           # deny any other routed traffic to loopback
$cmd deny all from 127.0.0.0/8 to any           # deny any other routed traffic from loopback
$cmd deny tcp from any to any frag              # deny any tcp fragments

#################################################
# Stateful Rules
#################################################
$cmd check-state                                # check if packet matches any dynamic rules
$cmd allow tcp from any to any established      # allow TCP through if setup succeeded
$cmd allow all from any to any out keep-state   # allow outgoing traffic
$cmd allow icmp from any to any                 # allow ICMP traffic

#################################################
# Incoming/Outgoing Services
#################################################
$cmd allow tcp from any to any 22 setup keep-state     # allow SSH/SFTP
$cmd allow tcp from any to any 25 setup keep-state     # allow SMTP
$cmd allow tcp from any to any 53 setup keep-state     # allow DNS
$cmd allow udp from any to any 53 keep-state           # allow DNS (udp)
$cmd allow tcp from any to any 80 setup keep-state     # allow WWW
$cmd allow tcp from any to any 110 setup keep-state    # allow POP3
$cmd allow udp from any to any 161 keep-state          # allow SNMPD
$cmd allow udp from any to any 27015 keep-state        # allow Half-Life

#################################################
# Deny and Log
#################################################
$cmd deny log all from any to any               # deny and log everything else

Pipman
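As an added example that is not part of the thread or of Pipman's script: a small POSIX sh script that generates a ruleset for the services Dan listed and then lints a rules file for the points Michael raised (loopback and ICMP must be allowed) plus the ordering constraints ipfw's first-match evaluation imposes (lo0 allow before the 127/8 denies, check-state before any keep-state rule, the logging catch-all deny last). It assumes an Internet-facing interface named em0 (a placeholder) and a hypothetical file path /etc/ipfw.rules; the rule numbers are arbitrary. It differs from the script above in binding the inbound service rules to the external interface with `in via` and in relying on check-state/keep-state rather than a blanket `established` rule.

```shell
#!/bin/sh
# Added example (not code from the thread): generate an ipfw ruleset for the
# services Dan asked for, print it for review instead of loading it, and lint
# it for the points raised above: lo0 must be allowed before the 127/8 denies,
# some ICMP must be allowed, check-state must precede keep-state, and the
# catch-all deny must come last (ipfw is first-match, so order decides).
# Assumption: the Internet-facing interface is $EXT_IF (em0 is a placeholder).

EXT_IF="${EXT_IF:-em0}"

# "port:label" pairs for services that may accept NEW inbound connections
TCP_SERVICES="22:SSH 25:SMTP 53:DNS 80:WWW 110:POP3"
UDP_SERVICES="53:DNS 161:SNMP"

# Emit the ruleset as shell using the same $cmd prefix as Pipman's script.
gen_rules() {
    echo 'cmd="ipfw -q add"'
    echo 'ipfw -q -f flush'
    # loopback first, then refuse 127/8 appearing on any other interface
    echo '$cmd 100 allow all from any to any via lo0'
    echo '$cmd 110 deny all from any to 127.0.0.0/8'
    echo '$cmd 120 deny all from 127.0.0.0/8 to any'
    # dynamic rules: check-state before any keep-state, then let the host
    # itself open connections outward (replies come back via the state table)
    echo '$cmd 200 check-state'
    printf '$cmd 210 allow all from me to any out via %s keep-state\n' "$EXT_IF"
    # ICMP the host needs: 0 echo reply, 3 unreachable (path MTU discovery),
    # 8 echo request, 11 time exceeded
    printf '$cmd 220 allow icmp from any to any via %s icmptypes 0,3,8,11\n' "$EXT_IF"
    n=300
    for svc in $TCP_SERVICES; do
        printf '$cmd %s allow tcp from any to me %s in via %s setup keep-state # %s\n' \
            "$n" "${svc%%:*}" "$EXT_IF" "${svc#*:}"
        n=$((n + 10))
    done
    for svc in $UDP_SERVICES; do
        printf '$cmd %s allow udp from any to me %s in via %s keep-state # %s\n' \
            "$n" "${svc%%:*}" "$EXT_IF" "${svc#*:}"
        n=$((n + 10))
    done
    echo '$cmd 65000 deny log all from any to any'
}

# Line number of the first line in file $1 matching pattern $2 (empty if none).
line_of() { grep -n -- "$2" "$1" | head -n 1 | cut -d: -f1; }

# Lint a rules file (generated or hand-written). Prints each problem found;
# returns 0 only when every check passes.
lint_rules() {
    f="$1"; fails=0
    # 1. lo0 allowed, and before the 127/8 deny
    lo_allow=$(line_of "$f" 'allow all from any to any via lo0')
    lo_deny=$(line_of "$f" 'deny all from any to 127.0.0.0/8')
    if [ -z "$lo_allow" ]; then
        echo "FAIL: nothing allows traffic via lo0"; fails=$((fails + 1))
    elif [ -n "$lo_deny" ] && [ "$lo_allow" -gt "$lo_deny" ]; then
        echo "FAIL: lo0 allow comes after the 127/8 deny"; fails=$((fails + 1))
    fi
    # 2. some ICMP allowed
    grep -q 'allow icmp' "$f" || { echo "FAIL: no ICMP allowed"; fails=$((fails + 1)); }
    # 3. check-state present and before the first keep-state rule
    cs=$(line_of "$f" 'check-state'); ks=$(line_of "$f" 'keep-state')
    if [ -z "$cs" ] || { [ -n "$ks" ] && [ "$cs" -gt "$ks" ]; }; then
        echo "FAIL: check-state missing or after a keep-state rule"; fails=$((fails + 1))
    fi
    # 4. the last rule added is the logging catch-all deny
    case "$(grep '^\$cmd' "$f" | tail -n 1)" in
        *'deny log all from any to any') ;;
        *) echo "FAIL: last rule is not the catch-all deny"; fails=$((fails + 1)) ;;
    esac
    # 5. every requested service has an inbound rule on the external interface
    for svc in $TCP_SERVICES; do
        grep -q "allow tcp from any to me ${svc%%:*} in via" "$f" ||
            { echo "FAIL: no inbound rule for TCP ${svc#*:}"; fails=$((fails + 1)); }
    done
    for svc in $UDP_SERVICES; do
        grep -q "allow udp from any to me ${svc%%:*} in via" "$f" ||
            { echo "FAIL: no inbound rule for UDP ${svc#*:}"; fails=$((fails + 1)); }
    done
    [ "$fails" -eq 0 ] && return 0
    return 1
}

# Stand-alone use:  sh ipfw-gen.sh > /etc/ipfw.rules    (print the ruleset)
#                   sh ipfw-gen.sh lint /etc/ipfw.rules  (check it before loading)
case "${1:-}" in
    lint) lint_rules "$2" ;;
    "")   gen_rules ;;
    *)    ;;
esac
```

Run the generator, read the output, lint it, and only then load it; the lint is deliberately text-based so it can be run on any machine, including one without ipfw, and it catches the ordering mistakes that ipfw itself accepts silently.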
