
5 The ruleset for the firewall

We are nearly done now. All that remains is to define the firewall rules; then we can reboot and the firewall should be up and running. I realize that everyone will want something slightly different when it comes to their rulebase. What I have tried to do is write a rulebase that suits most dialup users. You can obviously modify it to your needs by using the following rules as the foundation for your own rulebase. First, let's start with the basics of closed firewalling. What you want to do is deny everything by default and then only open up for the things you really need. Because ipfw evaluates rules in order and the first matching rule decides, the rules should be ordered allow first and then deny. The premise is that you add the rules for your allows, and then everything else is denied. :)

Now, let's make the dir /etc/firewall. Change into the directory and edit the file fwrules as we specified in rc.conf. Please note that you can change this filename to anything you wish. This guide just gives an example of a filename.

Now, let's look at a sample firewall file, that is commented nicely.

    # Firewall rules
    # Written by Marc Silver (marcs@draenor.org)
    # http://draenor.org/ipfw
    # Freely distributable
    
    
    # Define the firewall command (as in /etc/rc.firewall) for easy
    # reference.  Helps to make it easier to read.
    fwcmd="/sbin/ipfw"
    
    # Force a flushing of the current rules before we reload.
    $fwcmd -f flush
    
    # Divert all packets through the tunnel interface.
    $fwcmd add divert natd all from any to any via tun0
    
    # Allow all data from my network card and localhost.  Make sure you
    # change your network card (mine was fxp0) before you reboot.  :)
    $fwcmd add allow ip from any to any via lo0
    $fwcmd add allow ip from any to any via fxp0
    
    # Allow all connections that I initiate.
    $fwcmd add allow tcp from any to any out xmit tun0 setup
    
    # Once connections are made, allow them to stay open.
    $fwcmd add allow tcp from any to any via tun0 established
    
    # Everyone on the internet is allowed to connect to the following
    # services on the machine.  This example specifically allows connections
    # to ssh and apache.
    $fwcmd add allow tcp from any to any 80 setup
    $fwcmd add allow tcp from any to any 22 setup
    
    # This sends a RESET to all ident packets.
    $fwcmd add reset log tcp from any to any 113 in recv tun0
    
    # Allow outgoing DNS queries ONLY to the specified servers.
    $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
    
    # Allow them back in with the answers...  :)
    $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
    
    # Allow ICMP (for ping and traceroute to work).  You may wish to
    # disallow this, but I feel it suits my needs to keep them in.
    $fwcmd add allow icmp from any to any
    
    # Deny all the rest.
    $fwcmd add deny log ip from any to any

You now have a fully functional firewall that will allow connections to ports 80 and 22 and will log any other connection attempts. Now, you should be able to safely reboot and your firewall should come up fine. If you find this incorrect in any way, experience any problems, or have any suggestions to improve this page, please email me.
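To see how ipfw's first-match evaluation turns the ruleset above into "allow first, deny the rest", here is an added simulator (not part of the original guide, and not ipfw itself) that parses the rule bodies above and evaluates constructed packets against them. It assumes exact host matching (no masks), a stock kernel whose default rule 65535 denies, 192.0.2.53 as a stand-in for the x.x.x.x resolver, and treats `setup` as SYN-without-ACK and `established` as any other TCP segment.

```python
import re
from dataclasses import dataclass
@dataclass
class Packet:  # constructed packet summary; syn_only means SYN set and ACK clear
    proto: str; src: str; sport: int; dst: str; dport: int
    direction: str; iface: str; syn_only: bool = False

RULE = re.compile(r"(\w+)(?: natd)?(?: log)? (\w+) from (\S+)(?: (\d+))? to (\S+)(?: (\d+))?(.*)")

def parse_rule(line):
    """Parse a rule body (the text after "$fwcmd add") into a dict; None means wildcard."""
    action, proto, src, sport, dst, dport, rest = RULE.fullmatch(line).groups()
    io = re.search(r"\b(in|out)\b", rest)
    via = re.search(r"\b(via|xmit|recv) (\S+)", rest)   # xmit/recv also imply a direction
    flag = re.search(r"\b(setup|established)\b", rest)
    direction = io.group(1) if io else {"xmit": "out", "recv": "in"}.get(via.group(1)) if via else None
    return dict(action=action, proto=proto, src=src, sport=sport and int(sport), dst=dst,
                dport=dport and int(dport), direction=direction,
                iface=via.group(2) if via else None, flag=flag.group(1) if flag else None)

def matches(r, p):
    """Simplified ipfw match: exact hosts (no masks), ports, direction, interface, TCP flags."""
    return (r["proto"] in ("ip", "all", p.proto)
            and r["src"] in ("any", p.src) and r["dst"] in ("any", p.dst)
            and r["sport"] in (None, p.sport) and r["dport"] in (None, p.dport)
            and r["direction"] in (None, p.direction) and r["iface"] in (None, p.iface)
            and (r["flag"] != "setup" or p.syn_only)          # setup: SYN without ACK
            and (r["flag"] != "established" or not p.syn_only))

def verdict(rules, p):
    """First terminating match decides; divert passes the packet to natd and continues.
    No match falls through to ipfw's default rule 65535, which denies on a stock kernel."""
    for n, r in enumerate(rules, 1):
        if matches(r, p) and r["action"] != "divert":
            return n, r["action"]
    return None, "deny"

DNS = "192.0.2.53"   # constructed stand-in for the article's x.x.x.x resolver address
RULES = [parse_rule(l) for l in (
    "divert natd all from any to any via tun0", "allow ip from any to any via lo0",
    "allow ip from any to any via fxp0", "allow tcp from any to any out xmit tun0 setup",
    "allow tcp from any to any via tun0 established", "allow tcp from any to any 80 setup",
    "allow tcp from any to any 22 setup", "reset log tcp from any to any 113 in recv tun0",
    f"allow udp from any to {DNS} 53 out xmit tun0", f"allow udp from {DNS} 53 to any in recv tun0",
    "allow icmp from any to any", "deny log ip from any to any")]

def inbound_syn(dport):
    """Constructed: a new TCP connection attempt arriving over the dialup link."""
    return Packet("tcp", "203.0.113.7", 40000, "198.51.100.2", dport, "in", "tun0", syn_only=True)
# verdict(RULES, inbound_syn(22)) -> (7, 'allow'); inbound_syn(25) -> (12, 'deny'); inbound_syn(113) -> (8, 'reset')
```

Reordering the rule list (for example moving the final deny above the port 22 allow) and re-running `verdict` shows directly why the order matters.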

This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.

For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.



