IPFW Help

[Yiv 316]

Hello dear community,

 

because I'm in worry to exclude myself from my server, I wanted to ask you to check my rules:

IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# ssh
$IPF 90 allow tcp from any to any 22 in
$IPF 100 allow tcp from any to any 22 out

# ports used by server
$IPF 110 allow tcp from any to any 13001 in
$IPF 120 allow tcp from any to any 13001 out
$IPF 130 allow tcp from any to any 11002 in
$IPF 140 allow tcp from any to any 11002 out
$IPF 150 allow tcp from any to any 13099 in
$IPF 160 allow tcp from any to any 13099 out

And I want you to ask how I can manage that my webserver can use port 3306?

 

Regards

[Shogun 4477]

I suggest you use pf, it's more straightforward.

 

http://metin2dev.org/board/topic/51-pf-sample-config/

[Tim 20]

Hello dear community,

 

because I'm in worry to exclude myself from my server, I wanted to ask you to check my rules:

IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# ssh
$IPF 90 allow tcp from any to any 22 in
$IPF 100 allow tcp from any to any 22 out

# ports used by server
$IPF 110 allow tcp from any to any 13001 in
$IPF 120 allow tcp from any to any 13001 out
$IPF 130 allow tcp from any to any 11002 in
$IPF 140 allow tcp from any to any 11002 out
$IPF 150 allow tcp from any to any 13099 in
$IPF 160 allow tcp from any to any 13099 out

And I want you to ask how I can manage that my webserver can use port 3306?

 

Regards

 

The rules should work the way you have them.

But unless your server is to act as a router, you don't need to use "any to any" in rules like #70, #80+

 

If you add keep-state to all rules, you can even replace the allow in #60 with deny to catch some spoofed ACK packets.

You should however note that ipfw's state table can (much like pf's state table) become full, which will take your server offline.

The max. number of state table entries can be changed with the

net.inet.ip.fw.dyn_max

sysctl.

 

My version of your ruleset would look like the following:

IPF="ipfw -q add"
ipfw -q -f flush

# Loopback interface
$IPF 10 allow all from any to any via lo0
$IPF 10 deny all from any to 127.0.0.0/8
$IPF 10 deny all from 127.0.0.0/8 to any

# As noted above, this can be changed.
# You can either get rid of the state table completely, which will require you to open ports like 53 (DNS) for returning traffic
# or you can change all rules to use the state table.
# The third option is to just keep it as-is, which will probably be the best if you don't want to bother with all this.
$IPF 50 check-state
$IPF 55 deny tcp from any to any frag
$IPF 60 allow tcp from any to me established
$IPF 65 allow all from me to any out keep-state

# Allow incoming ICMP (ping etc.) packets
# Outgoing ones are already handled by #65
$IPF 100 allow icmp from any to me

# Open SSH to general public
$IPF 110 allow tcp from any to me 22

# Whitelist
# 172.19.22.167 can only access the mysql port
# 10.33.184.22 can access everything
$IPF 150 allow all from 172.19.22.167 to me 3306
$IPF 151 allow all from 10.33.184.22 to me

# Opens the game port range 13000-14000
# Obviously your dbcache and p2p ports shouldn't be part of this range
$IPF 200 allow tcp from any to me 13000-14000

If you're afraid of locking yourself out, try using

/usr/share/examples/ipfw/change_rules.sh

to edit your ruleset.