Yiv

IPFW Help

Question

Hello dear community,

because I'm worried about locking myself out of my server, I wanted to ask you to check my rules:

IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# ssh
$IPF 90 allow tcp from any to any 22 in
$IPF 100 allow tcp from any to any 22 out

# ports used by server
$IPF 110 allow tcp from any to any 13001 in
$IPF 120 allow tcp from any to any 13001 out
$IPF 130 allow tcp from any to any 11002 in
$IPF 140 allow tcp from any to any 11002 out
$IPF 150 allow tcp from any to any 13099 in
$IPF 160 allow tcp from any to any 13099 out

And I also want to ask you how I can make it so that my webserver can use port 3306?

Regards

2 answers to this question

Recommended Posts

The rules should work the way you have them.

But unless your server is to act as a router, you don't need to use "any to any" in rules like #70, #80+.

If you add keep-state to all rules, you can even replace the allow in #60 with deny to catch some spoofed ACK packets.

You should however note that ipfw's state table can (much like pf's state table) become full, which will take your server offline.

The max. number of state table entries can be changed with the net.inet.ip.fw.dyn_max sysctl.

My version of your ruleset would look like the following:

IPF="ipfw -q add"
ipfw -q -f flush

# Loopback interface
$IPF 10 allow all from any to any via lo0
$IPF 10 deny all from any to 127.0.0.0/8
$IPF 10 deny all from 127.0.0.0/8 to any

# As noted above, this can be changed.
# You can either get rid of the state table completely, which will require you to open ports like 53 (DNS) for returning traffic
# or you can change all rules to use the state table.
# The third option is to just keep it as-is, which will probably be the best if you don't want to bother with all this.
$IPF 50 check-state
$IPF 55 deny tcp from any to any frag
$IPF 60 allow tcp from any to me established
$IPF 65 allow all from me to any out keep-state

# Allow incoming ICMP (ping etc.) packets
# Outgoing ones are already handled by #65
$IPF 100 allow icmp from any to me

# Open SSH to general public
$IPF 110 allow tcp from any to me 22

# Whitelist
# 172.19.22.167 can only access the mysql port
# 10.33.184.22 can access everything
$IPF 150 allow all from 172.19.22.167 to me 3306
$IPF 151 allow all from 10.33.184.22 to me

# Opens the game port range 13000-14000
# Obviously your dbcache and p2p ports shouldn't be part of this range
$IPF 200 allow tcp from any to me 13000-14000

If you're afraid of locking yourself out, try using /usr/share/examples/ipfw/change_rules.sh to edit your ruleset.
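To check which new inbound connections the reply's ruleset admits (the webserver-to-3306 question in particular), here is an added first-match simulator for its stateless rules; it is not code from the thread. The server address 192.0.2.10 and the non-whitelisted source addresses are constructed, and the check-state/keep-state/established rules that let replies to outgoing connections back in are outside what it models.

```python
import ipaddress

# Constructed address of the server itself (what ipfw's "me" keyword stands for).
ME = ipaddress.ip_address("192.0.2.10")

# Stateless rules taken from the reply's ruleset; check-state/keep-state,
# "established" and "frag" need packet state this simulator does not track.
RULESET = """
100 allow icmp from any to me
110 allow tcp from any to me 22
150 allow all from 172.19.22.167 to me 3306
151 allow all from 10.33.184.22 to me
200 allow tcp from any to me 13000-14000
"""

def parse_rule(line):
    """Parse '<num> <action> <proto> from <src> to <dst> [port[-port]]'."""
    tok = line.split()
    return dict(num=int(tok[0]), action=tok[1], proto=tok[2],
                src=tok[4], dst=tok[6], port=tok[7] if len(tok) > 7 else None)

def load_ruleset(text):
    # Numeric order, as ipfw evaluates; sorted() is stable, so same-numbered rules keep insertion order.
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()), key=lambda r: r["num"])

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr == ME
    return addr in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, pkt):
    """First match wins, as in ipfw; no match falls to the implicit rule 65535 (deny on a stock kernel)."""
    for r in rules:
        if (r["proto"] in ("all", pkt["proto"])
                and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
                and (r["port"] is None or port_match(r["port"], pkt["dport"]))):
            return r["num"], r["action"]
    return 65535, "deny"

def inbound(proto, src, dport=0):
    """Constructed inbound packet addressed to this host."""
    return dict(proto=proto, src=ipaddress.ip_address(src), dst=ME, dport=dport)

RULES = load_ruleset(RULESET)
print(evaluate(RULES, inbound("tcp", "172.19.22.167", 3306)))  # (150, 'allow')
print(evaluate(RULES, inbound("tcp", "198.51.100.7", 3306)))   # (65535, 'deny')
```

Feeding it the original ruleset instead shows the difference the whitelist makes: there, 3306 is reachable by nobody, while 11002 and 13099 are open to everyone.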
