::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: .ooO Linux/FreeBSD IP Firewalling by jus Ooo. ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
:: ::
:: In FK3 Vortexia described "the poor man's firewall", that is TCP ::
:: wrappers, and how to set them up and use them as basic protection against ::
:: unwanted connections. The next step is to make use of Linux's ipfwadm or ::
:: fBSD's ipfw to set up a proper firewall to automatically block out ::
:: potential attackers and keep certain services available only to your LAN ::
:: (e.g. SQUID). ::
:: ::
:: Most generic or standard *nix kernels should have firewalling compiled ::
:: in; if not, you will get errors when trying to use ipfw/ipfwadm. Just ::
:: rebuild your kernel with firewalling enabled. ::
:: ::
:: OK, to set up firewall rules under Linux, "ipfwadm" is used. "man ipfwadm" ::
:: will give some further insight as to what can be done with this tool; ::
:: we're going to focus on just keeping incoming connections where we want ::
:: them. ::
:: ::
:: Typing "ipfwadm -I -l" will give you a list of the current firewall rules ::
:: in their order; you will most likely have nothing there. Let's try ::
:: something simple first, like blocking off your ftpd to all but yourself :) ::
:: ::
:: "ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D yourip 21" will disallow all ::
:: connections from anywhere to port 21, even from 127.0.0.1, so if you ::
:: want to be able to connect to your own ftpd you need to add a rule to ::
:: allow 127.0.0.1 through. If you are on dialup and get a dynamic IP, fill ::
:: in 0.0.0.0/0 in place of "yourip". ::
:: ::
:: Note: if you are working on a machine remotely and firewalling it, you ::
:: could lock yourself out accidentally. Then you're screwed, so place a ::
:: rule in your firewall to allow connections from a trusted host at all ::
:: times, i.e. "ipfwadm -I -i accept -P ip -S 196.23.2.14 -D yourip". That ::
:: will allow all types of connection to all ports from host 196.23.2.14. ::
:: Note that it is not always good security practice for your firewall to ::
:: explicitly trust any box! ::
:: ::
:: Remember that the firewall runs down the list of rules until it meets a ::
:: match for the connection attempt, so rule 1 has preference over rule 2, ::
:: etc. Place your rules accordingly. Let's say you wanted to allow access ::
:: to SQUID on 3128 only to your LAN (which owns 196.34.23.*) but not to ::
:: anyone else out there. ::
:: ::
:: ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D yourip 3128 ::
:: ipfwadm -I -i accept -P tcp -S 196.34.23.0/24 -D yourip 3128 ::
:: ::
:: Easy huh? Use -a instead of -i to add a rule at the end of the rules ::
:: chain instead of at the front. Since -i puts each new rule in front of ::
:: the ones already there, the rule you want checked first is the one you ::
:: type last; that is why the deny above is entered before the accept. ::
:: ::
:: Under fBSD it's even simpler using ipfw. "ipfw list" will give you a list ::
:: of currently existing rules. More than likely there is nothing except ::
:: the last rule, which allows all traffic through. ipfw lets us specify a ::
:: number for each rule that's created, making it easier to work with the ::
:: rules' order of preference. To add a rule like the above for the ftpd, ::
:: type "ipfw add 1000 deny tcp from any to youripgoeshere 21". That will ::
:: disallow any connections to your ftpd. The "1000" is the rule number; use ::
:: "ipfw list" to decide an appropriate number, but remember you have all ::
:: the numbers available up to approx 65k :) ::
:: ::
:: Similarly, the SQUID setup as above is done by using a rule to block all ::
:: access to port 3128, and then a rule before that to allow access from ::
:: our subnet. "ipfw add 500 deny tcp from any to youripgoeshere 3128" ::
:: disallows all connections, and "ipfw add 450 allow tcp from ::
:: 196.34.23.0/24 to youripgoeshere 3128" will allow connections from our ::
:: subnet 196.34.23.0/24. Rules are evaluated in ascending number order, ::
:: so 450 is checked before 500 no matter which one you type first. ::
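Since the whole point of both the ipfwadm and the ipfw sections is first-match ordering (the SQUID deny/accept pair, the loopback exception for ftpd, and the anti-lockout rule), here is an added example that models that ordering so you can check a rule set before typing it into a remote box. It is not ipfwadm or ipfw code and never touches the kernel: it is a small Python first-match evaluator with ipfwadm's -i/-a insert semantics and ipfw's ascending-number semantics. HOST is a constructed stand-in for "yourip"; LAN and TRUSTED are the addresses the article uses; the sample source addresses are made up.

```python
# Added example (not ipfwadm/ipfw code, does not touch the kernel): a
# first-match model of the ipfwadm input chain and of ipfw's numbered
# rules, to check rule ORDER before typing the real commands.
# HOST is a constructed stand-in for "yourip"; LAN and TRUSTED are the
# addresses the article uses.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                   # "accept" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None = any destination port
    number: int = 0               # ipfw rule number; ignored by ipfwadm chains

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst
                and (self.dport is None or self.dport == dport))

def rule(action, proto, src, dst, dport=None, number=0):
    # ipfw spells accept as "allow"; normalise so verdicts compare the same way
    action = "accept" if action == "allow" else action
    return Rule(action, proto, ipaddress.IPv4Network(src),
                ipaddress.IPv4Network(dst), dport, number)

class Chain:
    """Rules walked top to bottom; the first match decides (ipfwadm -I)."""
    def __init__(self, default="accept"):
        self.rules = []
        self.default = default    # what happens when no rule matches

    def insert(self, r):          # ipfwadm -i: new rule goes to the FRONT
        self.rules.insert(0, r)

    def append(self, r):          # ipfwadm -a: new rule goes to the END
        self.rules.append(r)

    def verdict(self, proto, src, dst, dport):
        for r in self.rules:
            if r.matches(proto, src, dst, dport):
                return r.action
        return self.default

    def listing(self):            # roughly what "ipfwadm -I -l" / "ipfw list" would show
        return [f"{r.number or '-'} {r.action} {r.proto} {r.src} -> {r.dst} "
                f"port {r.dport or 'any'}" for r in self.rules]

class NumberedChain(Chain):
    """ipfw: rules run in ascending number order whatever order they were added."""
    def add(self, r):
        self.rules.append(r)
        self.rules.sort(key=lambda x: x.number)

HOST = "196.34.23.1"       # constructed stand-in for "yourip"
LAN = "196.34.23.0/24"     # the article's LAN
TRUSTED = "196.23.2.14"    # the article's trusted host

def squid_chain(flag):
    """The two SQUID rules typed in the article's order (deny, then accept),
    with either -i or -a."""
    c = Chain()
    add = c.insert if flag == "-i" else c.append
    add(rule("deny", "tcp", "0.0.0.0/0", HOST, 3128))
    add(rule("accept", "tcp", LAN, HOST, 3128))
    return c

def full_chain():
    """ftpd + SQUID + anti-lockout rule, all with -i. Because -i pushes to
    the front, the rule that must be checked first is typed LAST."""
    c = Chain()
    c.insert(rule("deny", "tcp", "0.0.0.0/0", HOST, 21))
    c.insert(rule("accept", "tcp", "127.0.0.1", HOST, 21))
    c.insert(rule("deny", "tcp", "0.0.0.0/0", HOST, 3128))
    c.insert(rule("accept", "tcp", LAN, HOST, 3128))
    c.insert(rule("accept", "ip", TRUSTED, HOST))    # typed last, so it ends up on top
    return c

def ipfw_squid_chain():
    """The fBSD version: the numbers fix the order, so typing 500 first is harmless."""
    c = NumberedChain()
    c.add(rule("deny", "tcp", "0.0.0.0/0", HOST, 3128, number=500))
    c.add(rule("allow", "tcp", LAN, HOST, 3128, number=450))
    return c

if __name__ == "__main__":
    for flag in ("-i", "-a"):
        print(f"SQUID rules typed with {flag}: LAN host ->",
              squid_chain(flag).verdict("tcp", "196.34.23.7", HOST, 3128))
    print("\n".join(full_chain().listing()))
    print("trusted host to ftpd:", full_chain().verdict("tcp", TRUSTED, HOST, 21))
```

Running it shows the two things worth knowing before you firewall a remote machine: the same two SQUID commands give "accept" for the LAN with -i and "deny" with -a, because -a leaves the catch-all deny on top; and with -i the trusted-host rule only protects you if it is the last one typed, otherwise the ftpd deny sits above it and a trusted host is locked out of port 21 like everyone else.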
:: ::
:: RTFM for more. -jus ::
:: ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::