Date: Wed, 21 Jan 2004 21:29:28 +0100
To: bsd-dk@bsd-dk.dk
From: Jimi Joergensen <none@jimi--joergensen.net.lh.bsd-dk.dk>
Subject: Re: Sidder og roder med noget firewall
Hi Hasse,
At 21:06 21-01-2004, you wrote:
>$fwcmd add divert natd all from any to any via tun0
I'm guessing that tun0 is the outside interface..
>$fwcmd add allow ip from any to any via lo0
>$fwcmd add allow ip from any to any via rl0
These two are definitely going the wrong way; you're opening up for everything here..
>$fwcmd add allow tcp from any to any out xmit tun0 setup
>$fwcmd add allow tcp from any to any via tun0 established
Yep, yep..
>$fwcmd add allow tcp from any to any 80 setup keep-state
>$fwcmd add allow tcp from any to any 22 setup keep-state
>$fwcmd add allow tcp from any to any 25 setup keep-state
>$fwcmd add allow tcp from any to any 110 setup keep-state
I don't think you need keep-state on these four, but I don't think it makes any difference either..
># MySQL
>/sbin/ipfw add 1002 accept tcp from 127.0.0.1 to any 3306
>/sbin/ipfw add 1003 accept udp from 127.0.0.1 to any 3306
>/sbin/ipfw add 1002 accept tcp from 69.93.111.26 to any 3306
>/sbin/ipfw add 1003 accept udp from 69.93.111.26 to any 3306
>/sbin/ipfw add 2000 deny tcp from any to any 3306
>/sbin/ipfw add 2001 deny udp from any to any 3306
I don't think the last two are necessary; rule 65535 denies everything anyway, so I don't really think it makes much difference whether they're there or not (and IPFW is, as far as I know, "default deny")..
>$fwcmd add reset log tcp from any to any 113 in recv tun0
>$fwcmd add 65435 allow icmp from any to any
>$fwcmd add 65435 deny log ip from any to any
/Jimi
- Undetectable errors are infinite in variety,
in contrast to detectable errors, which by definition are limited...
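The points raised in the reply above (the `allow ip ... via rl0` rule matching everything on that interface, and the explicit port 3306 deny rules being redundant under a default-deny tail) are easiest to see by replaying the ruleset through a first-match evaluator. The following is an added example, not code from the thread or from FreeBSD's ipfw; it implements only the subset of ipfw syntax used in the quoted rules (action, optional `log`, protocol, source host, destination port, `via`/`xmit`/`recv` interface), ignores `setup`, `established` and `keep-state`, treats `divert` as non-terminating, and assumes ipfw's default auto-numbering step of 100 and an implicit `deny` at rule 65535. The ruleset text is constructed from the quoted post with `$fwcmd` left in place.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

AUTOINC_STEP = 100    # assumed: ipfw's default net.inet.ip.fw.autoinc_step
DEFAULT_RULE = 65535  # ipfw's implicit last rule; assumed to be "deny"


@dataclass
class Rule:
    number: int
    action: str            # allow | deny | reset | divert
    proto: str             # ip | tcp | udp | icmp
    src: str               # 'any' or a host address
    dport: Optional[int]   # destination port, None means any
    via: Optional[str]     # interface named after via/xmit/recv, or None


def parse_rule(line: str, highest: int) -> Rule:
    """Parse one 'ipfw add ...' line from the subset used in the thread."""
    toks = line.split()
    i = toks.index("add") + 1          # skip '$fwcmd' / '/sbin/ipfw' and 'add'
    number = None
    if toks[i].isdigit():
        number = int(toks[i]); i += 1
    action = toks[i]; i += 1
    if action == "divert":
        i += 1                         # skip the divert port argument ('natd')
    if action in ("accept", "pass"):
        action = "allow"               # ipfw synonyms for allow
    if toks[i] == "log":
        i += 1
    proto = toks[i]; i += 1
    if proto == "all":
        proto = "ip"
    assert toks[i] == "from"; src = toks[i + 1]; i += 2
    assert toks[i] == "to"; i += 2     # destination host is 'any' in every quoted rule
    dport = None
    if i < len(toks) and toks[i].isdigit():
        dport = int(toks[i]); i += 1
    via = None
    rest = toks[i:]
    for kw in ("via", "xmit", "recv"):
        if kw in rest:
            via = rest[rest.index(kw) + 1]
    if number is None:                 # simplification of ipfw's auto-numbering
        number = highest + AUTOINC_STEP
    return Rule(number, action, proto, src, dport, via)


def load_ruleset(text: str) -> List[Rule]:
    """Parse a script of ipfw add lines and order them as the kernel would."""
    rules: List[Rule] = []
    highest = 0
    for line in text.splitlines():
        if "add" not in line.split():
            continue                   # comments and blank lines
        rule = parse_rule(line, highest)
        rules.append(rule)
        highest = max(highest, rule.number)
    return sorted(rules, key=lambda r: r.number)  # stable: same-number rules keep order


def first_match(rules: List[Rule], proto: str, src: str,
                dport: int, iface: str) -> Tuple[str, int]:
    """Return (action, rule number) of the first terminating rule that matches."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if r.src != "any" and r.src != src:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.via is not None and r.via != iface:
            continue
        if r.action == "divert":
            continue                   # packet comes back from natd, search resumes
        return (r.action, r.number)
    return ("deny", DEFAULT_RULE)


# Constructed from the rules quoted in the thread (subset, same order).
RULESET = """
$fwcmd add divert natd all from any to any via tun0
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via rl0
$fwcmd add allow tcp from any to any 80 setup keep-state
# MySQL
/sbin/ipfw add 1002 accept tcp from 127.0.0.1 to any 3306
/sbin/ipfw add 1002 accept tcp from 69.93.111.26 to any 3306
/sbin/ipfw add 2000 deny tcp from any to any 3306
$fwcmd add 65435 allow icmp from any to any
$fwcmd add 65435 deny log ip from any to any
"""

if __name__ == "__main__":
    rules = load_ruleset(RULESET)
    # A host on the inside interface reaches MySQL via the 'allow ip ... via rl0' rule.
    print(first_match(rules, "tcp", "10.0.0.7", 3306, "rl0"))
    # From the outside the explicit deny fires; without it, 65435 denies anyway.
    print(first_match(rules, "tcp", "10.0.0.7", 3306, "tun0"))
    trimmed = [r for r in rules if r.number != 2000]
    print(first_match(trimmed, "tcp", "10.0.0.7", 3306, "tun0"))
```

Running it shows that the port 3306 accept rule for 127.0.0.1 never gets a chance to match, because the earlier `allow ip from any to any via lo0` already accepts loopback traffic, and that removing rule 2000 does not change the verdict for an outside client: the packet just falls through to the final deny instead.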
This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:35 CET