Hello.
I hope you can help me please.
We are about to bring a few servers online which will be hosting different things...
For one server, it will be hosting a HTTPd, and just wanted to know whether these rules are correct that I have?
To ensure the right interfaces etc, here's a copy of my 'ifconfig' output:
$ ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet our.public.ip.here netmask 0xfffffff0 broadcast our.broadcast.i[
inet6 xxxxx prefixlen 64 scopeid 0x1
ether 00:02:b3:b8:cd:7b
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fwe0: flags=108802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
ether 02:0f:ea:1b:34:bf
ch 1 dma -1
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
ether 00:0f:ea:a1:33:1b
media: Ethernet autoselect (10baseT/UTP)
status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
$
The interface our public Internet Ethernet card is on is: fxp0
The rules:
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"
# Force a flushing of the current rules before we reload.
$fwcmd -f flush
# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established
# Allow all localhost connections
$fwcmd add allow tcp from me to any out via lo0 setup keep-state
$fwcmd add deny tcp from me to any out via lo0
$fwcmd add allow ip from me to any out via lo0 keep-state
# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state
$fwcmd add allow all from 192.168.0.0/24 to any
# Everyone on the Internet is allowed to connect to the following
# services on the machine. This example specifically allows connections
# to sshd and a webserver.
$fwcmd add allow tcp from any to any established
$fwcmd add allow tcp from any to me 80 setup
# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any
# Enable ICMP: remove type 8 if you don't want your host to be pingable
$fwcmd add allow icmp from any to any icmptypes 0,3,11,12,13,14
# Deny all the rest.
$fwcmd add deny log ip from any to any
Many thanks!