Firewall Wizards mailing list archives

ipfw Configuration (Newbie Question)


From: Donald Tyler <dtyler () frazerbilt com>
Date: Mon, 28 Apr 2003 09:23:41 -0500

Hi,
 
I am very new to ipfw and I am having a great deal of trouble getting it
configured. Here is my situation:
 
I have a network with a Mac OSX server that is acting as a router.
 
The server has two NICs.
[en0] = Connected to the internet            (xxx.xxx.xxx.xxx)
[en1] = Connected to the LAN                 (10.0.0.1)
 
LAN IP Range:   10.0.0.0/24
 
These are the basic questions I need examples for to set up my firewall:
 
1. The server must allow outgoing requests from my LAN for websites & email.
2. The server must obviously allow the replies to these requests back into
the LAN.
3. The server is hosting websites, so must allow anyone access to port 80.
4. The server should allow the administrator (Assume his/her IP is
10.0.0.70) full access to the server via [en1] only.
 
I have managed to get some of this working but need some help. Here is what
I have so far and what it allows me to do:
 
# Allow all loopback traffic.
ipfw add 1000 allow all from any to any via lo0

# Allow all outgoing traffic from the server itself on both interfaces
ipfw add 1000 allow all from me to any out via en1
ipfw add 1000 allow all from me to any out via en0

# Allow access for the administrator to all ports (arriving on the LAN side only)
ipfw add allow all from 10.0.0.70 to any in via en1

# Deny all other packets
ipfw add 65534 deny all from any to any
 
The above configuration lets me access the server from the administrator’s
machine (10.0.0.70), and no other machine as expected. But it does not allow
the server to access any services such as web or mail (presumably because
there are no rules to allow the reply back in). Also no one else on the LAN
can access anything (obviously because there are no rules to allow them
access to the server).
 
I know there are lots of rules missing from the above configuration to
achieve my requirements. But I don’t know the best way to implement them, so
I thought it best to just throw away my moronic attempts and start from
scratch.
 
I read that rule 65535 can be changed from allow to deny, but ipfw would
never let me do it. That is why I had to use rule 65534.
 
Please help a moron in need!
 
Thanks in advance
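
A stateful ipfw ruleset that covers the four requirements in the post, added here as an example (it is not from the original message or any reply). It assumes the interfaces and addresses the post gives, an ipfw that supports check-state/keep-state, and that NAT for the 10.0.0.0/24 clients, if used, is configured separately with natd.

```shell
# Interfaces and addresses as named in the post.
LAN_IF=en1          # LAN side, 10.0.0.1
WAN_IF=en0          # Internet side
LAN_NET=10.0.0.0/24
ADMIN=10.0.0.70

# Print the ruleset in ipfw's rules-file format (one subcommand per line,
# no leading "ipfw"), so it can be reviewed before anything is loaded.
ipfw_rules() {
    cat <<EOF
# loopback first, as in the original post
add 1000 allow ip from any to any via lo0
# anti-spoofing: LAN source addresses never legitimately arrive on the Internet side
add 1100 deny ip from $LAN_NET to any in via $WAN_IF
# requirement 2 (replies): accept packets matching state created by keep-state below
add 2000 check-state
# requirement 4: the administrator reaches every port, but only via $LAN_IF
add 3000 allow ip from $ADMIN to me in via $LAN_IF keep-state
# requirement 3: anyone may open a connection to the web server;
# "setup" matches only the SYN that opens the connection
add 3100 allow tcp from any to me 80 setup keep-state
# requirement 1: LAN clients open web and mail connections through the router
add 4000 allow tcp from $LAN_NET to any 80,443,25,110,143 in via $LAN_IF setup keep-state
add 4100 allow udp from $LAN_NET to any 53 in via $LAN_IF keep-state
# the server's own outgoing connections (DNS, mail delivery, software updates)
add 5000 allow ip from me to any out keep-state
# catch-all: 65534 because the default rule 65535 cannot be replaced, as the post found
add 65534 deny ip from any to any
EOF
}

# Load the ruleset (must run as root). Flushing drops dynamic state too, so do
# this from the console rather than over a remote session.
load_rules() {
    ipfw -q -f flush
    ipfw_rules | grep -v '^#' | while read -r rule; do
        ipfw -q $rule    # word splitting of $rule is intended here
    done
}

# Checks that run without root: the catch-all deny is the last rule, and
# check-state precedes the first keep-state rule (otherwise replies are dropped).
rules_ok() {
    rules=$(ipfw_rules | grep '^add')
    printf '%s\n' "$rules" | tail -n 1 | grep -q '^add 65534 deny' || return 1
    cs=$(printf '%s\n' "$rules" | grep -n 'check-state' | cut -d: -f1)
    ks=$(printf '%s\n' "$rules" | grep -n 'keep-state' | head -n 1 | cut -d: -f1)
    [ -n "$cs" ] && [ -n "$ks" ] && [ "$cs" -lt "$ks" ]
}
```

Run `ipfw_rules` to review the generated rules and `rules_ok` to sanity-check their ordering before calling `load_rules` as root.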
 


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
