Firewall Wizards mailing list archives
ipfw Configuration (Newbie Question)
From: Donald Tyler <dtyler () frazerbilt com>
Date: Mon, 28 Apr 2003 09:23:41 -0500
Hi,

I am very new to ipfw and I am having a great deal of trouble getting it configured.

Here is my situation: I have a network with a Mac OS X server that is acting as a router. The server has two NICs.

[en0] = Connected to the internet (xxx.xxx.xxx.xxx)
[en1] = Connected to the LAN (10.0.0.1)
LAN IP Range: 10.0.0.0/24

These are the basic questions I need examples for to set up my firewall:

1. The server must allow outgoing requests from my LAN for websites & email.
2. The server must obviously allow the replies to these requests back into the LAN.
3. The server is hosting websites, so must allow anyone access to port 80.
4. The server should allow the administrator (assume his/her IP is 10.0.0.70) full access to the server via [en1] only.

I have managed to get some of this working but need some help. Here is what I have so far and what it allows me to do:

# Allow all loopback traffic.
IPFW add 1000 allow all from any to any via lo0

# Allow all outgoing from server
IPFW add 1000 allow all from me to any out via en1
IPFW add 1000 allow all from me to any out via en0

# Allow access for administrator to all ports
IPFW add allow all from 10.0.0.70 to any in via en1

# Deny all other packets
IPFW add 65534 deny all from any to any

The above configuration lets me access the server from the administrator's machine (10.0.0.70), and no other machine, as expected. But it does not allow the server to access any services such as web or mail (presumably because there are no rules to allow the reply back in). Also, no one else on the LAN can access anything (obviously because there are no rules to allow them access to the server).

I know there are lots of rules missing from the above configuration to achieve my requirements. But I don't know the best way to implement them, so I thought it best to just throw away my moronic attempts and start from scratch.

I read that rule 65535 can be changed from allow to deny, but ipfw would never let me do it. That is why I had to use rule 65534.

Please help a moron in need!

Thanks in advance

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
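
One way to express the four requirements above as a stateful ruleset (an added example, not part of the original post or of any reply in the thread). It assumes the installed ipfw supports check-state/keep-state; the client port list and the DNS rule are assumptions, and address translation for the private LAN range and ICMP handling are left out.

```shell
#!/bin/sh
# Added example. Dry run by default: the rules are printed, not loaded.
# Run with IPFW=ipfw (as root, on an empty ruleset) to load them.
IPFW="${IPFW:-echo ipfw}"
LAN=en1                          # LAN-side interface name from the post
LAN_NET=10.0.0.0/24
ADMIN=10.0.0.70
CLIENT_PORTS=80,443,25,110,143   # assumption: what "websites & email" means

build_rules() {
    # Loopback, as in the original rules.
    $IPFW add 100 allow all from any to any via lo0

    # Any packet that belongs to a flow accepted by a keep-state rule
    # below (replies included) is passed here, before all other rules.
    $IPFW add 200 check-state

    # Req. 4: the administrator has full access to the server, LAN side only.
    $IPFW add 300 allow all from $ADMIN to me in via $LAN
    $IPFW add 310 allow all from me to $ADMIN out via $LAN

    # Req. 3: anyone may open a connection to the web server.
    $IPFW add 400 allow tcp from any to me 80 in setup keep-state

    # The server's own outgoing connections; replies return via rule 200.
    $IPFW add 500 allow tcp from me to any out setup keep-state
    $IPFW add 510 allow udp from me to any out keep-state

    # Req. 1 and 2: LAN clients may open web and mail connections. The
    # state entry also passes the forwarded copy leaving en0 and the reply.
    $IPFW add 600 allow tcp from $LAN_NET to any $CLIENT_PORTS in via $LAN setup keep-state
    # Assumption: clients resolve names through an outside DNS server.
    $IPFW add 610 allow udp from $LAN_NET to any 53 in via $LAN keep-state

    # Rule 65535 could not be changed, so deny explicitly just before it.
    $IPFW add 65534 deny all from any to any
}

build_rules
```

The difference from the rules in the post is that only connection-opening packets are matched by explicit rules; everything that follows in either direction is matched by the state entry at rule 200, so no separate "allow replies in" rule is needed.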