Re: reply

From: Alexandr Kovalenko (never@nevermind.kiev.ua)
Date: 05/16/02


Date: Thu, 16 May 2002 21:20:57 +0300
From: Alexandr Kovalenko <never@nevermind.kiev.ua>
To: mohammad mirzaeenasir <hezare3@hotmail.com>

Hello, mohammad mirzaeenasir!

On Thu, May 16, 2002 at 12:23:52PM +0000, you wrote:

> hi,
> thanks for your reply. I installed a transparent proxy on my machine with
> "ipfw" rules. Everything is OK and I tested it. But someone told me that
> if you set your "kernel_secure_level = NO", all kinds of TCP connections
> will be ignored by the kernel, and for example in the case of telnetting it,
> it will reply "connection timed out". And I checked it; he was quite
> right. I did so (kernel_secure_level=NO), but when I telnet my Unix box, it
> will reply "connection refused".
> Now, please help me to find out more.

It depends on how you will access your machine. If you're accessing via
ssh, you should add sshd_enable="YES" to your /etc/rc.conf. Now you
should determine which ports you need to be open. For your case it
will be 22 (ssh), 3128 (squid). So you can allow only those ports with
ipfw add allow tcp from any to any 22 in recv ed0
ipfw add allow tcp from any 22 to any out xmit ed0
ipfw add allow tcp from any to any 3128 in recv ed0
ipfw add allow tcp from any 3128 to any out xmit ed0

and finally deny all other packets:
ipfw add deny ip from any to any

P.S. securelevel has nothing to do with firewall.

-- 
NEVE-RIPE
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
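The rule list in the reply only works because ipfw evaluates rules in order and the first match wins, so the catch-all deny has to come last. As an added example (not from the thread and not FreeBSD's ipfw), here is a small Python simulator for just the rule syntax the reply uses: allow/deny, a protocol, from/to with optional ports, in/out, and recv/xmit/via with an interface. It assumes a non-forwarding host (so recv only sees inbound packets and xmit only outbound ones), the interface name ed0 from the reply, constructed addresses in 10.0.0.0/24, and ipfw's stock behaviour of denying any packet no rule matched. It goes one step beyond the reply's rule set by also checking an extra "via lo0" rule, because the rules as posted drop loopback traffic too.

```python
# Added example: first-match simulator for the ipfw rule subset used in the thread.
# This is not ipfw; it models a non-forwarding host and only the keywords below.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str      # "tcp", "udp", ...
    src: str        # source address (constructed sample values below)
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"
    iface: str      # interface the packet arrived on (in) or leaves by (out)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: Optional[str]
    iface_kind: Optional[str]  # "recv", "xmit" or "via"
    iface: Optional[str]

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if self.src not in ("any", pkt.src) or self.dst not in ("any", pkt.dst):
            return False
        if self.sport not in (None, pkt.sport) or self.dport not in (None, pkt.dport):
            return False
        if self.direction not in (None, pkt.direction):
            return False
        # Non-forwarding host: recv sees only inbound packets, xmit only outbound,
        # via matches the interface in either direction.
        if self.iface_kind == "recv":
            return pkt.direction == "in" and pkt.iface == self.iface
        if self.iface_kind == "xmit":
            return pkt.direction == "out" and pkt.iface == self.iface
        if self.iface_kind == "via":
            return pkt.iface == self.iface
        return True


TRAILING_KEYWORDS = ("in", "out", "recv", "xmit", "via")


def parse_rule(line: str) -> Rule:
    """Parse one 'ipfw add [num] ACTION PROTO from SRC [PORT] to DST [PORT] ...' line."""
    tok = line.split()
    if tok[:2] != ["ipfw", "add"]:
        raise ValueError("expected 'ipfw add ...': " + line)
    i = 2
    if tok[i].isdigit():          # optional rule number; ordering is by list position here
        i += 1
    action, proto = tok[i], tok[i + 1]
    i += 2
    if tok[i] != "from":
        raise ValueError("expected 'from' in: " + line)
    src, i = tok[i + 1], i + 2
    sport = None
    if tok[i] != "to":
        sport, i = int(tok[i]), i + 1
    if tok[i] != "to":
        raise ValueError("expected 'to' in: " + line)
    dst, i = tok[i + 1], i + 2
    dport = None
    if i < len(tok) and tok[i] not in TRAILING_KEYWORDS:
        dport, i = int(tok[i]), i + 1
    direction = iface_kind = iface = None
    while i < len(tok):
        if tok[i] in ("in", "out"):
            direction, i = tok[i], i + 1
        elif tok[i] in ("recv", "xmit", "via"):
            iface_kind, iface, i = tok[i], tok[i + 1], i + 2
        else:
            raise ValueError("unsupported keyword %r in: %s" % (tok[i], line))
    return Rule(action, proto, src, sport, dst, dport, direction, iface_kind, iface)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; nothing matched means the implicit final deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The rule set from the reply, in the order it was given.
THREAD_RULESET = [
    "ipfw add allow tcp from any to any 22 in recv ed0",
    "ipfw add allow tcp from any 22 to any out xmit ed0",
    "ipfw add allow tcp from any to any 3128 in recv ed0",
    "ipfw add allow tcp from any 3128 to any out xmit ed0",
    "ipfw add deny ip from any to any",
]
# Hypothetical extension: let loopback traffic through before the catch-all deny.
LOOPBACK_FIRST = ["ipfw add allow ip from any to any via lo0"] + THREAD_RULESET


def decide(ruleset: List[str], pkt: Packet) -> str:
    return evaluate([parse_rule(r) for r in ruleset], pkt)


if __name__ == "__main__":
    # Constructed sample traffic: a client at 10.0.0.5 talking to the box at 10.0.0.1.
    ssh_in = Packet("tcp", "10.0.0.5", 40000, "10.0.0.1", 22, "in", "ed0")
    telnet_in = Packet("tcp", "10.0.0.5", 40001, "10.0.0.1", 23, "in", "ed0")
    for name, pkt in (("ssh", ssh_in), ("telnet", telnet_in)):
        print(name, "->", decide(THREAD_RULESET, pkt))
```

Two things the simulator makes visible: swapping the deny rule to the front denies everything, and loopback packets fall through to the final deny unless a via lo0 rule precedes it. On the symptom in the question, ipfw's deny discards the packet silently, which is what a client sees as "connection timed out"; "connection refused" is a TCP RST from a port the packets did reach, so it means no service was listening, which is why the reply starts with sshd_enable.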

