IPFW: Block all ports & connections but allow only this port

Hi, I have a problem: I want to block all ports but allow port 25. I tried some rules but they are not working. Please, can you help me?
Here is my attempt:
Code:
#!/bin/sh

ipfw -q -f flush
cmd="ipfw add"

$cmd 00010 check-state
$cmd 00020 deny ip from any to any

#SSH
$cmd 11020 allow tcp from any to any dst-port 25 setup keep-state
My solution blocks all connections and port 25 is still closed.
Thanks and sorry for my bad English.
 
A few things to note here.

1) SSH is not port 25. SSH is port 22. SMTP is port 25.

2) Move the default deny to the end of the list (65000 is traditional/common). First match wins with a simple IPFW ruleset.

3) What you have is bad practice: you should always allow basic loopback traffic (your system will never work properly without it), and you will have problems with IPv6. Configure your system to use /etc/rc.firewall with a custom ruleset, so that you benefit from setup_loopback() and setup_ipv6_mandatory(). Start your own rules at 1000, to leave the low numbers free for the default rules.

4) Consider changing the allow to use from any to me or from me to any, as appropriate. Good firewall rulesets are normally directional for most rules. Additionally, make appropriate use of in, out, and via.

5) You probably at least need to allow DNS through in addition to anything else, otherwise your host will likely exhibit odd behaviour (unless configured not to use DNS and rely on a static /etc/hosts with no Internet name resolution).

If you are still having problems after using the above info, please be specific about exactly what you are doing and what you mean by "not working". Please also tell us the version of FreeBSD, and what you have configured for firewall_* in /etc/rc.conf.
 
Thanks for the reply.
1) I changed the default SSH port to 25; I'm using only SSH on this server.
2) I changed it.
3) I don't use IPv6; the server is only for me. How do I configure it? In /etc/rc.conf I have only
Code:
firewall_enable="YES"
firewall_rules="/etc/ipfw.rules"
for the firewall (ipfw.rules is my file with the rules).
5) I added DNS to my rules.

I still have the problem. By "not working" I mean that ipfw blocks all connections (I can ping the server, but the server can't ping me); SSH is blocked on my port and on the default port too. I'm using FreeBSD 9.2.
My rules file now:
Code:
#!/bin/sh

ipfw -q -f flush
cmd="ipfw add"
inter="em0"
$cmd 1001 check-state

#SSH+ETC
$cmd 1002 allow tcp from any to me dst-port 25 setup keep-state via $inter
$cmd 1004 allow udp from any to any via $inter
$cmd 1005 allow ip from me to me via $inter
$cmd 65001 deny ip from any to any via $inter
Thanks.
 
1) I changed the default SSH port to 25; I'm using only SSH on this server.
Bad idea. This will result in massive numbers of errors when spammers go looking for an SMTP server. Use 22 or, if you want to change the default port, use a higher number like 2222. At the very least use a port that's not used by something else.
 
How are you testing this? Are you connecting from somewhere else on the Internet? Is it possible your ISP is blocking all incoming connections? Run tcpdump(1) on the interface and try to connect. Even if your local firewall is not set up correctly, you would still see packets arriving on the interface. If nothing is coming in, something between the client and the server is blocking it.
 
Code:
ipfw -q -f flush
This might not be of concern to you, but if you reload this firewall script while connected via SSH, it will lock you out when the rules are flushed.

Code:
$cmd 1005 allow ip from me to me via $inter
When the server sends packets to itself, it almost always uses the loopback interface and not a network interface, so this is probably not what you want. An easy (fairly liberal) rule is to allow the server all outgoing connections and keep state:

Code:
ipfw add allow all from me to any keep-state
A helpful way to find problems is to log problematic rules (or just the last rule). For example:

Code:
ipfw add 65000 drop log all from any to any

You can enable logging by setting the sysctl net.inet.ip.fw.verbose=1 (permanently in /etc/sysctl.conf). The results should be logged to /var/log/security.
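Putting together the points of the first reply (default deny last, /etc/rc.firewall for the loopback and mandatory IPv6 rules, own rules from 1000, directional rules with in/out/via, DNS allowed) and of the reply above (a stateful outbound rule, a logging deny rule, the lockout on reload), here is a complete ruleset as an added example. It is not code from the thread or from FreeBSD. It assumes the external interface is em0, SSH stays on 22, and two resolvers at constructed addresses from the 192.0.2.0/24 documentation range; the rc.conf lines in the header are the stock ones (rc.firewall treats a path in firewall_type as a file of rules to load, and firewall_logging turns on net.inet.ip.fw.verbose).

```shell
#!/bin/sh
# Added example: an ipfw ruleset built along the lines of the replies above.
# It is loaded through /etc/rc.firewall by setting, in /etc/rc.conf:
#   firewall_enable="YES"
#   firewall_type="/etc/ipfw.rules"      # a path here means "read rules from this file"
#   firewall_logging="YES"               # sets net.inet.ip.fw.verbose=1 at boot
# rc.firewall then flushes, installs the loopback and mandatory IPv6 rules itself
# (numbers below 1000) and feeds this file to ipfw(8), so the file must contain
# plain "add ..." lines: no "ipfw" prefix and no flush of its own.
#
# Assumptions, not taken from the thread: external interface em0, SSH on 22,
# two resolvers in the 192.0.2.0/24 documentation range (constructed addresses).
ext_if="${EXT_IF:-em0}"
ssh_port="${SSH_PORT:-22}"
resolvers="${RESOLVERS:-192.0.2.53 192.0.2.54}"

# Emit one numbered rule and advance the counter, leaving gaps for later inserts.
rule() {
    printf 'add %s %s\n' "$n" "$*"
    n=$((n + 10))
}

# Print the complete ruleset in first-match-wins order.
emit_rules() {
    n=1000
    # Packets that belong to a tracked session are accepted here, before anything
    # else; every keep-state rule below relies on this coming first.
    rule check-state
    # Inbound: only new SSH connections to this host (setup = SYN only) on the
    # external interface. The reply direction is covered by the dynamic rule.
    rule "allow tcp from any to me $ssh_port in via $ext_if setup keep-state"
    # Outbound from the host itself, per service, each tracked by keep-state so the
    # replies come back through check-state rather than through a blanket rule.
    for r in $resolvers; do
        rule "allow udp from me to $r 53 out via $ext_if keep-state"
        rule "allow tcp from me to $r 53 out via $ext_if setup keep-state"
    done
    rule "allow udp from me to any 123 out via $ext_if keep-state"          # NTP
    rule "allow tcp from me to any 80,443 out via $ext_if setup keep-state" # pkg, freebsd-update
    # ICMP: answer pings and receive unreachable/time-exceeded feedback; send anything.
    rule "allow icmp from any to me in via $ext_if icmptypes 0,3,8,11"
    rule "allow icmp from me to any out via $ext_if"
    # Everything that reached this point is logged, then denied. The kernel's own
    # rule 65535 (deny by default) stays behind it as a backstop.
    echo "add 65000 deny log logamount 100 ip from any to any"
}

# Write the ruleset to the file named in firewall_type and reload via rc.
install_rules() {
    emit_rules > "$1"
    service ipfw restart
}

# Safety net for reloading over SSH: a reload flushes the rules and with them every
# dynamic state, so an SSH session that is mid-stream no longer matches the
# "setup keep-state" rule. Arm this timer first; if you are still connected after
# the reload, kill the printed PID, otherwise the firewall reopens by itself.
arm_rollback() {
    secs="${1:-180}"
    nohup sh -c "sleep $secs; ipfw -q -f flush; ipfw -q add 100 allow ip from any to any" \
        >/dev/null 2>&1 &
    echo $!
}

case "${1:-}" in
    emit)    emit_rules ;;
    install) install_rules "${2:-/etc/ipfw.rules}" ;;
    arm)     arm_rollback "${2:-180}" ;;
esac
```

Usage: `sh ipfw-gen.sh emit` prints the rules for review; `pid=$(sh ipfw-gen.sh arm 180); sh ipfw-gen.sh install /etc/ipfw.rules` reloads with the rollback armed, and `kill "$pid"` cancels it once the new SSH connection works. If enumerating outbound services is more than you want, the single liberal rule from the reply above, written directionally as `allow ip from me to any out via em0 keep-state`, can replace the per-service outbound block.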
 