IPFW How to customize ipfw.rules or pf.conf for only specific ports to be opened?

Ytachi1000

New Member


Messages: 3

Hello, I'm new on FreeBSD, and I have a server and I use ipfw and I just want only some ports to be opened, and all the rest to be closed.
So I want ONLY these ports: 24000, 24001, 24002, 24003, 11002 to be opened for everyone. But I just don't know how to customize the ipfw.rules file.
I tried many options, but in all cases ipfw blocks any connection; I can't customize it, or well, I just don't know how to customize it to have only those ports open for everyone.
And those 2 ports: ssh 22, and 3306 mysql, and any ports from the server I want to be the only one to access them, from another workplace (other internet).
The only option I found to work that allowed connections in ipfw is:

Code:
#!/bin/sh
ipfw -q -f flush
cmd="ipfw add"
inter="msk0"

#Allow any conection
$cmd 0001 allow ip from any to any out
$cmd 0002 allow ip from any to any in
But as I said, I just want to know how to leave only those 5 ports opened and the rest to be all used only by me.
I tried to use pf.conf too; I just want a protection for the server but I don't know exactly what I can use exactly.
I want ipfw or pf protection to make this work, I don't know exactly how to do this...
Now I have the pf and ipfw services started, but I want to customize them as I said.
So if you can give me some advice I will be more than grateful, thanks.
 

Ytachi1000

New Member


Messages: 3

I forgot to mention that I already tried many options like this on ipfw:

Code:
ipfw add 120 allow tcp from any to any 22 in
ipfw add 120 allow tcp from any to any 22 out
But it doesn't open port 22; in fact it just stays the same, denying any connection by default,
and I think because of default rule 65535.

When I run: [ipfw show]
It always shows me the last line rule: 65535 deny ip from any to any
Can't that rule be removed or modified or something?
 

ShelLuser

Son of Beastie

Reaction score: 1,669
Messages: 3,512

Did you take a look at the FreeBSD handbook yet? Specifically chapter 30, which explains the provided firewalls?

The reason I ask is because they provide a decent example which you should be able to use as a basis for your own purposes. Still, if IPFW doesn't work for you, then why not just use another firewall?
 

Ytachi1000

New Member


Messages: 3

Well, as I said, I'm new to this domain, and I don't know everything. I know the basics, but about the firewall, as I said, I have an issue with ipfw protection and I just need a fix or to find a way to solve it. If I knew, I wouldn't have asked, but what do you mean by "another firewall"?
I still remain with my first question, that I don't know if it is possible, and how to do it, I mean allowing connections only on specific ports; this is what I want to know, or maybe if there are other ways to use another firewall to find out how. Thx
 

CyberCr33p

Active Member

Reaction score: 11
Messages: 147

For outgoing connections you can use the "uid" option from ipfw. For example, to allow outgoing connections to port 25 only from user postfix:

Code:
ipfw -q add 10041 allow tcp from me to any dst-port 25 uid postfix out via em0 setup keep-state
 

ShelLuser

Son of Beastie

Reaction score: 1,669
Messages: 3,512

FreeBSD supports 3 firewall types, as also explained in the handbook: IPF, IPFW and PF.

So if one doesn't work for you then it's always possible to apply another. I can well imagine that some could be more easily accessible than others. I assumed you knew as much because you mentioned pf.conf in the title.

Personally I find PF to be a lot more accessible than the others, although I also had good results with IPF. Especially because you don't have to muck with rule numbers and all that but can simply concentrate on a "protection sequence" as I'd like to call it.

It also gives you more flexibility (in my opinion anyway).

For example...

Code:
# external interface and the address you administer from
ext_if="em0"
myplace="1.2.3.4"

set skip on lo0

# default deny in both directions on the external interface
block on $ext_if

# the server's own outgoing connections (DNS, updates, ...) are allowed;
# pf keeps state by default, so replies to them are let back in
pass out quick on $ext_if

# admin-only services, reachable from $myplace only
pass in quick on $ext_if proto {tcp, udp} from $myplace to any port 22
pass in quick on $ext_if proto {tcp, udp} from $myplace to any port 3306

# public services, reachable from anywhere
pass in quick on $ext_if proto tcp from any to any port 24000:24003
pass in quick on $ext_if proto tcp from any to any port 11002
Do note that this is a (crude) example for PF and it's not certain that it'll work.

Which is one of the reasons I mentioned the documentation. Just knowing about a port number isn't enough to set it up in a firewall, you'd also need to know what kind of protocol will be used. In its most basic form tcp or udp (or both of course).

(edit): See also the sockstat(1) command for this. For example, # sockstat -4l should tell you more about the ports in use.

Anyway, hope this can help.
 