IPFW How to customize ipfw.rules or pf.conf for only specific ports to be opened?


Ytachi1000

Guest
Hello, I'm new on FreeBSD. I have a server and I use ipfw, and I just want only some ports to be opened and all the rest to be closed.
So I want ONLY these ports: 24000, 24001, 24002, 24003, 11002 to be opened for everyone. But I just don't know how to customize the ipfw.rules file.
I tried many options, but in all cases ipfw blocks any connection; I can't customize it, or well, I just don't know how to customize it to have only those ports open for everyone.
And those 2 ports, ssh 22 and mysql 3306, and any other ports on the server, I want to be the only one to access them, from another workplace (other internet).
The only option I found to work that allowed connections in ipfw is:

Code:
#!/bin/sh
ipfw -q -f flush
cmd="ipfw add"
inter="msk0"

# Allow any connection (both directions, no filtering at all)
$cmd 0001 allow ip from any to any out
$cmd 0002 allow ip from any to any in

But as I said, I just want to know how to leave only those 5 ports open and have the rest be used only by me.
I tried to use pf.conf too; I just want protection for the server, but I don't know exactly what I can use.
I want ipfw or pf protection to make this work, but I don't know exactly how to do this...
Now I have the pf and ipfw services started, but I want to customize them as I said.
So if you can give me some advice I will be more than grateful. Thanks.
 
I forgot to mention that I already tried many options like this on ipfw:

Code:
ipfw add 120 allow tcp from any to any 22 in
ipfw add 120 allow tcp from any to any 22 out

But it doesn't open port 22; in fact it just stays the same, denying any connection by default.
And I think that is because of the default rule 65535.

When I run [ipfw show]
it always shows me the last line rule: 65535 deny ip from any to any
Can't that rule be removed or modified or something?
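Rule 65535 is ipfw's built-in default rule and cannot be deleted; the usual approach is to put the allow rules you need in front of it and let everything else fall through to a deny. The script below is an added example for this thread (not the poster's script and not from the FreeBSD handbook) of a default-deny /etc/ipfw.rules that opens 24000-24003 and 11002 to everyone and 22/3306 only to one admin address. Assumed values: interface msk0 (taken from the poster's script) and ADMIN_IP=203.0.113.10, a documentation placeholder to replace with the real remote address. Run as-is it only prints the rules so they can be reviewed; run with APPLY=1 as root to load them.

```shell
#!/bin/sh
# Added example: default-deny ipfw ruleset for the ports asked about in the thread.
# Assumptions (not from the thread): ADMIN_IP placeholder 203.0.113.10, interface msk0.
# Default mode prints the rules; APPLY=1 loads them with ipfw.

ext_if="msk0"
admin_ip="${ADMIN_IP:-203.0.113.10}"   # placeholder: the one address allowed to reach ssh/mysql
public_ports="24000-24003,11002"        # tcp services open to everyone
admin_ports="22,3306"                   # ssh and mysql, admin address only

# add NUM RULE... : print the rule, or load it into the kernel when APPLY=1
add() {
    if [ "${APPLY:-0}" = "1" ]; then
        ipfw -q add "$@"
    else
        echo "ipfw add $*"
    fi
}

load_rules() {
    # start from an empty ruleset, but only when really applying
    if [ "${APPLY:-0}" = "1" ]; then
        ipfw -q -f flush
    fi

    # loopback traffic is always fine; loopback addresses seen on the wire are not
    add 100 allow ip from any to any via lo0
    add 200 deny ip from any to 127.0.0.0/8
    add 300 deny ip from 127.0.0.0/8 to any

    # packets that belong to a connection already allowed below pass here
    add 400 check-state

    # the server itself may open outgoing connections (dns, pkg, ...);
    # keep-state creates the dynamic rule that lets the replies back in
    add 500 allow tcp from me to any out via "$ext_if" setup keep-state
    add 510 allow udp from me to any out via "$ext_if" keep-state
    add 520 allow icmp from me to any out via "$ext_if" keep-state

    # public services: anyone may connect to these tcp ports
    add 1000 allow tcp from any to me dst-port "$public_ports" in via "$ext_if" setup keep-state

    # admin services: only the one remote address may connect
    add 2000 allow tcp from "$admin_ip" to me dst-port "$admin_ports" in via "$ext_if" setup keep-state

    # everything else is dropped and logged before the built-in rule 65535 is reached
    add 65000 deny log ip from any to any
}

load_rules
```

Point firewall_script in /etc/rc.conf at this file and run `ipfw show` afterwards: rule 65535 will still be listed last, which is expected, since every wanted connection is now matched by an earlier rule. Because the admin rule uses `setup keep-state`, the reply packets for an ssh session are matched by the dynamic rule rather than needing a separate `out` rule for port 22.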
 
Did you take a look at the FreeBSD handbook yet? Specifically chapter 30, which explains the provided firewalls?

Reason I ask is because they provide a decent example which you should be able to use as a basis for your own purposes. Still, if IPFW doesn't work for you, then why not just use another firewall?
 
Well, as I said, I'm new to this domain and I don't know everything. I know the basics, but about firewalls, as I said, I have an issue with ipfw protection and I just need a fix or a way to solve it. If I knew, I wouldn't have asked, but what do you mean by "another firewall"?
I still remain with my first question, that I don't know if it is possible, and how to do it; I mean allowing connections only on specific ports. This is what I want to know, or maybe if there are other ways to use another firewall to find how. Thx
 
For outgoing connections you can use the "uid" option from ipfw. For example to allow outgoing connections to port 25 only from user postfix:

Code:
ipfw -q add 10041 allow tcp from me to any dst-port 25 uid postfix out via em0 setup keep-state
 
FreeBSD supports 3 firewall types, as also explained in the handbook. IPF, IPFW and PF.

So if one doesn't work for you then it's always possible to apply another. I can well imagine that some could be more easily accessible than others. I assumed you knew as much because you mentioned pf.conf in the title.

Personally I find PF to be a lot more accessible than the others, although I also had good results with IPF. Especially because you don't have to muck with rule numbers and all that but can simply concentrate on a "protection sequence" as I'd like to call it.

It also gives you more flexibility (in my opinion anyway).

For example...

Code:
ext_if="em0"
myplace="1.2.3.4"

set skip on lo0

# default: block everything on the external interface, in both directions
block on $ext_if

# the server's own outgoing connections (replies come back via the state entry)
pass out quick on $ext_if keep state

# admin-only services, reachable from one address
pass in quick on $ext_if proto {tcp, udp} from $myplace to any port 22
pass in quick on $ext_if proto {tcp, udp} from $myplace to any port 3306

# public services
pass in quick on $ext_if proto tcp from any to any port 24000:24003
pass in quick on $ext_if proto tcp from any to any port 11002
Do note that this is a (crude) example for PF and it's not certain that it'll work.

Which is one of the reasons I mentioned the documentation. Just knowing about a port number isn't enough to set it up in a firewall, you'd also need to know what kind of protocol will be used. In its most basic form tcp or udp (or both of course).

(edit): See also the sockstat(1) command for this. For example # sockstat -4l should tell you more about the ports in use.

Anyway, hope this can help.
 