This is my ipfw.rules.
Code:
################################################################################
# delete all rules
ipfw -q -f flush
# variable declaration
nic="re0"
dns1="+"
dns2="+"
dhcp="192.168.1.1"
cmd="ipfw -q add "
ks="keep-state"
################################################################################
# loopback
$cmd 00100 allow all from any to any via lo0
$cmd 00200 check-state
################################################################################
$cmd 00300 allow tcp from any to $dns1 53 out via $nic setup $ks
$cmd 00400 allow udp from any to $dns2 53 out via $nic $ks
$cmd 00500 allow tcp from any to $dns1 53 out via $nic setup $ks
$cmd 00600 allow udp from any to $dns2 53 out via $nic $ks
$cmd 00700 allow udp from any to $dhcp 67 out via $nic $ks
################################################################################
# www
$cmd 00800 allow tcp from any to any 80 out via $nic setup $ks
# secure www
$cmd 00920 allow tcp from any to any 443 out via $nic setup $ks
# email
$cmd 01000 allow tcp from any to any 587 out via $nic setup $ks
$cmd 01100 allow tcp from any to any 995 out via $nic setup $ks
# ftp
$cmd 01200 allow tcp from any to any 21 out via $nic setup $ks
$cmd 01300 allow tcp from any to any 1024-65535 out via $nic setup $ks
# irc
$cmd 01400 allow tcp from any to any 7000 out via $nic setup $ks
# ntp
$cmd 01500 allow udp from any to any 123 out via $nic $ks
# csup
$cmd 01600 allow tcp from me to any out via $nic setup $ks uid root
# ping
$cmd 01700 allow icmp from any to any out via $nic setup $ks
################################################################################
1. I don't know why I can't ping out.
Code:
> ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
> ping `hostname`
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.034 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.040 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.033 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.041 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.040 ms
^C
--- localhost ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.033/0.038/0.041/0.003 ms
2. Can I change "from any to any" to "from me to any" (like 01600) to enhance the security?
From ipfw(8):
any matches any IP address.
me matches any IP address configured on an interface in the system.
I think I can change "from any to any" to "from me to any" in the rules that go via my NIC, except the one related to lo0.
I am not sure.
3. Do I need to add other rules to support the other devices (fwe0, plip0 and fwip0)?
This is my ifconfig command output:
Code:
> ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
ether 00:1f:d0:d8:8c:07
inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:ea:ae:00:1f:d0
ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
lladdr 0.ea.ae.2a.0.0.1f.d0.a.2.ff.fe.0.0.0.0
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet 127.0.0.1 netmask 0xff000000
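As an added check, not part of the post: a POSIX sh script that lints an ipfw rules file for TCP-only options (setup, established, tcpflags) applied to another protocol, which is what rule 01700 does for icmp, and that lists rule numbers the script names but a saved "ipfw list" output does not contain, so a rule ipfw refused to install becomes visible. It assumes the "$cmd NNNNN action proto ..." line layout used above; the file name check_ipfw.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the post: checks for an ipfw rules script.
# Assumes rules are written as "$cmd NNNNN action proto ..." lines, as above.

# lint_rules FILE: report every rule that combines a TCP-only option
# (setup, established, tcpflags) with another protocol. Per ipfw(8), setup
# matches TCP packets with SYN and no ACK, so such a rule never matches an
# ICMP echo request and the packet falls through to the default deny.
# Exit status 1 if any such rule exists.
lint_rules() {
    awk '
        $1 == "$cmd" && $2 ~ /^[0-9]+$/ {
            if ($4 != "tcp" && $0 ~ / (setup|established|tcpflags)( |$)/) {
                printf "rule %s: proto \"%s\" cannot match a TCP-only option\n", $2, $4
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# rule_numbers FILE: the rule numbers the script intends to install, sorted.
rule_numbers() {
    awk '$1 == "$cmd" && $2 ~ /^[0-9]+$/ { print $2 + 0 }' "$1" | sort -n -u
}

# missing_rules FILE LISTING: rule numbers named in FILE but absent from
# LISTING, a saved copy of "ipfw list" output. A rule ipfw refused at load
# time, or one the script never reached, shows up here.
missing_rules() {
    awk 'NR == FNR { if ($1 ~ /^[0-9]+$/) live[$1 + 0] = 1; next }
         $1 == "$cmd" && $2 ~ /^[0-9]+$/ && !(($2 + 0) in live) { print $2 + 0 }' \
        "$2" "$1"
}

# Usage: sh check_ipfw.sh /etc/ipfw.rules (the live comparison needs ipfw)
if [ -n "$1" ]; then
    lint_rules "$1"
    if command -v ipfw >/dev/null 2>&1; then
        live=$(mktemp) || exit 1
        ipfw list > "$live" && missing_rules "$1" "$live"
        rm -f "$live"
    fi
fi
```

Running the lint against the ruleset above reports rule 01700; removing "setup" from that one line is the change the lint is pointing at.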