bumbler
March 9th, 2004, 14:03
Okay, running FreeBSD 4.9 (I fixed the monitor issue, BTW). I have recently moved to the recommended firewall ruleset in the bundled article on dialup firewalling. I haven't a clue for the most part, so I need to know which to change. Here are the firewall rules:
[code]
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"
# Force a flushing of the current rules before we reload.
${fwcmd} -f flush
# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established
# Allow all localhost connections
$fwcmd add allow tcp from me to any out via lo0 setup keep-state
$fwcmd add deny tcp from me to any out via lo0
$fwcmd add allow ip from me to any out via lo0 keep-state
# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state
# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any
# Enable ICMP: remove type 8 if you don't want your host to be pingable
${fwcmd} add allow icmp from any to any icmptypes 0,3,11,12,13,14
# Deny all the rest.
${fwcmd} add drop log ip from any to any
[/code]
Here's the problem: since I connect via really old phone lines, I have trouble with DNS timeouts. I want to lengthen the timeout variable, but I don't know where in my rules it should be. All I can understand is something about "keepstate lifetime" needed in at least one place.
Bumbler
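On where that lifetime actually lives, as an added example (my script, not part of the original post or of the FreeBSD dial-up firewalling article): the dynamic rules that keep-state creates expire according to the kernel's net.inet.ip.fw.dyn_* sysctls, not to anything written in the ruleset, and a DNS lookup is a UDP exchange, so net.inet.ip.fw.dyn_udp_lifetime is the value involved. The helper names and the upper bound in valid_lifetime are this example's own choices, not kernel limits.

```shell
#!/bin/sh
# Added example: keep-state lifetimes are net.inet.ip.fw.dyn_* sysctls.
# With the ruleset above, a DNS reply that arrives after the UDP dynamic
# rule has expired no longer matches check-state and falls through to the
# final "drop log ip from any to any", which looks like a DNS timeout.

# Accept only a positive integer number of seconds. The 3600 s ceiling is
# this example's own guard against a typo leaving stale rules around.
valid_lifetime() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 3600 ]
}

# Produce the line to add to /etc/sysctl.conf so the value survives a reboot.
udp_lifetime_line() {
    valid_lifetime "$1" || return 1
    printf 'net.inet.ip.fw.dyn_udp_lifetime=%s\n' "$1"
}

# Change the value on a running system. Only meaningful on a FreeBSD host
# with ipfw loaded; it refuses to do anything if the sysctl is absent.
apply_udp_lifetime() {
    if ! sysctl -n net.inet.ip.fw.dyn_udp_lifetime >/dev/null 2>&1; then
        echo "ipfw dynamic-rule sysctls are not present on this host" >&2
        return 1
    fi
    valid_lifetime "$1" || return 1
    echo "current dyn_udp_lifetime: $(sysctl -n net.inet.ip.fw.dyn_udp_lifetime)s"
    sysctl net.inet.ip.fw.dyn_udp_lifetime="$1"
    # -d lists the dynamic rules too, so the new expiry can be watched live.
    ipfw -d list
}
```

Run as root, e.g. `apply_udp_lifetime 60`, then `udp_lifetime_line 60 >> /etc/sysctl.conf` to keep it.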