---

Hej

Nu har jeg fået sat nogle regler op. Jeg er dog i tvivl om det er optimalt.
Er der nogen der kan se dem igennem og se om de skulle være ok?

Jeg er især i tvivl om hvad IP fragmenter er, og om jeg burde bruge den der
keep-state funktion andre steder.

Her kommer listen:

#!/bin/sh

# Sti til ipfw
fwcmd="/sbin/ipfw"

# Hjemme server
hjemme="192.168.0.6"

# Flush alle regler
${fwcmd} -f flush

# Firewall regler
${fwcmd} add 1 allow tcp from any to any established

# Loopback - sidste 2 imod fake
${fwcmd} add 1000 allow ip from any to any via lo0
${fwcmd} add 1001 deny all from any to 127.0.0.0/8
${fwcmd} add 1002 deny all from 127.0.0.0/8 to any

# DNS
${fwcmd} add 2000 allow udp from me to 212.242.40.3 53
${fwcmd} add 2001 allow udp from 212.242.40.3 53 to me

# HTTP
${fwcmd} add 3000 allow tcp from any to any 80 setup

# FTP
${fwcmd} add 4000 allow tcp from me 20 to any setup
${fwcmd} add 4001 allow tcp from any to me 21 setup

# POP3
${fwcmd} add 5000 allow tcp from any to any 110 setup

# IMAP
${fwcmd} add 6000 allow tcp from any to any 143 setup

# SMTP
${fwcmd} add 7000 allow tcp from any to any 25 setup

# SSH
${fwcmd} add 8000 allow tcp from ${hjemme} to me ssh setup

# Allow the following icmp: echo reply (0) destination unreachable (3)
# source quench (4) echo request (8) time-to-live exceeded (11)
# IP header bad (12)
${fwcmd} add 9000 allow icmp from any to any icmptype 0,3,4,8,11,12

# Allow IP fragments to pass through
${fwcmd} add 10000 allow all from any to any frag

# Log resten
${fwcmd} add 60000 deny log ip from any to any

/ morten