
linux-ipsec: Firewall Rules

From: Hutton, Rob <HuttonR(at)plymart.com>
Date: Wed Jan 27 1999 - 08:16:07 EST


I got the following minimum firewall rules to work with FreeSwan. I thought they might be a good addition to the docs. Please note that I have IP forwarding turned off by default, and am turning it on at the end of the script, so this must be run before the VPN is brought up. I do this by bringing the VPN up in a script that is run just after this one. Both scripts are run as the last two lines of rc.local.

Rob

###############################################
# /etc/rc.d/rc.firewall
# Run from rc.local to institute firewall rules
###############################################
## Inbound ruleset
# Flush the input chain, default policy accept, then deny ICMP and TCP on
# eth0, allow IKE (UDP 500) only between the two tunnel endpoints, and deny
# all other UDP. ESP/AH are not named, so they fall through to the accept
# policy.
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p accept
/sbin/ipfwadm -I -a deny -W eth0 -P icmp
/sbin/ipfwadm -I -a deny -W eth0 -P tcp
/sbin/ipfwadm -I -a accept -b -W eth0 -P udp -S [other end's ip] 500 -D [this end's ip] 500
/sbin/ipfwadm -I -a deny -W eth0 -P udp

## Outbound ruleset
# Mirror of the inbound chain for packets leaving eth0.
/sbin/ipfwadm -O -f
/sbin/ipfwadm -O -p accept
/sbin/ipfwadm -O -a deny -W eth0 -P icmp
/sbin/ipfwadm -O -a deny -W eth0 -P tcp
/sbin/ipfwadm -O -a accept -b -W eth0 -P udp -S [this end's ip] 500 -D [other end's ip] 500
/sbin/ipfwadm -O -a deny -W eth0 -P udp

## Forwarding ruleset
# Flush the forwarding chain and accept everything that is forwarded.
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p accept

## Enable IP forwarding (left off by default; see the note above)
echo "1" > /proc/sys/net/ipv4/ip_forward

########################################################
Received on Wed Jan 27 09:25:37 1999
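To make clear why this ruleset lets the tunnel traffic through even though only UDP 500 is listed, here is a small added model of the inbound chain's first-match semantics (written for this archive page, not part of Rob's script or of FreeS/WAN). The two peer addresses are constructed placeholders for the bracketed "[this end's ip]" and "[other end's ip]" above, and the eth0 interface match is assumed to hold for every packet.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholder addresses for the bracketed values in the post.
THIS_END = "192.0.2.1"
OTHER_END = "198.51.100.1"

Endpoint = Tuple[str, int]  # (ip, port); port 0 means "any port"


@dataclass
class Rule:
    action: str                      # "accept" or "deny"
    proto: Optional[str] = None      # -P icmp/tcp/udp, None = any protocol
    src: Optional[Endpoint] = None   # -S address port
    dst: Optional[Endpoint] = None   # -D address port
    bidir: bool = False              # -b: also match with src/dst swapped


def _endpoint_ok(spec: Optional[Endpoint], ip: str, port: int) -> bool:
    if spec is None:
        return True
    spec_ip, spec_port = spec
    return spec_ip == ip and spec_port in (0, port)


def _matches(rule: Rule, pkt) -> bool:
    proto, sip, sport, dip, dport = pkt
    if rule.proto is not None and rule.proto != proto:
        return False
    if _endpoint_ok(rule.src, sip, sport) and _endpoint_ok(rule.dst, dip, dport):
        return True
    return rule.bidir and _endpoint_ok(rule.src, dip, dport) \
        and _endpoint_ok(rule.dst, sip, sport)


def evaluate(rules, policy: str, pkt) -> str:
    """ipfwadm semantics: first matching rule wins, otherwise the chain policy."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return policy


# The -I chain from the post, in order; protocols not named (esp, ah) are
# never matched and therefore reach the "accept" policy.
INBOUND = [
    Rule("deny", "icmp"),
    Rule("deny", "tcp"),
    Rule("accept", "udp", (OTHER_END, 500), (THIS_END, 500), bidir=True),
    Rule("deny", "udp"),
]


def inbound_verdict(proto: str, sip: str, sport: int, dip: str, dport: int) -> str:
    return evaluate(INBOUND, "accept", (proto, sip, sport, dip, dport))
```

Running IKE from a third host against port 500, or any TCP, is denied, while ESP from the peer is accepted only because nothing in the chain names it.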

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:29 EDT