sshdfilter-1.5.7/INSTALL.ipfw (13 Oct 2007, 3358 bytes), from package sshdfilter-1.5.7.tar.gz
Installing sshdfilter for ipfw can be achieved by changing a few
configuration options. This file describes only the differences
required for using ipfw instead of iptables; to install sshdfilter
you still need to read INSTALL.

1. Decide what range the dynamically added block rules will occupy. For
example, the first tester of ipfw (on MacOSX) had a firewall that looked
like this:
$ ipfw show
02000 0 0 allow ip from any to any via lo*
02010 0 0 deny ip from 127.0.0.0/8 to any in
02020 0 0 deny ip from any to 127.0.0.0/8 in
02030 0 0 deny ip from 224.0.0.0/3 to any in
02040 0 0 deny tcp from any to 224.0.0.0/3 in
02050 0 0 allow tcp from any to any out
02060 0 0 allow tcp from any to any established
02070 0 0 allow tcp from any to any dst-port 548 in
02080 0 0 allow tcp from any to any dst-port 427 in
02090 0 0 allow tcp from any to any dst-port 443 in
02100 0 0 allow tcp from any to any dst-port 80 in
02110 0 0 allow tcp from any to any dst-port 427 in
02120 0 0 allow tcp from any to any dst-port 443 in
02130 0 0 allow tcp from any to any dst-port 1521 in
02140 0 0 allow tcp from any to any dst-port 3689 in
02150 0 0 allow tcp from any to any dst-port 80 in
02160 0 0 allow tcp from any to any dst-port 22 in
12190 0 0 deny log tcp from any to any
20000 0 0 deny log icmp from any to me in icmptypes 8
65535 0 0 allow ip from any to any

This was (probably) the firewall generated by the Mac 'sharing control panel'.
It would be best to leave this firewall as is and have sshdfilter work around
it. Notice that rule number 2160 accepts incoming ssh connections, so the
sshdfilter block rules must appear before it.

Also notice that the rules start at 2000, so we can start our rules at 1000. As
this early position will see all traffic, we can add skipto rules so that the
dynamic block rules are only checked against ssh traffic. Such as:
ipfw add 1000 skipto 2000 tcp from any to any not dst-port 22
ipfw add 1001 skipto 2000 not tcp from any to any

2. In /etc/sshdfilterrc, comment out the firewalladd/firewalldel commands for
iptables and uncomment the ipfw commands. Uncomment and set ipfwmin/ipfwmax to
the appropriate range. Using the above ranges this would be:
ipfwmin=1002
ipfwmax=1999

Which is a lot of potential rules, more than I have ever seen when using a
default USERPOLICY.

3. If you have a firewall helper program that needs sole access to your firewall,
chances are it will disable itself when it sees the additions made by sshdfilter.
The script scripts/ipfw.save will save (to /etc/sshdfilter.ipfw) and flush all
dynamic rules created by sshdfilter, and scripts/ipfw.restore will read that
file and restore the block rules. This will let you use your helper.

Beware, the scripts do not talk to sshdfilter, so there is a small chance that
a new block rule will be added between running ipfw.save and ipfw.restore. This
will leave sshdfilter and the firewall in different states, and will lead to
error messages when non-existent rules are removed.

You will need to edit scripts/ipfw.save to save the correct range of rules.

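As an added illustration of what the save step in 3. has to do (this is not sshdfilter's own scripts/ipfw.save), the function below reads `ipfw show` output and keeps only the rules whose number falls inside the ipfwmin/ipfwmax range from 2., emitting them as `add ...` lines that `ipfw <file>` can replay. The sample `ipfw show` output, the block-rule bodies and the 203.0.113.x/198.51.100.x addresses are constructed for the example; the exact form of the rules sshdfilter adds is an assumption.

```shell
#!/bin/sh
# Added example, not sshdfilter's scripts/ipfw.save: pick the dynamic block
# rules out of `ipfw show` output by rule number so a save/restore cycle
# never touches the static rules around them.  Range as in INSTALL.ipfw.
IPFWMIN=1002
IPFWMAX=1999

# Constructed sample of `ipfw show` output: the two skipto rules from step 1,
# two assumed sshdfilter block rules inside the range, and the static rule
# 2160 that accepts ssh and must be left alone.
SAMPLE_SHOW='01000 0 0 skipto 2000 tcp from any to any not dst-port 22
01001 0 0 skipto 2000 not tcp from any to any
01002 3 180 deny tcp from 203.0.113.7 to any dst-port 22 in
01003 0 0 deny tcp from 198.51.100.9 to any dst-port 22 in
02160 12 720 allow tcp from any to any dst-port 22 in'

# select_block_rules MIN MAX: read `ipfw show` lines on stdin and print
# "add <number> <body>" for each rule with MIN <= number <= MAX.  The packet
# and byte counters (fields 2 and 3) are dropped so the file replays cleanly.
select_block_rules() {
    awk -v min="$1" -v max="$2" '{
        n = $1 + 0                      # "01002" -> 1002, strips leading zeros
        if (n < min || n > max) next
        out = "add " n
        for (i = 4; i <= NF; i++) out = out " " $i
        print out
    }'
}

# count_block_rules MIN MAX: how many rules in the range are present, i.e.
# how many `ipfw delete` calls a flush after saving would need.
count_block_rules() {
    select_block_rules "$1" "$2" | wc -l | tr -d ' '
}

# Dry run on the constructed sample.  On a live host the pipeline would be
#   ipfw show | select_block_rules "$IPFWMIN" "$IPFWMAX" > /etc/sshdfilter.ipfw
# followed by `ipfw delete <n>` for each saved number, and later
#   ipfw /etc/sshdfilter.ipfw
# to restore the block rules.
echo "$SAMPLE_SHOW" | select_block_rules "$IPFWMIN" "$IPFWMAX"
```

Rules 1000 and 1001 (the skipto rules) and 2160 fall outside 1002-1999 and are never written to the save file, so restoring cannot duplicate or reorder them.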