# Rules IPFW



## djunio (Jun 2, 2012)

I have some questions to make the following rules:

*# Allow a client -> my server*

DNS query
SSH
AFP
HTTP and HTTPS

*# Allow my client -> World*

HTTP, HTTPS
DNS query
HTTP and HTTPS
SSH unrestricted

*# Allow the world -> server*

HTTPS
Query DNS
SMTP, IMAP

*# Allow the server to the world:*

All
Limit HTTP bandwidth 1Mbit/s
Narrow band SMTP 512Kbit/s
The remainder is # 512Kbit/s

Thanks!


----------



## DutchDaemon (Jun 2, 2012)

Show us what you already have, and we will comment on your existing rules. Don't expect anyone here to do all the legwork for you.


----------



## djunio (Jun 8, 2012)

Below are the rules. I would like your help to make sure they are correct:

Considerations:
My client: 192.168.1.57
My server: 192.168.1.55

---------------------------------------------------------------
I have some questions to make the following rules:

```
# Allow a client -> my server

    IMAP, POP3 AND SMPT

$fw add allow tcp from 192.168.1.57 to me 143 tcpflags setup

$fw add allow tcp from 192.168.1.57 to me 110 tcpflags setup
$fw add allow tcp from 192.168.1.57 to me 995 tcpflags setup

$fw add allow tcp from 192.168.1.57 to me 25 tcpflags setup

    DNS query

$fw add allow tcp from 192.168.1.57 to me 53
$fw add allow udp from 192.168.1.57 to me 53

    SSH

$fw add allow tcp from 192.168.1.57 to me 22 tcpflags setup
$fw add deny log tcp from any to me 22

    AFP

$fw add allow tcp from 192.168.1.57 to me 548 setup
$fw add allow tcp from 192.168.1.57 to me 427 setup
$fw add allow tcp from 192.168.1.57 to me 548 setup
$fw add allow tcp from 192.168.1.57 to me 427 setup
$fw add allow tcp from 192.168.1.57 to me 548 setup
$fw add allow tcp from 192.168.1.57 to me 427 setup

    HTTP and HTTPS

$fw add allow tcp from 192.168.1.57 to me 80,443 setup

# Allow my client -> World

    HTTP, HTTPS

$fw add allow tcp from 192.168.1.57 to any 80,443 in via en0 \setup keep-state

    DNS query

$fw add allow tcp from 192.168.1.57 to any 53 in via en0 \setup keep-state
$fw add allow udp from 192.168.1.57 to any 53 in via en0 \setup keep-state

    SSH unrestricted

$fw add allow tcp from 192.168.1.57 to any 22 tcpflags setup

# Allow the world -> server

    HTTPS

$fw add allow tcp from any to me 443 in via en2 setup keep-state


    Query DNS

$fw add allow tcp from any to me 53 in via en2 setup keep-state
$fw add allow udp from any to me 53 in via en2 setup keep-state

    SMTP, IMAP

$fw add allow tcp from any to me 25 in via en2 setup keep-state
$fw add allow tcp from any to me 143 in via en2 setup keep-state



# Allow the server to the world:

    All

$fw add allow tcp from me to any

    Limit HTTP bandwidth 1Mbit/s

$fw pipe 1 config bw 1000Kbit/s
$fw add allow pipe 1 tcp from any to me 80 in via en2 setup

    Narrow band SMTP 512Kbit/s

$fw pipe 2 config bw 512Kbit/s
$fw add allow pipe 1 tcp from any to me 25 in via en2

    The remainder is # 512Kbit/s

$fw pipe 3 config bw 512Kbit/s
$fw add allow pipe 1 tcp from any to me in via en2
```

Thanks for the help


----------



## djunio (Jun 11, 2012)

*the rules are correct?*

The above rules are correct? Remembering that I'm using Mac OS Server and a Mac client.

Thanks!


----------



## djunio (Jun 14, 2012)

*The above rules are correct?*

The above rules are correct?


----------

