# Confusion with IPFW



## Gogeden (Feb 23, 2014)

Hey all,

I've been dorking around with IPFW for the past few days on my FreeNAS box and I'm having some trouble with the syntax for it.
I want to allow access to the server via the LAN but do not want any contact to the server from the Internet what so ever.

I've been using this:

`ipfw add allow ip from me to 10.21.1.0`
`ipfw add allow tcp from me to 10.21.1.0`
`ipfw add deny ip from me to any`
`ipfw add deny tcp from me to any`

I'm pretty sure I'm shooting myself in the foot with those last two.  How do I deny outside access to the server and only let access to it via my LAN? I really only use SSH to access the box and would like to keep it that way as well as the webGUI which I access via a custom port of 5177. So essentially, I would like SSH and webGUI access (via 5177)  on my LAN.

I hope I elaborated well enough.
If not, chew my ass out 
Was having some weird activity to the server the other night so that's why I'm doing this 

Thanks for your time!


----------



## qsecofr (Feb 25, 2014)

Which hosts are which?  
Server interfaces directly with your ISP, or does the FreeNAS?
I'm assuming your firewall runs on the host that interfaces directly with your ISP.

Sounds to me from your post as if "me" is the server, it runs the firewall, and interfaces with your ISP.  And sounds like 10.21.1.0 is FreeNAS which sits inside your private net.


```
# the syntax is sh
# where $oif = the interface on server through which packets go to/from the ISP
# per the manpage, protocol "ip" includes all packets, tcp, udp, icmp, etc
$ipfw -q add allow tcp from me to 10.21.1.0 ssh out not via $oif 
$ipfw -q add allow tcp from 10.21.1.0 ssh to me in not via $oif
$ipfw -q add allow tcp from me to 10.21.1.0 5177 out not via $oif 
$ipfw -q add allow tcp from 10.21.1.0 5177 to me in not via $oif
$ipfw -q add deny all from any to 10.21.1.0
```


----------



## Gogeden (Feb 28, 2014)

qsecofr said:
			
		

> Which hosts are which?
> Server interfaces directly with your ISP, or does the FreeNAS?
> I'm assuming your firewall runs on the host that interfaces directly with your ISP.
> 
> ...



Sorry for the late reply and thank you for the reply.

The "10.21.1.0" is the beginning of my router's IP address assign range.
The router itself is 10.21.1.1.


----------

