I have prepared the following configuration:
# cat /etc/firewall.conf
add 1000 count udp from any to me 10000
add 1001 count udp from any to me 10001
add 1002 count udp from any to me 10002
add 65000 allow ip from any to any
This is the output from ipfw:
# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01000 count udp from any to me 10000
01001 count udp from any to me 10001
01002 count udp from any to me 10002
65000 allow ip from any to any
65535 deny ip from any to any
I have the following two questions:
1. What would be the command to allow UDP traffic from IP 203.0.113.1 to UDP port range 20500-20750? Would the rule below be the right one?
add 2000 allow udp from 203.0.113.1 to me 20500-20750
2. With the above configuration, do I ensure that all traffic is allowed?
Right, that will work.
It depends on what you mean by "all traffic". Rule
65000 allow ip from any to any
effectively allows all traffic, so apart from rules 200-500 there is no sense in keeping the others at the same time. Without rule 65000, however, many critical rules are missing: ssh access to the server itself and, the funniest part, any outgoing traffic from it.
So I'd recommend reading the numerous manuals on firewall setup.
One more useful thing is to use ipfw logging at the end of the rule list. Check out the great FreeBSD handbook: https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
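To make the answer's two points concrete (rule 2000 matches the asked-for UDP range, and without rule 65000 the implicit 65535 deny swallows ssh and all outbound traffic), here is an added example that is not part of the original thread: a tiny rule matcher in Python that imitates ipfw's first-terminating-match semantics for the rule syntax used above. It assumes that "me" stands for a single constructed host address (203.0.113.10), that `count` rules only tally and never terminate, and that an implicit `65535 deny ip from any to any` closes the list; everything else in ipfw (stateful rules, ICMPv6 types, interface options beyond `via`) is out of scope.

```python
"""Added example (not from the original post): a minimal ipfw-style rule
matcher. Assumed semantics: first terminating rule wins, `count` rules only
increment a counter, and an implicit `65535 deny ip from any to any` closes
the list. Only the syntax used in the thread is supported."""
import ipaddress

# Constructed: the address(es) the keyword "me" stands for on this host.
ME = {ipaddress.ip_address("203.0.113.10")}


def _parse_ports(spec):
    """'22', '20500-20750' or '10000,10001' -> list of (lo, hi) tuples."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def _parse_addr(spec):
    """'any' and 'me' stay symbolic; anything else becomes a network."""
    if spec in ("any", "me"):
        return spec
    return ipaddress.ip_network(spec, strict=False)


def parse_rule(line):
    """Parse 'add N action proto from SRC [ports] to DST [ports] [via IFACE]'."""
    tok = line.split()
    if tok[0] == "add":
        tok = tok[1:]
    num, action, proto = int(tok[0]), tok[1], tok[2]
    assert tok[3] == "from" and action in ("allow", "deny", "count")
    rule = {"num": num, "action": action, "proto": proto,
            "src": _parse_addr(tok[4]), "sports": None,
            "dst": None, "dports": None, "via": None}
    i = 5
    if tok[i] != "to":                      # optional source port list
        rule["sports"] = _parse_ports(tok[i])
        i += 1
    assert tok[i] == "to"
    rule["dst"] = _parse_addr(tok[i + 1])
    i += 2
    if i < len(tok) and tok[i] != "via":    # optional destination port list
        rule["dports"] = _parse_ports(tok[i])
        i += 1
    if i < len(tok) and tok[i] == "via":    # optional interface restriction
        rule["via"] = tok[i + 1]
    return rule


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return addr in spec


def _port_match(ranges, port):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def matches(rule, pkt):
    """True if every clause of the rule matches the packet description."""
    return (rule["proto"] in ("ip", pkt["proto"])
            and _addr_match(rule["src"], pkt["src"])
            and _addr_match(rule["dst"], pkt["dst"])
            and _port_match(rule["sports"], pkt["sport"])
            and _port_match(rule["dports"], pkt["dport"])
            and (rule["via"] is None or rule["via"] == pkt["iface"]))


def evaluate(rules, pkt, counters=None):
    """Return (rule number, verdict) of the first terminating rule that matches.
    `count` hits are recorded in `counters` (a dict) and do not stop the walk."""
    counters = counters if counters is not None else {}
    for rule in sorted(rules, key=lambda r: r["num"]):
        if not matches(rule, pkt):
            continue
        if rule["action"] == "count":       # non-terminating: tally and go on
            counters[rule["num"]] = counters.get(rule["num"], 0) + 1
            continue
        return rule["num"], rule["action"]
    return 65535, "deny"                    # ipfw's implicit final rule


def packet(proto, src, dst, dport=0, sport=0, iface=None):
    """Build a packet description for evaluate()."""
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport,
            "sport": sport, "iface": iface}


# Constructed rule sets: the thread's count rules plus the proposed rule 2000,
# once with the catch-all rule 65000 and once without it.
BASE = [
    "add 1000 count udp from any to me 10000",
    "add 1001 count udp from any to me 10001",
    "add 1002 count udp from any to me 10002",
    "add 2000 allow udp from 203.0.113.1 to me 20500-20750",
]
WITH_CATCH_ALL = [parse_rule(r) for r in BASE + ["add 65000 allow ip from any to any"]]
WITHOUT_CATCH_ALL = [parse_rule(r) for r in BASE]

if __name__ == "__main__":
    ssh_in = packet("tcp", "198.51.100.5", "203.0.113.10", dport=22)
    print("with 65000, inbound ssh:   ", evaluate(WITH_CATCH_ALL, ssh_in))
    print("without 65000, inbound ssh:", evaluate(WITHOUT_CATCH_ALL, ssh_in))
```

Running it shows inbound ssh hitting rule 65000 in the first set and the implicit 65535 deny in the second, which is the trap the answer describes: dropping the catch-all turns the list from "everything allowed, just counted" into "only UDP 20500-20750 from 203.0.113.1 allowed, nothing else, not even outbound connections". The count rules are unaffected either way, since they never terminate the walk.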