Date: Tue, 15 Jun 2004 20:54:34 +0100 From: Robert Downes <nullentropy@lineone.net> To: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Firewall rules Message-ID: <40CF53FA.7070308@lineone.net>
next in thread | raw e-mail | index | archive | help
I'm obviously missing something... I've read as much about IPFW and firewall packet filtering as I can, and I"m still happy with these very simple rules: su-2.05b# ipfw -a list 00100 16 1144 divert 8668 ip from any to any in via rl0 00200 17 964 divert 8668 ip from any to any out via rl0 00300 0 0 check-state 00400 32 3296 allow ip from me to me 00500 21 1268 allow ip from 192.168.0.0/24 to any keep-state 00600 274 25875 allow ip from 192.168.1.0/24 to any keep-state 00700 2 96 deny log ip from any to any 65535 4 429 deny ip from any to any Now, having seen plenty of examples of huge lists of rules, I'm obviously not seeing something that is apparent to others. I've tested my network using the grc.com ShieldsUp! port probing system. It informs me that every one of the first 1056 ports is stealthed (i.e. does not even reply to probes). In fact, the only thing it complains about is the fact that my IP replies to ICPM ping requests (though I don't understand how). The above rules only allow replies to IPs and ports on my network that establish a connection first. I'm not running any net services, so I don't need to allow any unsolicited inbound connections. All the machines on my network seem to be able to fetch mail, browse web pages, ping, and nslookup machines on the Internet at large. And my /var/log/security file shows that dozens of random connections to ports 135 and 445 have been dropped. So, what am I missing? What gaping hole have I left open? -- Bob
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40CF53FA.7070308>