Date: Tue, 6 Feb 2018 19:07:29 +0200
From: Christos Chatzaras <chris@cretaforce.gr>
To: freebsd-ipfw@freebsd.org
Subject: Recommendations for my rules
Message-ID: <AD14758D-8585-4944-B63D-F5627BBA9449@cretaforce.gr>
Can someone with experience with ipfw have a look at these rules?

I want to have incoming + outgoing:

FTP (passive + active)
SSH
MySQL
DNS
WWW (http + https)
MAIL (smtps + submission)

Only incoming:

MAIL (pop3, imap, pop3s, imaps)
SNMP

Only outgoing:

MAIL (smtp for some specific users to avoid direct telnet connections to port 25 from other users)

#!/bin/sh

# Flush all rules before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add "
cmd2="ipfw -q "
pif=`ifconfig -l | awk '{ print $1 }'`

# Allow loopback and deny loopback spoofing
$cmd 00010 allow ip from any to any via lo0
$cmd 00020 deny ip from any to 127.0.0.0/8
$cmd 00030 deny ip from 127.0.0.0/8 to any

# Checks stateful rules
$cmd 00050 check-state
$cmd 00060 deny tcp from any to any established

# SSHGUARD
$cmd 01000 reset ip from 'table(22)' to any

# NTP
$cmd 01005 allow udp from any to any dst-port 123 out via $pif keep-state

# ICMP
$cmd 01010 allow icmp from any to any out via $pif keep-state
$cmd 01011 allow icmp from any to any in via $pif

# FTP
$cmd 10001 allow tcp from me to any dst-port 21 out via $pif setup keep-state
$cmd 10002 allow tcp from any 20 to me in via $pif setup keep-state
$cmd 10003 allow tcp from me to any dst-port 49152-65535 out via $pif keep-state
$cmd 10004 allow tcp from any to me 21 in via $pif setup keep-state
$cmd 10004 allow tcp from me 20,21 to any out via $pif keep-state
$cmd 10006 allow tcp from any to me 50000-51000 in via $pif setup keep-state

# SSH
$cmd 10010 allow tcp from any to me dst-port 22 in via $pif setup keep-state
$cmd 10011 allow tcp from me to any dst-port 22 out via $pif setup keep-state

# DNS
$cmd 10021 allow tcp from any to me dst-port 53 in via $pif setup keep-state
$cmd 10022 allow udp from any to me dst-port 53 in via $pif keep-state
$cmd 10023 allow tcp from me to any dst-port 53 out via $pif setup keep-state
$cmd 10024 allow udp from me to any dst-port 53 out via $pif keep-state

# SNMP
$cmd 10026 allow udp from any to me dst-port 161 in via $pif keep-state

# EPP
$cmd 10027 allow tcp from me to any dst-port 700 out via $pif setup keep-state

# WWW
$cmd 10030 allow tcp from me to any dst-port 80 out via $pif setup keep-state
$cmd 10031 allow tcp from me to any dst-port 443 out via $pif setup keep-state
$cmd 10032 allow tcp from any to me dst-port 80 in via $pif setup keep-state
$cmd 10033 allow tcp from any to me dst-port 443 in via $pif setup keep-state

# MAIL
$cmd 10039 allow tcp from any to me dst-port 25 in via $pif setup keep-state
$cmd 10040 allow tcp from me to any dst-port 25 uid root out via $pif setup keep-state
$cmd 10041 allow tcp from me to any dst-port 25 uid postfix out via $pif setup keep-state
$cmd 10042 allow tcp from me to any dst-port 25 uid filter out via $pif setup keep-state
$cmd 10044 allow tcp from any to me dst-port 465 in via $pif setup keep-state
$cmd 10045 allow tcp from me to any dst-port 465 out via $pif setup keep-state
$cmd 10046 allow tcp from any to me dst-port 587 in via $pif setup keep-state
$cmd 10047 allow tcp from me to any dst-port 587 out via $pif setup keep-state
$cmd 10048 allow tcp from any to me dst-port 110 in via $pif setup keep-state
$cmd 10049 allow tcp from any to me dst-port 995 in via $pif setup keep-state
$cmd 10050 allow tcp from any to me dst-port 143 in via $pif setup keep-state
$cmd 10051 allow tcp from any to me dst-port 993 in via $pif setup keep-state

# MYSQL
$cmd 10100 allow tcp from me to any dst-port 3306 out via $pif setup keep-state
$cmd 10101 allow tcp from any to me dst-port 3306 in via $pif setup keep-state

# WHOIS OUTGOING
$cmd 10200 allow tcp from me to any dst-port 43 out via $pif setup keep-state

# Deny everything else, and log it
$cmd 56599 deny log all from any to any
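An audit helper added here as an example (my code, not Christos's script and not part of ipfw): it parses the `$cmd NNNNN ...` lines of a rules script like the one above, flags duplicate rule numbers (10004 is used twice in the post), lists the protocol/port pairs the host accepts from any source, and reports rules numbered above the catch-all deny, which can never match. The embedded sample is a constructed subset of the posted rules.

```python
import re
from collections import Counter, namedtuple

# Constructed sample: a subset of the posted rules ($pif left symbolic; only direction and endpoints matter here).
SAMPLE_RULES = """\
$cmd 00060 deny tcp from any to any established
$cmd 10002 allow tcp from any 20 to me in via $pif setup keep-state
$cmd 10004 allow tcp from any to me 21 in via $pif setup keep-state
$cmd 10004 allow tcp from me 20,21 to any out via $pif keep-state
$cmd 10006 allow tcp from any to me 50000-51000 in via $pif setup keep-state
$cmd 10010 allow tcp from any to me dst-port 22 in via $pif setup keep-state
$cmd 10026 allow udp from any to me dst-port 161 in via $pif keep-state
$cmd 10040 allow tcp from me to any dst-port 25 uid root out via $pif setup keep-state
$cmd 10101 allow tcp from any to me dst-port 3306 in via $pif setup keep-state
$cmd 56599 deny log all from any to any
"""

Rule = namedtuple("Rule", "num action proto src sport dst dport opts")

# Body grammar as used in the script: [log] proto from src [port] to dst [[dst-port] port] opts...
RULE_RE = re.compile(
    r"^\$cmd\s+(\d+)\s+(\w+)(?:\s+log)?\s+(\S+)\s+from\s+(\S+)(?:\s+([\d,\-]+))?"
    r"\s+to\s+(\S+)(?:\s+(?:dst-port\s+)?([\d,\-]+))?(.*)$"
)

def parse_rules(text):
    """Turn '$cmd NNNNN ...' lines into Rule tuples; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, action, proto, src, sport, dst, dport, rest = m.groups()
            rules.append(Rule(int(num), action, proto, src, sport, dst, dport, rest.split()))
    return rules

def duplicate_numbers(rules):
    """Rule numbers used more than once: legal in ipfw, but usually a typo (10004 above)."""
    return sorted(n for n, c in Counter(r.num for r in rules).items() if c > 1)

def inbound_exposure(rules):
    """(proto, dst-port) pairs the host accepts from any source; 'any' means no port restriction."""
    return sorted({(r.proto, r.dport or "any") for r in rules if r.action == "allow"
                   and "in" in r.opts and r.src == "any" and r.dst == "me"})

def rules_after_final_deny(rules):
    """Rules numbered above the catch-all 'deny all from any to any' are never reached."""
    catchall = [r.num for r in rules if r.action == "deny" and r.proto == "all"
                and r.src == "any" and r.dst == "any" and not r.opts]
    return [r.num for r in rules if catchall and r.num > min(catchall)]
```

Rule 10002 shows up with destination port "any": it admits a new connection to every local port whenever the remote source port is 20, which is worth knowing when reading the exposure list.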