Date: Fri, 5 May 2000 09:17:49 +0000 (GMT)
From: sage@mindcrime.net
To: "Dan O'Connor" <dan@mostgraveconcern.com>
Cc: Marc Silver <marcs@draenor.org>, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall Rules
Message-ID: <Pine.BSF.4.21.0005050916510.28116-100000@cricket.mindcrime.net>
In-Reply-To: <019201bfb699$aa17c800$0200000a@danco>
Send over your ipfw rule set as well, so I can see the differences in the 2 if you wouldn't mind.

/sm

On Fri, 5 May 2000, Dan O'Connor wrote:

> >Do you feel that userland ppp is as safe as the kernel firewalling
> >options? I would like to gain a better understanding. What are the
> >major differences between the two?
>
> As far as I know, they both work about the same. IPFW has more flexibility,
> with complexity being the trade off.
>
> These are the /etc/ppp/ppp.conf rules I used before I got my DSL line (and
> switched to IPFW/NATD):
>
> # Prevent ICMP, DNS (53), and NTP (123) from keeping the connection alive:
> set filter alive 0 deny icmp
> set filter alive 1 deny udp src eq 53
> set filter alive 2 deny udp dst eq 53
> set filter alive 3 deny udp src eq 123
> set filter alive 4 deny udp dst eq 123
> set filter alive 5 permit 0 0
>
> # Prevent NTP (123) from causing a dialup:
> set filter dial 0 deny udp src eq 123
> set filter dial 1 deny udp dst eq 123
> set filter dial 2 permit 0 0
>
> # Allow ident (113), ftp (20 & 21), SSH (22), SMTP (25), DNS (53),
> # HTTP (80) IN & OUT, POP3 (110), NNTP (119), NTP (123), HTTPS (443),
> # SOCKS (1080), CVS (5998, 5999), ICMP (ping) and traceroute (>33433).
> # Everything else is blocked by default:
>
> set filter in 0 permit tcp dst eq 113
> set filter out 0 permit tcp src eq 113
> set filter in 1 permit tcp src eq 20 dst gt 1023
> set filter out 1 permit tcp dst eq 20
> set filter in 2 permit tcp src eq 21 estab
> set filter out 2 permit tcp dst eq 21
> set filter in 3 permit tcp src eq 22
> set filter out 3 permit tcp dst eq 22
> set filter in 4 permit tcp src eq 25
> set filter out 4 permit tcp dst eq 25
> set filter in 5 permit udp src eq 53
> set filter out 5 permit udp dst eq 53
> set filter in 6 permit tcp src eq 80
> set filter out 6 permit tcp dst eq 80
> set filter in 7 permit tcp dst eq 80
> set filter out 7 permit tcp src eq 80
> set filter in 8 permit tcp src eq 110
> set filter out 8 permit tcp dst eq 110
> set filter in 9 permit tcp src eq 119
> set filter out 9 permit tcp dst eq 119
> set filter in 10 permit udp src eq 123
> set filter out 10 permit udp dst eq 123
> set filter in 11 permit tcp src eq 443
> set filter out 11 permit tcp dst eq 443
> set filter in 12 permit udp src eq 443
> set filter out 12 permit udp dst eq 443
> set filter in 13 permit tcp src eq 1080
> set filter out 13 permit tcp dst eq 1080
> set filter in 14 permit udp src eq 1080
> set filter out 14 permit udp dst eq 1080
> set filter in 15 permit tcp src eq 5998
> set filter out 15 permit tcp dst eq 5998
> set filter in 16 permit tcp src eq 5999
> set filter out 16 permit tcp dst eq 5999
> set filter in 17 permit icmp
> set filter out 17 permit icmp
> set filter in 18 permit udp dst gt 33433
> set filter out 18 permit udp src gt 33433
>
>
> Hope they help!
>
> --Dan
>
> --
> Dan O'Connor
> On Matters of Most Grave Concern
> http://www.mostgraveconcern.com
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
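The ppp.conf ruleset quoted above keys almost every inbound permit on the remote source port, and only the ftp-control rule (in 2) carries "estab". Since the remote end chooses its own source port, that distinction matters. The following is an added example written for this page, not code from either poster or from the ppp distribution: a small Python audit that parses "set filter" lines in the form used above, simulates the "in" filter against a few probe packets, and flags the rules a remote host can satisfy just by picking its source port. It assumes, as I read ppp(8), that rules are tried in numeric order with first match winning, that a packet matching no rule is dropped, and that "estab" matches only TCP segments with the ACK bit set (so a fresh SYN never matches it); the function names and the embedded copy of the "in" filter are mine.

```python
"""Audit FreeBSD userland ppp 'set filter' rules for inbound permits that a remote
host can satisfy by choosing its source port.

Assumptions (added here, not stated in the thread): rules are tried in numeric
order, first match wins, no match means drop, and 'estab' matches only TCP
segments with ACK set, so a connection-opening SYN never matches an estab rule.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional

# The 'in' filter as posted in the thread, embedded so the audit runs offline.
PPP_CONF_IN = """\
set filter in 0 permit tcp dst eq 113
set filter in 1 permit tcp src eq 20 dst gt 1023
set filter in 2 permit tcp src eq 21 estab
set filter in 3 permit tcp src eq 22
set filter in 4 permit tcp src eq 25
set filter in 5 permit udp src eq 53
set filter in 6 permit tcp src eq 80
set filter in 7 permit tcp dst eq 80
set filter in 8 permit tcp src eq 110
set filter in 9 permit tcp src eq 119
set filter in 10 permit udp src eq 123
set filter in 11 permit tcp src eq 443
set filter in 12 permit udp src eq 443
set filter in 13 permit tcp src eq 1080
set filter in 14 permit udp src eq 1080
set filter in 15 permit tcp src eq 5998
set filter in 16 permit tcp src eq 5999
set filter in 17 permit icmp
set filter in 18 permit udp dst gt 33433
"""

@dataclass
class Rule:
    chain: str                     # in | out | dial | alive
    number: int
    action: str                    # permit | deny
    proto: Optional[str] = None    # tcp | udp | icmp | None (any)
    src: Optional[tuple] = None    # ("eq"|"lt"|"gt", port) on the remote port
    dst: Optional[tuple] = None    # same, on the local port
    estab: bool = False

RULE_RE = re.compile(r"^set\s+filter\s+(?P<chain>in|out|dial|alive)\s+(?P<num>\d+)\s+"
                     r"(?P<action>permit|deny)(?P<rest>.*)$")
PORT_RE = re.compile(r"\b(src|dst)\s+(eq|lt|gt)\s+(\d+)\b")

def parse_rules(text: str) -> list:
    """Parse 'set filter' lines; '0 0' (any/any) address pairs parse as proto None."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised filter line: {line!r}")
        tokens = m.group("rest").split()
        proto = next((t for t in tokens if t in ("tcp", "udp", "icmp")), None)
        src = dst = None
        for which, op, port in PORT_RE.findall(m.group("rest")):
            if which == "src":
                src = (op, int(port))
            else:
                dst = (op, int(port))
        rules.append(Rule(m.group("chain"), int(m.group("num")), m.group("action"),
                          proto, src, dst, "estab" in tokens))
    return rules

def port_matches(spec: Optional[tuple], port: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "lt": port < n, "gt": port > n}[op]

def first_match(rules, chain, proto, sport, dport, ack=False) -> Optional[Rule]:
    """Simulate the filter: first rule in `chain` matching the packet, or None (drop)."""
    for r in rules:
        if r.chain != chain or (r.proto is not None and r.proto != proto):
            continue
        if not port_matches(r.src, sport) or not port_matches(r.dst, dport):
            continue
        if r.estab and not ack:       # estab needs ACK set; a fresh SYN has none
            continue
        return r
    return None

def spoofable_inbound_permits(rules) -> list:
    """Inbound TCP/UDP permits keyed on the remote source port without 'estab'.
    A remote host picks its own source port, so each of these lets a new SYN (or
    any UDP datagram) from that port reach every local port the dst clause admits."""
    return [r for r in rules
            if r.chain == "in" and r.action == "permit" and r.proto in ("tcp", "udp")
            and r.src is not None and not r.estab]

def harden(rules) -> list:
    """Flagged TCP rules with 'estab' added, so only reply segments match.  UDP has
    no handshake; those rules come back unchanged and need a dst restriction or a
    stateful filter instead."""
    return [replace(r, estab=True) if r.proto == "tcp" else r
            for r in spoofable_inbound_permits(rules)]

def render_rule(r: Rule) -> str:
    """Emit a rule back in ppp.conf syntax."""
    parts = ["set", "filter", r.chain, str(r.number), r.action]
    parts += [r.proto] if r.proto else ["0", "0"]
    for name, spec in (("src", r.src), ("dst", r.dst)):
        if spec:
            parts += [name, spec[0], str(spec[1])]
    if r.estab:
        parts.append("estab")
    return " ".join(parts)

if __name__ == "__main__":
    rules = parse_rules(PPP_CONF_IN)
    print("SYN from sport 22 to telnet:", first_match(rules, "in", "tcp", 22, 23))
    print("SYN from sport 21 to telnet:", first_match(rules, "in", "tcp", 21, 23))
    for r in harden(rules):
        print(render_rule(r))
```

Run against the quoted filter, a SYN from source port 22 to local port 23 lands on rule 3 and is permitted, while the same SYN from source port 21 falls through rule 2 (which requires estab) and is dropped; rule 1 likewise admits any TCP from source port 20 to every local port above 1023. Adding "estab" to the TCP rules, as harden() does, keeps outbound SSH, SMTP, HTTP and the rest working, because replies always carry ACK, but stops them doubling as inbound open doors. The UDP rules (53, 123, 443, 1080) cannot be fixed that way and are the kind of case where a stateful kernel filter earns its extra complexity.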