From owner-freebsd-security Fri May 5 7:17:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cricket.mindcrime.net (cricket.mindcrime.net [209.70.202.96]) by hub.freebsd.org (Postfix) with ESMTP id 2383A37B572 for ; Fri, 5 May 2000 07:17:14 -0700 (PDT) (envelope-from sagem@cricket.mindcrime.net)
Received: from cricket.mindcrime.net (cricket.mindcrime.net [209.70.202.96]) by cricket.mindcrime.net (8.9.3/8.9.3) with ESMTP id JAA28208; Fri, 5 May 2000 09:17:49 GMT (envelope-from sagem@cricket.mindcrime.net)
Date: Fri, 5 May 2000 09:17:49 +0000 (GMT)
From: sage@mindcrime.net
X-Sender: sagem@cricket.mindcrime.net
To: "Dan O'Connor"
Cc: Marc Silver, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall Rules
In-Reply-To: <019201bfb699$aa17c800$0200000a@danco>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Send over your ipfw rules set as well, so I can see the differences in the 2 if you wouldn't mind.

/sm

On Fri, 5 May 2000, Dan O'Connor wrote:

> >Do you feel that userland ppp is as safe as the kernel firewalling
> >options? I would like to gain a better understanding. What are the
> >major differences between the two?
>
> As far as I know, they both work about the same. IPFW has more flexibility,
> with complexity being the trade off.
>
> These are the /etc/ppp/ppp.conf rules I used before I got my DSL line (and
> switched to IPFW/NATD):
>
> # Prevent ICMP, DNS (53), and NTP (123) from keeping the connection alive:
> set filter alive 0 deny icmp
> set filter alive 1 deny udp src eq 53
> set filter alive 2 deny udp dst eq 53
> set filter alive 3 deny udp src eq 123
> set filter alive 4 deny udp dst eq 123
> set filter alive 5 permit 0 0
>
> # Prevent NTP (123) from causing a dialup:
> set filter dial 0 deny udp src eq 123
> set filter dial 1 deny udp dst eq 123
> set filter dial 2 permit 0 0
>
> # Allow ident (113), ftp (20 & 21), SSH (22), SMTP (25), DNS (53),
> # HTTP (80) IN & OUT, POP3 (110), NNTP (119), NTP (123), HTTPS (443),
> # SOCKS (1080), CVS (5998, 5999), ICMP (ping) and traceroute (>33433).
> # Everything else is blocked by default:
>
> set filter in 0 permit tcp dst eq 113
> set filter out 0 permit tcp src eq 113
> set filter in 1 permit tcp src eq 20 dst gt 1023
> set filter out 1 permit tcp dst eq 20
> set filter in 2 permit tcp src eq 21 estab
> set filter out 2 permit tcp dst eq 21
> set filter in 3 permit tcp src eq 22
> set filter out 3 permit tcp dst eq 22
> set filter in 4 permit tcp src eq 25
> set filter out 4 permit tcp dst eq 25
> set filter in 5 permit udp src eq 53
> set filter out 5 permit udp dst eq 53
> set filter in 6 permit tcp src eq 80
> set filter out 6 permit tcp dst eq 80
> set filter in 7 permit tcp dst eq 80
> set filter out 7 permit tcp src eq 80
> set filter in 8 permit tcp src eq 110
> set filter out 8 permit tcp dst eq 110
> set filter in 9 permit tcp src eq 119
> set filter out 9 permit tcp dst eq 119
> set filter in 10 permit udp src eq 123
> set filter out 10 permit udp dst eq 123
> set filter in 11 permit tcp src eq 443
> set filter out 11 permit tcp dst eq 443
> set filter in 12 permit udp src eq 443
> set filter out 12 permit udp dst eq 443
> set filter in 13 permit tcp src eq 1080
> set filter out 13 permit tcp dst eq 1080
> set filter in 14 permit udp src eq 1080
> set filter out 14 permit udp dst eq 1080
> set filter in 15 permit tcp src eq 5998
> set filter out 15 permit tcp dst eq 5998
> set filter in 16 permit tcp src eq 5999
> set filter out 16 permit tcp dst eq 5999
> set filter in 17 permit icmp
> set filter out 17 permit icmp
> set filter in 18 permit udp dst gt 33433
> set filter out 18 permit udp src gt 33433
>
> Hope they help!
>
> --Dan
>
> --
> Dan O'Connor
> On Matters of Most Grave Concern
> http://www.mostgraveconcern.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
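The filter sets Dan posted are stateless, first-match rules, and the question a reviewer asks of such a ruleset is which packets each rule actually lets through. The script below is an added example, not code from this thread or from ppp itself: it models the `set filter` matching semantics as documented in ppp(8) (rules walked in rule-number order, first match decides, a non-empty set denies anything unmatched, `estab` matches only TCP segments with the ACK bit set) and evaluates constructed packets against a verbatim subset of the posted rules. The local and remote addresses 192.0.2.10 and 198.51.100.1 are constructed documentation addresses; `!` negation and the `syn`/`finrst` keywords are not modelled because the posted rules do not use them.

```python
"""Evaluate ppp(8) 'set filter' rules against sample packets (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of the ppp.conf rules quoted in Dan O'Connor's post, copied verbatim.
PPP_CONF = """
set filter alive 0 deny icmp
set filter alive 1 deny udp src eq 53
set filter alive 5 permit 0 0
set filter in 2 permit tcp src eq 21 estab
set filter out 2 permit tcp dst eq 21
set filter in 3 permit tcp src eq 22
set filter out 3 permit tcp dst eq 22
set filter in 5 permit udp src eq 53
set filter out 5 permit udp dst eq 53
set filter in 6 permit tcp src eq 80
set filter out 6 permit tcp dst eq 80
set filter in 17 permit icmp
set filter out 17 permit icmp
"""

@dataclass
class Rule:
    num: int
    action: str                              # 'permit' or 'deny'
    src_net: Optional[str] = None            # None or '0' means any address
    dst_net: Optional[str] = None
    proto: Optional[str] = None              # 'tcp', 'udp', 'icmp' or None (any)
    src_cmp: Optional[Tuple[str, int]] = None  # e.g. ('eq', 53)
    dst_cmp: Optional[Tuple[str, int]] = None
    estab: bool = False                      # match only when the TCP ACK bit is set

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False    # TCP ACK flag, the only flag 'estab' looks at

RULE_RE = re.compile(r"^\s*set\s+filter\s+(\w+)\s+(\d+)\s+(permit|deny)\s*(.*)$")

def _is_addr(tok: str) -> bool:
    return tok == "0" or "/" in tok or (tok[0].isdigit() and "." in tok)

def parse_filters(conf: str) -> Dict[str, List[Rule]]:
    """Group 'set filter' lines by set name (alive, dial, in, out)."""
    sets: Dict[str, List[Rule]] = {}
    for line in conf.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        name, num, action, rest = m.groups()
        toks = rest.split()
        rule = Rule(int(num), action)
        addrs = []                           # optional src [dst] address specs come first
        while toks and _is_addr(toks[0]):
            addrs.append(toks.pop(0))
        if addrs:
            rule.src_net = addrs[0]
            rule.dst_net = addrs[1] if len(addrs) > 1 else None
        if toks and toks[0] in ("tcp", "udp", "icmp"):
            rule.proto = toks.pop(0)
        while toks:
            t = toks.pop(0)
            if t in ("src", "dst"):          # 'src eq 53', 'dst gt 33433', ...
                cmp_, port = toks.pop(0), int(toks.pop(0))
                setattr(rule, f"{t}_cmp", (cmp_, port))
            elif t == "estab":
                rule.estab = True
            else:
                raise ValueError(f"unsupported token {t!r} in: {line.strip()}")
        sets.setdefault(name, []).append(rule)
    for rules in sets.values():
        rules.sort(key=lambda r: r.num)      # ppp walks rules in rule-number order
    return sets

def _net_ok(spec: Optional[str], ip: str) -> bool:
    if spec is None or spec in ("0", "0/0", "0.0.0.0/0"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(cmp_: Optional[Tuple[str, int]], port: int) -> bool:
    if cmp_ is None:
        return True
    op, want = cmp_
    return {"eq": port == want, "lt": port < want, "gt": port > want}[op]

def evaluate(sets: Dict[str, List[Rule]], name: str, pkt: Packet):
    """Return (action, rule_number); rule_number is None for a default verdict."""
    rules = sets.get(name, [])
    if not rules:
        return "permit", None                # an empty filter set passes everything
    for r in rules:
        if r.proto and r.proto != pkt.proto:
            continue
        if not (_net_ok(r.src_net, pkt.src) and _net_ok(r.dst_net, pkt.dst)):
            continue
        if r.proto in ("tcp", "udp") and not (
                _port_ok(r.src_cmp, pkt.sport) and _port_ok(r.dst_cmp, pkt.dport)):
            continue
        if r.estab and not pkt.ack:          # the opening SYN carries no ACK, so it never matches
            continue
        return r.action, r.num
    return "deny", None                      # "Everything else is blocked by default"

FILTERS = parse_filters(PPP_CONF)
LOCAL, REMOTE = "192.0.2.10", "198.51.100.1"   # constructed RFC 5737 addresses

def audit():
    """Run constructed packets through the sets; 'in' sees the remote host as src."""
    cases = {
        "out_dns_query":     ("out",   Packet("udp", LOCAL, REMOTE, 3456, 53)),
        "in_dns_reply":      ("in",    Packet("udp", REMOTE, LOCAL, 53, 3456)),
        "in_new_ssh_to_us":  ("in",    Packet("tcp", REMOTE, LOCAL, 40000, 22)),
        "in_ftp_syn_from_21": ("in",   Packet("tcp", REMOTE, LOCAL, 21, 3000, ack=False)),
        "in_ftp_reply_21":   ("in",    Packet("tcp", REMOTE, LOCAL, 21, 3000, ack=True)),
        "in_syn_from_80":    ("in",    Packet("tcp", REMOTE, LOCAL, 80, 3001, ack=False)),
        "alive_ping":        ("alive", Packet("icmp", REMOTE, LOCAL)),
        "alive_web":         ("alive", Packet("tcp", LOCAL, REMOTE, 3000, 80, ack=True)),
        "dial_no_rules":     ("dial",  Packet("udp", LOCAL, REMOTE, 3000, 123)),
    }
    return {label: evaluate(FILTERS, fset, pkt) for label, (fset, pkt) in cases.items()}

if __name__ == "__main__":
    for label, (action, num) in audit().items():
        where = f"rule {num}" if num is not None else "default"
        print(f"{label:20s} {action:6s} ({where})")
```

The results make the ruleset's behaviour concrete: ICMP and DNS are denied by the `alive` set, so they pass but do not reset the idle timer; no `in` rule has `dst eq 22`, so an inbound connection to the machine's own SSH port falls through to the default deny; and the `estab` keyword on rule `in 2` drops a bare SYN from source port 21 while passing the ACK-bearing replies of an FTP control connection. Rule `in 6` has no `estab`, so it matches any inbound TCP segment whose source port is 80, reply or not; giving the other client-reply rules the same `estab` qualifier that rule `in 2` already has is the tightening this check points to.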