Date: Thu, 21 Jul 2005 11:57:31 -0300
From: "Adolfo B. Ferreira" <bitchat@hotpop.com>
To: freebsd-ipfw@freebsd.org
Subject: Firewall
Message-ID: <1121957861.1823.57.camel@notebook>
Hi Folks,

I'm sending this e-mail to get suggestions about my firewall. I read about firewalls in the FreeBSD Handbook and I got suggestions from my friends, but I would like suggestions from here.

# DEVICE: lo0
add 100 allow ip from any to any via lo0
add 102 deny ip from any to 127.0.0.0/8
# LAN: IN
add 200 divert natd ip from any to any in via rl0
# LAN: DNS
add 300 allow ip from 201.6.255.86 to 201.6.0.100 out via rl0
add 301 allow ip from 201.6.0.100 to 201.6.255.86 in via rl0
add 302 allow udp from 201.6.0.100 to 10.1.1.0/8 in via rl0
add 303 allow udp from 201.6.0.100 to 192.168.0.0/8 in via rl0
add 304 allow udp from 201.6.0.102 to 10.1.1.0/8 in via rl0
# CHECK STATE
add 500 check-state
# LAN: ROOT
add 800 allow tcp from me to any out via rl0 setup keep-state uid root
# LAN: OUT
add 900 skipto 2000 ip from any to any out via rl0 setup keep-state
add 901 skipto 2000 icmp from any to any out via rl0 icmptypes 8
add 902 skipto 2000 udp from any to 201.6.0.100 out via rl0
add 903 skipto 2000 udp from any to 201.6.0.102 out via rl0
# NETCRAFT
add 1000 deny all from 195.92.95.0/32 to any in via rl0
# ICMP: BLOCK PING
add 1100 allow icmp from any to any in via rl0 icmptypes 0
add 1101 prob 0.2 allow icmp from any to 201.6.255.86 in via rl0 icmptypes 8
add 1102 allow icmp from 201.6.255.86 to any out via rl0 icmptypes 0
# LAN: RFC
add 1200 deny all from 192.168.0.0/16 to any in via rl0
add 1220 deny all from 172.16.0.0/12 to any in via rl0
add 1240 deny all from 127.0.0.0/8 to any in via rl0
add 1250 deny all from 0.0.0.0/8 to any in via rl0
add 1260 deny all from 169.254.0.0/16 to any in via rl0
add 1270 deny all from 192.0.2.0/24 to any in via rl0
add 1280 deny all from 204.152.64.0/23 to any in via rl0
add 1290 deny all from 224.0.0.0/3 to any in via rl0
# INTERNET: FRAG
add 1300 deny all from any to any frag in via rl0
# INTERNET: STATE STABLE
add 1400 deny ip from any to any established in via rl0
# INTERNET: SERVICES IN
add 1600 pipe 30 tcp from any to 201.6.255.86 20,21 in via rl0 setup limit src-addr 2
add 1603 pipe 60 tcp from any to 201.6.255.86 80 in via rl0 setup limit src-addr 2
# DENY / LOG
add 1800 deny log all from any to any out via rl0
add 1900 deny log all from any to any in via rl0
# LAN: NAT
add 2000 divert natd ip from any to any out via rl0
add 2001 allow ip from any to any
# BLOCK EVERYTHING ELSE
add 2100 deny log all from any to any

Thanks all,

Adolfo Bravo Ferreira
Network Administrator / Security Analyst / Developer
Sophiex Serviços de Informática
Phone: 11 8135-6090
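An added review aid, not part of the original post, that reads rules in the rules-file syntax used above and reports two things worth a second look: address tokens whose host bits lie outside the mask (ipfw ANDs the mask into the base address, so 10.1.1.0/8 in rules 302/304 matches 10.0.0.0/8 and 192.168.0.0/8 in rule 303 matches 192.0.0.0/8), and RFC 1918 prefixes that have no inbound deny on the interface (the LAN: RFC block covers 192.168/16 and 172.16/12 but not 10/8). The embedded RULES text is a constructed excerpt of the posted ruleset; the interface name rl0 is taken from the post.

```python
import ipaddress
import re

# Constructed excerpt of the ipfw rules from the post (rules-file syntax);
# enough of the DNS and "LAN: RFC" sections to exercise both checks.
RULES = """
# LAN: DNS
add 302 allow udp from 201.6.0.100 to 10.1.1.0/8 in via rl0
add 303 allow udp from 201.6.0.100 to 192.168.0.0/8 in via rl0
add 500 check-state
# LAN: RFC
add 1200 deny all from 192.168.0.0/16 to any in via rl0
add 1220 deny all from 172.16.0.0/12 to any in via rl0
add 1240 deny all from 127.0.0.0/8 to any in via rl0
add 1290 deny all from 224.0.0.0/3 to any in via rl0
"""
CIDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # RFC 1918 space

def parse_rules(text):
    """Return [(number, action, words)] for every 'add N action ...' line."""
    rules = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()  # drop comments and blanks
        if len(words) >= 3 and words[0] == "add" and words[1].isdigit():
            rules.append((int(words[1]), words[2], words[3:]))
    return rules

def masked_prefixes(rules):
    """Tokens whose host bits are set.  ipfw applies the mask to the base
    address, so 10.1.1.0/8 really matches 10.0.0.0/8: report (rule, token,
    effective network) so the author can confirm that was the intent."""
    found = []
    for num, _action, words in rules:
        for tok in words:
            if CIDR.match(tok):
                net = str(ipaddress.ip_network(tok, strict=False))
                if net != tok:
                    found.append((num, tok, net))
    return found

def missing_private_denies(rules, iface):
    """RFC 1918 prefixes with no 'deny ... from <prefix> to any in via <iface>'."""
    denied = set()
    for _num, action, words in rules:
        if action == "deny" and "in" in words and words[-1] == iface and "from" in words:
            denied.add(words[words.index("from") + 1])
    return [p for p in PRIVATE if p not in denied]
```

Run the two functions over the full ruleset file to get the same report for every section, not just the excerpt.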
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1121957861.1823.57.camel>