Date: Sun, 27 Jul 2003 08:40:50 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: Darren <darren@dazdaz.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: no keep-state and and unpredictable ssh connections
Message-ID: <3F23F282.5020605@tenebras.com>
In-Reply-To: <13347545536.20030726003910@dazdaz.org>
References: <13347545536.20030726003910@dazdaz.org>
You may need to fiddle with the default values for these

net.inet.ip.fw.dyn_ack_lifetime
net.inet.ip.fw.dyn_syn_lifetime
net.inet.ip.fw.dyn_fin_lifetime
net.inet.ip.fw.dyn_rst_lifetime
net.inet.ip.fw.dyn_udp_lifetime
net.inet.ip.fw.dyn_short_lifetime

and you want

/sbin/sysctl net.inet.ip.fw.dyn_keepalive=1

Anyway, try it this way.

#!/bin/sh
fwcmd="/sbin/ipfw -q"
# your local network; the value below is only an example, set it to yours
mynet="${mynet:-192.168.1.0/24}"

$fwcmd -f flush
$fwcmd add allow ip from any to any via lo0
$fwcmd add check-state
# loopback addresses must never appear on the wire
$fwcmd add deny ip from 127.0.0.0/8 to any
$fwcmd add deny ip from any to 127.0.0.0/8
# established TCP that did not match a dynamic rule above is bogus
$fwcmd add deny tcp from any to any established
# antispoofing rules
$fwcmd add deny ip from 10.0.0.0/8 to any in recv xl0
$fwcmd add deny ip from 172.16.0.0/12 to any in recv xl0
$fwcmd add deny ip from 192.168.0.0/16 to any in recv xl0
$fwcmd add deny ip from me to any in recv xl0
# some ICMP types you mustn't block -- esp. 3 for PMTU, etc.
$fwcmd add allow icmp from any to any icmptype 0,3,11
# allow local net traffic
$fwcmd add allow ip from $mynet to $mynet
# from me to anywhere
$fwcmd add allow tcp from me to any setup keep-state
$fwcmd add allow udp from me to any keep-state
$fwcmd add allow icmp from me to any
# Separate rules for SSH and HTTP, etc.
$fwcmd add count log logamount 0 tcp from any to me ssh in recv xl0 setup
$fwcmd add allow tcp from any to me ssh in recv xl0 keep-state setup
$fwcmd add count log logamount 0 tcp from any to me http in recv xl0 setup
$fwcmd add allow tcp from any to me http in recv xl0 keep-state setup
$fwcmd add deny log logamount 0 ip from any to any
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F23F282.5020605>
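An added example, not code from the mail above or from ipfw itself: a POSIX sh script that checks the dynamic-rule sysctls the mail lists and scans the dynamic rule table for SSH states that are about to time out, which is what makes "unpredictable" idle ssh sessions drop. Both inputs are constructed sample text in the shape of `sysctl net.inet.ip.fw` output and the dynamic-rule lines of `ipfw -d list`; the field positions in those lines are an assumption from that layout, and the sample values are invented, not read from any host.

```shell
#!/bin/sh
# Added example (not from the original mail or from ipfw): audit the
# dynamic-rule sysctls named in the mail and look for SSH states that are
# about to time out. Inputs are constructed sample text in the shape of
# `sysctl net.inet.ip.fw` and the dynamic-rule lines of `ipfw -d list`;
# on a live host pipe the real command output into the same functions.

# Constructed sample values (assumed, not read from any host).
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 0'

# Constructed dynamic-rule lines: rule number, packets, bytes, (seconds left),
# STATE, proto, src, sport, <->, dst, dport. Field positions are assumed from
# that layout.
SAMPLE_DYN='00500 42 3200 (287s) STATE tcp 192.0.2.10 51234 <-> 198.51.100.5 22
00500 7 900 (12s) STATE tcp 192.0.2.11 40022 <-> 198.51.100.5 22
00600 3 240 (290s) STATE tcp 203.0.113.7 33456 <-> 198.51.100.5 80'

# sysctl_value NAME TEXT: print the value of NAME from sysctl-style TEXT.
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == (k ":") { print $2; exit }'
}

# audit_sysctl TEXT: print one finding per line (nothing when settings are fine).
# An idle TCP session only survives dyn_ack_lifetime seconds without traffic
# unless dyn_keepalive makes ipfw probe the state before it expires.
audit_sysctl() {
    keep=$(sysctl_value net.inet.ip.fw.dyn_keepalive "$1")
    ack=$(sysctl_value net.inet.ip.fw.dyn_ack_lifetime "$1")
    [ "$keep" = 1 ] || echo "dyn_keepalive=${keep:-unset}: idle TCP states expire after ${ack:-?}s; set net.inet.ip.fw.dyn_keepalive=1"
    [ "${ack:-0}" -ge 300 ] || echo "dyn_ack_lifetime=${ack:-unset}s is below 300s; raise it for long idle sessions"
}

# expiring_ssh_states TEXT SECS: print TCP states with port 22 at either end
# that have fewer than SECS seconds left before ipfw drops them.
expiring_ssh_states() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        $5 == "STATE" && $6 == "tcp" && ($8 == 22 || $11 == 22) {
            secs = $4; gsub(/[()s]/, "", secs)
            if (secs + 0 < limit + 0)
                print $7 ":" $8 " -> " $10 ":" $11 " (" secs "s left)"
        }'
}

# Stand-alone run: report on the constructed samples.
echo "== sysctl findings =="
audit_sysctl "$SAMPLE_SYSCTL"
echo "== SSH states with under 60s left =="
expiring_ssh_states "$SAMPLE_DYN" 60
```

On a real box the same functions take `"$(sysctl net.inet.ip.fw)"` and `"$(ipfw -d list | grep STATE)"` as their TEXT argument; a state reported with only a few seconds left while dyn_keepalive is 0 is exactly the session that will appear to hang once the dynamic rule expires.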