Date: Wed, 20 Dec 2006 14:22:46 +0100
From: "Jurjen Middendorp" <jurjenm@stack.nl>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: ipfw rules
Message-ID: <20061220132246.GA5499@jurjenm.stack.nl>
In-Reply-To: <20061218022906.GC2552@kobe.laptop>
References: <20061216170123.GA962@jurjenm.stack.nl> <20061218022906.GC2552@kobe.laptop>
Cool! Thanks for the reply + suggestions! I haven't had any trouble with my
firewall blocking too much yet (also didn't connect to the internet much yet :),
but I'll think about just allowing all out... On the other hand I like the idea
of just letting out what I need (which isn't very much) and denying all else.
I don't use the file shares on the network, so I figured if I got a packet from
one of those addresses it would be a mistake, so I let them drop.

Anyway, I'll try to build some rules based on the suggestions you made, and
then I can try them both and decide which one gives me the least trouble :)

greetings, jurjen.

On Mon, Dec 18, 2006 at 04:29:06AM +0200, Giorgos Keramidas wrote:
> On 2006-12-16 18:01, Jurjen Middendorp <jurjenm@stack.nl> wrote:
> > I tried making a firewall for my laptop..but I'm not sure if I forgot
> > anything. And things can always be done better :)
>
> > #to stack (student computer thing... e-mail, irc, ssh stuff)
> > $cmd 020 allow all from me to 131.155.140.141/16 via $oif $ks
> >
> > #allow ssh
> > $cmd 021 allow all from me to any 22 out via $oif setup $ks
> >
> > #internet sites:
> > $cmd 032 allow tcp from me to any 80 out via $oif setup $ks
> > #https
> > $cmd 033 allow tcp from me to any 443 out via $oif setup $ks
> > #gopher
> > $cmd 034 allow tcp from me to any 70 out via $oif setup $ks
> >
> > #other e-mail
> > #pop
> > $cmd 040 allow tcp from me to any 110 out via $oif setup $ks
> > #imap
> > $cmd 041 allow tcp from me to any 143 out via $oif setup $ks
> >
> > #allow dns queries
> > $cmd 050 allow udp from me to any 53 out via $oif $ks
> > #allow ntp (?) queries
> > $cmd 051 allow udp from me to any 123 out via $oif $ks
> >
> > #I can send icmp myself
> > $cmd 060 allow icmp from me to any out via $oif $ks
> > #but others can't
> > $cmd 061 deny icmp from any to me
> >
> > #
> > #root can do anything
> > $cmd 070 allow tcp from me to any out via $oif setup $ks uid root
> >
> > #log other outgoing packets
> > $cmd 071 deny log all from any to any out via $oif
> >
> > ####
> > # Incoming
> >
> > #The default is that all other connections will be blocked anyway, but
> > # the more stuff I put in here, the less stuff will get logged
> >
> > #deny incoming from private networks
> > $cmd 100 deny all from 192.168.0.0/16 to any in via $oif #RFC 1918
> > $cmd 101 deny all from 172.16.0.0/12 to any in via $oif #RFC 1918
> > $cmd 105 deny all from 169.254.0.0/16 to any in via $oif #DHCP auto
> > $cmd 106 deny all from 192.0.2.0/24 to any in via $oif #reserved
> > $cmd 108 deny all from 224.0.0.0/3 to any in via $oif #D & E class
> > # multicast
> > #block smb stuff
> > $cmd 120 deny tcp from any to me 137 in via $oif
> > $cmd 121 deny tcp from any to me 138 in via $oif
> > $cmd 122 deny tcp from any to me 139 in via $oif
> >
> > #log ACK packets that didn't match the dynamic ruleset
> > $cmd 130 deny log all from any to any established in via $oif
> >
> > #Now log some stuff in case I did something wrong
> > $cmd 999 deny log any to me

Rule 999 had a syntax error; it now reads "...log all from...", which works a
bit better :)

> It's a fairly complex ruleset, but it seems mostly ok. There are
> a few things I'd change, mostly resulting from my own personal
> preferences:
>
> * I don't like hard-coding rule numbers in IPFW rulesets.
>
> * I like using 127.0.0.1/32 instead of any for loopback interfaces.
>
> * In general, I prefer much simpler rulesets.
>
> * I try to avoid a lot of variables/macros, like your $ks, since they
> don't really keep things a lot shorter, and when they do they try to
> abstract away too much of ipfw's syntax.
>
> * I don't aggressively filter out ICMP packets. They are useful for a
> lot of things, they are rate-limited by the kernel, and it is
> usually silly to block them without a fair amount of knowledge and a
> very good reason.
>
> * I don't deny packets for 'private' networks, like 192.168.0.0/26
> because the networks I use with my laptop *ARE* private a lot of the
> time. Having the firewall block too much and cause me problems is
> rarely a good way of spending my time.
>
> I would probably start with something like:
>
> <<<recommendation for ipfw ruleset>>>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"