From: "Jurjen Middendorp" <jurjenm@stack.nl>
Date: Wed, 20 Dec 2006 14:22:46 +0100
To: freebsd-questions
Message-ID: <20061220132246.GA5499@jurjenm.stack.nl>
In-Reply-To: <20061218022906.GC2552@kobe.laptop>
Subject: Re: ipfw rules

Cool! thanks for the reply + suggestions!
I haven't had any trouble with my firewall blocking too much yet (also
didn't connect to the internet much yet :), but I'll think about just
allowing all out... On the other hand I like the idea of just letting out
what I need (which isn't very much) and denying all else. I don't use the
file shares on the network, so I figured if I got a packet from one of
those addresses it would be a mistake, so I let them drop.

Anyway, I'll try to build some rules based on the suggestions you made;
then I can try them both and decide which one gives me the least trouble :)

greetings, jurjen.

On Mon, Dec 18, 2006 at 04:29:06AM +0200, Giorgos Keramidas wrote:
>On 2006-12-16 18:01, Jurjen Middendorp wrote:
>> I tried making a firewall for my laptop.. but I'm not sure if I forgot
>> anything. And things can always be done better :)
>
>> #to stack (student computer thing... e-mail, irc, ssh stuff)
>> $cmd 020 allow all from me to 131.155.140.141/16 via $oif $ks
>>
>> #allow ssh
>> $cmd 021 allow all from me to any 22 out via $oif setup $ks
>>
>> #internet sites:
>> $cmd 032 allow tcp from me to any 80 out via $oif setup $ks
>> #https
>> $cmd 033 allow tcp from me to any 443 out via $oif setup $ks
>> #gopher
>> $cmd 034 allow tcp from me to any 70 out via $oif setup $ks
>>
>> #other e-mail
>> #pop
>> $cmd 040 allow tcp from me to any 110 out via $oif setup $ks
>> #imap
>> $cmd 041 allow tcp from me to any 143 out via $oif setup $ks
>>
>> #allow dns queries
>> $cmd 050 allow udp from me to any 53 out via $oif $ks
>> #allow ntp (?) queries
>> $cmd 051 allow udp from me to any 123 out via $oif $ks
>>
>> #i can send icmp myself
>> $cmd 060 allow icmp from me to any out via $oif $ks
>> #but others can't
>> $cmd 061 deny icmp from any to me
>>
>> #
>> #root can do anything
>> $cmd 070 allow tcp from me to any out via $oif setup $ks uid root
>>
>> #log other outgoing packets
>> $cmd 071 deny log all from any to any out via $oif
>>
>> ####
>> # Incoming
>>
>> #The default is that all other connections will be blocked anyway, but
>> # the more stuff i put in here, the less stuff will get logged
>>
>> #deny incoming to private networks
>> $cmd 100 deny all from 192.168.0.0/16 to any in via $oif #RFC 1918
>> $cmd 101 deny all from 172.16.0.0/12 to any in via $oif #RFC 1918
>> $cmd 105 deny all from 169.254.0.0/16 to any in via $oif #DHCP auto
>> $cmd 106 deny all from 192.0.2.0/24 to any in via $oif #reserved
>> $cmd 108 deny all from 224.0.0.0/3 to any in via $oif #D & E class
>> # multicast
>> #block smb stuff
>> $cmd 120 deny tcp from any to me 137 in via $oif
>> $cmd 121 deny tcp from any to me 138 in via $oif
>> $cmd 122 deny tcp from any to me 139 in via $oif
>>
>> #log ACK packets that didn't match the dynamic ruleset
>> $cmd 130 deny log all from any to any established in via $oif
>>
>> #Now log some stuff in case i did something wrong
>> $cmd 999 deny log any to me

rule 999 had a syntax error and now it reads "...log all from..." that
works a bit better :)

>
>It's a fairly complex ruleset, but it seems mostly ok. There are
>a few things I'd change, mostly resulting from my own personal
>preferences:
>
> * I don't like hard-coding rule numbers in IPFW rulesets.
>
> * I like using 127.0.0.1/32 instead of any for loopback interfaces.
>
> * In general, I prefer much simpler rulesets.
>
> * I try to avoid a lot of variables/macros, like your $ks, since they
>   don't really keep things a lot shorter, and when they do they try to
>   abstract away too much of ipfw's syntax.
>
> * I don't aggressively filter out ICMP packets. They are useful for a
>   lot of things, they are rate-limited by the kernel, and it is
>   usually silly to block them without a fair amount of knowledge and a
>   very good reason.
>
> * I don't deny packets for 'private' networks, like 192.168.0.0/26
>   because the networks I use with my laptop *ARE* private a lot of the
>   time. Having the firewall block too much and cause me problems is
>   rarely a good way of spending my time.
>
>I would probably start with something like:
>
> <<>>
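An added example, written for this page and not taken from either post in the thread (Giorgos's own ruleset was elided from the quoted mail): a small sh script that builds a stateful ipfw ruleset along the lines he suggests, with no hard-coded rule numbers (ipfw auto-numbers rules added without one), 127.0.0.1/32 rather than any on loopback, ICMP left alone, and no RFC 1918 denies. It assumes the outside interface name comes from OIF (placeholder default) and, where ipfw is not installed, only prints the rules it would load.

```shell
#!/bin/sh
# Added example, not the ruleset from the original thread.
# Assumption: OIF names the outside interface; "wlan0" is a placeholder.
oif="${OIF:-wlan0}"

# build_rules LOADER: emit each rule through LOADER, which is either
# "ipfw -q add" (real load) or "echo ipfw -q add" (dry run / inspection).
# No rule numbers are given, so ipfw assigns them itself (default step 100).
build_rules() {
    cmd="$1"
    # Loopback: bind to the loopback address instead of "any".
    $cmd allow ip from 127.0.0.1/32 to 127.0.0.1/32 via lo0
    $cmd deny ip from any to 127.0.0.0/8
    $cmd deny ip from 127.0.0.0/8 to any

    # Let replies to our own outbound connections back in via the
    # dynamic rules created by keep-state below.
    $cmd check-state

    # Outbound: only the handful of services actually used; each
    # successful setup creates state for the return traffic.
    for port in 22 80 443 110 143; do
        $cmd allow tcp from me to any "$port" out via "$oif" setup keep-state
    done
    $cmd allow udp from me to any 53 out via "$oif" keep-state
    $cmd allow udp from me to any 123 out via "$oif" keep-state

    # ICMP is not filtered aggressively; the kernel rate-limits it anyway.
    $cmd allow icmp from any to any via "$oif"

    # Everything else on the outside interface that matched no state is
    # logged and dropped (no separate RFC 1918 rules: the LAN may be private).
    $cmd deny log ip from any to any via "$oif"
}

# rule_lines: the rules as text, one per line, without touching the kernel.
rule_lines() { build_rules "echo ipfw -q add"; }

# Load for real only where ipfw exists and DRY_RUN is not set.
if command -v ipfw >/dev/null 2>&1 && [ -z "${DRY_RUN:-}" ]; then
    build_rules "ipfw -q add"
else
    rule_lines
fi
```

Run with DRY_RUN=1 first to review the generated rules before loading them on a host.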