Date: Fri, 23 Mar 2001 20:25:40 -0500
From: Asymmetric <all@biosys.net>
To: "Brent" <brentb@loa.com>, <stable@FreeBSD.ORG>
Subject: Re: ipfw rules ??
Message-ID: <4.3.2.7.2.20010323200654.00c506f0@64.7.7.83>
In-Reply-To: <004b01c0b3b0$894cc660$e32b82d0@cybertours.com>
At 10:47 3/23/2001 -0500, Brent wrote:

> I recently installed ipfw on my FreeBSD 4.2 machine... with default to
> ACCEPT... (I couldn't get the firewall rules to work correctly with default to
> DENY on in the kernel). Is there a place that has a good set of firewall
> rules when using "default to DENY" in the kernel???

I would say you can get basic functionality with just a few rules and go from there. This is similar to what I have. This assumes you have two network cards, which for the sake of example I'll call ed0 and ed1. ed0 is your inside interface and has a subnet of 10.0.0.0/16. ed1 is your outside interface and has a subnet of 10.1.0.0/16.

; loopback traffic
Rule 5000 : allow all from any to any via lo0

; allow all traffic in from any connection you make that goes out.
Rule 5000 : allow tcp from any to 10.0.0.0/16 established

; deny any traffic with a provably spoofed source address.
Rule 5001 : deny all from 10.0.0.0/16 to any in ed1

; allow all outgoing traffic except internal spoofing
Rule 5002 : allow all from 10.0.0.0/16 to any in ed0

; deny everything else
Rule 65000 : deny all from any to any

These rules are very basic and will not allow some sorts of connections through. You'll have to open up incoming ports as you see fit for traffic from the outside world to connect to internal servers, and add other rules to support ICMP and UDP if you want pings (in either direction) to work, but I leave that as an exercise to you.

One note on management: I run a /28 subnet at home, and find it easiest if I break up the rules into manageable, logical blocks. In my setup, with IPs from XXX.XXX.XXX.YYY to XXX.XXX.XXX.ZZZ, I set up all my rules like this: YYYNN .. ZZZNN. So the IP 10.0.0.10 would be allocated rules 1000 - 1099. 10.0.0.21 would be allocated 2100 - 2199. Change the system to suit your situation, but you get the idea.
It's a lot easier to do "ipfw show | grep 010" and get only the rules that apply to the .10 host than to pick through them line by line when you're trying to track down a problem. This gives you 100 rules per host, which is more than enough for any sane network, and works well if you only have a small block to manage. YMMV.

-------signature file-------
PGP Key Fingerprint: 446B 7718 B219 9F1E 43DD 8E4A 6BE9 D739 CCC5 7FD7
"I don't think [Linux] will be very successful in the long run."
"My experience and some of my friends' experience is that Linux is quite unreliable. Microsoft is really unreliable but Linux is worse."
-Ken Thompson, Interview May 1999.
http://www.freebsd.org FreeBSD - The Power to Serve
http://www.rfnj.org Radio Free New Jersey - 445 streams - 40kbps @ 22khz Stereo
http://namespace.org -- http://name.space Resist the ICANN! Support name.space!
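An added example (not from the post above) of the per-host rule-numbering scheme it describes: it computes the host's rule block (last octet times 100) and filters "ipfw show" output by rule-number range, which is more precise than "grep 010" because that pattern also matches rules such as 02010 and any packet or byte counter containing "010". The function names host_rule_base and rules_for_host and the sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the poster's script: select the ipfw rules that belong to
# one host under the YYYNN numbering scheme (host .10 -> rules 1000-1099).

# Rule-number base for a host address: last octet * 100 (10.0.0.10 -> 1000).
host_rule_base() {
    octet=${1##*.}
    echo $((octet * 100))
}

# Print only the rules whose number lies in the host's block of 100.
# Reads "ipfw show" output on stdin; field 1 is the zero-padded rule number,
# fields 2 and 3 are packet and byte counters, the rest is the rule body.
rules_for_host() {
    base=$(host_rule_base "$1")
    awk -v lo="$base" -v hi="$((base + 99))" '$1 + 0 >= lo && $1 + 0 <= hi'
}

# Constructed sample of "ipfw show" output (not a real capture). Note that
# "grep 010" would match the lo0 rule (byte counter 1010) and rule 02010
# (host .20) as well as the two rules that really belong to host .10.
SAMPLE='00100     12     1010 allow ip from any to any via lo0
01000      3      240 allow tcp from any to 10.0.0.10 22 in via ed1
01010      0        0 allow tcp from any to 10.0.0.10 80 in via ed1
02010      7      560 allow tcp from any to 10.0.0.20 25 in via ed1
02100      1       60 allow udp from 10.0.0.21 to any 53 out via ed1
65000    500    40000 deny ip from any to any'

# Number of rules in the sample that fall in the given host's block.
count_rules_for_host() {
    printf '%s\n' "$SAMPLE" | rules_for_host "$1" | wc -l | tr -d ' '
}

# On a live system replace the sample with: ipfw show | rules_for_host 10.0.0.10
printf '%s\n' "$SAMPLE" | rules_for_host 10.0.0.10
```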