Date: Sat, 6 May 2000 21:28:03 -0700 From: "Dan O'Connor" <dan@mostgraveconcern.com> To: <sage@mindcrime.net> Cc: <freebsd-security@FreeBSD.ORG> Subject: Re: Firewall Rules Message-ID: <013001bfb7dc$a3195de0$0200000a@danco>
next in thread | raw e-mail | index | archive | help
>Send over your ipfw rules set as well, so i can see the differences in the
>2 if you wouldn't mind.
No problem...
From the 'simple' section of my /etc/rc.firewall:
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Stop spoofing
${fwcmd} add deny log all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny log all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny log all from 192.168.0.0:255.255.0.0 to any via ${oif}
${fwcmd} add deny log all from any to 192.168.0.0:255.255.0.0 via ${oif}
${fwcmd} add deny log all from 172.16.0.0:255.240.0.0 to any via ${oif}
${fwcmd} add deny log all from any to 172.16.0.0:255.240.0.0 via ${oif}
# Stop draft-manning-dsua-01.txt nets on the outside interface
${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}
${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# HTTP - Allow outside access to web server
${fwcmd} add pass tcp from any to any 80 setup
# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25
# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to any 53
${fwcmd} add pass udp from any 53 to any
${fwcmd} add pass tcp from any to any 53
${fwcmd} add pass tcp from any 53 to any
# IDENT - Open the port (sendmail seems to use it...) but send reset
${fwcmd} add reset tcp from any to any 113 in recv ${oif}
# FTP - Allow outbound, deny inbound
${fwcmd} add pass tcp from any 20 to any setup
${fwcmd} add deny log tcp from any to ${onet}:${omask} 21 in via ${oif}
setup
${fwcmd} add pass tcp from any to ${inet}:${imask} 21 setup
# Uncomment these and comment-out 'deny' rule above to open up FTP
# ${fwcmd} add pass log tcp from any to any 20 setup
# ${fwcmd} add pass log tcp from any 21 to any setup
# ${fwcmd} add pass log tcp from any to any 21 setup
# SSH Login
${fwcmd} add pass tcp from any to any 22 setup
${fwcmd} add pass log tcp from any 22 to any setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}
# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123
# ICMP - Allow ping, et. al., for testing
${fwcmd} add pass icmp from any to any
# TRACEROUTE - Allow for within 30 hops.
${fwcmd} add pass udp from any to any 33434-33463
# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 via ${oif}
# Reject&Log SMB connections from outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}
# Reject&Log all other connections from outside interface
${fwcmd} add 65000 deny log ip from any to any via ${oif}
I have a static IP, so if you're using DHCP you'll also want to open ports
67-68...
--Dan
--
Dan O'Connor
On Matters of Most Grave Concern
http://www.mostgraveconcern.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?013001bfb7dc$a3195de0$0200000a>