From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
Date: Sun, 23 Oct 2005 12:12:21 -0400
To: Eric F Crist
Cc: freebsd questions
Subject: Re: RFC: my firewall ruleset(s)
Message-ID: <435BB665.70001@mac.com>
In-Reply-To: <1440F1E5-DC5A-4C7B-AC72-8ECBEC7B4A65@secure-computing.net>

Eric F Crist wrote:
> Hey all. I'm relatively new to shell scripting and I'm looking for
> some comments on my firewall script.
>
> Comments on either the ipfw rules themselves or on my scripting lack of
> ability would be appreciated.

Ugh. :-)

IPFW knows how to increment rule numbers all by itself; you can get rid of the "rulenum1=`expr $rulenum1 + 50`" stuff.

The breakdown of sh functions like setup_loopback, setup_keepstate, setup_ntp is fine if you want to play with shell scripts, but it scatters your IPFW rules into different places. I'd rather see something that closely resembles what "ipfw list" gives you.

You could chain several ports together into a list rather than listing them all separately as individual rules; IPFW will end up doing less work.

You have anti-spoofing for the loopback, lo0 interface, but not for your other interfaces. You should add anti-spoofing rules, and also block strict and loose source routing [1]:

  # Stop strict and loose source routing
  add deny log all from any to any ipoptions ssrr
  add deny log all from any to any ipoptions lsrr

You should give some thought to ICMP filtering. Consider something like:

  add allow icmp from any to any icmptypes 0,3,4,8,11,12

You should use the log command more when developing a ruleset, to see what traffic you are blocking or permitting, until you've gotten your rules and network finalized.

-- 
-Chuck

[1]: This is known to hackers as the "how to go through a firewall as if it wasn't there" IP option if you don't block these. :-)
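The points in the reply above, pulled together into one sh script as an added example; it is neither Eric's script under review nor code from Chuck's message. It lays the rules out in the order "ipfw list" would show them, lets ipfw number them itself, uses port lists, adds anti-spoofing on the outside interface as well as lo0, blocks source routing, allows ICMP only by type, and ends with a logging deny. The outside interface (em0), the inside network (203.0.113.0/24, RFC 5737 documentation space) and the FWCMD variable are constructed placeholders of mine; by default the script only prints the ipfw commands it would run.

```shell
#!/bin/sh
# Added example, not the script under review or code from the reply: an sh
# wrapper that emits an ipfw ruleset laid out the way "ipfw list" shows it,
# applying the points raised above: no hand-maintained rule numbers, port
# lists instead of one rule per port, anti-spoofing on the outside interface
# as well as lo0, source routing blocked, ICMP allowed only by type, and a
# logging catch-all at the end.
#
# fwcmd defaults to a dry run that prints every command. Run with
# FWCMD="ipfw -q" as root on a FreeBSD host to load the rules for real.
fwcmd="${FWCMD:-echo ipfw -q}"

# build_ruleset OUTSIDE_IF INSIDE_NET PREFIXLEN
build_ruleset() {
    oif=$1
    inet=$2
    imask=$3

    $fwcmd flush

    # Loopback: allow lo0, and never accept 127/8 addresses anywhere else.
    $fwcmd add allow all from any to any via lo0
    $fwcmd add deny all from any to 127.0.0.0/8
    $fwcmd add deny all from 127.0.0.0/8 to any

    # Anti-spoofing on the outside interface: packets claiming to come from
    # the inside network must never arrive inbound there, and RFC 1918
    # space has no business on it in either direction.
    $fwcmd add deny log all from ${inet}/${imask} to any in via ${oif}
    $fwcmd add deny log all from 10.0.0.0/8 to any via ${oif}
    $fwcmd add deny log all from 172.16.0.0/12 to any via ${oif}
    $fwcmd add deny log all from 192.168.0.0/16 to any via ${oif}

    # Stop strict and loose source routing (the rules quoted in the reply).
    $fwcmd add deny log all from any to any ipoptions ssrr
    $fwcmd add deny log all from any to any ipoptions lsrr

    # Stateful handling: match dynamic rules first, then established TCP.
    $fwcmd add check-state
    $fwcmd add allow tcp from any to any established

    # Services offered to the outside: one rule with a port list rather
    # than one rule per port.
    $fwcmd add allow tcp from any to me 22,25,80,443 in via ${oif} setup keep-state
    $fwcmd add allow udp from any to me 123 in via ${oif} keep-state

    # Traffic originated by the inside network.
    $fwcmd add allow tcp from ${inet}/${imask} to any out via ${oif} setup keep-state
    $fwcmd add allow udp from ${inet}/${imask} to any out via ${oif} keep-state

    # ICMP: echo reply (0), unreachable (3), source quench (4), echo request
    # (8), time exceeded (11), parameter problem (12); all other types fall
    # through to the final deny.
    $fwcmd add allow icmp from any to any icmptypes 0,3,4,8,11,12

    # Log what is left so the ruleset can be tuned against real traffic
    # (net.inet.ip.fw.verbose must be 1 for "log" to produce output).
    $fwcmd add deny log all from any to any
}

# Interface and network below are constructed placeholders (RFC 5737 space).
build_ruleset "${1:-em0}" "${2:-203.0.113.0}" "${3:-24}"
```

Run it without arguments to see the full command list; the first thing to check is that no "add" line carries a rule number, since ipfw assigns those itself (in steps of net.inet.ip.fw.autoinc_step).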