Date: Tue, 22 Jan 2002 23:58:49 -0500
From: "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To: "FBSD Questions" <questions@FreeBSD.ORG>
Subject: RE: Some questions about ipfw
Message-ID: <LPBBIGIAAKKEOEJOLEGOMEHHCNAA.barbish@a1poweruser.com>
In-Reply-To: <20020122204221.F48937-100000@bsd.smnolde.com>
Here is one of the many sample firewall rule sets patterned after the /etc/rc.firewall that can be found on the internet. What purpose do lines 49 through 72 serve before the divert natd rule on line 81? What are lines 15 through 25 doing and why? Other variations of this same rc.firewall move line 81, the divert natd rule, right after line 47, the flush rule; this puts lines 49 through 72 behind the divert natd rule. Does this make any difference? If so, why?

This rule set uses the established / setup combo method to process all tcp packets. It was previously said in this thread {It is considered "more secure" to use "keep-state"} method. What would this same rule set look like redone using the "keep-state" method? One good comparison example says more than a million words. I was born in the show me state. If there are things missing like cvsup, passive FTP, or whatever are commonly used FBSD functions, then add the rules to let them process. Also would like to see pointed out the difference of allowing things originating on the FBSD box or from behind being allowed as versus things coming in from the internet requesting services being allowed. A very important difference.

All standard simple questions, but not answered anywhere with complete working examples. Let's get this hidden information out into the open in one place, all presented together, for all the experts to agree on what is the best correct standardized rule set for the most commonly used FBSD functions. Firewall rules are something all FBSD users have to go through sooner or later on their FBSD box. So this will help everyone.

The following rule set came from http://www.mostgraveconcern.com/freebsd/ipfw.html

7. # rc.ipfw - Firewall Rules
8. #
9. # This file is a modified version of /etc/rc.firewall.
10. #
11. # Maintained by: D. O'Connor
12. # Modified: 7/18/2000.
13. #
14.
15. # Suck in the configuration variables.
16. if [ -r /etc/defaults/rc.conf ]; then
17.   . /etc/defaults/rc.conf
18.   source_rc_confs
19. elif [ -r /etc/rc.conf ]; then
20.   . /etc/rc.conf
21. fi
22.
23. if [ -n "${1}" ]; then
24.   firewall_type="${1}"
25. fi
26.
27. # Firewall program
28. fwcmd="/sbin/ipfw"
29.
30. # Outside interface network and netmask and ip
31. oif="dc0"
32. onet="123.45.67.0"
33. omask="255.255.252.0"
34. oip="123.45.67.89"
35.
36. # Inside interface network and netmask and ip
37. iif="ep0"
38. inet="10.20.155.0"
39. imask="255.255.255.0"
40. iip="10.20.155.1"
41.
42. # My ISP's DNS servers
43. dns1="123.45.67.8"
44. dns2="98.76.54.123"
45.
46. # Flush previous rules
47. ${fwcmd} -f flush
48.
49. # Allow loopbacks, deny imposters
50. ${fwcmd} add 100 pass all from any to any via lo0
51. ${fwcmd} add 200 deny all from any to 127.0.0.0/8
52.
53. # If you're using 'options BRIDGE', uncomment the following line to pass ARP
54. #${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0
55.
56. # Stop spoofing
57. ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
58. ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
59.
60. # Stop RFC1918 nets on the outside interface
61. ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
62. ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
63. ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
64.
65. # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
66. # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
67. # on the outside interface
68. ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
69. ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
70. ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
71. ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
72. ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
73.
74. # Network Address Translation. This rule is placed here deliberately
75. # so that it does not interfere with the surrounding address-checking
76. # rules. If for example one of your internal LAN machines had its IP
77. # address set to 192.0.2.1 then an incoming packet for it after being
78. # translated by natd(8) would match the `deny' rule above. Similarly
79. # an outgoing packet originated from it before being translated would
80. # match the `deny' rule below.
81. ${fwcmd} add divert natd all from any to any via ${natd_interface}
82.
83. # Stop RFC1918 nets on the outside interface
84. ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
85. ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
86. ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
87.
88. # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
89. # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
90. # on the outside interface
91. ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
92. ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
93. ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
94. ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
95. ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
96.
97. # Allow established connections with minimal overhead
98. ${fwcmd} add pass tcp from any to any established
99.
100. # Allow IP fragments to pass through
101. ${fwcmd} add pass all from any to any frag
102.
103.
104. ### TCP RULES
105.
106. # HTTP - Allow access to our web server
107. ${fwcmd} add pass tcp from any to any 80 setup
108.
109. # SMTP - Allow access to sendmail for incoming e-mail
110. ${fwcmd} add pass tcp from any to any 25 setup
111.
112. # FTP - Allow incoming data channel for outgoing connections,
113. # reject & log all incoming control connections
114. ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
115. ${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup
116.
117. # SSH Login - Allow & Log all incoming
118. ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup
119.
120. # IDENT - Reset incoming connections
121. ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup
122.
123. # Reject&Log all setup of incoming connections from the outside
124. ${fwcmd} add deny log tcp from any to any in via ${oif} setup
125.
126. # Allow setup of any other TCP connection
127. ${fwcmd} add pass tcp from any to any setup
128.
129.
130. ### UDP RULES
131.
132. # DNS - Allow queries out in the world
133. ${fwcmd} add pass udp from any to ${dns1} 53
134. ${fwcmd} add pass udp from any to ${dns2} 53
135. ${fwcmd} add pass udp from ${dns1} 53 to any
136. ${fwcmd} add pass udp from ${dns2} 53 to any
137.
138. # SMB - Allow local traffic
139. ${fwcmd} add pass udp from any to any 137-139 via ${iif}
140.
141. # SYSLOG - Allow machines on inside net to log to us.
142. ${fwcmd} add pass log udp from any to any 514 via ${iif}
143.
144. # NTP - Allow queries out in the world
145. ${fwcmd} add pass udp from any 123 to any 123 via ${oif}
146. ${fwcmd} add pass udp from any 123 to any via ${iif}
147. ${fwcmd} add pass udp from any to any 123 via ${iif}
148.
149. # TRACEROUTE - Allow outgoing
150. ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}
151.
152.
153. ### ICMP RULES
154.
155. # ICMP packets
156. # Allow all ICMP packets on internal interface
157. ${fwcmd} add pass icmp from any to any via ${iif}
158.
159. # Allow outgoing pings
160. ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
161. ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}
162.
163. # Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
164. ${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}
165.
166. # Deny the rest of them
167. ${fwcmd} add deny icmp from any to any
168.
169.
170. ### MISCELLANEOUS REJECT RULES
171.
172. # Reject broadcasts from outside interface
173. ${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}
174.
175. # Reject&Log SMB connections on outside interface
176. ${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}
177.
178. # Reject&Log all other connections from outside interface
179. ${fwcmd} add 65000 deny log ip from any to any via ${oif}
180.
181. # Everything else is denied by default, unless the
182. # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
183. # config file.
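Editor's added example, not part of the mail above or of the quoted rc.firewall: the TCP/UDP core of that rule set redone with ipfw's check-state/keep-state in place of the established/setup pairs (lines 97 through 127), meant to be loaded after the divert natd rule on line 81. The interface name, the ISP resolver addresses, the `me` keyword for the box's own addresses and the echo-based dry run are assumptions; set FWCMD=/sbin/ipfw to load the rules for real.

```shell
#!/bin/sh
# Editor's example (not from the original mail): keep-state rewrite of the
# quoted rule set's TCP/UDP core. Load it after the 'divert natd' rule so
# the dynamic entries are created and matched on translated addresses.
# By default the rules are only printed; set FWCMD=/sbin/ipfw to load them.
FWCMD="${FWCMD:-echo /sbin/ipfw}"
oif="dc0"                                # outside interface (assumed, as in the quoted script)
dns1="123.45.67.8"; dns2="98.76.54.123"  # ISP resolvers from the quoted script

stateful_rules() {
    # Every packet is first checked against the dynamic rule table, so a
    # reply belonging to an existing session is passed here and never
    # reaches the deny rules below. This replaces 'pass tcp established'.
    $FWCMD add 1000 check-state

    # Services this box offers to the Internet: the inbound SYN creates the
    # dynamic rule that later admits the rest of that connection.
    for port in 22 25 80; do
        $FWCMD add pass tcp from any to me $port in via $oif setup keep-state
    done

    # Connections originating on this box or behind it may go out; passive
    # FTP and cvsup are ordinary outbound connections and are covered here.
    # Active-mode FTP data channels (inbound from port 20) are NOT admitted.
    $FWCMD add pass tcp from any to any out via $oif setup keep-state
    $FWCMD add pass udp from any to $dns1 53 out via $oif keep-state
    $FWCMD add pass udp from any to $dns2 53 out via $oif keep-state
    $FWCMD add pass udp from any to any 123 out via $oif keep-state

    # Inbound SYNs not matched above are requests for services we do not
    # offer; inbound segments without state are stray or spoofed. Log both.
    $FWCMD add deny log tcp from any to any in via $oif setup
    $FWCMD add deny log tcp from any to any in via $oif
    $FWCMD add deny log udp from any to any in via $oif
}

# Count generated rules matching a pattern; only meaningful in dry-run mode.
count_rules() { stateful_rules | grep -c -- "$1"; }

stateful_rules
```

Compared with the quoted set, replies are admitted only when they match a session this box or the LAN opened (or a SYN that an explicit inbound service rule accepted), whereas the `established` rule on line 98 passes any TCP segment with ACK or RST set regardless of whether a connection exists.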