Date:      Tue, 22 Jan 2002 23:58:49 -0500
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "FBSD Questions" <questions@FreeBSD.ORG>
Subject:   RE: Some questions about ipfw
Message-ID:  <LPBBIGIAAKKEOEJOLEGOMEHHCNAA.barbish@a1poweruser.com>
In-Reply-To: <20020122204221.F48937-100000@bsd.smnolde.com>

Here is one of the many sample firewall rules sets patterned
after the /etc/rc.firewall that can be found on the internet.

What purpose do lines 49 through 72 serve before the divert
natd rule on line 81?

What are lines 15 through 25 doing and why?

Other variations of this same rc.firewall move line 81, the
divert natd rule, right after line 47, the flush rule; this puts
lines 49 through 72 behind the divert natd rule.
Does this make any difference? If so, why?

This rule set uses the established / setup combo method to process
all tcp packets. It was previously said in this thread
{It is considered "more secure" to use the "keep-state"} method.

What would this same rule set look like redone using the
"keep-state" method?

One good comparison example says more than a million words.
I was born in the show me state.

If there are things missing like cvsup, passive FTP, or whatever are
commonly used FBSD functions, then add the rules to let them process.

Also would like to see pointed out the difference between allowing things
originating on the FBSD box or from behind it, versus
things coming in from the internet requesting services being allowed.
A very important difference.

All standard simple questions, but not answered anywhere with complete
working examples. Let's get this hidden information out into the open
in one place, all presented together, for all the experts to agree on what
is the best correct standardized rule set for the most commonly used
FBSD functions. Firewall rules are something all FBSD users have to go
through sooner or later on their FBSD box. So this will help everyone.

The following rule set came from
http://www.mostgraveconcern.com/freebsd/ipfw.html


7.  # rc.ipfw - Firewall Rules
8. #
9. # This file is a modified version of /etc/rc.firewall.
10. #
11. # Maintained by:  D. O'Connor
12. # Modified:       7/18/2000.
13. #
14.
15. # Suck in the configuration variables.
16. if [ -r /etc/defaults/rc.conf ]; then
17.         . /etc/defaults/rc.conf
18.         source_rc_confs
19. elif [ -r /etc/rc.conf ]; then
20.         . /etc/rc.conf
21. fi
22.
23. if [ -n "${1}" ]; then
24.         firewall_type="${1}"
25. fi
26.
27. # Firewall program
28. fwcmd="/sbin/ipfw"
29.
30. # Outside interface network and netmask and ip
31. oif="dc0"
32. onet="123.45.67.0"
33. omask="255.255.252.0"
34. oip="123.45.67.89"
35.
36. # Inside interface network and netmask and ip
37. iif="ep0"
38. inet="10.20.155.0"
39. imask="255.255.255.0"
40. iip="10.20.155.1"
41.
42. # My ISP's DNS servers
43. dns1="123.45.67.8"
44. dns2="98.76.54.123"
45.
46. # Flush previous rules
47. ${fwcmd} -f flush
48.
49. # Allow loopbacks, deny imposters
50. ${fwcmd} add 100 pass all from any to any via lo0
51. ${fwcmd} add 200 deny all from any to 127.0.0.0/8
52.
53. # If you're using 'options BRIDGE', uncomment the following line to pass ARP
54. #${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0
55.
56. # Stop spoofing
57. ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
58. ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
59.
60. # Stop RFC1918 nets on the outside interface
61. ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
62. ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
63. ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
64.
65. # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
66. # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
67. # on the outside interface
68. ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
69. ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
70. ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
71. ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
72. ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
73.
74. # Network Address Translation.  This rule is placed here deliberately
75. # so that it does not interfere with the surrounding address-checking
76. # rules.  If for example one of your internal LAN machines had its IP
77. # address set to 192.0.2.1 then an incoming packet for it after being
78. # translated by natd(8) would match the `deny' rule above.  Similarly
79. # an outgoing packet originated from it before being translated would
80. # match the `deny' rule below.
81. ${fwcmd} add divert natd all from any to any via ${natd_interface}
82.
83. # Stop RFC1918 nets on the outside interface
84. ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
85. ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
86. ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
87.
88. # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
89. # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
90. # on the outside interface
91. ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
92. ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
93. ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
94. ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
95. ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
96.
97. # Allow established connections with minimal overhead
98. ${fwcmd} add pass tcp from any to any established
99.
100. # Allow IP fragments to pass through
101. ${fwcmd} add pass all from any to any frag
102.
103.
104. ### TCP RULES
105.
106. # HTTP - Allow access to our web server
107. ${fwcmd} add pass tcp from any to any 80 setup
108.
109. # SMTP - Allow access to sendmail for incoming e-mail
110. ${fwcmd} add pass tcp from any to any 25 setup
111.
112. # FTP - Allow incoming data channel for outgoing connections,
113. # reject & log all incoming control connections
114. ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
115. ${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup
116.
117. # SSH Login - Allow & Log all incoming
118. ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup
119.
120. # IDENT - Reset incoming connections
121. ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup
122.
123. # Reject&Log all setup of incoming connections from the outside
124. ${fwcmd} add deny log tcp from any to any in via ${oif} setup
125.
126. # Allow setup of any other TCP connection
127. ${fwcmd} add pass tcp from any to any setup
128.
129.
130. ### UDP RULES
131.
132. # DNS - Allow queries out in the world
133. ${fwcmd} add pass udp from any to ${dns1} 53
134. ${fwcmd} add pass udp from any to ${dns2} 53
135. ${fwcmd} add pass udp from ${dns1} 53 to any
136. ${fwcmd} add pass udp from ${dns2} 53 to any
137.
138. # SMB - Allow local traffic
139. ${fwcmd} add pass udp from any to any 137-139 via ${iif}
140.
141. # SYSLOG - Allow machines on inside net to log to us.
142. ${fwcmd} add pass log udp from any to any 514 via ${iif}
143.
144. # NTP - Allow queries out in the world
145. ${fwcmd} add pass udp from any 123 to any 123 via ${oif}
146. ${fwcmd} add pass udp from any 123 to any via ${iif}
147. ${fwcmd} add pass udp from any to any 123 via ${iif}
148.
149. # TRACEROUTE - Allow outgoing
150. ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}
151.
152.
153. ### ICMP RULES
154.
155. # ICMP packets
156. # Allow all ICMP packets on internal interface
157. ${fwcmd} add pass icmp from any to any via ${iif}
158.
159. # Allow outgoing pings
160. ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
161. ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}
162.
163. # Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
164. ${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}
165.
166. # Deny the rest of them
167. ${fwcmd} add deny icmp from any to any
168.
169.
170. ### MISCELLANEOUS REJECT RULES
171.
172. # Reject broadcasts from outside interface
173. ${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}
174.
175. # Reject&Log SMB connections on outside interface
176. ${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}
177.
178. # Reject&Log all other connections from outside interface
179. ${fwcmd} add 65000 deny log ip from any to any via ${oif}
180.
181. # Everything else is denied by default, unless the
182. # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
183. # config file.

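As an added example that is not part of the original post or of the quoted rc.ipfw, here is what the TCP and DNS sections of that script look like redone with ipfw's keep-state method, written as a dry run (fwcmd defaults to echo) so the generated rules can be read and checked before they are loaded. Interface names and resolver addresses are the sample values from the post; the loopback, anti-spoof, bogon and natd divert blocks are assumed to stay exactly as they appear in the post and are not repeated here.

```shell
#!/bin/sh
# Added example, not from the original post or the quoted rc.ipfw:
# the TCP and DNS sections redone with ipfw keep-state.
# fwcmd defaults to "echo", so running this file only prints the rules
# (dry run); set FWCMD=/sbin/ipfw to load them for real.
fwcmd="${FWCMD:-echo}"
oif="${OIF:-dc0}"             # outside interface (sample name from the post)
iif="${IIF:-ep0}"             # inside interface (sample name from the post)
dns1="${DNS1:-123.45.67.8}"   # ISP resolvers (sample addresses from the post)
dns2="${DNS2:-98.76.54.123}"

keep_state_rules() {
    # Dynamic rules created by keep-state are consulted here, so replies
    # to connections we opened never fall through to the per-port rules.
    $fwcmd add check-state

    ### TCP, services this box offers to the internet: one explicit
    ### inbound "setup" rule per service, then deny every other inbound SYN.
    $fwcmd add pass tcp from any to any 80 in via $oif setup keep-state
    $fwcmd add pass tcp from any to any 25 in via $oif setup keep-state
    $fwcmd add pass log tcp from any to any 22 in via $oif setup keep-state
    $fwcmd add reset tcp from any to any 113 in via $oif setup
    $fwcmd add deny log tcp from any to any in via $oif setup

    ### TCP, connections originated by this box or the LAN behind it:
    ### only the initial SYN is matched, the reply path is the dynamic rule,
    ### so the "established" catch-all is gone. Passive FTP needs nothing
    ### extra (the client opens the data channel outbound); active-mode
    ### data channels from port 20 would still need their own rule.
    $fwcmd add pass tcp from any to any out via $oif setup keep-state
    $fwcmd add pass tcp from any to any via $iif setup keep-state

    ### UDP DNS: one outbound rule per resolver; the answer matches the
    ### dynamic rule, replacing the two "from <dns> 53 to any" rules.
    $fwcmd add pass udp from any to $dns1 53 out via $oif keep-state
    $fwcmd add pass udp from any to $dns2 53 out via $oif keep-state
}

# Ordering check for the dry run: check-state must be the first rule and
# no inbound pass rule may come after the catch-all inbound deny.
rules_ordered() {
    keep_state_rules | awk '
        BEGIN { bad = 0 }
        NR == 1 && $2 != "check-state" { bad = 1 }
        /deny log tcp from any to any in via/ { seen_deny = 1 }
        seen_deny && /pass .* in via/ { bad = 1 }
        END { exit bad }'
}

keep_state_rules
```

The dynamic rule records the addresses a packet has when the keep-state rule matches it, so where the divert natd rule sits relative to check-state changes whether LAN-originated connections still match their dynamic rule after translation; that interaction is outside what this block shows.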