From owner-freebsd-security Mon Jan 24 20:51: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta2.snfc21.pbi.net (mta2.snfc21.pbi.net [206.13.28.123]) by hub.freebsd.org (Postfix) with ESMTP id 1A77B158AF for ; Mon, 24 Jan 2000 20:51:07 -0800 (PST) (envelope-from madscientist@thegrid.net)
Received: from remus ([63.193.246.169]) by mta2.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.1999.09.16.21.57.p8) with SMTP id <0FOV00A4AK2A3S@mta2.snfc21.pbi.net> for freebsd-security@freebsd.org; Mon, 24 Jan 2000 20:49:23 -0800 (PST)
Date: Mon, 24 Jan 2000 20:51:27 -0800
From: The Mad Scientist
Subject: Re: more complete ipfw rules
In-reply-to: <3.0.5.32.20000124151825.01c3d100@staff.sentex.ca>
X-Sender: i289861@mail.thegrid.net
To: freebsd-security@freebsd.org
Message-id: <4.1.20000124201245.00962220@mail.thegrid.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Content-type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 03:18 PM 1/24/00 -0500, you wrote:
>
> With all the recent talk of flooding etc, I decided to go over my ipfw
> rules on my two border routers to a) make sure I am not letting in things I
> don't need, and b) to be a good net citizen and not allow source addresses
> to leave my network that don't belong here.
>
> With ${oif} being my outside interface,
>
> I had been using that stuff in
>
>   # Stop RFC1918 nets on the outside interface
>
> But what about multicast addresses? I am not running any multicast
> applications. Should there not also be
>
>   $fwcmd add deny all from 224.0.0.0/8 to any via ${oif}
>
> and I was also wondering about
>
>   $fwcmd add deny all from 0.0.0.0/8 to any via ${oif}
>   $fwcmd add deny all from 255.0.0.0/8 to any via ${oif}
>
> and I don't want outside connections with a source address of the loopback
>
>   $fwcmd add deny all from 127.0.0.0/8 to any in recv ${oif}

Don't forget about

  $fwcmd add 100 allow all from any to any via lo0
  $fwcmd add 200 deny log all from any to 127.0.0.0/8

> but I am not sure if this will do what I want it to do. Are there any
> others? What about icmp? Just redirects?

  $fwcmd add 2000 allow icmp from any to any icmptypes ${icmpallow}

where

  icmpallow="0,3,4,5,11,12,14,16,18"

This varies by what types of icmp you would like to let in. These types are
pretty much all replies.

Loose and strict source routing isn't illegal, but is usually used for
subversion.

  $fwcmd add 500 deny log ip from any to any in via ${out_if} ipoptions lsrr,ssrr

I have this commented-out line in my ruleset.

  #$fwcmd add 550 deny log ip from 169.254.0.0/16 to any in via ${out_if}

Don't quite remember what it's for. I hope it's not another wasted class B.
Can anyone enlighten me?

  watchtower:/root# whois -a 169.254.0.0
  Internet Assigned Numbers Authority (IANA) (NETBLK-LINKLOCAL)
     For use with Link Local Networks
     Information Sciences Institute
     University of Southern California
     4676 Admiralty Way, Suite 330
     Marina del Rey, CA 90292-6695

     Netname: LINKLOCAL
     Netblock: 169.254.0.0 - 169.254.255.255

hth,
-Dean

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
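As an added example (not from Dean's mail or any FreeBSD ruleset), a small Python model of the anti-spoofing rules discussed in this thread, useful for checking which rule a given packet would hit before the rules are loaded on a border router. It assumes ${oif}/${out_if} is fxp0, walks the rules in the order the mail numbers them, and models the multicast block as 224.0.0.0/4 (the full class D range), whereas the quoted rule's /8 covers only 224.x.x.x.

```python
import ipaddress

OUT_IF = "fxp0"  # assumed name for ${oif}/${out_if}; not taken from the mail

# Source blocks that should not cross the outside interface, with the direction
# the thread applies them to: "via" = in and out on ${oif}, "in" = inbound only.
# The thread writes the multicast block as 224.0.0.0/8; all of class D is /4.
BOGON_SOURCES = [(ipaddress.ip_network(n), d) for n, d in (
    ("10.0.0.0/8", "via"), ("172.16.0.0/12", "via"), ("192.168.0.0/16", "via"),
    ("224.0.0.0/4", "via"),                      # multicast
    ("0.0.0.0/8", "via"), ("255.0.0.0/8", "via"),
    ("127.0.0.0/8", "in"),                       # loopback source arriving from outside
    ("169.254.0.0/16", "in"),                    # IANA LINKLOCAL (the whois answer)
)]
ICMP_ALLOW = {0, 3, 4, 5, 11, 12, 14, 16, 18}    # icmpallow from the mail
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def verdict(proto, src, dst, iface, direction, icmptype=None, ipoptions=()):
    """Return "allow:<why>", "deny:<why>", or "continue" when none of the
    discussed rules match and a later rule in the real ruleset would decide."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "lo0":                               # rule 100: loopback interface
        return "allow:lo0"
    if dst_ip in LOOPBACK:                           # rule 200: 127/8 only on lo0
        return "deny:to-loopback"
    if iface == OUT_IF and direction == "in" and {"lsrr", "ssrr"} & set(ipoptions):
        return "deny:source-routed"                  # rule 500: source-routed packets
    if iface == OUT_IF:                              # RFC1918 / bogon source rules
        for net, when in BOGON_SOURCES:
            if src_ip in net and (when == "via" or direction == "in"):
                return "deny:bogon-source"
    if proto == "icmp" and icmptype in ICMP_ALLOW:   # rule 2000: reply-type icmp only
        return "allow:icmp"
    return "continue"                                # other icmp types and traffic fall through


if __name__ == "__main__":
    # constructed packets, not captured traffic
    print(verdict("tcp", "192.168.1.5", "1.2.3.4", OUT_IF, "in"))
    print(verdict("udp", "230.1.1.1", "1.2.3.4", OUT_IF, "in"))
    print(verdict("icmp", "1.2.3.4", "5.6.7.8", OUT_IF, "in", icmptype=8))
```

A multicast source such as 230.1.1.1 is only caught because the model uses /4; with the /8 from the quoted rule it would fall through.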