From owner-freebsd-security Wed Jul 17 00:04:05 2002
Date: Wed, 17 Jul 2002 09:03:49 +0200
From: Bart Matthaei <bart@dreamflow.nl>
To: Mark D
Cc: security@freebsd.org
Subject: Re: ipfw and it's glory...
Message-ID: <20020717070349.GA38299@heresy.dreamflow.nl>
In-Reply-To: <000101c22d1a$a54d6e70$6401a8c0@promethium>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-security@FreeBSD.ORG
List-ID: freebsd-security

On Tue, Jul 16, 2002 at 06:46:38PM -0400, Mark D wrote:
[snip]
> Alright, here we go... I plan to run http, ftp, ssh, smtp, and
> pop on a lan box (I'm going to treat it as a real box - just so I can be
> ready for when I do this in the future). I'd like http, ftp, pop, and
> smtp to be open to anyone and for ssh connections to be only allowed
> when I add the rule (to allow that specific host).
>
> I've read the man pages on ipfw and some other documents but am
> still confused.
> Here is what I've put together so far (go easy on me);
>
> allow ip from trusted-ip-addy-1 to any
> allow ip from trusted-ip-addy-2 to any
> allow log tcp from any to any established
> allow log tcp from trusted-ip-addy-1 to any 22 in setup
> allow log udp from internal-addy to any 53
> allow log udp from any 53 to internal-addy
> allow log tcp from any to internal-addy 80,21,110,15 setup
> -
> 65535 deny ip from any to any

First of all, avoid using IP addresses when addressing the "self" box. Use 'me' instead.

Second, here's a basic setup that works for your situation:

# Allow "local" traffic
ipfw add allow all from any to any via lo0

# Allow all outgoing traffic
ipfw add allow all from any to any out

# Allow IP fragments (for more info, see ipfw manpage)
ipfw add allow all from any to any frag

# Allow established tcp connections
ipfw add allow tcp from any to any established

# Allow tcp connections to the box > 1024 (in order to make
# various clients work on the box)
ipfw add pass tcp from any to me 1024-65535 setup

# Allow udp connections to the box > 1024 (same shit)
ipfw add pass udp from any to me 1024-65535

# Allow dns queries
ipfw add allow udp from any to any 53

# Allow the trusted IPs to the ssh port
ipfw add allow tcp from $trusted_ip1 to me 22
ipfw add allow tcp from $trusted_ip2 to me 22

# Allow ftp, smtp, http and pop and auth (I'm sure you want that)
ipfw add allow tcp from any to me 21,25,80,110,113 setup

# I've added auth. If you don't want auth, make sure to reset all
# traffic going to port 113, or ident lookups to your box will time out.
# Use 'reset tcp from any to me 113'

# Allow icmptypes 0 3 8 and 11
ipfw add allow icmp from any to any icmptypes 0,3,8,11

# Deny everything else
ipfw add deny all from any to any

This is a basic setup. Add more rules for specific network setups. ipfw isn't difficult, you just need to figure the syntax and specific options out.
Cheers,

Bart

-- 
Bart Matthaei bart@dreamflow.nl

If at first you don't succeed, redefine success.
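As an added example that is not part of this thread or of ipfw itself: a small Python lint that applies the three points Bart makes to a ruleset written in the same "ipfw add ..." shape. ipfw evaluates rules in order and the first match wins, so anything added after the final "deny all from any to any" can never run; port 22 should not be reachable from "any"; and the box's own address is better written as "me" than as a literal. The two rulesets embedded in the script are constructed for the example, with 192.0.2.10 and 192.0.2.11 standing in for $trusted_ip1 and $trusted_ip2, and the parser assumes only the rule shapes that appear in this thread.

```python
# Added example (not from the thread or from ipfw): lint an ipfw ruleset for
# the mistakes Bart calls out. First match wins, so rules after the catch-all
# deny are dead; ssh must not be open to 'any'; literal destination addresses
# should usually be 'me'. Only the 'ipfw add <action> [log] <proto> from <src>
# [ports] to <dst> [ports] [options]' shape seen in the thread is parsed.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RULE_RE = re.compile(
    r"^ipfw\s+add\s+(?:(?P<num>\d+)\s+)?"
    r"(?P<action>allow|pass|accept|deny|drop|reset)\s+(?:log\s+)?"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)(?:\s+(?P<sports>[\d,-]+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dports>[\d,-]+))?(?P<opts>.*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sports: Optional[str]
    dst: str
    dports: Optional[str]
    opts: str
    raw: str

    def denies(self) -> bool:
        return self.action in ("deny", "drop", "reset")

    def is_catch_all_deny(self) -> bool:
        # 'deny all from any to any' with no ports/options matches everything
        # that reaches it, so nothing after it is ever evaluated.
        return (self.denies() and self.proto in ("all", "ip")
                and self.src == "any" and self.dst == "any"
                and not self.sports and not self.dports and not self.opts)


def parse_ruleset(text: str) -> List[Rule]:
    """Parse 'ipfw add ...' lines in order; comments and blank lines are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ipfw add"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed rule: {line}")
        g = m.groupdict()
        rules.append(Rule(g["action"], g["proto"], g["src"], g["sports"],
                          g["dst"], g["dports"], g["opts"].strip(), line))
    return rules


def port_spec_contains(spec: Optional[str], port: int) -> bool:
    """True if an ipfw port list such as '21,25,80' or '1024-65535' covers port."""
    if not spec:
        return False
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def opens_tcp_port_to_any(r: Rule, port: int) -> bool:
    """Does this rule admit a new inbound TCP connection from anywhere to port?"""
    if r.denies() or r.proto != "tcp" or r.src != "any":
        return False
    words = r.opts.split()
    if "established" in words or "out" in words:
        return False  # only existing or outbound flows match
    return r.dports is None or port_spec_contains(r.dports, port)


def lint(rules: List[Rule]) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    cutoff = next((i for i, r in enumerate(rules) if r.is_catch_all_deny()), None)
    if cutoff is None:
        findings.append(("no-catch-all", "no 'deny all from any to any' rule"))
    else:
        for r in rules[cutoff + 1:]:
            findings.append(("unreachable", r.raw))
    for r in rules:
        if opens_tcp_port_to_any(r, 22):
            findings.append(("ssh-open-to-any", r.raw))
        if IPV4_RE.match(r.dst):
            findings.append(("literal-dst-address", r.raw))  # consider 'me'
    return findings


# Constructed inputs. GOOD_RULESET is Bart's ruleset with 192.0.2.10/11
# standing in for $trusted_ip1/$trusted_ip2; BAD_RULESET has all three mistakes.
GOOD_RULESET = """
ipfw add allow all from any to any via lo0
ipfw add allow all from any to any out
ipfw add allow all from any to any frag
ipfw add allow tcp from any to any established
ipfw add pass tcp from any to me 1024-65535 setup
ipfw add pass udp from any to me 1024-65535
ipfw add allow udp from any to any 53
ipfw add allow tcp from 192.0.2.10 to me 22
ipfw add allow tcp from 192.0.2.11 to me 22
ipfw add allow tcp from any to me 21,25,80,110,113 setup
ipfw add allow icmp from any to any icmptypes 0,3,8,11
ipfw add deny all from any to any
"""
BAD_RULESET = """
ipfw add allow tcp from any to any established
ipfw add allow tcp from any to 192.0.2.5 22 setup
ipfw add allow tcp from any to 192.0.2.5 21,25,80,110 setup
ipfw add deny all from any to any
ipfw add allow udp from any to any 53
"""
```

Running lint(parse_ruleset(GOOD_RULESET)) returns an empty list; the same call on BAD_RULESET reports the dead DNS rule after the catch-all deny, the ssh rule open to any, and the two rules that name the box by literal address. The parser is deliberately narrow and raises on anything it does not understand rather than silently skipping it, so an unlinted rule cannot hide behind a parse failure.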