From owner-freebsd-questions@FreeBSD.ORG Mon May 21 15:44:33 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1B60B1065686 for ; Mon, 21 May 2012 15:44:33 +0000 (UTC) (envelope-from kudzu@tenebras.com) Received: from mail-pb0-f54.google.com (mail-pb0-f54.google.com [209.85.160.54]) by mx1.freebsd.org (Postfix) with ESMTP id E1FB38FC0C for ; Mon, 21 May 2012 15:44:32 +0000 (UTC) Received: by pbbro2 with SMTP id ro2so7651134pbb.13 for ; Mon, 21 May 2012 08:44:32 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=DI1F8guG3AHdOekhdlTmwTiaEyznHnFRAhJSiDUTeeE=; b=Vb0EEUQeHbRGRkPzLYgW7P59HzLpCo4lvW74/XQFnxrHN62tXP82DCLhnohYpjUOfy oWAoa9HLHS+24T32EWLkihHGhuHD/epc5XiHXTlpNsOkF9ZKvj1pnaYb2QnnUao47jbd RVQ6EPAG4snR894vZXrGlksIAdzB0Ex5hSQHQLNbWdQ0tf9xnZu3yim2xwMED1UEOngI Wi+YiG3T8CLpkTIsnYpgXOF/ME6GYXaCkhjxZ8EjHtUd3SaruQaytNSJKdI0lVr5HGvK WWIiEb909O/HFT8DcTZvw8KVEkOz2SCwpExaMxC8CJ+c8stS+uEFNSgOBudi/K3WL8t9 v9JA== MIME-Version: 1.0 Received: by 10.68.203.73 with SMTP id ko9mr70515229pbc.66.1337615072402; Mon, 21 May 2012 08:44:32 -0700 (PDT) Received: by 10.68.203.229 with HTTP; Mon, 21 May 2012 08:44:32 -0700 (PDT) In-Reply-To: <4FBA5FB3.5010900@ifdnrg.com> References: <20120521120027.716761065686@hub.freebsd.org> <20120521232412.B98171@sola.nimnet.asn.au> <4FBA5FB3.5010900@ifdnrg.com> Date: Mon, 21 May 2012 08:44:32 -0700 Message-ID: From: Michael Sierchio To: Paul Macdonald Content-Type: text/plain; charset=ISO-8859-1 X-Gm-Message-State: ALoCoQkX9QSkKgWCV8fK8xErgw4C9qGfcBQZcN++6BqOhtRToxDlb5xldLUa3aBcAo/hj1C+j0aL Cc: Ian Smith , freebsd-questions@freebsd.org Subject: Re: ipfw subnetting X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 May 2012 15:44:33 -0000 On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald wrote: > A very open firewall test script is as follows: > > 00010 allow ip from any to any via lo0 > 00081 deny log ip from 180.0.0.0/8 to any > 00100 check-state You don't need the following > 00101 allow tcp from any to any established This may not do what you think - "out" does not necessarily mean out your external interface. Packets can go in and out (from the perspective of the ruleset) more than once. And you want only to start a dynamic rule for legitimate TCP traffic, which means "tcpflags syn,!ack" - See below > 00102 allow ip from any to any out keep-state and you probably want to be selective about which ICMP you allow > 00103 allow icmp from any to any > 65535 deny ip from any to any It's also helpful (most of the time) to be explicit about the interface Is this ruleset just protecting this host itself, or are you using it as a firewall for an internal network? ipfw add allow ip from any to any via lo0 ifpw add allow ip from $local_net to $local_net ipfw add deny log ip from 180.0.0.0/8 to any in recv $ext_if ipfw add check-state ipfw add allow tcp from any to any out xmit $ext_if setup keep-state ipfw add allow udp from any to any out xmit $ext_if keep-state ipfw add allow icmp from any to any out xmit $ext_if keep-state ipfw add allow icmp from any to any in recv $ext_if icmptypes 3,8,11 ipfw add deny ip from any to any