From owner-freebsd-questions@FreeBSD.ORG Mon May 21 16:01:36 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B3F601065675 for ; Mon, 21 May 2012 16:01:36 +0000 (UTC) (envelope-from paul@ifdnrg.com) Received: from ifdnrg30.ifdnrg.com (ifdnrg30.ifdnrg.com [193.200.98.50]) by mx1.freebsd.org (Postfix) with ESMTP id 49B3E8FC0A for ; Mon, 21 May 2012 16:01:35 +0000 (UTC) Received: from [192.168.1.75] (93-97-172-73.zone5.bethere.co.uk [93.97.172.73]) (authenticated bits=0) by ifdnrg30.ifdnrg.com (8.14.5/8.14.4) with ESMTP id q4LG1Ytx084156 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 21 May 2012 17:01:34 +0100 (BST) (envelope-from paul@ifdnrg.com) Message-ID: <4FBA66DA.7040902@ifdnrg.com> Date: Mon, 21 May 2012 17:01:30 +0100 From: Paul Macdonald User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1 MIME-Version: 1.0 To: Michael Sierchio References: <20120521120027.716761065686@hub.freebsd.org> <20120521232412.B98171@sola.nimnet.asn.au> <4FBA5FB3.5010900@ifdnrg.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Ian Smith , freebsd-questions@freebsd.org Subject: Re: ipfw subnetting X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 May 2012 16:01:36 -0000 On 21/05/2012 16:44, Michael Sierchio wrote: > On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald wrote: > >> A very open firewall test script is as follows: >> >> 00010 allow ip from any to any via lo0 >> 00081 deny log ip from 180.0.0.0/8 to any >> 00100 check-state > You don't need the following >> 00101 allow tcp from any to any established > This may not do what you think - "out" does not necessarily mean out > your external interface. Packets can go in and out (from the > perspective of the ruleset) more than once. And you want only to > start a dynamic rule for legitimate TCP traffic, which means "tcpflags > syn,!ack" - See below > >> 00102 allow ip from any to any out keep-state > and you probably want to be selective about which ICMP you allow >> 00103 allow icmp from any to any >> 65535 deny ip from any to any > It's also helpful (most of the time) to be explicit about the interface > > Is this ruleset just protecting this host itself, or are you using it > as a firewall for an internal network? > > ipfw add allow ip from any to any via lo0 > ifpw add allow ip from $local_net to $local_net > > ipfw add deny log ip from 180.0.0.0/8 to any in recv $ext_if > > ipfw add check-state > > ipfw add allow tcp from any to any out xmit $ext_if setup keep-state > ipfw add allow udp from any to any out xmit $ext_if keep-state > ipfw add allow icmp from any to any out xmit $ext_if keep-state > > ipfw add allow icmp from any to any in recv $ext_if icmptypes 3,8,11 > > ipfw add deny ip from any to any > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" this is for one host only, so i'm not so worried about interfaces..not worried about icmp either.. I'm still seeing this traffic coming in, can anyone help with this simpler config to keep 180.0.0.0 out? IPF="ipfw -q add" ipfw -q -f flush #loopback $IPF 10 allow all from any to any via lo0 $IPF 20 deny all from any to 127.0.0.0/8 $IPF 30 deny all from 127.0.0.0/8 to any $IPF 40 deny tcp from any to any frag $IPF 50 check-state #$IPF 51 allow tcp from any to any established DISABLED PER SUGGESTION #$IPF 52 allow all from any to any out keep-state DISABLED PER SUGGESTION $IPF 53 allow icmp from any to any (am 0k with this) #temp wide reaching filter $IPF 137 deny all from 180.0.0.0/8 to any #Allows for ports $IPF 181 allow tcp from any to any 21 $IPF 183 allow tcp from any to any 25 #...........etc #Another attempt to get rid of 180.x.x.x in case it is last match?? $IPF 450 deny all from 180.0.0.0/8 to any #------------ deny and log everything $IPF 499 deny udp from any to any $IPF 5000 deny log all from any to any $IPF 5010 deny icmp from any to any -- ------------------------- Paul Macdonald IFDNRG Ltd Web and video hosting ------------------------- t: 0131 5548070 m: 07970339546<