From: Mark.Andrews@isc.org
To: Bart Matthaei
Cc: Mark D, security@FreeBSD.ORG
Subject: Re: ipfw and it's glory...
In-reply-to: Your message of "Wed, 17 Jul 2002 09:03:49 +0200." <20020717070349.GA38299@heresy.dreamflow.nl>
Date: Wed, 17 Jul 2002 17:29:55 +1000
Message-Id: <200207170729.g6H7TtJe081341@drugs.dv.isc.org>
List: freebsd-security@freebsd.org

> On Tue, Jul 16, 2002 at 06:46:38PM -0400, Mark D wrote:
> [snip]
> > Alright, here we go... I plan to run http, ftp, ssh, smtp, and
> > pop on a lan box (I'm going to treat it as a real box - just so I can be
> > ready for when I do this in the future). I'd like http, ftp, pop, and
> > smtp to be open to anyone and for ssh connections to be only allowed
> > when I add the rule (to allow that specific host).
> >
> > I've read the man pages on ipfw and some other documents but am
> > still confused. Here is what I've put together so far (go easy on me):
> >
> >   allow ip from trusted-ip-addy-1 to any
> >   allow ip from trusted-ip-addy-2 to any
> >   allow log tcp from any to any established
> >   allow log tcp from trusted-ip-addy-1 to any 22 in setup
> >   allow log udp from internal-addy to any 53
> >   allow log udp from any 53 to internal-addy
> >   allow log tcp from any to internal-addy 80,21,110,15 setup
> >   -
> >   65535 deny ip from any to any
>
> First of all, avoid using IP addresses when addressing the "self" box.
> Use 'me' instead.
>
> Second, here's a basic setup that works for your situation:
>
> # Allow "local" traffic
> ipfw add allow all from any to any via lo0
>
> # Allow all outgoing traffic
> ipfw add allow all from any to any out

This is a bad idea. You should only allow out what you will accept
back in. If you don't, you will eventually be guilty of pounding some
poor server because you haven't allowed the answers to come back.

> # Allow IP fragments (for more info, see ipfw manpage)
> ipfw add allow all from any to any frag
>
> # Allow established tcp connections
> ipfw add allow tcp from any to any established
>
> # Allow tcp connections to the box > 1024 (in order to make
> # various clients work on the box)
> ipfw add pass tcp from any to me 1024-65535 setup
>
> # Allow udp connections to the box > 1024 (same shit)
> ipfw add pass udp from any to me 1024-65535
>
> # Allow dns queries
> ipfw add allow udp from any to any 53
>
> # Allow the trusted ip's to the ssh port
> ipfw add allow tcp from $trusted_ip1 to me 22
> ipfw add allow tcp from $trusted_ip2 to me 22
>
> # Allow ftp, smtp, http and pop and auth (I'm sure you want that)
> ipfw add allow tcp from any to me 21,25,80,110,113 setup
>
> # I've added auth. If you don't want auth, make sure to reset all
> # traffic going to port 113, or ident lookups to your box will time out.
> # Use 'reset tcp from any to me 113'
>
> # Allow icmptypes 0 3 8 and 11
> ipfw add allow icmp from any to any icmptypes 0,3,8,11
>
> # Deny everything else
> ipfw add deny all from any to any
>
> This is a basic setup. Add more rules for specific network setups.
> ipfw isn't difficult, you just need to figure the syntax and specific
> options out.
>
> Cheers,
>
> Bart
>
> --
> Bart Matthaei bart@dreamflow.nl
>
> If at first you don't succeed, redefine success.

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: Mark.Andrews@isc.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
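The point Mark Andrews raises (allow out only what you are prepared to accept back) is exactly what ipfw's dynamic rules give you: a `keep-state` rule records each flow it permits and `check-state` admits the matching return packets, so no blanket "allow all out" or "allow established" rule is needed. The script below is an added example written for this page, not code from either poster; it assumes two hypothetical trusted SSH sources in the 192.0.2.0/24 documentation range and, by default, only prints the `ipfw` commands (set `IPFW=ipfw` to actually load them). The public services, the ident `reset`, the ICMP types and the `frag` rule follow Bart's list; the numbering and the stateful egress rules are this example's own.

```shell
#!/bin/sh
# Stateful ipfw ruleset: outbound traffic is permitted only via keep-state,
# so the replies to what we send are let back in and nothing else is.
# Hypothetical trusted SSH sources (documentation addresses, not from the mail).
TRUSTED_SSH="${TRUSTED_SSH:-192.0.2.10 192.0.2.11}"
# Dry run by default; IPFW=ipfw loads the rules for real.
IPFW="${IPFW:-echo ipfw}"

# Emit the whole ruleset. Rules are numbered so order is explicit and a
# host-specific rule can be slotted in later without renumbering.
ipfw_rules() {
    $IPFW -q -f flush
    # Loopback, and loopback addresses that show up on any other interface.
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 deny ip from any to 127.0.0.0/8
    $IPFW add 300 deny ip from 127.0.0.0/8 to any
    # Return packets of every flow recorded below with keep-state.
    $IPFW add 400 check-state
    # Outbound: only TCP sessions we open and our own DNS lookups. Each one
    # is entered in the dynamic table, so its answers match rule 400.
    $IPFW add 500 allow tcp from me to any out setup keep-state
    $IPFW add 600 allow udp from me to any 53 out keep-state
    # Inbound public services; the dynamic entry carries the rest of the flow.
    $IPFW add 700 allow tcp from any to me 21,25,80,110 in setup keep-state
    # SSH only from the trusted hosts, one rule per host.
    n=800
    for h in $TRUSTED_SSH; do
        $IPFW add $n allow tcp from $h to me 22 in setup keep-state
        n=$((n + 1))
    done
    # Answer ident probes with RST so remote MTAs do not hang on the lookup.
    $IPFW add 900 reset tcp from any to me 113 in
    # echo reply, unreachable, echo request, time exceeded.
    $IPFW add 1000 allow icmp from any to any icmptypes 0,3,8,11
    # Non-first fragments carry no ports and cannot match a dynamic rule.
    $IPFW add 1100 allow ip from any to any frag
    # Everything else is dropped and logged.
    $IPFW add 65000 deny log ip from any to any
}

ipfw_rules
```

Two caveats worth knowing before loading this on a live box: dropping the `established` rule means TCP sessions that were open before the reload have no dynamic entry and will be cut off at rule 65000, and the dynamic table is bounded (see the `net.inet.ip.fw.dyn_*` sysctls), so a busy server needs those limits checked.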