From owner-freebsd-questions@FreeBSD.ORG Mon Sep 8 16:08:07 2014
Date: Mon, 8 Sep 2014 16:07:52 +0000 (UTC)
From: John Case
To: freebsd-questions@freebsd.org
Subject: Can I make this simple ipfw ruleset more restrictive ?
List-Id: User questions

I have a very simple firewall - it sits on the network border and it *blocks everything*, and the only traffic that is allowed is for internal clients to make outbound port 40 connections. Also internal clients can ping and traceroute. But that's it - no other connections in or out are allowed.
I have the following ruleset that is working perfectly:

  # matches TCP packets that have the RST or ACK bit set (see ipfw(8))
  ipfw add 10 allow tcp from any to any established
  # ICMP echo reply (0), destination unreachable (3), echo request (8), time exceeded (11)
  ipfw add 20 allow icmp from any to any icmptypes 0,3,8,11
  # UDP traceroute probe ports, only for packets arriving on the internal interface
  ipfw add 21 allow udp from any to any 33433-33499 in via fxp1
  # TCP to port 40, only for packets arriving on the internal interface
  ipfw add 30 allow tcp from any to any 40 in via fxp1

(fxp1 is the *internal* interface, and so I allow the port 40 connections and the udp for traceroute only for requests that come in from the internal net)

Is there anything I have screwed up here? Any connections that can come in or out that I am trying to avoid? Is there any way to lock this down any further?

Thanks very much.