Date: Wed, 17 Jul 2002 09:42:12 +0200
From: Bart Matthaei <bart@dreamflow.nl>
To: Mark.Andrews@isc.org
Cc: Mark D <markd@cogeco.ca>, security@FreeBSD.ORG
Subject: Re: ipfw and it's glory...
Message-ID: <20020717074212.GB38299@heresy.dreamflow.nl>
In-Reply-To: <200207170729.g6H7TtJe081341@drugs.dv.isc.org>
References: <20020717070349.GA38299@heresy.dreamflow.nl> <200207170729.g6H7TtJe081341@drugs.dv.isc.org>
On Wed, Jul 17, 2002 at 05:29:55PM +1000, Mark.Andrews@isc.org wrote:
[snip]
> > # Allow all outgoing traffic
> > ipfw add allow all from any to any out
>
> This is a bad idea. You should only allow out what you
> will accept back in. If you don't you will eventually be
> guilty of pounding some poor server because you haven't
> allowed the answers to come back.

This ruleset allows all traffic to any tcp port > 1024, and some ports < 1024.
For example, access to tcp port 443 is denied, so there's no way there will be
a connection coming from port 443 on the box. But, you're right, since you deny
access to port 443, it's tidy to deny traffic coming _from_ port 443.

Or isn't this the point you're trying to make?

Cheers,

Bart

> > # Allow IP fragments (for more info, see ipfw manpage)
> > ipfw add allow all from any to any frag
> >
> > # Allow established tcp connections
> > ipfw add allow tcp from any to any established
> >
> > # Allow tcp connections to the box > 1024 (In order to make
> > # various clients work on the box)
> > ipfw add pass tcp from any to me 1024-65535 setup
> >
> > # Allow udp connections to the box > 1024 (same shit)
> > ipfw add pass udp from any to me 1024-65535
> >
> > # Allow dns queries
> > ipfw add allow udp from any to any 53
> >
> > # Allow the trusted ip's to the ssh port
> > ipfw add allow tcp from $trusted_ip1 to me 22
> > ipfw add allow tcp from $trusted_ip2 to me 22
> >
> > # Allow ftp, smtp, http and pop and auth (I'm sure you want that)
> > ipfw add allow tcp from any to me 21,25,80,110,113 setup
> >
> > # I've added auth. If you don't want auth, make sure to reset all
> > # traffic going to port 113, or ident lookups to your box will time-out.
> > # use 'reset tcp from any to me 113'
> >
> > # Allow icmptypes 0 3 8 and 11
> > ipfw add allow icmp from any to any icmptypes 0,3,8,11
> >
> > # Deny everything else
> > ipfw add deny all from any to any

-- 
Bart Matthaei bart@dreamflow.nl
If at first you don't succeed, redefine success.
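The mismatch Mark Andrews warns about ("only allow out what you will accept back in") can be checked mechanically. The following is an added example, not code from either poster: a small Python model of ipfw first-match evaluation over the quoted ruleset, which walks a few outbound flows, builds the answer each remote host would send back, and reports the flows the box is allowed to send but whose answers the same ruleset drops. The addresses (192.0.2.10 for "me", 203.0.113.x for the trusted hosts, 198.51.100.x for remote servers), the sample flows, and the assumption that the local ntpd sends from source port 123 are all constructed for this example; the tightened egress rules at the end are one illustration of the principle, not a recommended complete ruleset.

```python
"""Constructed model of ipfw first-match evaluation for the ruleset quoted in
the thread. Addresses, flows and the tightened egress rules are assumptions
made for this example, not part of either poster's text."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

ME = "192.0.2.10"                          # assumed address of the box ("me")
TRUSTED = ("203.0.113.1", "203.0.113.2")   # stand-ins for $trusted_ip1/$trusted_ip2
EPHEMERAL = range(1024, 65536)             # "1024-65535" in the quoted rules


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str             # "in" or "out", as seen by the box
    flags: FrozenSet[str]      # tcp flags present: "syn", "ack", "rst"
    frag: bool = False
    icmptype: Optional[int] = None


Rule = Tuple[str, Callable[[Packet], bool]]


def rule(action, proto="all", src="any", sport=None, dst="any", dport=None,
         direction=None, setup=False, established=False, frag=False,
         icmptypes=None) -> Rule:
    """One ipfw rule; the matcher mirrors the keywords used in the thread."""
    def matches(p: Packet) -> bool:
        if proto != "all" and p.proto != proto:
            return False
        if src != "any" and p.src != src:
            return False
        if dst != "any" and p.dst != dst:
            return False
        if sport is not None and p.sport not in sport:
            return False
        if dport is not None and p.dport not in dport:
            return False
        if direction is not None and p.direction != direction:
            return False
        if frag and not p.frag:
            return False
        # "setup": TCP packets with SYN and without ACK (connection requests)
        if setup and not (p.proto == "tcp" and "syn" in p.flags and "ack" not in p.flags):
            return False
        # "established": TCP packets carrying ACK or RST
        if established and not (p.proto == "tcp" and p.flags & {"ack", "rst"}):
            return False
        if icmptypes is not None and p.icmptype not in icmptypes:
            return False
        return True
    return action, matches


def quoted_ruleset() -> List[Rule]:
    """The ruleset as posted, in order (first matching rule wins)."""
    return [
        rule("allow", direction="out"),                                  # allow all from any to any out
        rule("allow", frag=True),                                        # allow all from any to any frag
        rule("allow", proto="tcp", established=True),                    # allow tcp ... established
        rule("allow", proto="tcp", dst=ME, dport=EPHEMERAL, setup=True),
        rule("allow", proto="udp", dst=ME, dport=EPHEMERAL),
        rule("allow", proto="udp", dport={53}),
        rule("allow", proto="tcp", src=TRUSTED[0], dst=ME, dport={22}),
        rule("allow", proto="tcp", src=TRUSTED[1], dst=ME, dport={22}),
        rule("allow", proto="tcp", dst=ME, dport={21, 25, 80, 110, 113}, setup=True),
        rule("allow", proto="icmp", icmptypes={0, 3, 8, 11}),
        rule("deny"),
    ]


def tightened_ruleset() -> List[Rule]:
    """Same ruleset with 'allow all out' replaced by egress rules that only let
    out traffic whose answers the inbound rules will accept (assumed set)."""
    egress = [
        rule("allow", proto="tcp", direction="out", established=True),                    # our side of accepted connections
        rule("allow", proto="tcp", src=ME, sport=EPHEMERAL, direction="out", setup=True),  # client connections
        rule("allow", proto="udp", src=ME, sport=EPHEMERAL, direction="out"),             # answers come back to 1024-65535
        rule("allow", proto="udp", src=ME, sport={53}, direction="out"),                  # answers from our DNS server
        rule("allow", proto="icmp", direction="out", icmptypes={0, 3, 8, 11}),
        rule("deny", direction="out"),
    ]
    return egress + quoted_ruleset()[1:]


def evaluate(ruleset: List[Rule], pkt: Packet) -> str:
    for action, matches in ruleset:
        if matches(pkt):
            return action
    return "deny"   # kernel default rule on a default-to-deny build


def reply_of(pkt: Packet) -> Packet:
    """The first answer a remote host sends back for an outbound packet."""
    flags = frozenset({"syn", "ack"}) if pkt.proto == "tcp" else frozenset()
    icmptype = 0 if pkt.icmptype == 8 else None          # echo request -> echo reply
    return Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport, "in", flags,
                  icmptype=icmptype)


def unanswered(ruleset: List[Rule], flows) -> List[str]:
    """Names of flows the box may send but whose answers the same ruleset
    drops: exactly the 'pounding some poor server' case."""
    return [name for name, pkt in flows.items()
            if evaluate(ruleset, pkt) == "allow"
            and evaluate(ruleset, reply_of(pkt)) == "deny"]


# Constructed sample flows originating on the box.
FLOWS = {
    "https client": Packet("tcp", ME, 50000, "198.51.100.5", 443, "out", frozenset({"syn"})),
    "dns client": Packet("udp", ME, 40000, "198.51.100.53", 53, "out", frozenset()),
    "ntpd (source port 123)": Packet("udp", ME, 123, "198.51.100.123", 123, "out", frozenset()),
    "ping": Packet("icmp", ME, 0, "198.51.100.5", 0, "out", frozenset(), icmptype=8),
}

if __name__ == "__main__":
    print("quoted ruleset, unanswered flows:", unanswered(quoted_ruleset(), FLOWS))
    print("tightened ruleset, unanswered flows:", unanswered(tightened_ruleset(), FLOWS))
```

With the quoted ruleset the TCP and DNS client flows are fine, because their answers land on ports 1024-65535 or carry ACK and so match "established"; the assumed ntpd flow is the problem case: "allow all out" lets the query leave, but the answer to udp port 123 on the box matches nothing before the final deny, so the box keeps retrying against the server. The tightened variant denies that query on the way out instead. An inbound SYN to tcp port 443 on the box is denied by both, which is the observation Bart makes above.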
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020717074212.GB38299>