From owner-freebsd-security Wed Jul 17 0:42:27 2002
Date: Wed, 17 Jul 2002 09:42:12 +0200
From: Bart Matthaei <bart@dreamflow.nl>
To: Mark.Andrews@isc.org
Cc: Mark D, security@FreeBSD.ORG
Subject: Re: ipfw and its glory...
Message-ID: <20020717074212.GB38299@heresy.dreamflow.nl>
In-Reply-To: <200207170729.g6H7TtJe081341@drugs.dv.isc.org>

On Wed, Jul 17, 2002 at 05:29:55PM +1000, Mark.Andrews@isc.org wrote:
[snip]
> > # Allow all outgoing traffic
> > ipfw add allow all from any to any out
>
> This is a bad idea. You should only allow out what you
> will accept back in. If you don't you will eventually be
> guilty of pounding some poor server because you haven't
> allowed the answers to come back.

This ruleset allows all traffic to any tcp port > 1024, and some ports
< 1024. For example, access to tcp port 443 is denied, so there's no way
there will be a connection coming from port 443 on the box. But you're
right: since you deny access to port 443, it's tidy to deny traffic
coming _from_ port 443. Or isn't this the point you're trying to make?
Cheers,

Bart

> > # Allow IP fragments (for more info, see ipfw manpage)
> > ipfw add allow all from any to any frag
> >
> > # Allow established tcp connections
> > ipfw add allow tcp from any to any established
> >
> > # Allow tcp connections to the box > 1024 (In order to make
> > # various clients work on the box)
> > ipfw add pass tcp from any to me 1024-65535 setup
> >
> > # Allow udp connections to the box > 1024 (same shit)
> > ipfw add pass udp from any to me 1024-65535
> >
> > # Allow dns queries
> > ipfw add allow udp from any to any 53
> >
> > # Allow the trusted ip's to the ssh port
> > ipfw add allow tcp from $trusted_ip1 to me 22
> > ipfw add allow tcp from $trusted_ip2 to me 22
> >
> > # Allow ftp, smtp, http and pop and auth (I'm sure you want that)
> > ipfw add allow tcp from any to me 21,25,80,110,113 setup
> >
> > # I've added auth. If you don't want auth, make sure to reset all
> > # traffic going to port 113, or ident lookups to your box will time-out.
> > # use 'reset tcp from any to me 113'
> >
> > # Allow icmptypes 0 3 8 and 11
> > ipfw add allow icmp from any to any icmptypes 0,3,8,11
> >
> > # Deny everything else
> > ipfw add deny all from any to any

--
Bart Matthaei                                        bart@dreamflow.nl
If at first you don't succeed, redefine success.
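An added example, not part of either message in this thread: the quoted ruleset with the outbound side rewritten so the box can only send traffic whose answers the inbound rules would accept, which is the symmetry the quoted objection asks for. Everything here is assumed rather than taken from the thread: the `$fwcmd` variable follows the /etc/rc.firewall convention and defaults to a dry run that just prints the ipfw(8) commands (set `fwcmd=/sbin/ipfw` to load them), the two trusted addresses are placeholders from the 192.0.2.0/24 documentation range, and the loopback rules are a common addition the original did not have. `deny log` only produces log lines once `net.inet.ip.fw.verbose` is set to 1.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw ruleset whose outbound rules
# mirror what the inbound rules accept, instead of "allow all ... out".
# Dry run by default: $fwcmd prints the commands rather than loading them.
#
# Assumptions (not from the original message): trusted_ip1/2 are placeholder
# addresses from the documentation range; $fwcmd follows rc.firewall usage.

fwcmd="${fwcmd:-echo /sbin/ipfw}"
trusted_ip1="${trusted_ip1:-192.0.2.10}"
trusted_ip2="${trusted_ip2:-192.0.2.11}"

build_ruleset() {
    $fwcmd -f flush

    # Loopback is trusted; 127/8 arriving on any other interface is spoofed.
    $fwcmd add allow all from any to any via lo0
    $fwcmd add deny all from any to 127.0.0.0/8
    $fwcmd add deny all from 127.0.0.0/8 to any

    # Fragments, and the non-SYN part of every TCP session (either direction).
    $fwcmd add allow all from any to any frag
    $fwcmd add allow tcp from any to any established

    # Inbound services, as in the quoted ruleset (ssh only from trusted hosts).
    $fwcmd add allow tcp from $trusted_ip1 to me 22 setup
    $fwcmd add allow tcp from $trusted_ip2 to me 22 setup
    $fwcmd add allow tcp from any to me 21,25,80,110,113 setup
    # Unprivileged ports: where client programs on the box receive replies.
    $fwcmd add allow tcp from any to me 1024-65535 setup
    $fwcmd add allow udp from any to me 1024-65535
    # Queries to the local name server.
    $fwcmd add allow udp from any to me 53

    # Outbound: only traffic whose answers the rules above let back in.
    # Client TCP connections: the SYN leaves here, the rest of the session
    # matches 'established' (as do the SYN/ACKs our own services send).
    $fwcmd add allow tcp from me to any out setup
    # DNS queries from the box; the answers return to a port > 1023.
    $fwcmd add allow udp from me to any 53 out
    # Answers from the local name server to whoever queried it.
    $fwcmd add allow udp from me 53 to any out
    # Other UDP clients on the box (ntp, traceroute) use ports > 1023 too.
    $fwcmd add allow udp from me 1024-65535 to any out
    # The same ICMP types in both directions.
    $fwcmd add allow icmp from any to any icmptypes 0,3,8,11

    # Everything else, inbound or outbound, is dropped (and logged once
    # net.inet.ip.fw.verbose=1), so a forgotten outbound rule shows up in
    # the log instead of as retransmissions against some remote server.
    $fwcmd add deny log all from any to any
}

build_ruleset
```

Running the script as-is prints the rule list for review; the only deliberate gap left from the original is port 113, which is still accepted here and should be replaced by `reset tcp from any to me 113 setup` on a box that does not run an ident daemon, for the reason the quoted comment gives.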