Date: Wed, 17 Jul 2002 18:01:54 +1000
From: Mark.Andrews@isc.org
To: Bart Matthaei <bart@dreamflow.nl>
Cc: Mark D <markd@cogeco.ca>, security@FreeBSD.ORG
Subject: Re: ipfw and it's glory...
Message-ID: <200207170801.g6H81sJe083568@drugs.dv.isc.org>
In-Reply-To: Your message of "Wed, 17 Jul 2002 09:42:12 +0200." <20020717074212.GB38299@heresy.dreamflow.nl>
> On Wed, Jul 17, 2002 at 05:29:55PM +1000, Mark.Andrews@isc.org wrote:
> [snip]
> > > # Allow all outgoing traffic
> > > ipfw add allow all from any to any out
> >
> > This is a bad idea. You should only allow out what you
> > will accept back in. If you don't you will eventually be
> > guilty of pounding some poor server because you haven't
> > allowed the answers to come back.
>
> This ruleset allows all traffic to any tcp port > 1024, and some ports
> < 1024. It allows everything out. ALL TCP + ALL UDP + everything else.
> For example, access to tcp port 443 is denied, so there's no way there
> will be a connection coming from port 443 on the box.
> But, you're right, since you deny access to port 443, it's tidy to deny
> traffic coming _from_ port 443.

It's not only tidy, it's essential if you want to be a good net citizen.
I've seen the results of firewalls that don't do this.

> Or isn't this the point you're trying to make?
>
> Cheers,
>
> Bart
>
> > > # Allow IP fragments (for more info, see ipfw manpage)
> > > ipfw add allow all from any to any frag
> > >
> > > # Allow established tcp connections
> > > ipfw add allow tcp from any to any established
> > >
> > > # Allow tcp connections to the box > 1024 (In order to make
> > > # various clients work on the box)
> > > ipfw add pass tcp from any to me 1024-65535 setup
> > >
> > > # Allow udp connections to the box > 1024 (same shit)
> > > ipfw add pass udp from any to me 1024-65535
> > >
> > > # Allow dns queries
> > > ipfw add allow udp from any to any 53
> > >
> > > # Allow the trusted ip's to the ssh port
> > > ipfw add allow tcp from $trusted_ip1 to me 22
> > > ipfw add allow tcp from $trusted_ip2 to me 22
> > >
> > > # Allow ftp, smtp, http and pop and auth (I'm sure you want that)
> > > ipfw add allow tcp from any to me 21,25,80,110,113 setup
> > >
> > > # I've added auth. If you don't want auth, make sure to reset all
> > > # traffic going to port 113, or ident lookups to your box will time-out.
> > > # use 'reset tcp from any to me 113'
> > >
> > > # Allow icmptypes 0 3 8 and 11
> > > ipfw add allow icmp from any to any icmptypes 0,3,8,11
> > >
> > > # Deny everything else
> > > ipfw add deny all from any to any
> >
> --
> Bart Matthaei bart@dreamflow.nl
>
> If at first you don't succeed, redefine success.

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
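An added example, not from the thread and not Bart's ruleset: a shell script that prints a ruleset following Mark's advice, with outbound rules that mirror the inbound accept list, so a packet sourced from an unserved low port such as 443 is dropped instead of being let out by "allow all from any to any out". The service port list, the ssh port and the trusted addresses are assumed, constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: print an ipfw ruleset in which the
# outbound rules mirror what the box accepts inbound, replacing the
# "allow all from any to any out" rule discussed above. Rules are echoed,
# not installed; review the output, then pipe it through sh on the box.
# SERVED_TCP, SSH_PORT and TRUSTED are assumed/constructed values.

SERVED_TCP="21,25,80,110,113"      # services reachable from anywhere
SSH_PORT=22                        # reachable from TRUSTED only
TRUSTED="192.0.2.10 192.0.2.11"    # constructed placeholder addresses

# emit_symmetric_rules: one "ipfw add ..." line per rule, in order
emit_symmetric_rules() {
    echo "ipfw add allow all from any to any frag"
    # Outbound first: replies may only leave from ports we serve, plus
    # client connections from ephemeral ports. Anything sourced from an
    # unserved low port (443 in the thread) is dropped and logged before
    # the stateless 'established' rule could let it through.
    echo "ipfw add allow tcp from me $SERVED_TCP,$SSH_PORT to any out"
    echo "ipfw add deny log tcp from me 1-1023 to any out"
    echo "ipfw add allow tcp from any to any established"
    echo "ipfw add allow tcp from me 1024-65535 to any out setup"
    echo "ipfw add allow udp from me 1024-65535 to any out"
    echo "ipfw add allow udp from any to any 53"
    # Inbound: the same service list the original ruleset accepted
    echo "ipfw add allow tcp from any to me $SERVED_TCP setup in"
    for ip in $TRUSTED; do
        echo "ipfw add allow tcp from $ip to me $SSH_PORT setup in"
    done
    echo "ipfw add allow tcp from any to me 1024-65535 setup in"
    echo "ipfw add allow udp from any to me 1024-65535 in"
    echo "ipfw add allow icmp from any to any icmptypes 0,3,8,11"
    echo "ipfw add deny log all from any to any"
}

# outbound_allowed PORT: returns 0 when a new packet sourced from PORT on
# this host would pass the outbound rules above, 1 when it would be denied
outbound_allowed() {
    port=$1
    for p in $(echo "$SERVED_TCP,$SSH_PORT" | tr ',' ' '); do
        [ "$p" -eq "$port" ] && return 0
    done
    [ "$port" -ge 1024 ] && return 0
    return 1
}

emit_symmetric_rules
```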