From: Mark.Andrews@isc.org
To: Bart Matthaei
Cc: Mark D, security@FreeBSD.ORG
Subject: Re: ipfw and it's glory...
Date: Wed, 17 Jul 2002 18:01:54 +1000
Message-Id: <200207170801.g6H81sJe083568@drugs.dv.isc.org>
In-reply-to: Your message of "Wed, 17 Jul 2002 09:42:12 +0200." <20020717074212.GB38299@heresy.dreamflow.nl>

> On Wed, Jul 17, 2002 at 05:29:55PM +1000, Mark.Andrews@isc.org wrote:
> [snip]
> > > # Allow all outgoing traffic
> > > ipfw add allow all from any to any out
> >
> > This is a bad idea. You should only allow out what you
> > will accept back in. If you don't you will eventually be
> > guilty of pounding some poor server because you haven't
> > allowed the answers to come back.
>
> This ruleset allows all traffic to any tcp port > 1024, and some ports
> < 1024. It allows everything out. ALL TCP + ALL UDP + everything else.
> For example, access to tcp port 443 is denied, so there's no way there
> will be a connection coming from port 443 on the box.
> But, you're right, since you deny access to port 443, it's tidy to deny
> traffic coming _from_ port 443.
It's not only tidy, it's essential if you want to be a good net citizen.
I've seen the results of firewalls that don't do this.

> Or isn't this the point you're trying to make ?
>
> Cheers,
>
> Bart
>
> > > # Allow IP fragments (for more info, see ipfw manpage)
> > > ipfw add allow all from any to any frag
> > >
> > > # Allow established tcp connections
> > > ipfw add allow tcp from any to any established
> > >
> > > # Allow tcp connections to the box > 1024 (In order to make
> > > # various clients work on the box)
> > > ipfw add pass tcp from any to me 1024-65535 setup
> > >
> > > # Allow udp connections to the box > 1024 (same shit)
> > > ipfw add pass udp from any to me 1024-65535
> > >
> > > # Allow dns queries
> > > ipfw add allow udp from any to any 53
> > >
> > > # Allow the trusted IPs to the ssh port
> > > ipfw add allow tcp from $trusted_ip1 to me 22
> > > ipfw add allow tcp from $trusted_ip2 to me 22
> > >
> > > # Allow ftp, smtp, http and pop and auth (I'm sure you want that)
> > > ipfw add allow tcp from any to me 21,25,80,110,113 setup
> > >
> > > # I've added auth. If you don't want auth, make sure to reset all
> > > # traffic going to port 113, or ident lookups to your box will time-out.
> > > # use 'reset tcp from any to me 113'
> > >
> > > # Allow icmptypes 0 3 8 and 11
> > > ipfw add allow icmp from any to any icmptypes 0,3,8,11
> > >
> > > # Deny everything else
> > > ipfw add deny all from any to any
>
> --
> Bart Matthaei bart@dreamflow.nl
>
> If at first you don't succeed, redefine success.

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org
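The egress point Mark makes above (only allow out what the inbound rules will accept back) written out as a ruleset. This is an added example, not Bart's posted ruleset or anything Mark sent: the inbound section is kept as posted, but the blanket "allow all from any to any out" is replaced by outbound rules that each mirror an inbound acceptance, so a local program whose answers would be dropped never gets to retry against a remote server, and nothing leaves from a port such as 443 whose inbound traffic is denied. The IPFW_CMD variable, the rule helper, the build_ruleset function and the two trusted addresses (TEST-NET-1 placeholders) are assumptions of this example; by default it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the ruleset from the thread. Inbound rules are kept as
# posted; the outbound section only lets through traffic whose replies the
# inbound rules will accept back.
#
# Assumptions: IPFW_CMD defaults to "echo ipfw" (a dry run that prints the
# rules); set IPFW_CMD=/sbin/ipfw to apply them. The trusted addresses are
# constructed TEST-NET-1 placeholders.
IPFW_CMD="${IPFW_CMD:-echo ipfw}"
trusted_ip1="${trusted_ip1:-192.0.2.10}"
trusted_ip2="${trusted_ip2:-192.0.2.11}"

# Every rule goes through one helper so that the dry run and the real run
# differ only in IPFW_CMD.
rule() {
    $IPFW_CMD add "$@"
}

build_ruleset() {
    # --- Inbound and bidirectional rules, as in the posted ruleset ---
    rule allow all from any to any frag
    rule allow tcp from any to any established
    rule allow tcp from any to me 1024-65535 setup
    rule allow udp from any to me 1024-65535
    rule allow udp from any to any 53
    rule allow tcp from "$trusted_ip1" to me 22
    rule allow tcp from "$trusted_ip2" to me 22
    rule allow tcp from any to me 21,25,80,110,113 setup
    rule allow icmp from any to any icmptypes 0,3,8,11

    # --- Outbound: each rule has a matching acceptance above ---
    # A session the box initiates gets its SYN/ACK back as an established
    # segment to me 1024-65535, so only client SYNs from unprivileged local
    # ports may leave. Data on server sessions (21, 25, 80, ...) is already
    # covered by the established rule.
    rule allow tcp from me 1024-65535 to any out setup
    # UDP answers come back to me 1024-65535, which is accepted above, so
    # only datagrams from unprivileged local ports may leave.
    rule allow udp from me 1024-65535 to any out
    # Answers from our own port 53 (queries to it are accepted above).
    rule allow udp from me 53 to any out
    # Outbound ICMP limited to the same types accepted inbound.
    rule allow icmp from me to any out icmptypes 0,3,8,11
    # Everything else is dropped in both directions.
    rule deny all from any to any
}

build_ruleset
```

Run it as-is to review the generated rules; compare the outbound section against the inbound one rule by rule before applying with IPFW_CMD=/sbin/ipfw. Any new outbound rule should be added together with the inbound rule that accepts its replies, which is the check Mark is asking for.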