From owner-freebsd-security Wed Jul 17 1:20:54 2002
Delivered-To: freebsd-security@freebsd.org
From: "Carroll, D. (Danny)"
Subject: RE: ipfw and it's glory...
Date: Wed, 17 Jul 2002 09:09:34 +0200
Message-ID: <6C506EA550443D44A061432F1E92EA4C6C5353@citsnl045.europe.intranet>
Sender: owner-freebsd-security@FreeBSD.ORG

Here are a couple of simple things I noticed. Check in-line...

: allow ip from trusted-ip-addy-1 to any
: allow ip from trusted-ip-addy-2 to any
: allow log tcp from any to any established

This rule is redundant. Rule 1 gets it.

: allow log tcp from trusted-ip-addy-1 to any 22 in setup

If you want to be paranoid then you could make these only applicable to the DNS servers of your ISP.

: allow log udp from internal-addy to any 53
: allow log udp from any 53 to internal-addy

Internal-addy. Is that an RFC1918 address? Or is it a real (routable) internet address? If it is routable then I would consider using the alias "external addy" to save confusion.
If it is 1918 then I assume this is a multi-NIC server and you probably need NAT to do some address translation.

: allow log tcp from any to internal-addy 80,21,110,15 setup
: -
: 65535 deny ip from any to any

Other than what you have, I'd consider logging the deny, and adding specific denies for address spoofing protection. By that I mean disallow 192.168.x.x or 127.x.x.x et al. traffic coming IN from the OUTSIDE. But then again, you do not seem to be specifically allowing anything from the *inside*, so it's not that important IMHO. Simpler is often better. Just consider it (spoofing) if you want to start doing this.

Hope this helps..

-D