From owner-freebsd-questions Wed Aug 15 5:59:28 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from comp04.prc.uic.edu (comp04.prc.uic.edu [128.248.230.104]) by hub.freebsd.org (Postfix) with SMTP id 5388237B414 for ; Wed, 15 Aug 2001 05:59:23 -0700 (PDT) (envelope-from lucas@comp04.prc.uic.edu)
Received: (qmail 4598 invoked by uid 1000); 15 Aug 2001 12:59:43 -0000
Date: Wed, 15 Aug 2001 07:59:43 -0500
From: Lucas Bergman
To: default - Subscriptions
Cc: questions@freebsd.org
Subject: Re: Question about default IPFW Rules...
Message-ID: <20010815075943.D4491@comp04.prc.uic.edu>
Reply-To: lucas@slb.to
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from default013subscriptions@hotmail.com on Tue, Aug 14, 2001 at 11:06:21PM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> I have a question about this rule in the default rc.firewall script:
>
> # Allow any traffic to or from my own net
> ${fwcmd} add pass all from ${ip} to ${net}:${mask}
> ${fwcmd} add pass all from ${net}:${mask} to ${ip}

In my copy of /usr/src/etc/rc.firewall, these rules only appear in the
"client" firewall configuration; i.e., if you set firewall_type=client,
you are saying implicitly that you trust your subnet.

> If one is on a cable/dsl connection like @home, wouldn't this rule
> supersede all other rules and let any traffic in from my
> I.P. address range? (given that example I.P. is 192.168.0.3, and
> netmask is 255.255.255.0)

I have @Home, but I got a routable address. Lucky me, I guess.

Provided the rules appeared sufficiently early in the configuration
(which they do in the default "client" configuration in rc.firewall),
then you're right. If you want to black-hole your subnet except for,
say, your own addresses and your gateway, then you'll have to add that
in.
> I am concerned with this because I do have hackers in my range that
> have been trying to get in...
                                             ^^^^^^^

You misspelled "crackers"... :)

> Is there a better way to do this? Or would you guys suggest removing
> this rule completely? (I have not tried this yet...)

If you want to protect yourself more from people on 192.168.0/24 (other
than you and your gateway), then you'll have to do something somewhat
more complicated. Maybe look into one of the more complete firewall
configurations that, say, drop TCP packets except for connections that
you set up. (That, at least, stops many TCP-based attacks.)

Lucas

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
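As an added example (not from this thread and not FreeBSD's own rc.firewall), here is a "client"-style ipfw rule set written as an sh function that does what Lucas describes: it drops the two subnet-trust pass rules, trusts only the gateway, black-holes the rest of 192.168.0.0/24, and then allows only TCP connections the host itself set up. The gateway address 192.168.0.1 is an assumption, and fwcmd defaults to echo so the rules can be reviewed without root or a running ipfw.

```sh
#!/bin/sh
# Added example, not the list poster's or FreeBSD's rc.firewall code.
# ip, net and mask are the values from the thread; gw is an assumed
# gateway address.  With fwcmd unset the script only prints the rules.
ip="192.168.0.3"
net="192.168.0.0"
mask="255.255.255.0"
gw="192.168.0.1"                 # assumption: the cable router's LAN side
fwcmd="${fwcmd:-echo ipfw}"      # set fwcmd=/sbin/ipfw to actually load

client_rules() {
    ${fwcmd} -f flush
    # Loopback stays on lo0; anything else claiming 127/8 is bogus.
    ${fwcmd} add pass all from any to any via lo0
    ${fwcmd} add deny all from any to 127.0.0.0/8
    ${fwcmd} add deny all from 127.0.0.0/8 to any

    # Trust only the gateway.  These two lines replace the default
    # client configuration's "pass all from ${net}:${mask} to ${ip}"
    # pair, which would otherwise match before every rule below.
    ${fwcmd} add pass all from ${gw} to ${ip}
    ${fwcmd} add pass all from ${ip} to ${gw}
    # Black-hole every other host on the subnet, logging the attempts.
    ${fwcmd} add deny log all from ${net}:${mask} to ${ip}
    ${fwcmd} add deny log all from ${ip} to ${net}:${mask}

    # Established TCP passes; only this host may open new TCP sessions.
    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass all from any to any frag
    ${fwcmd} add pass tcp from ${ip} to any setup
    ${fwcmd} add deny log tcp from any to any setup

    # DNS and NTP replies are admitted by the dynamic state entries.
    ${fwcmd} add pass udp from ${ip} to any 53 keep-state
    ${fwcmd} add pass udp from ${ip} to any 123 keep-state
    ${fwcmd} add deny log all from any to any
}

client_rules
```

Run it once with fwcmd unset to read the rule order; only the gateway pass rules sit above the subnet deny, so no other 192.168.0.0/24 host reaches the "established" or "setup" rules.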