Date: Wed, 17 Jul 2002 12:44:51 +0200
From: "Carroll, D. (Danny)" <Danny.Carroll@mail.ing.nl>
To: "Bart Matthaei" <bart@dreamflow.nl>, "Mark D" <markd@cogeco.ca>
Cc: <security@freebsd.org>
Subject: RE: ipfw and it's glory...
Message-ID: <6C506EA550443D44A061432F1E92EA4C6C5359@citsnl045.europe.intranet>
I disagree with the 1024-65535 rules. In my experience you can get it to work without allowing all of these. Plus the way you have it set up, if you ever have X running then port 6000 is open and I really hate that idea. Of course most agree that X on a firewall is a bad idea(tm) but I thought it was worth mentioning.

Nice ruleset with the Auth and ICMP stuff, I forgot about those...

-D

:First of all. Avoid using IP addresses when addressing the "self"-box.
:Use 'me' instead.
:
:Second, here's a basic setup that works for your situation:
:
:# Allow "local" traffic
:ipfw add allow all from any to any via lo0
:
:# Allow all outgoing traffic
:ipfw add allow all from any to any out
:
:# Allow IP fragments (for more info, see ipfw manpage)
:ipfw add allow all from any to any frag
:
:# Allow established tcp connections
:ipfw add allow tcp from any to any established
:
:# Allow tcp connections to the box > 1024 (In order to make
:# various clients work on the box)
:ipfw add pass tcp from any to me 1024-65535 setup
:
:# Allow udp connections to the box > 1024 (same shit)
:ipfw add pass udp from any to me 1024-65535
:
:# Allow dns queries
:ipfw add allow udp from any to any 53
:
:# Allow the trusted IPs to the ssh port
:ipfw add allow tcp from $trusted_ip1 to me 22
:ipfw add allow tcp from $trusted_ip2 to me 22
:
:# Allow ftp, smtp, http and pop and auth (I'm sure you want that)
:ipfw add allow tcp from any to me 21,25,80,110,113 setup
:
:# I've added auth. If you don't want auth, make sure to reset all
:# traffic going to port 113, or ident lookups to your box will time out.
:# Use 'reset tcp from any to me 113'
:
:# Allow icmptypes 0 3 8 and 11
:ipfw add allow icmp from any to any icmptypes 0,3,8,11
:
:# Deny everything else
:ipfw add deny all from any to any
:
:This is a basic setup. Add more rules for specific network setups.
:ipfw isn't difficult, you just need to figure the syntax and specific
:options out.
:
:Cheers,
:
:Bart
:
:--
:Bart Matthaei bart@dreamflow.nl
:
:If at first you don't succeed, redefine success.
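Danny's objection above is that the two "1024-65535 to me" rules quietly admit whatever happens to listen on a high port, X11 on 6000 being his example. The following is an added audit script, not code from either poster; it parses the rule shape used in Bart's ruleset (a constructed copy is embedded) and flags inbound allow rules to `me` that either cover a port in a small constructed table of high-port listeners or open more than a threshold of ports. The rule grammar it accepts is only the subset seen in the thread.

```python
import re

# Constructed copy of the inbound rules under discussion, plus narrow ones for contrast.
RULES = """
ipfw add pass tcp from any to me 1024-65535 setup
ipfw add pass udp from any to me 1024-65535
ipfw add allow tcp from any to me 21,25,80,110,113 setup
ipfw add allow tcp from 192.0.2.10 to me 22
ipfw add deny all from any to any
"""

# Constructed table of listeners that commonly sit above 1024; 6000 is the X server Danny names.
HIGH_PORT_SERVICES = {6000: "X11", 6001: "X11 :1"}

# Subset of ipfw grammar used in the thread: ipfw add <action> <proto> from <src> to <dst> [ports] ...
RULE_RE = re.compile(
    r"ipfw\s+add\s+(?P<action>allow|pass|accept|permit|deny|drop|reset)\s+"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<ports>[\d,-]+))?"
)

def expand_ports(spec):
    """Expand an ipfw port spec such as '21,25,80' or '1024-65535' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(rules, services=HIGH_PORT_SERVICES, wide_threshold=1024):
    """Return (rule, reason) pairs for inbound allow rules to 'me' that are too broad."""
    findings = []
    for line in rules.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["action"] not in ("allow", "pass", "accept", "permit"):
            continue  # deny/reset rules and unparsed lines are not exposures
        if m["dst"] != "me" or not m["ports"]:
            continue  # only port-qualified rules addressed to the box itself
        ports = expand_ports(m["ports"])
        exposed = sorted(p for p in ports if p in services)
        if exposed:
            names = ", ".join(f"{p}/{services[p]}" for p in exposed)
            findings.append((line.strip(), f"exposes {names}"))
        elif len(ports) >= wide_threshold:
            findings.append((line.strip(), f"opens {len(ports)} ports"))
    return findings

if __name__ == "__main__":
    for rule, reason in audit(RULES):
        print(f"{reason}: {rule}")
```

Running it against the embedded ruleset reports only the two 1024-65535 rules; the 21,25,80,110,113 and port-22 rules pass because they name specific services.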