Date: Wed, 17 Jul 2002 12:44:51 +0200 From: "Carroll, D. (Danny)" <Danny.Carroll@mail.ing.nl> To: "Bart Matthaei" <bart@dreamflow.nl>, "Mark D" <markd@cogeco.ca> Cc: <security@freebsd.org> Subject: RE: ipfw and it's glory... Message-ID: <6C506EA550443D44A061432F1E92EA4C6C5359@citsnl045.europe.intranet>
I disagree with the 1024-65535 rules. In my experience you can get it to work without allowing all of these. Plus the way you have it set up, if you ever have X running then port 6000 is open and I really hate that idea. Of course most agree that X on a firewall is a bad idea(tm) but I thought it was worth mentioning.

Nice ruleset with the Auth and ICMP stuff, I forgot about those...

-D

:First of all. Avoid using IP addresses when addressing the "self"-box.
:Use 'me' instead.
:
:Second, here's a basic setup that works for your situation:
:
:# Allow "local" traffic
:ipfw add allow all from any to any via lo0
:
:# Allow all outgoing traffic
:ipfw add allow all from any to any out
:
:# Allow IP fragments (for more info, see ipfw manpage)
:ipfw add allow all from any to any frag
:
:# Allow established tcp connections
:ipfw add allow tcp from any to any established
:
:# Allow tcp connections to the box > 1024 (In order to make
:# various clients work on the box)
:ipfw add pass tcp from any to me 1024-65535 setup
:
:# Allow udp connections to the box > 1024 (same shit)
:ipfw add pass udp from any to me 1024-65535
:
:# Allow dns queries
:ipfw add allow udp from any to any 53
:
:# Allow the trusted IPs to the ssh port
:ipfw add allow tcp from $trusted_ip1 to me 22
:ipfw add allow tcp from $trusted_ip2 to me 22
:
:# Allow ftp, smtp, http and pop and auth (I'm sure you want that)
:ipfw add allow tcp from any to me 21,25,80,110,113 setup
:
:# I've added auth. If you don't want auth, make sure to reset all
:# traffic going to port 113, or ident lookups to your box will time out.
:# Use 'reset tcp from any to me 113'
:
:# Allow icmptypes 0 3 8 and 11
:ipfw add allow icmp from any to any icmptypes 0,3,8,11
:
:# Deny everything else
:ipfw add deny all from any to any
:
:This is a basic setup. Add more rules for specific network setups.
:ipfw isn't difficult, you just need to figure the syntax and specific
:options out.
:
:Cheers,
:
:Bart
:
:--
:Bart Matthaei bart@dreamflow.nl
:
:If at first you don't succeed, redefine success.
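An added example, not from either poster, of how the ruleset above looks once the blanket 1024-65535 rules are dropped: replies to connections the box itself opens are admitted through ipfw's dynamic rules (keep-state / check-state) rather than a standing inbound high-port hole, and port 6000 is denied explicitly. The trusted addresses are constructed placeholders standing in for $trusted_ip1 and $trusted_ip2.

```shell
#!/bin/sh
# Added example, not from the thread: Bart's ruleset reworked without the
# "from any to me 1024-65535" rules Danny objects to. Outbound flows create
# dynamic rules with keep-state; check-state lets only their replies back in.
# TRUSTED_IPS holds constructed placeholder addresses for $trusted_ip1/2.
TRUSTED_IPS="${TRUSTED_IPS:-192.0.2.10 192.0.2.11}"

# Emit the rule list (one "add ..." command per line) without loading it,
# so the script can be reviewed on any machine.
gen_rules() {
    echo "add allow all from any to any via lo0"
    echo "add allow all from any to any frag"
    # Reply packets of flows recorded below are matched here.
    echo "add check-state"
    # Each outbound flow from this box gets a dynamic rule; no inbound
    # high-port rule is needed for client programs any more.
    echo "add allow tcp from me to any out setup keep-state"
    echo "add allow udp from me to any out keep-state"
    echo "add allow icmp from me to any out keep-state"
    # Kept from the original for long-lived sessions that outlive a
    # dynamic rule; with keep-state in place it is optional.
    echo "add allow tcp from any to any established"
    # Log and drop X11 explicitly, ahead of the service rules.
    echo "add deny log tcp from any to me 6000 setup"
    for ip in $TRUSTED_IPS; do
        echo "add allow tcp from $ip to me 22"
    done
    echo "add allow tcp from any to me 21,25,80,110,113 setup"
    # Without an identd, uncomment so remote ident lookups fail fast.
    # echo "add reset tcp from any to me 113"
    echo "add allow icmp from any to any icmptypes 0,3,8,11"
    echo "add deny log all from any to any"
}

# Load the list with ipfw (FreeBSD only) when IPFW_APPLY=1; otherwise
# just print it, which is what the dry run below does.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules > "$tmp"
    if [ "${IPFW_APPLY:-0}" = 1 ]; then
        ipfw -f -q flush && ipfw -q "$tmp"
    else
        cat "$tmp"
    fi
    rm -f "$tmp"
}

apply_rules
```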
