From: "Carroll, D. (Danny)" <Danny.Carroll@mail.ing.nl>
To: "Bart Matthaei", "Mark D"
Cc: freebsd-security@freebsd.org
Subject: RE: ipfw and its glory...
Date: Wed, 17 Jul 2002 12:44:51 +0200

I disagree with the 1024-65535 rules. In my experience you can get it to work without allowing all of these.

Plus, the way you have it set up, if you ever have X running then port 6000 is open, and I really hate that idea. Of course most agree that X on a firewall is a bad idea(tm), but I thought it was worth mentioning.

Nice ruleset with the auth and ICMP stuff, I forgot about those...

-D

:First of all, avoid using IP addresses when addressing the "self" box.
:Use 'me' instead.
:
:Second, here's a basic setup that works for your situation:
:
:# Allow "local" traffic
:ipfw add allow all from any to any via lo0
:
:# Allow all outgoing traffic
:ipfw add allow all from any to any out
:
:# Allow IP fragments (for more info, see ipfw manpage)
:ipfw add allow all from any to any frag
:
:# Allow established tcp connections
:ipfw add allow tcp from any to any established
:
:# Allow tcp connections to the box > 1024 (In order to make
:# various clients work on the box)
:ipfw add pass tcp from any to me 1024-65535 setup
:
:# Allow udp connections to the box > 1024 (same shit)
:ipfw add pass udp from any to me 1024-65535
:
:# Allow dns queries
:ipfw add allow udp from any to any 53
:
:# Allow the trusted IPs to the ssh port
:ipfw add allow tcp from $trusted_ip1 to me 22
:ipfw add allow tcp from $trusted_ip2 to me 22
:
:# Allow ftp, smtp, http and pop and auth (I'm sure you want that)
:ipfw add allow tcp from any to me 21,25,80,110,113 setup
:
:# I've added auth. If you don't want auth, make sure to reset all
:# traffic going to port 113, or ident lookups to your box will time out.
:# Use 'reset tcp from any to me 113'
:
:# Allow icmptypes 0 3 8 and 11
:ipfw add allow icmp from any to any icmptypes 0,3,8,11
:
:# Deny everything else
:ipfw add deny all from any to any
:
:This is a basic setup. Add more rules for specific network setups.
:ipfw isn't difficult, you just need to figure the syntax and specific
:options out.
:
:Cheers,
:
:Bart
:
:--
:Bart Matthaei bart@dreamflow.nl
:
:If at first you don't succeed, redefine success.
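Danny's objection, that the blanket 1024-65535 rules let a fresh inbound connection reach an X server on port 6000 while the explicit service rules never get a say, can be checked by replaying Bart's ruleset through a first-match simulator. This is an added example, not code from either poster or from ipfw itself; it handles only the rule syntax used in the thread, and the box address, the trusted hosts and the probe source are constructed placeholders.

```python
import re
# Bart's ruleset from the thread as ipfw matches it; the two trusted addresses
# and ME are constructed placeholders standing in for $trusted_ip1/2 and the box.
BART_RULES = """\
allow all from any to any via lo0
allow all from any to any out
allow all from any to any frag
allow tcp from any to any established
pass tcp from any to me 1024-65535 setup
pass udp from any to me 1024-65535
allow udp from any to any 53
allow tcp from 192.0.2.10 to me 22
allow tcp from 192.0.2.11 to me 22
allow tcp from any to me 21,25,80,110,113 setup
allow icmp from any to any icmptypes 0,3,8,11
deny all from any to any"""
ME = "203.0.113.5"
KEYWORDS = {"out", "in", "frag", "setup", "established"}  # packet-state options

def port_match(spec, port):
    """True if port falls in an ipfw port list such as '22' or '21,25,1024-65535'."""
    ranges = [p.partition("-") for p in spec.split(",")] if spec else []
    return spec is None or any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def parse_rule(line):
    """Parse 'action proto from SRC to DST [PORTS] [options...]' (no source ports)."""
    tok = line.split()
    i = tok.index("to") + 2
    dport = tok[i] if i < len(tok) and re.fullmatch(r"[\d,-]+", tok[i]) else None
    return dict(action=tok[0], proto=tok[1], src=tok[tok.index("from") + 1], dst=tok[i - 1],
                dport=dport, opts=tok[i + (dport is not None):], text=line)

def rule_matches(r, pkt):
    addr = lambda spec, a: spec == "any" or a == (ME if spec == "me" else spec)
    o = r["opts"]  # every state keyword the rule names must be set on the packet
    return (r["proto"] in ("all", "ip", pkt["proto"])
            and addr(r["src"], pkt["src"]) and addr(r["dst"], pkt["dst"])
            and port_match(r["dport"], pkt.get("dport", 0))
            and (KEYWORDS & set(o)) <= pkt["flags"]
            and ("via" not in o or pkt.get("iface") == o[o.index("via") + 1])
            and ("icmptypes" not in o
                 or str(pkt.get("icmptype")) in o[o.index("icmptypes") + 1].split(",")))

def verdict(rules_text, pkt):
    """First match wins, as ipfw walks its list; returns (action, rule text)."""
    hits = [r for r in map(parse_rule, rules_text.splitlines()) if rule_matches(r, pkt)]
    return (hits[0]["action"], hits[0]["text"]) if hits else ("deny", "(implicit default)")

def inbound_syn(port, src="198.51.100.7", proto="tcp"):
    """Constructed new inbound connection attempt to the box from an untrusted host."""
    return dict(proto=proto, src=src, dst=ME, dport=port, flags={"in", "setup"} if proto == "tcp" else {"in"})
```

Dropping the two 1024-65535 lines and re-running `verdict` shows port 6000 falling through to the final deny while 21, 25, 80, 110 and 113 still reach their explicit rule.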