Date:      Thu, 29 Feb 1996 14:16:15 -0600 (CST)
From:      Joe Greco <jgreco@brasil.moneng.mei.com>
To:        phk@critter.tfs.com (Poul-Henning Kamp)
Cc:        jgreco@brasil.moneng.mei.com, fenner@parc.xerox.com, nate@sri.MT.net, stable@freebsd.org, current@freebsd.org
Subject:   Re: IPFW (was: Re: -stable hangs at boot)
Message-ID:  <199602292016.OAA06433@brasil.moneng.mei.com>
In-Reply-To: <2612.825584015@critter.tfs.com> from "Poul-Henning Kamp" at Feb 29, 96 09:53:35 am

> > Technically, one might want to place its much-less-often-considered brother
> > in the firewall too...  the one that prevents OUTgoing packets that do NOT
> > have a 13.0.0.0 address...
> > 
> > (no I don't do this either but I should).
> 
> And if you're on a lousy ISP, also a filter to block all of the "private"
> networks, 192.168.x.x and so on, (RFC 1596 ?)

Okay, firewall debaters.  Here's what I've done on gateway.inr.sol.net.
204.95.219.1 is the local address of my T1 interface.  206.55.64.17 is the
address of the router on my backbone Ethernet.

Commentary in curly braces.

#! /bin/sh -

PATH=/sbin; export PATH

# Flush whatever rules are already installed, then build the list from scratch
ipfw f
echo "Installing Firewall"
#
# ----- IP Bad Address Prevention Section -----

# { Packets from these addresses should never be coming in }

# Block RFC1597 "Private Internets" (inbound)
ipfw addf deny all from 10.0.0.0/8 to 0/0 via 204.95.219.1
# 172.16.0.0/12 is the whole RFC1597 block (172.16.0.0 - 172.31.255.255);
# a /16 here would only have covered 172.16.x.x
ipfw addf deny all from 172.16.0.0/12 to 0/0 via 204.95.219.1
ipfw addf deny all from 192.168.0.0/16 to 0/0 via 204.95.219.1
# Block other "Shouldn't Exist" Internets (inbound)
ipfw addf deny all from 127.0.0.0/8 to 0/0 via 204.95.219.1
ipfw addf deny all from 0.0.0.0/8 to 0/0 via 204.95.219.1

# { Likewise, we should never allow packets with these addresses }
# { as source or destination to go out onto the Big Net }

# Block RFC1597 "Private Internets" as Source Address (outbound)
ipfw addf deny all from 10.0.0.0/8 to 0/0 via 206.55.64.17
ipfw addf deny all from 172.16.0.0/12 to 0/0 via 206.55.64.17
ipfw addf deny all from 192.168.0.0/16 to 0/0 via 206.55.64.17
# Block RFC1597 "Private Internets" as Destination Address (outbound)
ipfw addf deny all from 0/0 to 10.0.0.0/8 via 206.55.64.17
ipfw addf deny all from 0/0 to 172.16.0.0/12 via 206.55.64.17
ipfw addf deny all from 0/0 to 192.168.0.0/16 via 206.55.64.17
# Block other "Shouldn't Exist" Internets as Destination Address (outbound)
ipfw addf deny all from 0/0 to 127.0.0.0/8 via 206.55.64.17
ipfw addf deny all from 0/0 to 0.0.0.0/8 via 206.55.64.17
# Block other "Shouldn't Exist" Internets as Source Address (outbound)
ipfw addf deny all from 127.0.0.0/8 to 0/0 via 206.55.64.17
ipfw addf deny all from 0.0.0.0/8 to 0/0 via 206.55.64.17
#
# ----- IP Spoofing Prevention Section -----

# { Prevent packets that claim to have source addresses on our networks }
# { from entering from outside our networks }

# Block SOLNET-BLK-1 (inbound)
ipfw addf deny all from 206.55.64.0/20 to 0/0 via 204.95.219.1
# Block INCNET-172 (inbound)
ipfw addf deny all from 204.95.172.0/24 to 0/0 via 204.95.219.1
# Block INCNET-219 (inbound)
ipfw addf deny all from 204.95.219.0/24 to 0/0 via 204.95.219.1

# { Now do something funny.  Block *every* outbound source address and }
# { then re-allow JUST those that could potentially be generated on our }
# { networks.  Yes this means that the above checks for "Private }
# { Internets" as Source Address checks are not strictly necessary. }

#
# Disallow all Source Addresses (outbound)
ipfw addf deny all from 0/0 to 0/0 via 206.55.64.17
# Allow SOLNET-BLK-1 (outbound)
ipfw addf accept all from 206.55.64.0/20 to 0/0 via 206.55.64.17
# Allow INCNET-172 (outbound)
ipfw addf accept all from 204.95.172.0/24 to 0/0 via 206.55.64.17
# Allow INCNET-219 (outbound)
ipfw addf accept all from 204.95.219.0/24 to 0/0 via 206.55.64.17

What have I forgotten, if anything?  :-)

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator			      jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI			   414/546-7968
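An added check, not part of Joe's message or of ipfw itself, that expresses the same address policy in plain Python so it can be tested against sample packets: private and bogus prefixes are dropped on the way in and out, anything claiming one of our own prefixes is dropped on the way in, and on the way out only our own prefixes are allowed as source. Prefixes and interface roles are those in the message; the ipfw rule-matching order is not emulated, and the sample packets (192.0.2.0/24 as a remote site) are constructed.

```python
import ipaddress

# Prefix lists taken from the message. 172.16.0.0/12 is the whole RFC 1597
# block; a /16 would leave 172.17.0.0 - 172.31.255.255 unfiltered.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BOGUS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/8")]
OURS = [ipaddress.ip_network(n) for n in ("206.55.64.0/20", "204.95.172.0/24", "204.95.219.0/24")]

def in_any(addr, nets):
    return any(addr in net for net in nets)

def inbound(src, private=PRIVATE):
    """Packet arriving from the Internet on the T1 (204.95.219.1 in the message).
    Drop private/bogus sources and anything claiming one of our own prefixes."""
    src = ipaddress.ip_address(src)
    if in_any(src, private) or in_any(src, BOGUS) or in_any(src, OURS):
        return "deny"
    return "accept"

def outbound(src, dst):
    """Packet from our networks heading out (via 206.55.64.17 in the message).
    No private/bogus source or destination, and the source must be one of our
    prefixes: the default-deny-then-re-allow idea from the message."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_any(src, PRIVATE + BOGUS) or in_any(dst, PRIVATE + BOGUS):
        return "deny"
    return "accept" if in_any(src, OURS) else "deny"

if __name__ == "__main__":
    # Constructed sample packets; 192.0.2.0/24 stands in for an ordinary remote site
    print("inbound 172.20.1.1 (/12 list):", inbound("172.20.1.1"))
    print("inbound 172.20.1.1 (/16 list):",
          inbound("172.20.1.1", private=[ipaddress.ip_network("172.16.0.0/16")]))
    print("inbound 206.55.64.9 (our prefix from outside):", inbound("206.55.64.9"))
    print("outbound 192.0.2.9 -> 192.0.2.7 (not our address):", outbound("192.0.2.9", "192.0.2.7"))
    print("outbound 206.55.70.3 -> 192.0.2.7:", outbound("206.55.70.3", "192.0.2.7"))
```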