Date: Wed, 17 Jul 2002 07:28:16 -0500
From: Greg Panula <greg.panula@dolaninformation.com>
To: markd@cogeco.ca
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw and it's glory...
Message-ID: <3D3562E0.A204EE05@dolaninformation.com>
References: <000101c22d1a$a54d6e70$6401a8c0@promethium>
Mark D wrote:
>
> Hello,
>
> First, I hope this is appropriate for this list, if not I'll
> gladly repost. I thought this could be a freebsd-questions question, but
> hey, I took a chance.
>
> Alright, here we go... I plan to run http, ftp, ssh, smtp, and
> pop on a lan box (I'm going to treat it as a real box - just so I can be
> ready for when I do this in the future). I'd like http, ftp, pop, and
> smtp to be open to anyone and for ssh connections to be only allowed
> when I add the rule (to allow that specific host).
>
> I've read the man pages on ipfw and some other documents but am
> still confused. Here is what I've put together so far (go easy on me);
>
> allow ip from trusted-ip-addy-1 to any
> allow ip from trusted-ip-addy-2 to any
> allow log tcp from any to any established
> allow log tcp from trusted-ip-addy-1 to any 22 in setup
> allow log udp from internal-addy to any 53
> allow log udp from any 53 to internal-addy
> allow log tcp from any to internal-addy 80,21,110,15 setup
> -
> 65535 deny ip from any to any
>
> So... I'm not sure if that is the best approach (maybe adding a
> 'check state' here and a 'established' there ;p), but I'm hoping the
> subscribers of this list could give me some insight on securing it
> properly and only allowing in/out what I've specified above.
>
> I thank you in advance.
>

Here's my two bits... suitable for cut&paste into /etc/rc.firewall even.

    [Mm][Aa][Rr][Kk])
        pip="<public ip address, e.g. 4.4.4.4>"
        pnic="<public nic, e.g. fxp0>"
        t1="<trusted address, e.g. 30.30.30.30>"
        t2="<trusted address>"

        # allow traffic to flow unrestricted across the loopback interface
        ${fwcmd} add allow ip from any to any via lo0

        # allow certain icmp traffic to flow to&from the box
        # optional but useful
        ${fwcmd} add allow icmp from any to ${pip} icmptype 0,3,4,8,11,12
        ${fwcmd} add allow icmp from ${pip} to any icmptype 0,3,4,8,11,12

        # check the state table
        ${fwcmd} add 10000 check-state

        # allow in certain services(ftp,smtp,http,pop3)
        # and add it to the state table
        ${fwcmd} add allow tcp from any to ${pip} 21,25,80,110 keep-state in via ${pnic}

        # allow outbound dns queries from the box
        ${fwcmd} add allow udp from ${pip} to any 53 keep-state out via ${pnic}

        # allow inbound ssh traffic from trusted addresses
        ${fwcmd} add allow tcp from ${t1} to ${pip} 22 keep-state in via ${pnic}
        ${fwcmd} add allow tcp from ${t2} to ${pip} 22 keep-state in via ${pnic}

        # deny and log the rest
        ${fwcmd} add 65000 deny log ip from any to any

        echo firewall ruleset mark loaded
        ;;

Then in /etc/rc.conf just add

    firewall_enable="YES"
    firewall_type="MARK"
    firewall_logging="YES"

good luck,
greg
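With firewall_logging="YES" and the final "deny log" rule, every packet that reaches rule 65000 is written to syslog. The following is an added example, not code from either poster: a small parser for those ipfw log lines that counts denies per source and flags addresses repeatedly hitting one TCP port (for instance ssh attempts from hosts that are not in the trusted list). The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed syslog lines in the format ipfw uses for rules carrying "log";
# the ICMP form carries no ports and appends type.code to the protocol.
SAMPLE_LOG = """\
Jul 17 07:30:01 lanbox /kernel: ipfw: 65000 Deny TCP 192.0.2.10:40212 203.0.113.4:22 in via fxp0
Jul 17 07:30:02 lanbox /kernel: ipfw: 65000 Deny TCP 192.0.2.10:40213 203.0.113.4:22 in via fxp0
Jul 17 07:30:05 lanbox /kernel: ipfw: 65000 Deny TCP 192.0.2.10:40214 203.0.113.4:22 in via fxp0
Jul 17 07:31:10 lanbox /kernel: ipfw: 65000 Deny UDP 198.51.100.7:5353 203.0.113.4:161 in via fxp0
Jul 17 07:31:12 lanbox /kernel: ipfw: 65000 Deny TCP 198.51.100.9:33001 203.0.113.4:23 in via fxp0
Jul 17 07:32:00 lanbox /kernel: ipfw: 65000 Deny ICMP:5.0 192.0.2.33 203.0.113.4 in via fxp0
"""

IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["rule"] = int(ev["rule"])
    ev["sport"] = int(ev["sport"]) if ev["sport"] else None
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def denied_per_source(log_text):
    """Count Deny events per source address (hits on the catch-all rule)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_ipfw_line(line)
        if ev and ev["action"] == "Deny":
            counts[ev["src"]] += 1
    return counts


def repeated_port_probes(log_text, port, threshold=3):
    """Sources denied at least `threshold` times to one TCP port."""
    per_src = Counter()
    for line in log_text.splitlines():
        ev = parse_ipfw_line(line)
        if ev and ev["action"] == "Deny" and ev["proto"] == "TCP" and ev["dport"] == port:
            per_src[ev["src"]] += 1
    return {src: n for src, n in per_src.items() if n >= threshold}
```

Feeding /var/log/security (or wherever syslog puts the kernel facility) through repeated_port_probes(..., 22) shows which addresses keep hitting the ssh port without being in t1/t2.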