Date: Fri, 28 Dec 2001 17:13:06 -0500 From: "Joe & Fhe Barbish" <barbish@a1poweruser.com> To: "Jonathan Chen" <jonc@chen.org.nz> Cc: "FBSD Questions" <questions@FreeBSD.ORG> Subject: RE: avoid ping Message-ID: <LPBBIGIAAKKEOEJOLEGOKEKJCKAA.barbish@a1poweruser.com> In-Reply-To: <20011229100814.A24652@grimoire.chen.org.nz>
next in thread | previous in thread | raw e-mail | index | archive | help
Thanks for the fast reply. Your answer helped me add rules to stop ping echo
attacks.
I built my rules set from the rc.firewall simple default.
I still working on adding the following functions yet.
Allow pings on internal net and out to internet.
Allow telenet access from tun1, local net, and from outside internet.
Allow ftp access from tun1, local net, and from outside internet.
Would you please critique my rules file below for completeness that
in general that all the common attack doors are closed?
Thanks for your expert help.
Joe
############
#
# Define IPFW firewall rules for gateway.a1poweruser.com
#
# user ppp tun0 dial out to ISP with dynamic IP addresses assigned
# user ppp tun1 dial in to this box with dynamic IP addresses
assigned
# User ppp nat not used. natd used. Private Ip address used inside
# 3 winx boxes on LAN with static IP address hard coded.
# protect the whole private network from loss of service attacks
#
############
# Set rules command prefix
#
fwcmd="/sbin/ipfw"
# Flush out the list before we begin.
#
${fwcmd} -f flush
# Set defaults
# set these to your outside interface network and netmask and ip
# for dynamic IP address from ISP use there range
oif="tun0"
onet="62.70.155.1/24" # dynamic IP address range issued by ISP
omask="62.70.155.0" # mask 62.70.155.0 thru 62.70.155.255
oip="62.70.155.1/24"
odns="208.206.15.11" # ISP's dns IP address
# set these to your inside interface network and netmask and ip
iif="xl0" # Nic card
inet="10.0.10.1" # IP address of Nic card
imask="10.0.10.0" # mask 10.0.10.0 thru 10.0.10.255
iip="10.0.10.1"
# Don't know what these are doing
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop ping echo attacks
# deny echo reply (ICMP type 0), and echo request (type 8).
${fwcmd} add deny icmp from any to ${onet}:${omask} icmptype 0 in via
${oif}
${fwcmd} add deny icmp from any to ${onet}:${omask} icmptype 8 in
via ${oif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately.
# All rules above check traffic from public internet before nat does it
# thing.
# All the rules following the nat check the private net.
${fwcmd} add divert natd all from any to any via ${oif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
${fwcmd} add pass tcp from any to ${odns} 53 setup
${fwcmd} add pass udp from any to ${odns} 53
${fwcmd} add pass udp from ${odns} 53 to any
# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state
# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state
# Everything else is denied by default
-----Original Message-----
From: Jonathan Chen [mailto:jonc@chen.org.nz]
Sent: Friday, December 28, 2001 4:08 PM
To: Joe & Fhe Barbish
Cc: FBSD Questions
Subject: Re: avoid ping
On Fri, Dec 28, 2001 at 01:10:21PM -0500, Joe & Fhe Barbish wrote:
> You responded
> ipfw add 400 deny icmp from any to ${you} icmptype 8
> Where ${you} is the public IP address of your machine, or network
> address of your subnet.
>
> I respond.
> ${you} is the static IP address issued by your ISP. How do I get
> this value if my ISP does dynamic IP assignments?
You could write it like this:
ipfw add 400 deny icmp from any to me icmptype 8 via ${IF}
where ${IF} is the interface involved (eg: xl0, fxp0, etc).
Cheers.
--
Jonathan Chen <jonc@chen.org.nz>
----------------------------------------------------------------------
If you're right 90% of the time, why quibble about the remaining 3%?
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?LPBBIGIAAKKEOEJOLEGOKEKJCKAA.barbish>