From owner-freebsd-questions Sat Feb 7 16:23:52 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA28781 for questions-outgoing; Sat, 7 Feb 1998 16:23:52 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from infowest.com (infowest.com [204.17.177.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA28776 for ; Sat, 7 Feb 1998 16:23:49 -0800 (PST) (envelope-from agifford@infowest.com)
Received: from infowest.com (gandalf.eq.net [207.49.60.254]) by infowest.com (8.8.5/8.8.5) with ESMTP id RAA10994 for ; Sat, 7 Feb 1998 17:23:47 -0700 (MST)
Message-ID: <34DCFAF4.576BB4D1@infowest.com>
Date: Sun, 08 Feb 1998 00:23:16 +0000
From: "Aaron D. Gifford"
X-Mailer: Mozilla 4.03 [en] (X11; U; FreeBSD 2.2.5-STABLE i386)
MIME-Version: 1.0
To: questions@FreeBSD.ORG
Subject: Simple ipfw filter for my dial-up FreeBSD box
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG
X-To-Unsubscribe: mail to majordomo@FreeBSD.org "unsubscribe questions"

Hello,

I've been trying to get my ipfw list tuned just right, and so I'm looking for suggestions/comments. My current ipfw list is listed below. My ISP-assigned dynamic IP is stored in the $ip variable, the name of the external dial-up interface (tun0) is in $extern, and the loopback interface (lo0) is in $loop.

I'm also wondering what I should add to permit ping to work correctly. What sort of icmp permit lines are other folks using?

Finally, I absolutely HATE the way udp DNS queries are permitted (and NTP udp communication) in my list below. Any suggestions?

Thanks in advance!

Aaron out.
# ====== HERE IT IS =====
#
# First deny obviously spoofed packets:
/sbin/ipfw add deny log all from 127.0.0.1 to any via ${extern}
/sbin/ipfw add deny log all from ${ip} to any in via ${extern}
/sbin/ipfw add deny log all from 192.168.0.0:255.255.0.0 to any
/sbin/ipfw add deny log all from 172.16.0.0:255.240.0.0 to any
/sbin/ipfw add deny log all from 10.0.0.0:255.0.0.0 to any

# Pass all other localhost traffic:
/sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1 via ${loop}
/sbin/ipfw add pass all from ${ip} to 127.0.0.1 via ${loop}
/sbin/ipfw add pass all from 127.0.0.1 to ${ip} via ${loop}
/sbin/ipfw add pass all from ${ip} to ${ip} via ${loop}

# Pass any already established TCP connections:
/sbin/ipfw add pass tcp from any to any established

# Pass outgoing new TCP session setup packets:
/sbin/ipfw add pass tcp from ${ip} to any setup

# Pass new incoming SSH connections:
/sbin/ipfw add pass tcp from any to ${ip} 22 in via ${extern} setup

# Pass new incoming HTTP connections:
/sbin/ipfw add pass tcp from any to ${ip} 80 in via ${extern} setup

# Pass incoming TCP connections to my DNS server:
/sbin/ipfw add pass tcp from any to ${ip} 53 in via ${extern} setup

# Deny all other TCP connection setup attempts:
/sbin/ipfw add deny log tcp from any to any in via ${extern} setup

# Pass outgoing DNS queries:
/sbin/ipfw add pass udp from ${ip} to any 53 out via ${extern}

# Pass incoming DNS replies:
# (This sure is ugly! It allows someone to do a udp portscan from port 53.)
/sbin/ipfw add pass udp from any 53 to ${ip} in via ${extern}

# Pass outgoing NTP queries:
/sbin/ipfw add pass udp from ${ip} to any 123 out via ${extern}

# Pass incoming NTP replies:
# (This sure is ugly! It allows someone to do a udp portscan from port 123.)
/sbin/ipfw add pass udp from any 123 to ${ip} in via ${extern}

# I wish I had some good permit lines here to allow outgoing
# ping packets the returning replies -- ICMP something or other???

# Toast EVERYTHING else:
/sbin/ipfw add deny log all from any to any
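The following is an added example, not part of Aaron's post, showing one way to address the two questions raised above on a stateless ipfw of that era: ICMP permits limited to echo requests going out and echo replies, destination-unreachable and time-exceeded coming back (the types ping, path MTU discovery and traceroute need), and the UDP reply rules narrowed so that a packet with source port 53 or 123 can only reach the local ports a reply would actually go to, instead of every port on the host. The script only generates the rule lines; applying them goes through a pluggable IPFW command that defaults to echo, so it can be reviewed offline before being pointed at the real /sbin/ipfw. Assumptions: the address 192.0.2.10 is a TEST-NET placeholder for the dial-up address; the icmptypes keyword and the port-port range syntax are supported by the ipfw(8) in use; the libc resolver sends queries from an unprivileged port while a local named and ntpd source their packets from ports 53 and 123 respectively. The function names gen_rules and apply_rules are the example's own.

```shell
#!/bin/sh
# Added example: generate a dial-up ipfw ruleset with ICMP permits and
# narrowed UDP reply rules. Not the original poster's script.

ip="${ip:-192.0.2.10}"          # placeholder (TEST-NET); set to the dial-up address
extern="${extern:-tun0}"        # external (PPP) interface
loop="${loop:-lo0}"             # loopback interface
IPFW="${IPFW:-echo /sbin/ipfw}" # dry run by default; set IPFW=/sbin/ipfw to apply

# Print one rule body per line, in the order they should be added.
gen_rules() {
    # Anti-spoof: loopback and our own address never arrive from the wire,
    # and RFC 1918 space is not routable over the ISP link.
    echo "deny log all from 127.0.0.0:255.0.0.0 to any via ${extern}"
    echo "deny log all from ${ip} to any in via ${extern}"
    echo "deny log all from 192.168.0.0:255.255.0.0 to any in via ${extern}"
    echo "deny log all from 172.16.0.0:255.240.0.0 to any in via ${extern}"
    echo "deny log all from 10.0.0.0:255.0.0.0 to any in via ${extern}"

    # Everything on the loopback interface is local by definition.
    echo "pass all from any to any via ${loop}"

    # TCP: existing flows, our own new sessions, and three inbound services.
    echo "pass tcp from any to any established"
    echo "pass tcp from ${ip} to any setup out via ${extern}"
    for port in 22 80 53; do
        echo "pass tcp from any to ${ip} ${port} in via ${extern} setup"
    done
    echo "deny log tcp from any to any in via ${extern} setup"

    # UDP DNS: queries out; replies only to named (port 53, assumption) or
    # to the unprivileged range the libc resolver uses. Ports 1-1023 other
    # than 53 are no longer reachable from a packet with source port 53.
    echo "pass udp from ${ip} to any 53 out via ${extern}"
    echo "pass udp from any 53 to ${ip} 53 in via ${extern}"
    echo "pass udp from any 53 to ${ip} 1024-65535 in via ${extern}"

    # UDP NTP: ntpd talks 123 to 123 (assumption), so replies from source
    # port 123 need to reach only local port 123.
    echo "pass udp from ${ip} to any 123 out via ${extern}"
    echo "pass udp from any 123 to ${ip} 123 in via ${extern}"

    # ICMP: echo request out (8); echo reply (0), destination unreachable (3)
    # and time exceeded (11) in. Everything else, including inbound echo
    # requests, is dropped and logged.
    echo "pass icmp from ${ip} to any out via ${extern} icmptypes 8"
    echo "pass icmp from any to ${ip} in via ${extern} icmptypes 0,3,11"
    echo "deny log icmp from any to any in via ${extern}"

    # Default deny.
    echo "deny log all from any to any"
}

# Flush and load the generated rules through $IPFW. $r is deliberately
# unquoted so the shell splits the rule body into separate arguments.
apply_rules() {
    $IPFW -f flush
    gen_rules | while read -r r; do
        $IPFW add $r
    done
}

# Dry run when executed directly; prints the commands that would be run.
[ "${0##*/}" = "ipfw-rules.sh" ] && apply_rules
```

Running the script as ipfw-rules.sh prints the /sbin/ipfw commands without executing them; IPFW=/sbin/ipfw ./ipfw-rules.sh applies them. If the local named is configured to send queries from an unprivileged port, the "to ${ip} 53" DNS reply rule can be dropped. Later ipfw releases added stateful keep-state/check-state rules, which remove the need to open reply ports at all; on an ipfw without them, narrowing the destination ports as shown is the available mitigation.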