Date: Tue, 24 Oct 2000 20:49:12 -0700 (PDT)
From: "Mike Hoskins" <mike@adept.org>
To: Andrew Johns <johnsa@kpi.com.au>, peter@sysadmin-inc.com, freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
Message-ID: <20001025034912.7190E9EE01@snafu.adept.org>
> b) Forget the RFC1918 denies and only allow specific target IP/ports
> through and explicitly deny everything else.

My personal favorite, i.e.:

    check-state
    allow ip from a.b.c.d to any keep-state
    allow ip from x.y.z.z/24 to any keep-state
    allow tcp from NS1 to a.b.c.d 53 setup
    allow udp from NS1 to a.b.c.d 53
    allow udp from a.b.c.d 53 to any
    allow tcp from any to a.b.c.d 25 setup
    allow tcp from any to a.b.c.d 22 in keep-state lifetime 3600
    allow tcp from any to a.b.c.d 80 setup
    allow tcp from any to a.b.c.d 443 setup
    allow tcp from NTP to a.b.c.d 123 setup
    allow udp from NTP to a.b.c.d 123

Note:
    a.b.c.d  == outside IP
    x.y.z.z  == internal network
    NS1      == primary nameserver's IP
    NTP      == NTP server's IP

This builds dynamic rules for internal hosts and allows access to tcp/udp 53 from our upstream nameserver, DNS queries to the world, SMTP, SSH (setting timeout to 1 hour vs. default sysctl values thanks to Aaron Gifford's patches), HTTP, SSL, and NTP.

This is certainly more of a custom firewall chain than a slight modification to rc.firewall's 'simple' configuration, but I'm usually anal enough I wouldn't feel comfortable any other way. ;) Also remember that this is just a quick example... read the man page for a more detailed understanding.

-mrh
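As an added illustration (not part of the message above, nor of FreeBSD's rc.firewall or ipfw itself), the following Python model walks sample packets through the ruleset quoted in the reply, reducing check-state/keep-state to a flow table so the effect of the chain can be checked offline. The addresses are constructed stand-ins for a.b.c.d, x.y.z.z/24, NS1 and NTP; the `in` direction qualifier and the per-rule `lifetime` are not modelled.

```python
from ipaddress import ip_address, ip_network

# Stand-in addresses (constructed; RFC 5737 documentation ranges)
OUTSIDE, INTERNAL = "192.0.2.10", "10.0.0.0/24"   # a.b.c.d, x.y.z.z/24
NS1, NTP = "198.51.100.53", "198.51.100.123"      # nameserver, NTP server

# Static rules in the post's order: proto, src, sport, dst, dport, flags.
# "setup" = TCP SYN-only packets; "keep-state" = record the flow so later
# packets of it (either direction) are admitted by the leading check-state.
RULES = [
    ("ip",  OUTSIDE,  "any", "any",   "any", {"keep-state"}),
    ("ip",  INTERNAL, "any", "any",   "any", {"keep-state"}),
    ("tcp", NS1,      "any", OUTSIDE, 53,    {"setup"}),
    ("udp", NS1,      "any", OUTSIDE, 53,    set()),
    ("udp", OUTSIDE,  53,    "any",   "any", set()),
    ("tcp", "any",    "any", OUTSIDE, 25,    {"setup"}),
    ("tcp", "any",    "any", OUTSIDE, 22,    {"keep-state"}),
    ("tcp", "any",    "any", OUTSIDE, 80,    {"setup"}),
    ("tcp", "any",    "any", OUTSIDE, 443,   {"setup"}),
    ("tcp", NTP,      "any", OUTSIDE, 123,   {"setup"}),
    ("udp", NTP,      "any", OUTSIDE, 123,   set()),
]

def _addr(want, have):
    return want == "any" or ip_address(have) in ip_network(want, strict=False)

def _port(want, have):
    return want == "any" or want == have

def evaluate(pkt, state):
    """pkt = (proto, src, sport, dst, dport, syn). Returns 'allow' or 'deny'
    and records new keep-state flows in `state` (a set). First match wins,
    as in ipfw; anything unmatched hits the implicit final deny."""
    proto, src, sport, dst, dport, syn = pkt
    flow, rev = (proto, src, sport, dst, dport), (proto, dst, dport, src, sport)
    if flow in state or rev in state:          # check-state: known flow
        return "allow"
    for rproto, rsrc, rsport, rdst, rdport, flags in RULES:
        if rproto not in ("ip", proto):
            continue
        if not (_addr(rsrc, src) and _addr(rdst, dst)
                and _port(rsport, sport) and _port(rdport, dport)):
            continue
        if "setup" in flags and not syn:       # setup only admits SYNs
            continue
        if "keep-state" in flags:
            state.add(flow)                    # create the dynamic rule
        return "allow"
    return "deny"
```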
