From owner-freebsd-security Tue Oct 24 20:49:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id A83C837B479 for ; Tue, 24 Oct 2000 20:49:32 -0700 (PDT)
Received: by snafu.adept.org (Postfix, from userid 65532) id 7190E9EE01; Tue, 24 Oct 2000 20:49:12 -0700 (PDT)
From: "Mike Hoskins"
To: Andrew Johns , peter@sysadmin-inc.com, freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
X-Mailer: NeoMail 1.20pre3
X-IPAddress: 206.136.108.22
MIME-Version: 1.0
Message-Id: <20001025034912.7190E9EE01@snafu.adept.org>
Date: Tue, 24 Oct 2000 20:49:12 -0700 (PDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> b) Forget the RFC1918 denies and only allow specific target IP/ports
> through and explicitly deny everything else.

My personal favorite, i.e.:

    check-state
    allow ip from a.b.c.d to any keep-state
    allow ip from x.y.z.z/24 to any keep-state
    allow tcp from NS1 to a.b.c.d 53 setup
    allow udp from NS1 to a.b.c.d 53
    allow udp from a.b.c.d 53 to any
    allow tcp from any to a.b.c.d 25 setup
    allow tcp from any to a.b.c.d 22 in keep-state lifetime 3600
    allow tcp from any to a.b.c.d 80 setup
    allow tcp from any to a.b.c.d 443 setup
    allow tcp from NTP to a.b.c.d 123 setup
    allow udp from NTP to a.b.c.d 123

Note:
    a.b.c.d  == outside IP
    x.y.z.z  == internal network
    NS1      == primary nameserver's IP
    NTP      == NTP server's IP

This builds dynamic rules for internal hosts and allows access to tcp/udp 53 from our upstream nameserver, DNS queries to the world, SMTP, SSH (setting timeout to 1 hour vs. default sysctl values thanks to Aaron Gifford's patches), HTTP, SSL, and NTP. This is certainly more of a custom firewall chain than a slight modification to rc.firewall's 'simple' configuration, but I'm usually anal enough I wouldn't feel comfortable any other way. ;)

Also remember that this is just a quick example... read the man page for a more detailed understanding.

-mrh
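The ruleset above as a complete, self-contained sh script in the style of rc.firewall. This is an added example, not Mike's script or anything from the FreeBSD tree: the addresses and the interface name are constructed placeholders, and the rules are emitted by a function so they can be reviewed (or tested) offline before anything is loaded into the kernel. Two things the posted snippet leaves implicit are made explicit here: a final logged deny, because whether unmatched packets are dropped depends on the kernel's IPFIREWALL_DEFAULT_TO_ACCEPT option rather than on the rule list; and the SSH state timeout, which the posted `lifetime 3600` modifier needs Aaron Gifford's patches for. Stock ipfw has no per-rule lifetime, so the script assumes the standard `net.inet.ip.fw.dyn_ack_lifetime` sysctl instead, which changes the timeout for every established dynamic rule, not just SSH.

```shell
#!/bin/sh
# Added example: a custom ipfw ruleset in rc.firewall style.
# All addresses below are constructed placeholders (RFC 5737 / RFC 1918),
# not values from the original post.  Edit them before use.

oip="192.0.2.10"        # a.b.c.d  -- address of the outside interface
inet="192.168.1.0/24"   # x.y.z.z  -- the internal network
ns1="198.51.100.53"     # NS1      -- upstream nameserver
ntp="198.51.100.123"    # NTP      -- NTP server
fwcmd="/sbin/ipfw"      # assumed path to ipfw(8)

# Print the ruleset, one "add ..." command per line, so it can be inspected
# (or checked by a test) without touching the running kernel.
fw_rules() {
    cat <<EOF
add 100 check-state
add 200 allow ip from ${oip} to any keep-state
add 210 allow ip from ${inet} to any keep-state
add 300 allow tcp from ${ns1} to ${oip} 53 setup
add 310 allow udp from ${ns1} to ${oip} 53
add 320 allow udp from ${oip} 53 to any
add 400 allow tcp from any to ${oip} 25 setup
add 410 allow tcp from any to ${oip} 22 in keep-state
add 420 allow tcp from any to ${oip} 80 setup
add 430 allow tcp from any to ${oip} 443 setup
add 500 allow tcp from ${ntp} to ${oip} 123 setup
add 510 allow udp from ${ntp} to ${oip} 123
add 65000 deny log ip from any to any
EOF
}

# Sanity check the generated rules: check-state must come first (otherwise the
# dynamic rules built by keep-state are never consulted) and the list must end
# in an explicit deny, so the kernel default does not decide the outcome.
fw_check() {
    first="$(fw_rules | head -n 1)"
    last="$(fw_rules | tail -n 1)"
    case "$first" in *check-state*) ;; *) return 1 ;; esac
    case "$last"  in "add 65000 deny"*) ;; *) return 1 ;; esac
    return 0
}

# Load the rules.  Flush first; loading line by line avoids relying on ipfw
# reading a rule file, which differs between FreeBSD releases.
fw_apply() {
    [ -x "$fwcmd" ] || { echo "fw_apply: $fwcmd not found" >&2; return 1; }
    fw_check || { echo "fw_apply: ruleset failed sanity check" >&2; return 1; }
    "$fwcmd" -q -f flush
    fw_rules | while read -r line; do
        # shellcheck disable=SC2086  (word splitting is intended here)
        "$fwcmd" -q $line
    done
    # Assumption: stock ipfw, so the 1-hour SSH state timeout from the post is
    # approximated with the global dynamic-rule ACK lifetime (seconds).
    sysctl -w net.inet.ip.fw.dyn_ack_lifetime=3600
}

# Only apply when explicitly asked, e.g. "sh rc.firewall.custom apply".
[ "${1:-}" = "apply" ] && fw_apply
```

Run `sh rc.firewall.custom` (no argument) to print nothing and just define the functions, `sh -c '. ./rc.firewall.custom; fw_rules'` to review the generated list, and `sh rc.firewall.custom apply` as root to load it. Rule 410 allows SSH in with keep-state rather than setup so the return traffic matches the dynamic rule; everything else inbound that is not explicitly listed falls through to rule 65000 and is logged, which is the "explicitly deny everything else" half of the quoted suggestion.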