Date:      Tue, 9 Sep 2014 16:50:42 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        John Case <case@SDF.ORG>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Can I make this simple ipfw ruleset any more restrictive ?
Message-ID:  <20140909235042.GP82175@funkthat.com>
In-Reply-To: <Pine.NEB.4.64.1409092333450.17244@faeroes.freeshell.org>
References:  <Pine.NEB.4.64.1409092333450.17244@faeroes.freeshell.org>

John Case wrote this message on Tue, Sep 09, 2014 at 23:37 +0000:
> 
> I have a very simple firewall - it *blocks everything*, and the only 
> traffic that is allowed is for internal clients to make outbound 
> connections to tcp port 40.
> 
> Also, internal clients can ping/traceroute.
> 
> But that's it - no other connections in or out are allowed.  I have this 
> ruleset and it is working perfectly:
> 
> ipfw add 10 allow tcp from any to any established
> ipfw add 20 allow icmp from any to any icmptypes 0,3,8,11
> ipfw add 30 allow udp from any to any 33433-33499 in via fxp1
> ipfw add 40 allow tcp from any to any 40 in via fxp1
> 
> (fxp1 is the internal interface, and so I allow the port 40 connections 
> and the udp for traceroute only for requests that come in from the 
> internal network)
> 
> Is there anything I have screwed up here ?  Any unintentional traffic that 
> I am letting through ?
> 
> Is there any way to lock this down further, and make it even more strict ?

You could lock down the UDP ports to a single one and remember to use
-e with traceroute:
     -e      Firewall evasion mode.  Use fixed destination ports for UDP and
             TCP probes.  The destination port does NOT increment with each
             packet sent.


-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
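
The tightened set John-Mark describes, as an added example that is not part of the thread (neither poster's ruleset nor FreeBSD's own code): the original four rules with the traceroute UDP range collapsed to one port, plus a small check that tells you which UDP destination ports the set still admits. Assumptions not stated on the page: fxp1 is the inside interface, 40 is the permitted TCP port, and traceroute is run with -e so every probe goes to its base port, 33434 unless -p selects another.

```shell
#!/bin/sh
# Added example, not code from the thread.  Builds the reply's tightened
# ipfw set (UDP range -> single traceroute port) and offers a check of
# which UDP destination ports remain open.
# Assumptions: inside interface fxp1, permitted TCP port 40, and
# traceroute run with -e so the probe port stays at its base (33434
# by default on FreeBSD; -p picks another).

INSIDE_IF=fxp1
ALLOWED_TCP_PORT=40
TRACEROUTE_PORT=33434

# Emit the rules instead of loading them, so they can be reviewed and
# tested before they replace a working set.
build_ruleset() {
    cat <<EOF
add 10 allow tcp from any to any established
add 20 allow icmp from any to any icmptypes 0,3,8,11
add 30 allow udp from any to any $TRACEROUTE_PORT in via $INSIDE_IF
add 40 allow tcp from any to any $ALLOWED_TCP_PORT in via $INSIDE_IF
EOF
}

# Exit 0 if some "allow udp" rule admits destination port $1, else 1.
# Understands both a single port and an ipfw lo-hi range, so the same
# check works against the original 33433-33499 rule.
udp_port_allowed() {
    build_ruleset | awk -v port="$1" '
        $1 == "add" && $3 == "allow" && $4 == "udp" {
            n  = split($9, r, "-")
            lo = r[1] + 0
            hi = (n == 2 ? r[2] : r[1]) + 0
            if (port + 0 >= lo && port + 0 <= hi) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Load the set.  Flushing drops every rule except the implicit default
# deny (65535), so run this from the console, not over a remote session.
apply_ruleset() {
    ipfw -q -f flush
    build_ruleset | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting is intended here)
        ipfw -q $rule
    done
}

# Usage:  sh tighten-ipfw.sh         -> print the rules
#         sh tighten-ipfw.sh apply   -> flush and load them (as root)
# Inside hosts then trace with:  traceroute -e host
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    build_ruleset
fi
```

With the single-port rule, `udp_port_allowed 33435` fails, whereas under the original 33433-33499 range it succeeds; that is the whole difference the reply is after. Rules 10, 20 and 40 are carried over unchanged, and it is worth knowing that ipfw's `established` keyword (per ipfw(8)) matches any TCP packet with the ACK or RST bit set in either direction, so the set remains stateless; the reply does not address that, and neither does this example.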



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140909235042.GP82175>