From owner-freebsd-net@FreeBSD.ORG Tue Sep 9 23:50:44 2014
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A451EA69; Tue, 9 Sep 2014 23:50:44 +0000 (UTC)
Received: from h2.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "funkthat.com", Issuer "funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 65A3CB1C; Tue, 9 Sep 2014 23:50:44 +0000 (UTC)
Received: from h2.funkthat.com (localhost [127.0.0.1]) by h2.funkthat.com (8.14.3/8.14.3) with ESMTP id s89NogqP024537 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 9 Sep 2014 16:50:42 -0700 (PDT) (envelope-from jmg@h2.funkthat.com)
Received: (from jmg@localhost) by h2.funkthat.com (8.14.3/8.14.3/Submit) id s89Nog17024536; Tue, 9 Sep 2014 16:50:42 -0700 (PDT) (envelope-from jmg)
Date: Tue, 9 Sep 2014 16:50:42 -0700
From: John-Mark Gurney
To: John Case
Cc: freebsd-net@freebsd.org
Subject: Re: Can I make this simple ipfw ruleset any more restrictive ?
Message-ID: <20140909235042.GP82175@funkthat.com>
Mail-Followup-To: John Case, freebsd-net@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD 7.2-RELEASE i386
X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396
X-Files: The truth is out there
X-URL: http://resnet.uoregon.edu/~gurney_j/
X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html
X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE
X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger?
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.2.2 (h2.funkthat.com [127.0.0.1]); Tue, 09 Sep 2014 16:50:42 -0700 (PDT)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Tue, 09 Sep 2014 23:50:44 -0000

John Case wrote this message on Tue, Sep 09, 2014 at 23:37 +0000:
>
> I have a very simple firewall - it *blocks everything*, and the only
> traffic that is allowed is for internal clients to make outbound
> connections to tcp port 40.
>
> Also, internal clients can ping/traceroute.
>
> But that's it - no other connections in or out are allowed. I have this
> ruleset and it is working perfectly:
>
> ipfw add 10 allow tcp from any to any established
> ipfw add 20 allow icmp from any to any icmptypes 0,3,8,11
> ipfw add 30 allow udp from any to any 33433-33499 in via fxp1
> ipfw add 40 allow tcp from any to any 40 in via fxp1
>
> (fxp1 is the internal interface, and so I allow the port 40 connections
> and the udp for traceroute only for requests that come in from the
> internal network)
>
> Is there anything I have screwed up here ? Any unintentional traffic that
> I am letting through ?
>
> Is there any way to lock this down further, and make it even more strict ?

You could lock down the UDP ports to a single one and remember to use -e
with traceroute:

     -e      Firewall evasion mode.  Use fixed destination ports for UDP and
             TCP probes.  The destination port does NOT increment with each
             packet sent.

--
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
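The suggestion above, worked through as a POSIX sh script (an added example, not code from either poster): the ruleset as posted sits beside a tightened variant that opens one UDP destination port instead of the 33433-33499 range, relying on `traceroute -e` so the probe port never increments, and a small checker counts how many UDP ports each ruleset opens. Assumptions not in the thread: fxp1 is taken from the poster's description, port 33434 is assumed as FreeBSD traceroute's default base port (override with TRACE_PORT), the closing `deny ip` rule is an addition so the policy does not depend on the kernel's compiled-in default, and the script only calls ipfw(8) when IPFW_APPLY=1, otherwise it prints the commands.

```shell
#!/bin/sh
# Added example, not from the list thread. Compares the posted ipfw ruleset
# with a tightened one and checks how many UDP destination ports each opens.

IFACE="${IFACE:-fxp1}"            # internal interface named in the thread
TRACE_PORT="${TRACE_PORT:-33434}" # assumed traceroute base port (-p default)

# Ruleset exactly as posted, for comparison.
original_ruleset() {
    cat <<EOF
add 10 allow tcp from any to any established
add 20 allow icmp from any to any icmptypes 0,3,8,11
add 30 allow udp from any to any 33433-33499 in via $IFACE
add 40 allow tcp from any to any 40 in via $IFACE
EOF
}

# Tightened variant: a single UDP port (works with "traceroute -e") and an
# explicit final deny (assumption: added here, not in the posted rules).
tightened_ruleset() {
    cat <<EOF
add 10 allow tcp from any to any established
add 20 allow icmp from any to any icmptypes 0,3,8,11
add 30 allow udp from any to any $TRACE_PORT in via $IFACE
add 40 allow tcp from any to any 40 in via $IFACE
add 65000 deny ip from any to any
EOF
}

# Count distinct UDP destination ports a ruleset allows; "a-b" counts b-a+1.
# Field 9 of "add N allow udp from any to any PORT ..." is the port spec.
udp_ports_opened() {
    printf '%s\n' "$1" | awk '
        $3 == "allow" && $4 == "udp" {
            if (split($9, r, "-") == 2) n += r[2] - r[1] + 1; else n += 1
        }
        END { print n + 0 }'
}

# Apply via ipfw(8) only when IPFW_APPLY=1; otherwise dry-run (print commands).
apply_ruleset() {
    if [ "${IPFW_APPLY:-0}" = "1" ]; then
        printf '%s\n' "$1" | while read -r line; do ipfw $line; done
    else
        printf '%s\n' "$1" | sed 's/^/ipfw /'
    fi
}

# traceroute invocation matching rule 30: -e keeps the destination port fixed,
# -p pins it to the one port the firewall allows.
traceroute_cmd() {
    printf 'traceroute -e -p %s %s\n' "$TRACE_PORT" "$1"
}

# Usage: compare both rulesets, then dry-run the tightened one.
echo "UDP ports opened by posted ruleset:    $(udp_ports_opened "$(original_ruleset)")"
echo "UDP ports opened by tightened ruleset: $(udp_ports_opened "$(tightened_ruleset)")"
apply_ruleset "$(tightened_ruleset)"
traceroute_cmd example.invalid
```

The checker is deliberately narrow: it reads the port field of `allow udp` rules only, so a quick diff of the two counts (67 versus 1) shows exactly what the single-port change buys, and the same function can be pointed at `ipfw list` output that has been stripped of its rule counters.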