From owner-freebsd-security  Fri Jul  3 19:03:46 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id TAA23098
          for freebsd-security-outgoing; Fri, 3 Jul 1998 19:03:46 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from sunra.csci.unt.edu (sunra.csci.unt.edu [129.120.3.43])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA23093
          for <freebsd-security@FreeBSD.ORG>; Fri, 3 Jul 1998 19:03:41 -0700 (PDT)
          (envelope-from louie@sunra.csci.unt.edu)
Received: (from louie@localhost)
	by sunra.csci.unt.edu (8.8.7/8.8.7) id UAA20374
	for freebsd-security@FreeBSD.ORG; Fri, 3 Jul 1998 20:58:16 -0500 (CDT)
	(envelope-from louie)
Date: Fri, 3 Jul 1998 20:58:16 -0500 (CDT)
From: Louie <louie@sunra.csci.unt.edu>
Message-Id: <199807040158.UAA20374@sunra.csci.unt.edu>
To: freebsd-security@FreeBSD.ORG
Subject: ipfw with ppp -alias setup
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm using userland ppp with packet aliasing to give a private
address IP network (192.168.1.x on ed0) Internet access through a
dialup ISP that assigns dynamic IP addresses.  This works.  I'm
also using ipfw for packet filtering.  This also works but since
I don't claim to be a security expert I'm not sure if I've set this
up properly.  I'm using ipfw instead of ppp's packet filtering
because I prefer ipfw's log output.  (Maybe not a good reason.)
My intentions are to block just about everything from the Internet.
(Call me paranoid.)  I've also tried to define an ipfw rule list
using just interface names since the IP addresses my ISP assigns
can vary over multiple class C networks.  I also don't want to have
to rerun ipfw every time I make a new connection with my ISP.

Enough background.  My question is, will this rule list work or
have I just proved I don't know what I'm doing?

# ipfw list
01000 allow ip from any to any via lo0
01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
01110 deny log ip from 192.168.0.0/16 to any in recv tun0
01210 deny log ip from 172.16.0.0/12 to any in recv tun0
01310 deny log ip from 10.0.0.0/8 to any in recv tun0
01410 allow tcp from any to any in recv tun0 established
01510 deny log tcp from any to any in recv tun0 setup
01610 allow tcp from any to any out xmit tun0
01710 allow tcp from any to any via ed0
01810 allow udp from any 53 to any
01910 allow udp from any to any 53
02010 allow icmp from any to any icmptype 0
02110 allow icmp from any to any icmptype 3
02210 allow icmp from any to any icmptype 8
02310 allow icmp from any to any icmptype 11
65535 deny ip from any to any

Thanks for your time,
Louie <louie@sunra.csci.unt.edu>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message