From owner-freebsd-security Fri Jul 3 19:03:46 1998
Date: Fri, 3 Jul 1998 20:58:16 -0500 (CDT)
From: Louie
Message-Id: <199807040158.UAA20374@sunra.csci.unt.edu>
To: freebsd-security@FreeBSD.ORG
Subject: ipfw with ppp -alias setup

I'm using userland ppp with packet aliasing to give a private address IP
network (192.168.1.x on ed0) Internet access through a dialup ISP that assigns
dynamic IP addresses. This works.

I'm also using ipfw for packet filtering. This also works, but since I don't
claim to be a security expert I'm not sure if I've set this up properly. I'm
using ipfw instead of ppp's packet filtering because I prefer ipfw's log
output. (Maybe not a good reason.)

My intentions are to block just about everything from the Internet. (Call me
paranoid.) I've also tried to define an ipfw rule list using just interface
names, since the IP addresses my ISP assigns can vary over multiple class C
networks. I also don't want to have to rerun ipfw every time I make a new
connection with my ISP.

Enough background. My question is, will this rule list work, or have I just
proved I don't know what I'm doing?
# ipfw list
01000 allow ip from any to any via lo0
01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
01110 deny log ip from 192.168.0.0/16 to any in recv tun0
01210 deny log ip from 172.16.0.0/12 to any in recv tun0
01310 deny log ip from 10.0.0.0/8 to any in recv tun0
01410 allow tcp from any to any in recv tun0 established
01510 deny log tcp from any to any in recv tun0 setup
01610 allow tcp from any to any out xmit tun0
01710 allow tcp from any to any via ed0
01810 allow udp from any 53 to any
01910 allow udp from any to any 53
02010 allow icmp from any to any icmptype 0
02110 allow icmp from any to any icmptype 3
02210 allow icmp from any to any icmptype 8
02310 allow icmp from any to any icmptype 11
65535 deny ip from any to any

Thanks for your time,
Louie
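The following is an added example, not part of Louie's post or of FreeBSD's own tooling, that applies the check a reviewer on the list would run first: which "allow" rules are not tied to an interface at all. Rules 01810 through 02310 carry no via/recv/xmit clause, so they match packets arriving from the ISP side exactly as they match LAN traffic; 01810 in particular accepts any UDP datagram whose source port happens to be 53, and 02210 accepts inbound echo requests on tun0, which is more than "block just about everything" intends. The script reconstructs the posted ruleset as sample input, audits it, and prints a tightened ruleset in which every allow names tun0 or ed0 and a direction. It stays stateless like the original (keep-state/check-state only arrived in later ipfw releases, after this post), so DNS replies from the ISP still have to be matched on source port 53; the tightened set at least confines that rule to tun0 inbound and logs it. Interface names and rule numbers are taken from the post; the rule numbering and wording of the hardened set are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): audit an ipfw ruleset in "ipfw list"
# format for allow rules with no interface qualifier, and emit a tightened
# ruleset bound to tun0 (ISP side) and ed0 (192.168.1.x side), as in the post.

# The ruleset exactly as listed in the post, one rule per line (sample input).
posted_rules() {
    cat <<'EOF'
01000 allow ip from any to any via lo0
01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
01110 deny log ip from 192.168.0.0/16 to any in recv tun0
01210 deny log ip from 172.16.0.0/12 to any in recv tun0
01310 deny log ip from 10.0.0.0/8 to any in recv tun0
01410 allow tcp from any to any in recv tun0 established
01510 deny log tcp from any to any in recv tun0 setup
01610 allow tcp from any to any out xmit tun0
01710 allow tcp from any to any via ed0
01810 allow udp from any 53 to any
01910 allow udp from any to any 53
02010 allow icmp from any to any icmptype 0
02110 allow icmp from any to any icmptype 3
02210 allow icmp from any to any icmptype 8
02310 allow icmp from any to any icmptype 11
65535 deny ip from any to any
EOF
}

# Read rules on stdin and print, space separated, the numbers of "allow"
# rules that have no via/recv/xmit clause. Such a rule matches on every
# interface, so a packet from the ISP side is accepted by it just as readily
# as one from the LAN.
unscoped_allows() {
    awk '$2 == "allow" && $0 !~ /(via|recv|xmit) / { out = out sep $1; sep = " " }
         END { print out }'
}

# Tightened ruleset (this example's own numbering). Every allow names an
# interface and a direction; inbound TCP setups and inbound echo requests on
# tun0 fall through to the default deny. DNS replies from the ISP side are
# still matched on source port 53, the best a stateless filter can do, so
# that rule is confined to tun0 inbound and logged.
hardened_rules() {
    cat <<'EOF'
01000 allow ip from any to any via lo0
01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
01100 deny log ip from 192.168.0.0/16 to any in recv tun0
01200 deny log ip from 172.16.0.0/12 to any in recv tun0
01300 deny log ip from 10.0.0.0/8 to any in recv tun0
01400 allow tcp from any to any in recv tun0 established
01500 deny log tcp from any to any in recv tun0 setup
01600 allow tcp from any to any out xmit tun0
01700 allow tcp from any to any via ed0
01800 allow udp from any to any 53 out xmit tun0
01900 allow log udp from any 53 to any in recv tun0
02000 allow udp from any to any 53 via ed0
02100 allow udp from any 53 to any via ed0
02200 allow icmp from any to any out xmit tun0 icmptypes 3,8
02300 allow icmp from any to any in recv tun0 icmptypes 0,3,11
02400 allow icmp from any to any via ed0
65535 deny ip from any to any
EOF
}

echo "Unscoped allow rules in the posted set: $(posted_rules | unscoped_allows)"
echo "Unscoped allow rules in the hardened set: $(hardened_rules | unscoped_allows)"
echo
echo "Hardened ruleset:"
hardened_rules
```

Both rulesets are printed in the form "ipfw list" uses, so any line of the hardened set except the default rule 65535 can be loaded with "ipfw add" followed by that line. Because the set is keyed on interface names only, it survives a new dial-up address just as the posted one does.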