From owner-freebsd-current Sun Mar 17 22:24:03 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id WAA02406 for current-outgoing; Sun, 17 Mar 1996 22:24:03 -0800 (PST)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id WAA02359 for ; Sun, 17 Mar 1996 22:23:53 -0800 (PST)
Received: from grumble.grondar.za (mark@localhost [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id IAA03506 for ; Mon, 18 Mar 1996 08:23:30 +0200 (SAT)
Message-Id: <199603180623.IAA03506@grumble.grondar.za>
To: current@freebsd.org
Subject: Firewall setup...
Date: Mon, 18 Mar 1996 08:23:29 +0200
From: Mark Murray
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hi

As I have a leased line to the net, and as my home net is frequently
unsupervised, I am pretty paranoid about security. So, I have decided
to add one more layer of protection, a firewall.

I _love_ the FreeBSD firewall setup! It took me about an hour from
having never set up such a thing before to having the rudiments
working pretty well:

> 00200 deny all from 10.0.0.0/8 to any
> 00300 deny all from 172.16.0.0/16 to any
> 00400 deny all from 192.168.0.0/16 to any
> 00500 deny all from any to 10.0.0.0/8
> 00600 deny all from any to 172.16.0.0/16
> 00700 deny all from any to 192.168.0.0/16
> 00800 deny all from any to 127.0.0.0/8 via tun0
> 00900 deny all from any to 127.0.0.0/8 via ed0
> 01000 deny all from any to 0.0.0.0/8
> 01100 deny all from 127.0.0.0/8 to any via tun0
> 01200 deny all from 127.0.0.0/8 to any via ed0
> 01300 deny all from 0.0.0.0/8 to any

It is however not that clear how to do the last bit. I would like to
zap spoofing -

> 01350 accept all from any to 196.7.18.0/24 via tun0
> 01350 accept all from 196.7.18.0/24 to any via tun0

If my firewall machine has 2 interfaces - tun0=196.7.18.65 and
ed0=196.7.18.129 with a netmask of 0xfffffff0, how do I prevent
packets claiming to be from 196.7.18/24 from coming into tun0? The
above 2 lines are necessary for me to communicate with the world.

Are there any other "standard" anti-spoofing rules that can be
applied? I am basically running my firewall as a serious filter,
rather than as a closed-to-the-world firewall.

> 01500 accept all from any to any via ed0
> 01700 accept all from any to any via lo0
> 65535 deny all from any to any

(I based most of this on a script by PST about 2 months ago(?), but
that was before PHK's reorg of the sorting rules, and the syntax has
changed quite a bit since then.)

Thanks!
M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
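An added example, not part of Mark's mail or of the FreeBSD ipfw code: a small Python first-match simulator for the quoted rule set, used to check the spoofing question. It assumes the LAN behind ed0 is 196.7.18.128/28 (from the 0xfffffff0 mask), models `in`/`out` as a per-rule direction option, and evaluates each packet once on one interface; with those assumptions it shows the two 01350 rules accepting a packet that arrives on tun0 claiming an inside source, and a deny rule numbered ahead of them blocking it.

```python
import ipaddress

def _net(tok):
    """'any' matches everything; a bare address is treated as a /32 host."""
    if tok == "any":
        return None
    return ipaddress.ip_network(tok if "/" in tok else tok + "/32", strict=False)

def parse_rules(lines):
    """Parse 'NNNNN action all from SRC to DST [in|out] [via IFACE]' lines."""
    rules = []
    for line in lines:
        w = line.split()
        rule = {"num": int(w[0]), "action": w[1], "src": _net(w[4]),
                "dst": _net(w[6]), "dir": None, "via": None}
        rest = w[7:]
        for i, tok in enumerate(rest):
            if tok in ("in", "out"):          # assumed direction keyword
                rule["dir"] = tok
            elif tok == "via":
                rule["via"] = rest[i + 1]
        rules.append(rule)
    return rules

def verdict(rules, pkt):
    """First match in rule-number order decides; pkt = (src, dst, iface, dir)."""
    src, dst, iface, direction = pkt
    for r in sorted(rules, key=lambda r: r["num"]):
        if ((r["src"] is None or ipaddress.ip_address(src) in r["src"])
                and (r["dst"] is None or ipaddress.ip_address(dst) in r["dst"])
                and (r["via"] is None or r["via"] == iface)
                and (r["dir"] is None or r["dir"] == direction)):
            return r["num"], r["action"]
    return 65535, "deny"  # implicit default when nothing matches

# The relevant rules quoted in the mail, plus one anti-spoofing rule that
# rejects the firewall's own LAN prefix when it arrives on the leased line.
POSTED = """00200 deny all from 10.0.0.0/8 to any
00300 deny all from 172.16.0.0/16 to any
00400 deny all from 192.168.0.0/16 to any
01350 accept all from any to 196.7.18.0/24 via tun0
01350 accept all from 196.7.18.0/24 to any via tun0
01500 accept all from any to any via ed0
65535 deny all from any to any""".splitlines()
ANTI_SPOOF = "01340 deny all from 196.7.18.128/28 to any in via tun0"

# Constructed packet: arrives on tun0 from the Internet side but claims an
# inside LAN source address (196.7.18.130) and targets the ed0 address.
SPOOFED = ("196.7.18.130", "196.7.18.129", "tun0", "in")
```

The real ipfw checks a forwarded packet once per interface it crosses, so the tun0 pass is the one that has to catch the spoofed source before the `via ed0` accept is ever reached.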