From: Don Lewis <truckman@FreeBSD.org>
Date: Tue, 9 Sep 2014 17:48:19 -0700 (PDT)
Subject: Re: Can I make this simple ipfw ruleset any more restrictive?
To: case@SDF.ORG
Cc: freebsd-net@FreeBSD.org
Message-Id: <201409100048.s8A0mJL9011252@gw.catspoiler.org>
List-Id: Networking and TCP/IP with FreeBSD

On 9 Sep, John Case wrote:
>
> I have a very simple firewall - it *blocks everything*, and the only
> traffic that is allowed is for internal clients to make outbound
> connections to tcp port 40.
>
> Also, internal clients can ping/traceroute.
>
> But that's it - no other connections in or out are allowed. I have this
> ruleset and it is working perfectly:
>
> ipfw add 10 allow tcp from any to any established
> ipfw add 20 allow icmp from any to any icmptypes 0,3,8,11
> ipfw add 30 allow udp from any to any 33433-33499 in via fxp1
> ipfw add 40 allow tcp from any to any 40 in via fxp1
>
> (fxp1 is the internal interface, and so I allow the port 40 connections
> and the udp for traceroute only for requests that come in from the
> internal network)
>
> Is there anything I have screwed up here? Any unintentional traffic that
> I am letting through?
>
> Is there any way to lock this down further, and make it even more strict?

I generally do something like that, but I also add anti-spoofing rules as
well. Basically block any packets that have an inside source IP address
that are received via the outside interface, and block any packets that
don't have an inside IP source address that are received via the inside
interface.

The established keyword will let any TCP packets through that have either
the ACK or RST flags set. That only blocks incoming connection attempts
which have SYN without ACK. It would allow someone to scan your internal
network by sending packets with ACK set and SYN not set and watching for
RST packets being returned. I think you could avoid this with these two
rules:

ipfw add 10 check-state
[...]
ipfw add 40 allow tcp from any to any 40 in via fxp1 keep-state

but I haven't actually done this.
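Don's two points (the ACK probe that `established` lets through, and the anti-spoofing rules) worked through in an added Python model of ipfw's first-match, default-deny evaluation; this is not code from the thread or from ipfw itself, and the LAN prefix 192.168.1.0/24, fxp0 as the outside interface and the addresses in the replayed packets are constructed assumptions.

```python
# Constructed model of ipfw first-match evaluation (default deny), comparing
# the thread's original TCP rules with the stateful/anti-spoof variant.
from dataclasses import dataclass
INSIDE_NET = "192.168.1."               # assumption: the LAN behind fxp1
INSIDE_IF, OUTSIDE_IF = "fxp1", "fxp0"  # fxp0 as the outside interface is an assumption
@dataclass
class Pkt:                               # one inbound TCP packet
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()       # TCP flags set on the packet
    iface: str = OUTSIDE_IF              # interface it arrived on
def inside(ip): return ip.startswith(INSIDE_NET)
def flow(p): return (p.src, p.sport, p.dst, p.dport)
def back(p): return (p.dst, p.dport, p.src, p.sport)   # reverse direction of a flow
# --- original ruleset from the thread (icmp/udp rules left out; the point is TCP)
def r10_established(p, st):              # allow tcp from any to any established
    return "allow" if p.flags & {"ACK", "RST"} else None
def r40_port40(p, st):                   # allow tcp from any to any 40 in via fxp1
    return "allow" if p.dport == 40 and p.iface == INSIDE_IF else None
ORIGINAL = [r10_established, r40_port40]
# --- hardened: anti-spoofing, then check-state / keep-state instead of established
def antispoof(p, st):                    # inside source on fxp0, or outside source on fxp1
    if inside(p.src) != (p.iface == INSIDE_IF):
        return "deny"
def r10_check_state(p, st):              # check-state: match flows created by keep-state
    return "allow" if flow(p) in st or back(p) in st else None
def r40_keep_state(p, st):               # allow tcp ... 40 in via fxp1 keep-state
    if p.dport == 40 and p.iface == INSIDE_IF:
        st.add(flow(p)); return "allow"
HARDENED = [antispoof, r10_check_state, r40_keep_state]
def verdict(rules, p, st):
    for rule in rules:
        v = rule(p, st)
        if v: return v
    return "deny"                        # nothing matched: the default deny rule
def run(rules):
    """Replay four constructed packets through a ruleset; return each verdict."""
    st, lan, srv, scanner = set(), "192.168.1.10", "203.0.113.5", "198.51.100.9"
    pkts = [
        Pkt(lan, 51000, srv, 40, frozenset({"SYN"}), INSIDE_IF),   # client connects out
        Pkt(srv, 40, lan, 51000, frozenset({"SYN", "ACK"})),       # server's reply
        Pkt(scanner, 4444, lan, 22, frozenset({"ACK"})),           # ACK probe, SYN clear
        Pkt(lan, 4444, lan, 22, frozenset({"ACK"}), OUTSIDE_IF),   # spoofed inside source
    ]
    return [verdict(rules, p, st) for p in pkts]
```

The original rules let the ACK probe and the spoofed packet through (rule 10 matches any ACK), while the hardened set still passes the real connection and its reply but denies both probes.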