From: twig les <twigles@yahoo.com>
To: Antoine Jacoutot, freebsd-security@freebsd.org
Date: Fri, 25 Apr 2003 10:48:06 -0700 (PDT)
Subject: Re: firewalling help/audit
Message-ID: <20030425174806.92494.qmail@web10107.mail.yahoo.com>
In-Reply-To: <200304251609.17393.ajacoutot@lphp.org>
List: freebsd-security@freebsd.org (Security issues [members-only posting])

I'm no ipfw guru, but you seem to have a bunch of duplicate rules in the 2nd 1918 and draft-manning-dsua-03 sections.

--- Antoine Jacoutot wrote:
> Hi !
>
> First of all, I am sorry if this is not the list for that, but I've been
> learning (a little bit...) a way to implement a FreeBSD firewall.
> So far I came up with a set of rules I would like to show you for commenting.
> I am sure there're a lot of errors and/or stupid rules (I am not sure the
> rules order is good for what I need) and I would be really pleased if one
> could have a look at it... otherwise, please ignore my mail (it is big !).
> Basically, I have a 192.168.0.0/24 network connected to a gateway that has a
> dynamic IP. I would like the network and the gateway itself to do whatever
> they want and in the meantime filter everything from the outside except for
> specified services (http, ftp...) and share the internet connection.
> I understand it is a very basic configuration but I would like to be sure not
> to make any mistake.
>
> Thanks a lot in advance.
>
> Antoine
>
> Here is my ruleset:
>
> #!/bin/sh
> # Firewall Command
> fwcmd="/sbin/ipfw"
>
> # Flush out the list before we begin.
> ${fwcmd} -f flush
>
> # Stop spoofing
> ${fwcmd} add deny all from 192.168.0.0:255.255.255.0 to any in via tun0
> ### ${fwcmd} add deny all from ${outside_net}:${outside_mask} to any in via vr0 ### Disabled --> dynamic @ip
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from any to 10.0.0.0/8 via tun0
> ${fwcmd} add deny all from any to 172.16.0.0/12 via tun0
> ${fwcmd} add deny all from any to 192.168.0.0/16 via tun0
> ${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
> ${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
> ${fwcmd} add deny all from 192.168.0.0/16 to any via tun0
>
> # Stop draft-manning-dsua-03.txt nets
> ${fwcmd} add deny all from any to 0.0.0.0/8 via tun0
> ${fwcmd} add deny all from any to 169.254.0.0/16 via tun0
> ${fwcmd} add deny all from any to 192.0.2.0/24 via tun0
> ${fwcmd} add deny all from any to 224.0.0.0/4 via tun0
> ${fwcmd} add deny all from any to 240.0.0.0/4 via tun0
> ${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
> ${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
> ${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
> ${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
> ${fwcmd} add deny all from 240.0.0.0/4 to any via tun0
>
> # Setup Loopback
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> # Network Address Translation.
> ${fwcmd} add divert natd all from any to any via tun0
>
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
> ${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
> ${fwcmd} add deny all from 192.168.0.0/16 to any via tun0
> ${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
> ${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
> ${fwcmd} add deny all from 192.168.0.0/16 to any via tun0
>
> # Stop draft-manning-dsua-03.txt nets
> ${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
> ${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
> ${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
> ${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
> ${fwcmd} add deny all from 240.0.0.0/4 to any via tun0
> ${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
> ${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
> ${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
> ${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
> ${fwcmd} add deny all from 240.0.0.0/4 to any via tun0
>
> # Allow firewall outbound for everything
> ${fwcmd} add pass all from any to any via vr0
>
> # Stateful rules & allow everything from our net
> ${fwcmd} add check-state
> ${fwcmd} add pass tcp from 192.168.0.0:255.255.255.0 to any setup keep-state
> ${fwcmd} add pass udp from 192.168.0.0:255.255.255.0 to any keep-state
>
> # Deny suspicious packets
> $fwcmd add deny log tcp from any to any in tcpflags syn,fin
>
> # Allow some icmp
> ${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11,12
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow IP fragments to pass through ### --> should we deny this ?
> ${fwcmd} add pass all from any to any frag
>
> # Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
> ${fwcmd} add pass tcp from any to me in via tun0 20,21,22,25,53,80,110 setup
> ${fwcmd} add pass udp from any to me in via tun0 53
>
> # Reject & log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via tun0 setup
>
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup
>
> # Deny everything else
> ${fwcmd} add deny ip from any to any

=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
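The reply above spots the repeated rules by eye. As an added example (written for this page, not code from either poster), the POSIX shell audit below does the same check mechanically over a ruleset script in the quoted `${fwcmd} add ...` style: it extracts each rule body (dropping the variable prefix, the `add` keyword, any explicit rule number and trailing comments), normalises whitespace, reports bodies that occur more than once, and also lists any rule written after an unconditional `deny ip|all from any to any`, which ipfw can never reach. The embedded ruleset is a constructed sample that reproduces a shortened version of the duplicate RFC1918 block; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an ipfw rule script for duplicated and unreachable rules.
# Assumes one rule per line in the form "${fwcmd} add [number] <rule>" (or "$fwcmd add ..."),
# as in the ruleset quoted in this thread. Functions read the script on stdin.

# Print the normalised body of every rule (fields joined by single spaces).
ipfw_rule_bodies() {
    awk '
        ($1 == "${fwcmd}" || $1 == "$fwcmd") && $2 == "add" {
            start = 3
            if ($3 ~ /^[0-9]+$/) start = 4          # skip an explicit rule number
            body = ""
            for (i = start; i <= NF; i++) {
                if ($i ~ /^#/) break                 # drop a trailing shell comment
                body = (i == start) ? $i : body " " $i
            }
            print body
        }'
}

# Rule bodies that appear more than once (each printed a single time).
ipfw_duplicate_rules() {
    ipfw_rule_bodies | sort | uniq -d
}

# Number of distinct duplicated bodies.
ipfw_duplicate_count() {
    ipfw_duplicate_rules | wc -l | tr -d ' '
}

# Rules listed after the first unconditional catch-all deny: ipfw stops at the
# first matching rule, so nothing after "deny ip from any to any" is ever evaluated.
ipfw_unreachable_rules() {
    ipfw_rule_bodies | awk '
        seen { print; next }
        /^deny (ip|all) from any to any$/ { seen = 1 }'
}

# Constructed sample ruleset (shortened from the quoted one; the second RFC1918
# block repeats the "from" rules of the first, and one rule sits after the catch-all).
SAMPLE_RULESET=$(cat <<'EOF'
#!/bin/sh
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via tun0
${fwcmd} add deny all from any to 172.16.0.0/12 via tun0
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
# Setup Loopback
${fwcmd} add 100 pass all from any to any via lo0
# Network Address Translation
${fwcmd} add divert natd all from any to any via tun0
# Second RFC1918 block: these repeat rules that already exist above
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny  all from 172.16.0.0/12 to any via tun0
# Deny suspicious packets
$fwcmd add deny log tcp from any to any in tcpflags syn,fin
# Deny everything else
${fwcmd} add deny ip from any to any
${fwcmd} add pass tcp from any to any setup   # listed after the catch-all
EOF
)

echo "== duplicated rule bodies =="
printf '%s\n' "$SAMPLE_RULESET" | ipfw_duplicate_rules
echo "== rules after the unconditional deny (never evaluated) =="
printf '%s\n' "$SAMPLE_RULESET" | ipfw_unreachable_rules
```

To audit a real script, replace the sample with `ipfw_duplicate_rules < /etc/rc.firewall.local` (or whatever file holds the rules). The normalisation is deliberately literal: two rules that differ only in spacing are reported as duplicates, while a `via tun0` rule and the same rule without the interface qualifier are not, because they do match different packets.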