Date: Sat, 19 Aug 2000 10:35:43 -0500
From: "Bill McMilleon" <billmcmilleon@home.com>
To: <freebsd-questions@freebsd.org>
Subject: hardening my nat/firewall rules
Message-ID: <005201c009f3$27ca5bd0$6401a8c0@tp770z>
I'd love to "harden" this ipfw ruleset up a bit --- any suggestions are welcome. I tried some of the newer keep-state stuff, but could never get it to work right. Below are copies of my ipfw.rules (a file which ipfw reads directly since I specify a firewall_type of "/etc/ipfw.rules") and natd.conf. In this case ep0 is the public interface (which has been changed for this example to 24.1.1.1). There are comments and questions for most rules...

(ipfw.rules)

    # clean up existing ruleset...
    -f flush

    # take care of localhost
    add allow all from localhost to localhost

    # Always allow traffic on the local/private subnet
    add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via xl0

    # Allow anything incoming on xl0 from 192.168 that is going elsewhere
    add skipto 10000 ip from 192.168.0.0/16 to not 192.168.0.0/16 in recv xl0

    # kill any specific bad guys
    add deny log all from 24.0.94.0/24 to any    # @home's authorized-scan.security.home.net subnet

    # Allow the "safer" ICMP types through
    add skipto 10000 icmp from any to any icmptype 0,3,8,11

    # add support for incoming connections on port 80 for the web server
    add skipto 10000 log tcp from any to 24.1.1.1 80 setup

    # kill any other connection setup requests that are incoming on the public interface
    add deny log tcp from any to 24.1.1.1 setup in recv ep0

    # kill all fragmented packets
    add deny log all from any to any frag in recv ep0

    # kill all with source routing options set
    add deny log all from any to any ipoptions ssrr in recv ep0
    add deny log all from any to any ipoptions lsrr in recv ep0

    # allow existing connections to continue speaking
    add skipto 10000 tcp from any to 24.1.1.1 established

    # need UDP, but how to control?? This seems too loose...but it works
    add skipto 10000 udp from any to any

    # kill everything else
    #add deny ip from any to any

    # perform NAT. Shouldn't this be more refined than "any" to "any?"
    add 10000 divert natd all from any to any

    # I didn't know how to proceed here, but this works for now
    add allow ip from any to any

(natd.conf)

    # Operate on packets traversing ep0...
    interface ep0

    #http...
    # incoming tcp packets destined for port 80 on this machine (the firewall 24.1.1.1)
    # will be sent to port 80 on the internal web server (192.168.1.5)
    redirect_port tcp 192.168.1.5:80 24.1.1.1:80

    #dialpad.com services...
    # incoming tcp and udp packets on specified ports will be allowed thru
    redirect_port tcp 192.168.1.99:51210 24.1.1.1:51210
    redirect_port udp 192.168.1.99:51200 24.1.1.1:51200
    redirect_port udp 192.168.1.99:51201 24.1.1.1:51201

    # Log denied incoming packets via syslog (see also log_facility)
    log_denied

    # Only alter outgoing packets with an unregistered source address.
    # According to rfc 1918, unregistered source addresses are
    # 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
    unregistered_only

Thanks in advance,
--Bill
billmc@internetaddress.com
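An added check, written for this archive page and not part of Bill's post or of FreeBSD's ipfw tooling: it parses the ipfw.rules above with a small grammar that covers only the rule forms used in the post, and flags the rules whose comments already raise doubts. A "skipto 10000" is treated as a permit, since rule 10000 is the divert followed by "allow ip from any to any", and the terminal allow is reported as a default-allow policy. The rule text is a constructed copy of the posted file.

```python
import re

# Constructed copy of the ipfw.rules posted above (public address 24.1.1.1 as in the post).
POSTED_RULES = """\
-f flush
add allow all from localhost to localhost
add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via xl0
add skipto 10000 ip from 192.168.0.0/16 to not 192.168.0.0/16 in recv xl0
add deny log all from 24.0.94.0/24 to any
add skipto 10000 icmp from any to any icmptype 0,3,8,11
add skipto 10000 log tcp from any to 24.1.1.1 80 setup
add deny log tcp from any to 24.1.1.1 setup in recv ep0
add deny log all from any to any frag in recv ep0
add deny log all from any to any ipoptions ssrr in recv ep0
add deny log all from any to any ipoptions lsrr in recv ep0
add skipto 10000 tcp from any to 24.1.1.1 established
add skipto 10000 udp from any to any
add 10000 divert natd all from any to any
add allow ip from any to any
"""

# Grammar for the forms used in the post: add [num] action [log] proto from src [ports] to dst [ports] [options]
RULE = re.compile(
    r"^add(?:\s+(?P<num>\d+))?\s+(?P<action>allow|deny|skipto\s+\d+|divert\s+\S+)(?:\s+log)?"
    r"\s+(?P<proto>\S+)\s+from\s+(?P<src>(?:not\s+)?\S+)(?:\s+[\d,\-]+)?"
    r"\s+to\s+(?P<dst>(?:not\s+)?\S+)(?:\s+(?P<dport>[\d,\-]+))?(?P<opts>.*)$")
SCOPING = {"in", "out", "recv", "xmit", "via"}  # options that tie a rule to a direction or interface

def lint(text):
    """Return [(line_no, message)] for permit rules that are wider than their comments intend."""
    rules = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if line.startswith("add"):
            rules.append((no, RULE.match(line)))
    findings = []
    for idx, (no, m) in enumerate(rules):
        if m is None:
            findings.append((no, "rule not understood by this checker"))
            continue
        # skipto 10000 lands on the divert + allow tail, so it permits just like allow does
        permits = m["action"].startswith(("allow", "skipto"))
        wide_open = m["src"] == "any" and m["dst"] == "any" and not m["dport"]
        if permits and wide_open and not (set(m["opts"].split()) & SCOPING):
            if idx == len(rules) - 1 and m["action"] == "allow":
                findings.append((no, "terminal allow any->any: default-allow policy, anything not denied above passes"))
            else:
                findings.append((no, f"{m['proto']} permitted any->any in both directions (no in/out/recv/xmit/via)"))
    return findings
```

Running lint(POSTED_RULES) reports the ICMP rule, the UDP rule and the terminal allow; a rule scoped to an interface and direction, such as one restricted to traffic leaving via ep0 from the 192.168 subnet, is not reported.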