Date: Sat, 19 Aug 2000 10:23:51 -0700 (PDT)
From: Steve Lewis <nepolon@systray.com>
To: billmc@internetaddress.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: hardening my nat/firewall rules
Message-ID: <Pine.BSF.4.05.10008191011300.12367-100000@greg.ad9.com>
In-Reply-To: <005201c009f3$27ca5bd0$6401a8c0@tp770z>
On Sat, 19 Aug 2000, Bill McMilleon wrote:

> I'd love to "harden" this ipfw ruleset up a bit --- any suggestions
> are welcome. I tried some of the newer keep-state stuff, but could

Take my suggestions worth a grain of salt, but... I would be using shell variables to specify the outside interface, outside net, and outside IP, and the same for the inside. Makes for fewer typos. Also, I don't see you specifically restricting RFC 1918 addresses that come in through the public interface. This should happen before the divert, obviously.

> # take care of localhost
> add allow all from localhost to localhost

allow from any to lo0 instead

> # Always allow traffic on the local/private subnet
> add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via xl0

Does this traffic pass THROUGH the firewall? I would think not. Kill this rule.

> # kill any specific bad guys
> ## @home's authorized-scan.security.home.net subnet
> add deny log all from 24.0.94.0/24 to any

woohoo! you tell 'em! ;)

> # need UDP, but how to control?? This seems too loose...but it works
> add skipto 10000 udp from any to any

I would deny specific ports on this... you can research which ones you want to block.

> # perform NAT. Shouldn't this be more refined than "any" to "any?"
> add 10000 divert natd all from any to any

Nope. Divert them all, let natd decide who to translate and who to leave alone (see also the -u switch to natd).

--Steve
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.10008191011300.12367-100000>
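As an added illustration of Steve's suggestions (not code from the thread or from either poster), the sketch below builds an ipfw ruleset with shell variables for the interfaces, drops RFC 1918 sources arriving on the public interface before the natd divert, and allows loopback via lo0. The interface names, the documentation-range outside IP and the rule numbers are assumptions; by default it only prints the ipfw commands, and setting IPFW to the real binary would apply them.

```shell
#!/bin/sh
# Constructed example: generate (or apply) an ipfw ruleset along the
# lines suggested in the reply above. IPFW defaults to "echo ipfw" so
# the script is a dry run; IPFW=/sbin/ipfw would load the rules.
IPFW="${IPFW:-echo ipfw}"

# Assumed values; the real host's interfaces and addresses go here.
OIF="xl1"              # outside (public) interface
OIP="203.0.113.10"     # outside IP (RFC 5737 documentation address)
IIF="xl0"              # inside interface
INET="192.168.0.0/16"  # inside network

build_ruleset() {
    $IPFW -f flush
    # Loopback: allow everything via lo0, drop 127/8 seen anywhere else.
    $IPFW add 100 allow all from any to any via lo0
    $IPFW add 110 deny all from any to 127.0.0.0/8
    # Private (RFC 1918) sources never legitimately arrive on the public
    # interface; drop and log them before the divert rule sees them.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPFW add 200 deny log all from $net to any in via $OIF
    done
    # Divert everything on the outside interface; natd decides what
    # to translate (see natd -u for the unregistered-only behaviour).
    $IPFW add 1000 divert natd all from any to any via $OIF
    # Established TCP flows pass; new connections only from inside out.
    $IPFW add 2000 allow tcp from any to any established
    $IPFW add 2100 allow tcp from $INET to any out via $OIF setup
    $IPFW add 65000 deny log all from any to any
}

# Sanity checks usable from a dry run: the rule numbers of the RFC 1918
# filter and of the divert rule, so their ordering can be asserted.
rfc1918_rule_number() { build_ruleset | awk '/deny log all from 10.0.0.0\/8/ {print $3}'; }
divert_rule_number()  { build_ruleset | awk '/divert natd/ {print $3}'; }

# Print the generated rules.
build_ruleset
```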