From owner-freebsd-security Sat Jul 4 19:14:03 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA09044 for freebsd-security-outgoing; Sat, 4 Jul 1998 19:14:03 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from sunra.csci.unt.edu (sunra.csci.unt.edu [129.120.3.43]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA09017 for ; Sat, 4 Jul 1998 19:14:01 -0700 (PDT) (envelope-from louie@sunra.csci.unt.edu)
Received: (from louie@localhost) by sunra.csci.unt.edu (8.8.7/8.8.7) id VAA22240; Sat, 4 Jul 1998 21:08:32 -0500 (CDT) (envelope-from louie)
Date: Sat, 4 Jul 1998 21:08:32 -0500 (CDT)
From: Louie
Message-Id: <199807050208.VAA22240@sunra.csci.unt.edu>
To: jkb@best.com, louie@sunra.csci.unt.edu
Subject: Re: ipfw with ppp -alias setup
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 3 Jul 1998, Jan B. Koum wrote:

> ># ipfw list
> >01000 allow ip from any to any via lo0
> >01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
> >01110 deny log ip from 192.168.0.0/16 to any in recv tun0
>                        ^^^^^^
>
> Aren't you using 192.168.1.0/16 as you mentioned above?

Yes, but I'm blocking 192.168.1.0/16 from coming in on the PPP side.
Spoof prevention.

> >01210 deny log ip from 172.16.0.0/12 to any in recv tun0
> >01310 deny log ip from 10.0.0.0/8 to any in recv tun0
> >01410 allow tcp from any to any in recv tun0 established
> >01510 deny log tcp from any to any in recv tun0 setup
> >01610 allow tcp from any to any out xmit tun0
> >01710 allow tcp from any to any via ed0
> >01810 allow udp from any 53 to any
> >01910 allow udp from any to any 53
> >02010 allow icmp from any to any icmptype 0
> >02110 allow icmp from any to any icmptype 3
> >02210 allow icmp from any to any icmptype 8
> >02310 allow icmp from any to any icmptype 11
> >65535 deny ip from any to any
>
> I'd also do:
> ipfw add 65534 deny log ip from any to any

I like this. Thanks.

> This way, if you see something not working, you will have a log to
> debug. For example, your ftp will not work -- you'll have to use
> passive ftp. Otherwise you are going to see the server trying to connect
> to your port 40000+ (if I remember correctly) from its port 20. If you
> don't want to use passive ftp, then
>
> ipfw add 1509 allow tcp from any 20 to any 40000-40100 in recv tun0
>          ^^^^
>
> Notice how it should be before 1510. Also, you have to add the
> incoming port and not just "... from any 20 to any", since if I am root,
> I can claim to be from port 20. :)

Since it's just me on the inside, I don't mind having to use passive mode.

> AFAICT the rules look ok. Really paranoid people might just take
> out icmp (think Phrack issue 51 article 6). But yeah, everything looks
> fine. Add the "deny log" rule before the last one if you want.

I'll have to check that out.

> I am sure if I missed something people here will correct me.

I'm sure they will. :)

> -- Yan
>
> Jan Koum jkb@best.com                  | "Turn up the lights; I don't want
> www.FreeBSD.org -- The Power to Serve  | to go home in the dark."
> ---------------------------------------+-----------------------------------
> ICMP: What happens when you hack into a military network and they catch you.

Louie

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
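An added example, not code from the thread: a minimal Python model of ipfw's first-match evaluation, run over a constructed subset of the ruleset above plus the 1509 and 65534 rules Jan suggested. It shows why 1509 must sort before the 1510 "setup" deny for the active-FTP data connection to get through, why the 1110 anti-spoof rule still catches a 192.168.x source that claims port 20, and that the 65534 catch-all logs anything no earlier rule matched. The packet layout, the sample addresses (documentation ranges) and the SYN/ACK state simplification are my assumptions.

```python
import ipaddress

def rule(num, action, proto, src="any", sport=None, dst="any", dport=None,
         iface=None, direction=None, tcp=None):
    return dict(num=num, action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, iface=iface, direction=direction, tcp=tcp)

# Constructed subset of the thread's ruleset; None or "any" means the field is not checked.
RULES = [
    rule(1110, "deny log", "ip", src="192.168.0.0/16", iface="tun0", direction="in"),
    rule(1410, "allow", "tcp", iface="tun0", direction="in", tcp="established"),
    rule(1509, "allow", "tcp", sport=20, dport=(40000, 40100), iface="tun0", direction="in"),
    rule(1510, "deny log", "tcp", iface="tun0", direction="in", tcp="setup"),
    rule(1610, "allow", "tcp", iface="tun0", direction="out"),
    rule(65534, "deny log", "ip"),
    rule(65535, "deny", "ip"),
]

def pkt(src, sport, dst, dport, flags="SYN", proto="tcp", iface="tun0", direction="in"):
    return dict(src=src, sport=sport, dst=dst, dport=dport, flags=flags,
                proto=proto, iface=iface, direction=direction)

def _net_ok(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def _port_ok(spec, port):
    if spec is None:
        return True
    return spec[0] <= port <= spec[1] if isinstance(spec, tuple) else spec == port

def matches(r, p):
    if r["proto"] not in ("ip", p["proto"]):
        return False
    if not (_net_ok(r["src"], p["src"]) and _net_ok(r["dst"], p["dst"])):
        return False
    if not (_port_ok(r["sport"], p["sport"]) and _port_ok(r["dport"], p["dport"])):
        return False
    for f in ("iface", "direction"):
        if r[f] is not None and r[f] != p[f]:
            return False
    # Simplified TCP state: "setup" is a bare SYN, "established" is anything else.
    if r["tcp"] == "setup" and p["flags"] != "SYN":
        return False
    return not (r["tcp"] == "established" and p["flags"] == "SYN")

def evaluate(p, rules=RULES):
    """Walk the rules in number order; the first match wins, as ipfw does."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, p):
            return r["num"], r["action"]
```

Real ipfw is stricter than this toy: "setup" matches SYN without ACK and "established" matches packets carrying ACK or RST, but the ordering lesson is the same.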