From owner-freebsd-questions Sat Aug 19 15:27:24 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (zoom2-154.telepath.com [216.14.2.154])
	by hub.freebsd.org (Postfix) with SMTP id 7D2C237B43E
	for ; Sat, 19 Aug 2000 15:27:20 -0700 (PDT)
Received: (qmail 8362 invoked by uid 100); 19 Aug 2000 22:26:55 -0000
From: Mike Meyer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14751.2479.923607.828576@guru.mired.org>
Date: Sat, 19 Aug 2000 17:26:55 -0500 (CDT)
To: "Bill McMilleon"
Cc: questions@freebsd.org
Subject: hardening my nat/firewall rules
In-Reply-To: <11900310@toto.iv>
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG% *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Bill McMilleon writes:
> I'd love to "harden" this ipfw ruleset up a bit --- any suggestions are
> welcome.

Well, I'll point out what I've done/do...

> # kill any specific bad guys
> add deny log all from 24.0.94.0/24 to any # @home's
> authorized-scan.security.home.net subnet

Cool!

> # allow existing connections to continue speaking
> add skipto 10000 tcp from any to 24.1.1.1 established

Personally, I always put this one closer to the top. After the generic
denials, but before I start allowing connections. I figure it should
make things just a bit faster. Probably not noticeable, but it doesn't
hurt.

> # need UDP, but how to control?? This seems too loose...but it works
> add skipto 10000 udp from any to any

Reading through /etc/rc.firewall, you can derive:

# Allow DNS queries out in the world
add pass udp from any 53 to 24.1.1.1
add pass udp from 24.1.1.1 to any 53
# Allow NTP queries out in the world
add pass udp from any 123 to 24.1.1.1
add pass udp from 24.1.1.1 to any 123

It's obvious how to extend that for other protocols.
> # I didn't know how to proceed here, but this works for now
> add allow ip from any to any

No. Never. The safe behavior is to deny everything you don't
specifically allow, not to allow everything you don't specifically
deny. Use "add deny log ip from any to any" as the last rule. This
turns off everything else, and logs what happened. Check the logs
regularly. If something doesn't work, check the logs to see what's
being blocked, and then enable that.

If you're seriously interested in the subject, check out the books
listed in /etc/rc.firewall.
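Added example, not part of Mike's or Bill's mail and not taken from FreeBSD's /etc/rc.firewall: a small Python evaluator for the subset of ipfw rule syntax that appears in the thread (allow/pass, deny, skipto, log, established, single-port matches), run over the loose ruleset Bill posted and over the hardened version Mike describes. Everything the page does not show is constructed and labelled as such: the rule at 10000 standing in for Bill's unseen skipto landing section, the automatic rule numbering in steps of 100 (ipfw's default), and the sample packets, which use documentation address ranges. The point it makes visible is the one in the reply: with "allow ip from any to any" as the catch-all, an unsolicited UDP probe and a fresh inbound TCP connection both get through; with "deny log ip from any to any" last, they are dropped and logged while DNS/NTP replies and established flows still pass.

```python
"""First-match evaluator for the ipfw(8) rule subset used in this thread (added example)."""
import ipaddress
from dataclasses import dataclass

AUTOINC_STEP = 100  # ipfw numbers unnumbered rules 100 apart by default


@dataclass
class Packet:
    proto: str                  # 'tcp', 'udp' or 'icmp'
    src: str
    sport: int
    dst: str
    dport: int
    established: bool = False   # TCP segment with ACK or RST set (ipfw 'established')


def parse_rule(line, prev_number):
    """Parse 'add [num] action [target] [log] proto from src [port] to dst [port] [established]'."""
    toks = line.split('#', 1)[0].split()        # drop a trailing comment
    if toks[0] != 'add':
        raise ValueError(line)
    toks = toks[1:]
    number = int(toks.pop(0)) if toks[0].isdigit() else prev_number + AUTOINC_STEP
    action = toks.pop(0)
    if action in ('pass', 'accept', 'permit'):
        action = 'allow'                         # ipfw treats these as synonyms
    target = int(toks.pop(0)) if action == 'skipto' else None
    log = toks[0] == 'log'
    if log:
        toks.pop(0)
    proto = toks.pop(0)
    if toks.pop(0) != 'from':
        raise ValueError(line)
    src = toks.pop(0)
    sport = int(toks.pop(0)) if toks[0] != 'to' else None
    toks.pop(0)                                  # the 'to' keyword
    dst = toks.pop(0)
    dport, established = None, False
    for t in toks:
        if t == 'established':
            established = True
        else:
            dport = int(t)
    return dict(number=number, action=action, target=target, log=log, proto=proto,
                src=src, sport=sport, dst=dst, dport=dport, established=established)


def load_ruleset(text):
    """Rules are assumed to be listed in ascending number order, as ipfw keeps them."""
    rules, prev = [], 0
    for line in text.strip().splitlines():
        if line.strip() and not line.lstrip().startswith('#'):
            rules.append(parse_rule(line, prev))
            prev = rules[-1]['number']
    return rules


def _addr_match(spec, addr):
    return spec == 'any' or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _matches(r, p):
    return (r['proto'] in ('ip', 'all', p.proto)
            and _addr_match(r['src'], p.src) and _addr_match(r['dst'], p.dst)
            and r['sport'] in (None, p.sport) and r['dport'] in (None, p.dport)
            and (p.established or not r['established']))


def evaluate(rules, p):
    """Return (action, rule_number, logged) for the first rule that decides the packet."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not _matches(r, p):
            i += 1
        elif r['action'] == 'skipto':            # resume at the first rule numbered >= target
            i = next((j for j, x in enumerate(rules) if x['number'] >= r['target']), len(rules))
        else:
            return r['action'], r['number'], r['log']
    # Nothing matched: the kernel's built-in rule 65535 decides, and on a kernel
    # built without IPFIREWALL_DEFAULT_TO_ACCEPT that rule denies.
    return 'deny', 65535, False


# Bill's rules as posted; rule 10000 is a constructed stand-in for his unseen landing section.
LOOSE = load_ruleset("""
add deny log all from 24.0.94.0/24 to any
add skipto 10000 tcp from any to 24.1.1.1 established
add skipto 10000 udp from any to any
add allow ip from any to any
add 10000 allow ip from any to any   # constructed: whatever lands here is let through
""")

# Mike's advice applied: explicit UDP allows, then deny-and-log everything else as the last rule.
HARDENED = load_ruleset("""
add deny log all from 24.0.94.0/24 to any
add skipto 10000 tcp from any to 24.1.1.1 established
add pass udp from any 53 to 24.1.1.1
add pass udp from 24.1.1.1 to any 53
add pass udp from any 123 to 24.1.1.1
add pass udp from 24.1.1.1 to any 123
add 10000 allow tcp from any to 24.1.1.1 established   # constructed landing rule
add deny log ip from any to any
""")

# Constructed sample traffic (documentation address ranges), seen from 24.1.1.1's side.
SAMPLE_PACKETS = {
    'scan':       Packet('tcp', '24.0.94.7', 40000, '24.1.1.1', 22),
    'dns_reply':  Packet('udp', '198.51.100.2', 53, '24.1.1.1', 1025),
    'rpc_probe':  Packet('udp', '203.0.113.9', 40000, '24.1.1.1', 111),
    'telnet_syn': Packet('tcp', '203.0.113.9', 40001, '24.1.1.1', 23),
    'web_reply':  Packet('tcp', '198.51.100.80', 80, '24.1.1.1', 5555, established=True),
}

if __name__ == '__main__':
    for name, rules in (('loose', LOOSE), ('hardened', HARDENED)):
        for label, pkt in SAMPLE_PACKETS.items():
            print(f'{name:9} {label:11} -> {evaluate(rules, pkt)}')
```

Running it prints one line per packet and ruleset; the two that differ are rpc_probe and telnet_syn, which the loose set allows (via rule 10000 and rule 400) and the hardened set drops at its final deny-log rule. The logged field is what Mike's "check the logs regularly" relies on: only the deny rules carry "log", so the log records exactly the traffic the ruleset has not been told about yet.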