Date: Sat, 19 Aug 2000 17:26:55 -0500 (CDT)
From: Mike Meyer <mwm@mired.org>
To: "Bill McMilleon" <billmcmilleon@home.com>
Cc: questions@freebsd.org
Subject: hardening my nat/firewall rules
Message-ID: <14751.2479.923607.828576@guru.mired.org>
In-Reply-To: <11900310@toto.iv>
Bill McMilleon writes:
> I'd love to "harden" this ipfw ruleset up a bit --- any suggestions are
> welcome.

Well, I'll point out what I've done/do...

> # kill any specific bad guys
> add deny log all from 24.0.94.0/24 to any # @home's
> authorized-scan.security.home.net subnet

Cool!

> # allow existing connections to continue speaking
> add skipto 10000 tcp from any to 24.1.1.1 established

Personally, I always put this one closer to the top. After the generic
denials, but before I start allowing connections. I figure it should
make things just a bit faster. Probably not noticeable, but it doesn't
hurt.

> # need UDP, but how to control?? This seems too loose...but it works
> add skipto 10000 udp from any to any

Reading through /etc/rc.firewall, you can derive:

# Allow DNS queries out in the world
add pass udp from any 53 to 24.1.1.1
add pass udp from 24.1.1.1 to any 53
# Allow NTP queries out in the world
add pass udp from any 123 to 24.1.1.1
add pass udp from 24.1.1.1 to any 123

It's obvious how to extend that for other protocols.

> # I didn't know how to proceed here, but this works for now
> add allow ip from any to any

No. Never. The safe behavior is to deny everything you don't
specifically allow, not to allow everything you don't specifically
deny. Use "add deny log ip from any to any" as the last rule. This
turns off everything else, and logs what happened. Check the logs
regularly. If something doesn't work, check the logs to see what's
being blocked, and then enable that.

If you're seriously interested in the subject, check out the books
listed in /etc/rc.firewall.

	<mike
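To make the ordering and default-rule points in the reply above concrete, here is an added example (not code from the message or from FreeBSD) that walks sample packets through a small first-match evaluator for the subset of ipfw syntax used in the thread: numbered rules, allow/pass/deny/skipto, log, single ports and the established flag. It compares Bill's quoted ruleset, which ends in "allow ip from any to any", with the same rules rewritten as Mike suggests: explicit UDP pass rules for DNS and NTP and "deny log ip from any to any" as the last rule. The rule at 10000, the traffic samples and the documentation-range addresses are constructed assumptions; the message never shows what Bill's skipto 10000 jumps to.

```python
"""Toy first-match evaluator for a subset of ipfw(8) rule syntax (an added example,
not FreeBSD's own code). One rule per line, '#' comments, grammar:
  add [NUM] allow|pass|deny|skipto N [log] PROTO from SRC [PORT] to DST [PORT] [established]
Unnumbered rules get 100, 200, ... as ipfw does; the implicit last rule 65535 is
'deny ip from any to any', the kernel default unless IPFIREWALL_DEFAULT_TO_ACCEPT is set."""
from collections import namedtuple
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# established: TCP segment with ACK or RST set, i.e. part of an existing connection.
Packet = namedtuple('Packet', 'proto src sport dst dport established', defaults=[False])
# target: skipto destination; sport/dport are None when the rule names no port.
Rule = namedtuple('Rule', 'num action target log proto src sport dst dport established')

def _endpoint(t: List[str], i: int):
    """Parse 'SPEC [PORT]' at t[i]; return (spec, port or None, next index)."""
    port = int(t[i + 1]) if i + 1 < len(t) and t[i + 1].isdigit() else None
    return t[i], port, i + (2 if port is not None else 1)

def parse_ruleset(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.splitlines():
        t = line.split('#', 1)[0].split()
        if not t:
            continue
        assert t[0] == 'add', line
        num = int(t[1]) if t[1].isdigit() else max((r.num for r in rules), default=0) + 100
        i = 2 if t[1].isdigit() else 1
        action, target, i = t[i], None, i + 1
        if action == 'skipto':
            target, i = int(t[i]), i + 1
        action = 'allow' if action == 'pass' else action  # pass is a synonym for allow
        log = t[i] == 'log'
        i += log
        proto = t[i]
        assert t[i + 1] == 'from', line
        src, sport, i = _endpoint(t, i + 2)
        assert t[i] == 'to', line
        dst, dport, i = _endpoint(t, i + 1)
        rules.append(Rule(num, action, target, log, proto, src, sport, dst, dport,
                          i < len(t) and t[i] == 'established'))
    return sorted(rules, key=lambda r: r.num)  # ipfw keeps rules in number order

def _addr_match(addr: str, spec: str) -> bool:
    return spec == 'any' or ip_address(addr) in ip_network(spec, strict=False)

def _matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ('ip', 'all', p.proto)
            and (not r.established or (p.proto == 'tcp' and p.established))
            and r.sport in (None, p.sport) and r.dport in (None, p.dport)
            and _addr_match(p.src, r.src) and _addr_match(p.dst, r.dst))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int, bool]:
    """First-match walk; returns (verdict, matching rule number, whether it logged)."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not _matches(r, p):
            i += 1
        elif r.action == 'skipto':  # resume at the first rule numbered >= target
            i = next((k for k, q in enumerate(rules) if q.num >= r.target and k > i), len(rules))
        else:
            return r.action, r.num, r.log
    return 'deny', 65535, False  # fell off the end: implicit default rule

# Bill's rules as quoted; rule 10000 is a constructed stand-in for his skipto target.
LOOSE = """
add deny log all from 24.0.94.0/24 to any
add skipto 10000 tcp from any to 24.1.1.1 established
add skipto 10000 udp from any to any
add allow ip from any to any
add 10000 allow ip from any to any
"""
# The same, rewritten as Mike's reply suggests: explicit UDP rules, deny-and-log last.
HARDENED = """
add deny log all from 24.0.94.0/24 to any
add skipto 10000 tcp from any to 24.1.1.1 established
add pass udp from any 53 to 24.1.1.1
add pass udp from 24.1.1.1 to any 53
add pass udp from any 123 to 24.1.1.1
add pass udp from 24.1.1.1 to any 123
add deny log ip from any to any
add 10000 allow ip from any to any
"""
# Constructed traffic (documentation addresses); 24.1.1.1 is the firewall's outside address.
SAMPLES: Dict[str, Packet] = {
    'scanner probe': Packet('tcp', '24.0.94.17', 40000, '24.1.1.1', 22),
    'dns reply': Packet('udp', '192.0.2.53', 53, '24.1.1.1', 1025),
    'unsolicited udp': Packet('udp', '198.51.100.9', 31337, '24.1.1.1', 161),
    'established http': Packet('tcp', '192.0.2.80', 80, '24.1.1.1', 2048, True),
    'new ssh connection': Packet('tcp', '198.51.100.9', 50000, '24.1.1.1', 22),
}

def compare(samples: Dict[str, Packet] = SAMPLES) -> Dict[str, Tuple[str, str]]:
    """Verdict of the loose and the hardened ruleset for each sample packet."""
    loose, hard = parse_ruleset(LOOSE), parse_ruleset(HARDENED)
    return {n: (evaluate(loose, p)[0], evaluate(hard, p)[0]) for n, p in samples.items()}
```

Running compare() shows the difference the last rule makes: the scanner probe, the DNS reply and the established HTTP segment get the same verdict under both rulesets, but the unsolicited UDP datagram and the new inbound SSH connection are allowed by the loose set (they fall through to "allow ip from any to any") and denied, with a log entry, by the hardened one. One caveat the reply does not spell out: the "pass udp from any 53" rules are stateless, so a datagram that merely claims source port 53 is admitted to any UDP port on the host; on a FreeBSD of this vintage a tighter rule would also name the local port range, and later ipfw versions offer keep-state for UDP.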
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14751.2479.923607.828576>