Date: Fri, 21 Mar 2003 14:05:53 -0600
From: "Brian Henning" <b1henning@hotmail.com>
To: "freebsd" <freebsd-questions@FreeBSD.ORG>
Subject: ipfw rules
Message-ID: <OE73eF0WScFSwblfci30000a771@hotmail.com>
Greetings,

This is what I came up with for my network after reviewing some docs and talking with some people. I want to run it by you all before I implement it, because I want it to be secure before I open up my internal network to the outside world. What do you think of my ipfw rules? Do they pretty much match up with my situation below? Is there anything I could improve on?

Thanks for any input,
Brian

this is my situation
--------------------
# rl1 is external nic on the router <ip comes from the isp>
# rl0 is internal nic on the router 192.168.1.254
# internal network is 192.168.1.0/24
# 192.168.1.42 is a machine on the local network with sshd
# 192.168.1.42 is a machine on the local network with httpd
# 192.168.1.40 is a machine on the local network that needs to access a cisco router at work
# 192.168.1.0/24 is a trusted network
# allow machine on my local network to ping the router

setup
-----

kernel config file
------------------
options IPFIREWALL                   #ipfw compiled into the kernel
options IPFIREWALL_VERBOSE           #firewall logging capability - optional
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPDIVERT                     #natd compiled into the kernel

rc.conf
-------
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="rl1"                 # natd -interface rl1, public interface
natd_flags="-f /etc/natd.conf"

/etc/ipfw.rules
---------------
#Deny TCP Fragments
add deny log tcp from any to any via any frag

#Allow loopback traffic
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0

#Allow LAN Traffic
add allow ip from 192.168.1.0/24 to 192.168.1.0/24 via rl0

#Allow other traffic
add allow tcp from 192.168.1.0/24 to any via rl0 setup keep-state
add allow tcp from any to 192.168.1.0/24 via rl0 established keep-state
add allow udp from 192.168.1.0/24 to any via rl0 keep-state
add allow udp from any to 192.168.1.0/24 via rl0 keep-state
add allow icmp from 192.168.1.0/24 to any via rl0
add allow icmp from any to 192.168.1.0/24 via rl0

#Allow internet traffic
add allow tcp from any to any out xmit rl1 setup keep-state
add allow tcp from any to any in recv rl1 established keep-state
#add allow udp from any to any 53,123 out xmit rl1 keep-state
#add allow udp from any 53,123 to any in recv rl1 keep-state
#add allow udp from any to any 33433-33533 out xmit rl1 keep-state
add allow tcp from any to any 22 in recv rl1 setup keep-state
add allow tcp from any 22 to any out xmit rl1 established keep-state

#Deny everything else and log it
add deny log ip from any to any via any

/etc/natd.conf
--------------
use_sockets yes
same_ports yes
dynamic yes
unregistered_only yes
redirect_port tcp 192.168.1.42:22 22
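Added example, not part of Brian's post or of FreeBSD: a small Python model of how ipfw(8) evaluates the ruleset above, so the first-match order and the keep-state behaviour can be checked against sample packets before the rules go live. It parses exactly the syntax subset the file uses (via/in/out/recv/xmit, setup, established, keep-state, frag), walks the rules first-match, and consults a dynamic table at the first keep-state rule, which is what ipfw does when no check-state rule is present. It evaluates the rules as written: the posted file has no "divert natd" rule, and rc.firewall loads a file-type ruleset as is rather than adding one, so natd never sees any traffic unless such a rule is added; the model therefore ignores translation. All addresses and ports in the scenarios are constructed (198.51.100.1 stands in for the ISP-assigned address on rl1, 203.0.113.x for hosts on the Internet). Two things it makes visible that the situation list does not: nothing in the rules or in natd.conf opens port 80, so the httpd on .42 stays unreachable from outside, and because "via rl0" also matches a LAN packet on its way out through rl1, the "Allow internet traffic" rules are only ever reached by traffic the router itself originates.

```python
# Added example, not from the original post: a first-match simulator for the
# ipfw(8) syntax subset used in /etc/ipfw.rules above, evaluated as written
# (no natd translation). Addresses are constructed: 198.51.100.1 stands in
# for the ISP-assigned address on rl1, 203.0.113.x for hosts on the Internet.
from ipaddress import ip_address, ip_network
from types import SimpleNamespace

RULES_TEXT = """
add deny log tcp from any to any via any frag
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add allow ip from 192.168.1.0/24 to 192.168.1.0/24 via rl0
add allow tcp from 192.168.1.0/24 to any via rl0 setup keep-state
add allow tcp from any to 192.168.1.0/24 via rl0 established keep-state
add allow udp from 192.168.1.0/24 to any via rl0 keep-state
add allow udp from any to 192.168.1.0/24 via rl0 keep-state
add allow icmp from 192.168.1.0/24 to any via rl0
add allow icmp from any to 192.168.1.0/24 via rl0
add allow tcp from any to any out xmit rl1 setup keep-state
add allow tcp from any to any in recv rl1 established keep-state
add allow tcp from any to any 22 in recv rl1 setup keep-state
add allow tcp from any 22 to any out xmit rl1 established keep-state
add deny log ip from any to any via any
"""
OPTION_WORDS = {"via", "in", "out", "recv", "xmit", "setup", "established", "keep-state", "frag"}

# One pass of a packet through ipfw: recv is the interface it arrived on, xmit the one
# it leaves on (None on the input pass), so a forwarded packet is evaluated twice.
DEFAULTS = dict(recv=None, xmit=None, sport=0, dport=0, syn=False, ack=False, frag=False)

def pkt(proto, src, dst, **kw):
    return SimpleNamespace(**{**DEFAULTS, "proto": proto, "src": src, "dst": dst, **kw})

def parse_ports(spec):
    """'22', '53,123' or '33433-33533' -> set of port numbers."""
    ports = set()
    for lo, _, hi in (item.partition("-") for item in spec.split(",")):
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line):
    t = line.split()[1:]                      # drop "add"
    action = t.pop(0)
    if t[0] == "log": t.pop(0)                # "log" does not change the verdict
    proto, _from, src = t.pop(0), t.pop(0), t.pop(0)
    sports = parse_ports(t.pop(0)) if t[0] != "to" else None
    _to, dst = t.pop(0), t.pop(0)
    dports = parse_ports(t.pop(0)) if t and t[0] not in OPTION_WORDS else None
    opts = {}
    while t:
        w = t.pop(0)
        opts[w] = t.pop(0) if w in ("via", "recv", "xmit") else True
    return dict(action=action, proto=proto, src=src, sports=sports, dst=dst, dports=dports, opts=opts)

def addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def matches(r, p):
    """Static match of one rule against one packet pass (ipfw semantics for the options used)."""
    o, direction = r["opts"], ("out" if p.xmit else "in")
    return (r["proto"] in ("ip", p.proto)
            and addr_ok(r["src"], p.src) and addr_ok(r["dst"], p.dst)
            and (r["sports"] is None or p.sport in r["sports"])
            and (r["dports"] is None or p.dport in r["dports"])
            and o.get("via", "any") in ("any", p.recv, p.xmit)   # via checks both interfaces
            and ("in" not in o or direction == "in") and ("out" not in o or direction == "out")
            and ("recv" not in o or p.recv == o["recv"]) and ("xmit" not in o or p.xmit == o["xmit"])
            and ("setup" not in o or (p.proto == "tcp" and p.syn and not p.ack))
            and ("established" not in o or (p.proto == "tcp" and p.ack))  # ipfw also accepts RST
            and ("frag" not in o or p.frag))

class Firewall:
    def __init__(self, text):
        self.rules = [parse_rule(l) for l in text.strip().splitlines() if not l.startswith("#")]
        self.dynamic = set()                  # keep-state entries keyed on the 5-tuple

    def check(self, p):
        """Return (verdict, rule number); rules added without a number get 100, 200, ..."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        state_checked = False
        for n, r in enumerate(self.rules, 1):
            # With no check-state rule, ipfw consults the dynamic table at the first
            # keep-state rule it reaches, before that rule's own static match.
            if "keep-state" in r["opts"] and not state_checked:
                state_checked = True
                if fwd in self.dynamic or rev in self.dynamic:
                    return "allow", n * 100
            if matches(r, p):
                if "keep-state" in r["opts"]:
                    self.dynamic.add(fwd)
                return r["action"], n * 100
        return "deny", 65535                  # implicit default rule

def run_scenarios():
    """Constructed traffic through the ruleset -> {name: (verdict, rule number)}."""
    fw, out = Firewall(RULES_TEXT), {}
    # Internet host opens SSH to the router's public address (what natd would forward to .42).
    out["ssh_in"] = fw.check(pkt("tcp", "203.0.113.7", "198.51.100.1", recv="rl1", sport=40000, dport=22, syn=True))
    # Same host tries HTTP: nothing in the rules or natd.conf opens port 80.
    out["http_in"] = fw.check(pkt("tcp", "203.0.113.7", "198.51.100.1", recv="rl1", sport=40001, dport=80, syn=True))
    # LAN host opens a TCP connection: input pass on rl0, then the forwarding pass out rl1.
    # Both are decided by rule 400 ("via rl0" also matches on output), so rule 1000 never fires.
    out["lan_syn_in"] = fw.check(pkt("tcp", "192.168.1.40", "203.0.113.10", recv="rl0", sport=50000, dport=443, syn=True))
    out["lan_syn_fwd"] = fw.check(pkt("tcp", "192.168.1.40", "203.0.113.10", recv="rl0", xmit="rl1", sport=50000, dport=443, syn=True))
    # The SYN/ACK arriving on rl1 is accepted by the dynamic entry, not by any static rule.
    out["lan_reply"] = fw.check(pkt("tcp", "203.0.113.10", "192.168.1.40", recv="rl1", sport=443, dport=50000, syn=True, ack=True))
    # Ping from a LAN host reaches the router; ping from the Internet hits the final deny.
    out["lan_ping"] = fw.check(pkt("icmp", "192.168.1.40", "192.168.1.254", recv="rl0"))
    out["wan_ping"] = fw.check(pkt("icmp", "203.0.113.7", "198.51.100.1", recv="rl1"))
    # A non-first TCP fragment is dropped by rule 100 before any port is considered.
    out["tcp_frag"] = fw.check(pkt("tcp", "203.0.113.7", "198.51.100.1", recv="rl1", dport=22, frag=True))
    return out
```

Running run_scenarios() gives allow at rule 1200 for the inbound SSH SYN, deny at 1400 for inbound HTTP and for the Internet ping, allow at 400 for all three legs of the LAN-originated connection, allow at 300 for the LAN ping to the router, and deny at 100 for the fragment. The model treats the first keep-state rule as the point where the dynamic table is consulted; a real ipfw(8) of the same era behaves the same way, and adding an explicit "check-state" rule near the top is the usual way to make that point deliberate rather than implicit.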