From owner-freebsd-questions Fri Mar 21 12: 8:55 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E54B137B404 for ; Fri, 21 Mar 2003 12:08:52 -0800 (PST)
Received: from hotmail.com (oe73.law12.hotmail.com [64.4.18.208]) by mx1.FreeBSD.org (Postfix) with ESMTP id EECC243FB1 for ; Fri, 21 Mar 2003 12:08:51 -0800 (PST) (envelope-from b1henning@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 21 Mar 2003 12:08:51 -0800
Received: from 192.216.212.193 by oe73.law12.hotmail.com with DAV; Fri, 21 Mar 2003 20:08:51 +0000
X-Originating-IP: [192.216.212.193]
X-Originating-Email: [b1henning@hotmail.com]
From: "Brian Henning"
To: "freebsd"
Subject: ipfw rules
Date: Fri, 21 Mar 2003 14:05:53 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Message-ID:
X-OriginalArrivalTime: 21 Mar 2003 20:08:51.0747 (UTC) FILETIME=[B117C730:01C2EFE5]
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Greetings,

This is what I came up with for my network after reviewing some docs and talking with some people. I want to run it by you all before I implemented it, because I want it to be secure before I open up my internal network to the outside world. What do you think of my ipfw rules? Do they pretty much match up with my situation below? Is there anything I could improve on?

Thanks for any input,
brian

this is my situation
--------------------
# rl1 is external nic on the router
# rl0 is internal nic on the router 192.168.1.254
# internal network is 192.168.1.0/24
# 192.168.1.42 is a machine on the local network with sshd
# 192.168.1.42 is a machine on the local network with httpd
# 192.168.1.40 is a machine on the local network that needs to access a cisco router at work
# 192.168.1.0/24 is a trusted network
# allow machine on my local network to ping the router

setup
-----

kernel config file
------------------
options IPFIREWALL                      #ipfw compiled into the kernel
options IPFIREWALL_VERBOSE              #firewall logging capability - optional
options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options IPDIVERT                        #natd compiled into the kernel

rc.conf
-------
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="rl1"            # natd -interface rl1, public interface
natd_flags="-f /etc/natd.conf"

/etc/ipfw.rules
---------------
#Deny TCP Fragments
add deny log tcp from any to any via any frag

#Allow loopback traffic
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0

#Allow LAN Traffic
add allow ip from 192.168.1.0/24 to 192.168.1.0/24 via rl0

#Allow other traffic
add allow tcp from 192.168.1.0/24 to any via rl0 setup keep-state
add allow tcp from any to 192.168.1.0/24 via rl0 established keep-state
add allow udp from 192.168.1.0/24 to any via rl0 keep-state
add allow udp from any to 192.168.1.0/24 via rl0 keep-state
add allow icmp from 192.168.1.0/24 to any via rl0
add allow icmp from any to 192.168.1.0/24 via rl0

#Allow internet traffic
add allow tcp from any to any out xmit rl1 setup keep-state
add allow tcp from any to any in recv rl1 established keep-state
#add allow udp from any to any 53,123 out xmit rl1 keep-state
#add allow udp from any 53,123 to any in recv rl1 keep-state
#add allow udp from any to any 33433-33533 out xmit rl1 keep-state
add allow tcp from any to any 22 in recv rl1 setup keep-state
add allow tcp from any 22 to any out xmit rl1 established keep-state

#Deny everything else and log it
add deny log ip from any to any via any

/etc/natd.conf
--------------
use_sockets yes
same_ports yes
dynamic yes
unregistered_only yes
redirect_port tcp 192.168.1.42:22 22
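Added example, not part of Brian's mail and not FreeBSD code: a small Python model that parses the /etc/ipfw.rules block above and walks it with ipfw's first-match semantics over a few constructed packets, so a reader can check which rule decides each kind of traffic before loading the set on a live router. It covers only the syntax these rules use (proto, from/to with CIDR and port lists, via / in / out / recv / xmit, setup, established, frag). keep-state dynamic entries and natd address rewriting are not modelled, so every verdict is the static, first-contact view of the ruleset. The addresses 203.0.113.5 (standing in for the router's public side) and 198.51.100.10 (an outside host) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The static rules from the post, in order (commented-out lines omitted).
RULES = """\
add deny log tcp from any to any via any frag
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add allow ip from 192.168.1.0/24 to 192.168.1.0/24 via rl0
add allow tcp from 192.168.1.0/24 to any via rl0 setup keep-state
add allow tcp from any to 192.168.1.0/24 via rl0 established keep-state
add allow udp from 192.168.1.0/24 to any via rl0 keep-state
add allow udp from any to 192.168.1.0/24 via rl0 keep-state
add allow icmp from 192.168.1.0/24 to any via rl0
add allow icmp from any to 192.168.1.0/24 via rl0
add allow tcp from any to any out xmit rl1 setup keep-state
add allow tcp from any to any in recv rl1 established keep-state
add allow tcp from any to any 22 in recv rl1 setup keep-state
add allow tcp from any 22 to any out xmit rl1 established keep-state
add deny log ip from any to any via any
"""


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str                  # "in" or "out": which firewall pass this is
    recv_if: Optional[str] = None   # interface the packet arrived on
    xmit_if: Optional[str] = None   # interface it will leave on
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    rst: bool = False
    frag: bool = False              # non-first fragment: no transport header


def _ports(spec):
    """'22', '53,123' or '33433-33533' -> set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _is_portspec(tok):
    return tok.replace(",", "").replace("-", "").isdigit()


def parse_rule(line):
    tok = line.split()
    assert tok[0] == "add"
    r = {"text": line, "opts": {}, "action": tok[1]}
    i = 3 if tok[2] == "log" else 2      # "log" only affects logging, not matching
    r["proto"] = tok[i]; i += 1
    for key in ("src", "dst"):           # "from <addr> [ports]" then "to <addr> [ports]"
        i += 1                           # skip "from" / "to"
        addr = tok[i]; i += 1
        r[key] = None if addr == "any" else ipaddress.ip_network(addr, strict=False)
        r[key + "_ports"] = None
        if i < len(tok) and _is_portspec(tok[i]):
            r[key + "_ports"] = _ports(tok[i]); i += 1
    while i < len(tok):                  # remaining tokens are match options
        if tok[i] in ("via", "recv", "xmit"):
            r["opts"][tok[i]] = tok[i + 1]; i += 2
        else:
            r["opts"][tok[i]] = True; i += 1
    return r


def matches(r, p):
    o = r["opts"]
    if r["proto"] != "ip" and r["proto"] != p.proto:
        return False
    if r["src"] is not None and ipaddress.ip_address(p.src) not in r["src"]:
        return False
    if r["dst"] is not None and ipaddress.ip_address(p.dst) not in r["dst"]:
        return False
    # Port tests need a transport header, which a non-first fragment lacks.
    if r["src_ports"] is not None and (p.frag or p.sport not in r["src_ports"]):
        return False
    if r["dst_ports"] is not None and (p.frag or p.dport not in r["dst_ports"]):
        return False
    current = p.recv_if if p.direction == "in" else p.xmit_if
    if "via" in o and o["via"] != "any" and o["via"] != current:
        return False
    if "recv" in o and o["recv"] != p.recv_if:
        return False
    if "xmit" in o and o["xmit"] != p.xmit_if:
        return False
    if ("in" in o and p.direction != "in") or ("out" in o and p.direction != "out"):
        return False
    if "setup" in o and not (p.proto == "tcp" and p.syn and not p.ack):
        return False
    if "established" in o and not (p.proto == "tcp" and (p.ack or p.rst)):
        return False
    if "frag" in o and not p.frag:
        return False
    return True


RULESET = [parse_rule(line) for line in RULES.splitlines()]


def verdict(p, rules=RULESET):
    """(action, 1-based rule number) of the first matching rule; 0 = default deny."""
    for n, r in enumerate(rules, 1):
        if matches(r, p):
            return r["action"], n
    return "deny", 0


def sample_verdicts():
    """Constructed packets: 203.0.113.5 = router public side, 198.51.100.10 = outside host."""
    ext, rtr = "198.51.100.10", "203.0.113.5"
    return {
        "ssh_in_rl1": verdict(Packet("tcp", ext, rtr, "in", recv_if="rl1", sport=40000, dport=22, syn=True)),
        "http_in_rl1": verdict(Packet("tcp", ext, rtr, "in", recv_if="rl1", sport=40001, dport=80, syn=True)),
        "frag_in_rl1": verdict(Packet("tcp", ext, rtr, "in", recv_if="rl1", frag=True)),
        "lan_to_lan": verdict(Packet("tcp", "192.168.1.40", "192.168.1.42", "in", recv_if="rl0", xmit_if="rl0", sport=40002, dport=22, syn=True)),
        "ping_router": verdict(Packet("icmp", "192.168.1.40", "192.168.1.254", "in", recv_if="rl0")),
        "web_out_rl1": verdict(Packet("tcp", rtr, ext, "out", xmit_if="rl1", sport=40003, dport=443, syn=True)),
    }


if __name__ == "__main__":
    for name, (action, n) in sample_verdicts().items():
        print(f"{name:12s} {action:5s} by rule {n}")
```

Run stand-alone, the script prints the rule number that decided each constructed packet: the inbound port 22 SYN on rl1 is passed by the rule just before the final deny, the inbound port 80 SYN and the non-first TCP fragment on rl1 both end in a deny rule, LAN-to-LAN traffic and the ping to the router are passed by the LAN rule on rl0, and an outbound SYN on rl1 is passed by the "out xmit rl1 setup" rule.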