From owner-freebsd-questions Sat Aug 19 16:12:23 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (zoom0-151.telepath.com [216.14.0.151]) by hub.freebsd.org (Postfix) with SMTP id 98CFE37B423 for ; Sat, 19 Aug 2000 16:12:15 -0700 (PDT)
Received: (qmail 9009 invoked by uid 100); 19 Aug 2000 23:11:34 -0000
From: Mike Meyer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14751.5158.782263.898054@guru.mired.org>
Date: Sat, 19 Aug 2000 18:11:34 -0500 (CDT)
To: "Bill McMilleon"
Cc: questions@freebsd.org
Subject: hardening my nat/firewall rules
In-Reply-To: <11900310@toto.iv>
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG% *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Bill McMilleon writes:
> # Always allow traffic on the local/private subnet
> add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via xl0

I almost forgot - don't do this. Go back and open holes for individual services for the local net as well. The idea is that, should someone break into a system behind through the firewall (say your web server), or in larger installations through an external connection installed by someone else, you're not making their life any easier. This also gives you a chance to log the connections so you can watch for suspicious behavior. It's all part of the "All that is not permitted is denied" idea.

You also might want to look at adding rules to throw out packets with bogus IP addresses - especially those coming from the outside world. I.e. (after the localhost rule):

    add deny all from any to 127.0.0.0/8
    add deny all from 192.168.0.0/16 recv ep0

Note that 192.168.0.0/16 are the IPs your internal network uses, not just a generic unregistered network.
The idea is to throw out packets claiming to be from your internal network showing up on the external interface. This probably requires tweaking, *especially* if your firewall isn't your router.
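The following is an added example, not part of the mail above or of any FreeBSD code: a small Python model of ipfw's first-match semantics, used to compare the blanket local-subnet allow that the reply warns against with a ruleset that opens per-service holes and adds the two anti-spoofing denies. It keeps the interface roles from the mail (xl0 internal, ep0 external) and the 192.168.0.0/16 internal range; the web server address 192.168.0.10, the client and attacker addresses, and the packets are constructed for the example. It assumes a default-to-deny final rule and simplifies ipfw to a single inbound pass, so `via` is treated as the receive interface only (real ipfw also evaluates the outbound pass, where `via` can match the transmit interface).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Interface roles as in the mail: xl0 faces the internal LAN, ep0 the outside.
INTERNAL = "192.168.0.0/16"
WEB = "192.168.0.10"   # constructed address for the internal web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]
    recv_if: str            # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "ip" / "all" match every protocol
    src: str                     # CIDR or "any"
    dst: str
    dport: Optional[int] = None
    recv: Optional[str] = None   # ipfw 'recv' / 'via' (inbound pass only in this model)
    log: bool = False


def _addr_in(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every clause of the rule must match the packet."""
    if rule.proto not in ("ip", "all") and rule.proto != pkt.proto:
        return False
    if not (_addr_in(rule.src, pkt.src) and _addr_in(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.recv is not None and rule.recv != pkt.recv_if:
        return False
    return True


def filter_packet(rules, pkt: Packet, log: list) -> str:
    """First match wins; no match falls through to a logged default deny (rule 65535)."""
    for i, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            if rule.log:   # approximation of an ipfw log line, constructed format
                log.append(f"{i * 100} {rule.action} {pkt.proto} {pkt.src} -> "
                           f"{pkt.dst}:{pkt.dport} in via {pkt.recv_if}")
            return rule.action
    log.append(f"65535 deny {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} in via {pkt.recv_if}")
    return "deny"


# Ruleset with the blanket rule the reply says not to use.
BLANKET = [
    Rule("allow", "ip", "any", "any", recv="lo0"),              # localhost rule
    Rule("allow", "ip", INTERNAL, INTERNAL, recv="xl0"),        # the rule in question
    Rule("allow", "tcp", "any", WEB, dport=80, recv="ep0"),     # outside -> web server
]

# Per-service holes plus the two anti-spoofing denies from the reply.
HARDENED = [
    Rule("allow", "ip", "any", "any", recv="lo0"),                          # localhost rule
    Rule("deny", "all", "any", "127.0.0.0/8", log=True),                    # bogus loopback dst
    Rule("deny", "all", INTERNAL, "any", recv="ep0", log=True),             # internal src on ep0
    Rule("allow", "tcp", INTERNAL, WEB, dport=80, recv="xl0"),              # LAN -> web server
    Rule("allow", "tcp", "any", WEB, dport=80, recv="ep0"),                 # outside -> web server
]

# Constructed sample traffic.
PACKETS = {
    "client_to_webserver":      Packet("192.168.0.7", WEB, "tcp", 80, "xl0"),
    "spoofed_from_outside":     Packet("192.168.1.5", WEB, "tcp", 80, "ep0"),
    "lateral_from_webserver":   Packet(WEB, "192.168.0.20", "tcp", 22, "xl0"),
    "to_loopback_from_outside": Packet("10.1.1.1", "127.0.0.1", "tcp", 22, "ep0"),
}


def run(rules, packets=PACKETS):
    """Return {name: verdict} for each packet plus the log lines produced."""
    log: list = []
    verdicts = {name: filter_packet(rules, pkt, log) for name, pkt in packets.items()}
    return verdicts, log


if __name__ == "__main__":
    for label, rules in (("blanket", BLANKET), ("hardened", HARDENED)):
        verdicts, log = run(rules)
        print(label, verdicts)
        for line in log:
            print("  log:", line)
```

Under the blanket ruleset the spoofed packet and the hop from the (hypothetically compromised) web server to another internal host are both allowed and nothing is logged; under the hardened ruleset both are denied and both produce a log line, while the legitimate client-to-web-server connection still passes through its per-service hole.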