From owner-freebsd-security Tue Jan 25 14:36:41 2000 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 88AE214D45 for ; Tue, 25 Jan 2000 14:36:36 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id OAA71995; Tue, 25 Jan 2000 14:32:40 -0800 (PST) (envelope-from freebsd) From: "Rodney W. Grimes" Message-Id: <200001252232.OAA71995@gndrsh.dnsmgr.net> Subject: Re: more complete ipfw rules In-Reply-To: <388D7516.C4EB676@rug.ac.be> from Tony Voet at "Jan 25, 2000 11:04:06 am" To: Tony.Voet@rug.ac.be (Tony Voet) Date: Tue, 25 Jan 2000 14:32:40 -0800 (PST) Cc: freebsd-security@FreeBSD.org X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > The Mad Scientist wrote: > > > > I have this commented-out line in my ruleset. > > #$fwcmd add 550 deny log ip from 169.254.0.0/16 to any in via ${out_if} > > Don't quite remember what it's for. I hope it's not another wasted class > > B. Can anyone enlighten me? > > This IETF draft answers your question: > > http://www.ietf.org/internet-drafts/draft-manning-dsua-01.txt And that draft produces the following patch for review: Index: rc.firewall =================================================================== RCS file: /home/ncvs/src/etc/rc.firewall,v retrieving revision 1.28 diff -u -r1.28 rc.firewall --- rc.firewall 1999/12/04 01:27:51 1.28 +++ rc.firewall 2000/01/25 22:30:08 @@ -110,9 +110,9 @@ ############ # set these to your network and netmask and ip - net="192.168.4.0" + net="192.0.2.0" mask="255.255.255.0" - ip="192.168.4.17" + ip="192.0.2.1" # Allow any traffic to or from my own net. ${fwcmd} add pass all from ${ip} to ${net}:${mask} @@ -155,27 +155,39 @@ # set these to your outside interface network and netmask and ip oif="ed0" - onet="192.168.4.0" - omask="255.255.255.0" - oip="192.168.4.17" + onet="192.0.2.0" + omask="255.255.255.240" + oip="192.0.2.1" # set these to your inside interface network and netmask and ip iif="ed1" - inet="192.168.3.0" - imask="255.255.255.0" - iip="192.168.3.17" + inet="192.0.2.16" + imask="255.255.255.240" + iip="192.0.2.17" # Stop spoofing ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} # Stop RFC1918 nets on the outside interface - ${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif} - ${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif} - ${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif} - ${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif} - ${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif} - ${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif} + ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} + ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} + ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif} + ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif} + ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} + ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} + + # Stop draft-manning-dsua-01.txt nets on the outside interface + ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif} + ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif} + ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif} + ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif} + ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif} + ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif} + ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif} + ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif} + ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} + ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif} # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message