Date: Thu, 24 Dec 1998 02:16:32 -0500
From: Brian Reichert <reichert@numachi.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW configuration question
Message-ID: <19981224021632.D29742@numachi.com>
In-Reply-To: <199812240103.RAA17365@dnai.com>; from Mike Thompson on Wed, Dec 23, 1998 at 05:02:20PM -0800
References: <199812240103.RAA17365@dnai.com>
On Wed, Dec 23, 1998 at 05:02:20PM -0800, Mike Thompson wrote:
> Hello everyone,
>
> As part of securing a couple of FreeBSD 2.2.7 servers to be
> placed on the Internet, it was suggested that I use "ipfw"
> as an additional security measure.
>
> In doing this I thought I would pass the script I developed
> to configure the FreeBSD kernel firewall on these servers to
> this e-mail list for comments. Basically, I only want access
> to our DNS, Apache and secure shell to get through.

Your script also allows http in. Just reminding you...

> This
> script was derived from the simple scripts provided in
> rc.firewall and with some embellishment by myself.
>
> The only thing that I believe is missing is that I would
> also like to enable traceroute to work from the server to
> help diagnose Internet delay problems. I guess I also have
> to let ICMP packets through to do this, but I would have
> another script to do only when I am actually on the system.

You might want ping:

  $fwcmd add allow icmp from any to any

What I'm using for traceroute, which I'm not convinced is
totally correct:

  $fwcmd add allow udp from any to any 33434-33534

> Any comments would be appreciated. Not being a system admin
> I am just trying to cover as many bases as I can and trying
> to err on the side of caution.

The rc.firewall script ('simple') also has a template for not leaking
packets out for RFC1918 nets; I suspect that you'd want to do that as
well...

Also, for a gateway, you'd want to take steps to not leak out packets
that are not from your net, and conversely, not let _in_ packets that
are allegedly from your net.

I put firewalls up on my gateways recently (still tuning), and modeled
my filtering on the 'simple' option (advice always appreciated):

1) Stop spoofing; i.e. only stuff _not from_ your net can come in,
   only stuff _from_ your net can go out.

2) Block the RFC1918 nets.

3) Allow ping and traceroute to work.

4) Allow established TCP connections in.

   You'll want this rule before any other rules (I expect), as most
   incoming packets will be for established sessions, and you want to
   'early out' of the rules as quickly as possible...

5) Allow connections to those TCP and UDP services that you care
   about. I care, for example, about domain ('DNS') (to my name
   servers only), smtp (to my MX hosts only), ssh, http, ntp.

Now, for additional analysis that I do:

7) Explicitly deny those expected connections that are common/expected
   (and unwanted), so as to prevent my logs (see #8 and #9) from being
   clogged.

8) Reject and log all incoming connections, so you can see what people
   are looking for.

9) Accept and log all outgoing connections, so you can better analyze
   how your users are making use of your net connection.

Additionally, I chucked into /etc/daily:

  echo "Clearing firewall accounting"
  ipfw zero

> Thanks,
>
> Mike Thompson
> -------------------------------------------------------------

-- 
Brian 'you Bastard' Reichert		reichert@numachi.com
37 Crystal Ave. #303			Current daytime number: (603)-434-6842
Derry NH 03038-1713 USA			Intel architecture: the left-hand path

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
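The outline in the message above (anti-spoofing, RFC1918 blocking, ping and traceroute, established sessions, permitted services, quiet denies, then logged deny-in and logged allow-out) written out as one ipfw ruleset is shown below. This is an added example, not Brian's or Mike's script: the interface name `ed0`, the TEST-NET addresses `192.0.2.0/24` and `192.0.2.10`, the service list and the NetBIOS ports used for the "quiet deny" step are all placeholder assumptions. With `FWCMD` unset the script only prints the `ipfw` commands it would run, so the rule order can be reviewed before anything is loaded.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds an ipfw ruleset
# following the numbered outline in the message above. All interface names,
# addresses and ports below are assumed placeholders; adjust for the real host.
# Default is a dry run: FWCMD=/sbin/ipfw loads the rules for real.

oif="${OIF:-ed0}"             # assumed outside interface
onet="${ONET:-192.0.2.0/24}"  # assumed public net of this host (TEST-NET placeholder)
oip="${OIP:-192.0.2.10}"      # assumed address of this host on $oif
fwcmd="${FWCMD:-echo ipfw}"   # "echo ipfw" prints instead of loading

rule() { $fwcmd add "$@"; }

firewall_rules() {
    $fwcmd -f flush

    # Loopback traffic is always fine; loopback addresses must never arrive from the wire.
    rule allow ip from any to any via lo0
    rule deny ip from any to 127.0.0.0/8

    # 1) Anti-spoofing. These must sit BEFORE the 'established' rule, otherwise a
    #    packet with a forged source and the ACK bit set would be let in by it.
    rule deny log ip from "$onet" to any in via "$oif"
    rule deny log ip from not "$onet" to any out via "$oif"

    # 2) RFC1918 nets: neither accept them from nor leak them to the outside.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rule deny ip from "$net" to any via "$oif"
        rule deny ip from any to "$net" via "$oif"
    done

    # 3) Ping, and traceroute from this host: the quoted UDP range, narrowed to
    #    outbound probes on the outside interface; the ICMP replies are covered above.
    rule allow icmp from any to any
    rule allow udp from "$oip" to any 33434-33534 out via "$oif"

    # 4) Established TCP sessions early, so most packets leave the list here.
    rule allow tcp from any to any established

    # 5) Services. The ipfw of this era keeps no state, so UDP replies to the
    #    host's own DNS and NTP queries need explicit rules as well.
    rule allow udp from any to "$oip" 53
    rule allow udp from any 53 to "$oip"
    rule allow udp from any 123 to "$oip" 123
    rule allow tcp from any to "$oip" 53 setup
    rule allow tcp from any to "$oip" 22 setup
    rule allow tcp from any to "$oip" 80 setup

    # 7) Known, constant background noise dropped silently so the log stays readable
    #    (NetBIOS chosen as the assumed example of such noise).
    rule deny tcp from any to any 137-139 in via "$oif"
    rule deny udp from any to any 137-139 in via "$oif"

    # 8) Everything else arriving from outside is rejected and logged.
    rule deny log ip from any to any in via "$oif"

    # 9) Outgoing connection attempts are accepted and logged; the rest passes.
    rule allow log tcp from "$onet" to any out via "$oif" setup
    rule allow ip from any to any
}

# Run directly: 'sh fw.sh show' prints the ruleset; FWCMD=/sbin/ipfw sh fw.sh load.
case "${1:-}" in
    show|load) firewall_rules ;;
esac
```

Run it with `sh fw.sh show` first and read the printed order top to bottom: the two anti-spoofing denies and the RFC1918 block come before `established`, the service rules use `setup` so only new connections to the listed ports are admitted, and the final logged deny-in is what feeds the "what are people looking for" analysis from step 8.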