From owner-freebsd-questions Fri Apr 20 15:53:41 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mtiwmhc27.worldnet.att.net (mtiwmhc27.worldnet.att.net [204.127.131.52]) by hub.freebsd.org (Postfix) with ESMTP id D2B4A37B43F for ; Fri, 20 Apr 2001 15:53:34 -0700 (PDT) (envelope-from parv@worldnet.att.net)
Received: from worldnet.att.net ([32.101.235.76]) by mtiwmhc27.worldnet.att.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20010420225324.HTJV4349.mtiwmhc27.worldnet.att.net@worldnet.att.net> for ; Fri, 20 Apr 2001 22:53:24 +0000
Received: by worldnet.att.net (Postfix, from userid 1001) id 81E1A19647; Fri, 20 Apr 2001 18:53:47 -0400 (EDT)
Date: Fri, 20 Apr 2001 18:53:47 -0400
From: parv
To: f-q
Subject: review ipf rules
Message-ID: <20010420185347.A26268@moo.holy.cow>
Mail-Followup-To: f-q
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

what do people think of the following ipf rules? they're for a standalone machine connected to the internet via ppp via modem, only sometimes. i want to run sshd as the only server connected to the internet, but at some point in the future. i am on the paranoid side as you may see below. of course, people will let me know if something is really redundant ... X is the only part that remains consistent whenever i get a dynamic ip. (i am using 4.3 rc as of apr 9 2001 ~9p est.)

thanks in advance, and below are the rules...
# 515::printer, 6000::X
# 23::telnet, 21::ftp, 25::smtp, 79::finger, 80::http, 110::pop3
# 22::ssh, 53::domain(ns), 58::xns-mail
# 587::(m)submission(a)

# somebody was/is trying to log on to port printer
# 211.114.48.40:3564
# cr930156-a.glph1.on.wave.home.com:1088
#block return-icmp(net-unr) in log body quick proto udp from 211.114.0.0/16 to any
#block return-rst in log body quick proto tcp from any to 211.114.0.0/16

# malformed and suspicious packets, on any interface
block in log body quick from any to any with short
block in log body quick from any to any with ipopts
block in log quick from any to any with opt lsrr
block in log quick from any to any with opt ssrr
block in log quick from any to any with frags
block in log quick proto tcp from any to any flags FUP
block in log quick proto tcp from any to any flags SF/SFRA
block in log quick proto tcp from any to any flags /SFRA

# private (RFC 1918) and loopback space in either direction, on any interface.
# written as plain rules rather than head 100 / group 100: a head rule that
# only matches one source net consults its group only for packets from that
# net, so the other three networks were never checked. 172.16.0.0 is a /12.
block in log body quick from 192.168.0.0/16 to any
block in log body quick from 172.16.0.0/12 to any
block in log body quick from 10.0.0.0/8 to any
block in log body quick from 127.0.0.0/8 to any
block in log body quick from any to 192.168.0.0/16
block in log body quick from any to 172.16.0.0/12
block in log body quick from any to 10.0.0.0/8
block in log body quick from any to 127.0.0.0/8
# if nothing applies, block and return icmp-replies (unreachable and rst)
#block return-icmp(net-unr) in log proto udp from any to any
#block return-rst in log proto tcp from any to any

# loopback: 127.0.0.0/8 is the whole loopback net (127.0.0.1/24 has host bits set)
block in on lo0 from any to any head 300
block out on lo0 from any to any head 500
pass in quick on lo0 proto tcp/udp from 127.0.0.0/8 to 127.0.0.0/8 keep state group 300
pass in quick on lo0 proto icmp from 127.0.0.0/8 to 127.0.0.0/8 keep state group 300
pass out quick on lo0 proto tcp/udp from 127.0.0.0/8 to 127.0.0.0/8 keep state group 500
pass out quick on lo0 proto icmp from 127.0.0.0/8 to 127.0.0.0/8 keep state group 500

# ppp link: inbound is blocked unless a group 200 rule passes it,
# outbound is blocked unless a group 400 rule passes it
block in log on tun0 from any to any head 200
block out on tun0 from any to any head 400

block return-icmp(net-unr) in log body quick on tun0 proto udp from any to any port = printer group 200
block return-rst in log body quick on tun0 proto tcp from any to any port = printer group 200
#block in log body quick on tun0 from any to any port = printer group 200
block in log body quick on tun0 from any to any port = ftp group 200
block in log body quick on tun0 from any to any port = finger group 200
block in log body quick on tun0 from any to any port = telnet group 200
block in log body quick on tun0 from any to any port = http group 200
block in log body quick on tun0 from any to any port = pop3 group 200
block in log body quick on tun0 from any to any port = smtp group 200
#
#block in log body quick on tun0 from any to any port = 53 group 200
#block in log body quick on tun0 from any to any port = ssh group 200
#
block in log body quick on tun0 from any to any port 5999 >< 6064 group 200
block in log body quick on tun0 from any to any port = xns-mail group 200
block in log body quick on tun0 from any to any port = 5432 group 200
pass in log on tun0 proto icmp from any to 0.0.0.0/0 icmp-type 0 keep state group 200
pass in log on tun0 proto icmp from any to X.0.0.0/8 icmp-type 3 keep state group 200
pass in log on tun0 proto icmp from any to X.0.0.0/8 icmp-type 11 keep state group 200
#pass in log on tun0 proto tcp/udp from any to X.0.0.0/8 keep state group 200

block out log body quick on tun0 from any to 192.168.0.0/16 group 400
block out log body quick on tun0 from any to 172.16.0.0/12 group 400
block out log body quick on tun0 from any to 127.0.0.0/8 group 400
block out log body quick on tun0 from 192.168.0.0/16 to any group 400
block out log body quick on tun0 from 172.16.0.0/12 to any group 400
block out log body quick on tun0 from 127.0.0.0/8 to any group 400
pass out quick on tun0 proto udp from 10.0.0.0/24 to /32 port = 53 keep state group 400
pass out quick on tun0 proto udp from 10.0.0.0/24 to /32 port = 53 keep state group 400
pass out log quick on tun0 proto udp from X.0.0.0/8 to any port 33433 >< 33465 keep state group 400
pass out log quick on tun0 proto icmp from X.0.0.0/8 to any icmp-type 8 keep state group 400
pass out on tun0 proto tcp/udp from X.0.0.0/8 to any keep state group 400
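The address mistakes that are easy to make in a ruleset like the one above (a private range written with the wrong prefix length, a loopback address with host bits set, a host name that fell out of a rule leaving a bare /32) are mechanical enough to check before loading the file. The following Python linter is an added example, not part of the original post and not a tool shipped with ipfilter; it reads ipf rule lines, pulls out the `from`/`to` address fields and reports those three problems. The rules it runs on are a constructed sample in the style of the post (a few of the original lines, not the whole set), and the `X.0.0.0/8` placeholder is skipped because it is not a numeric address.

```python
"""Lint the address fields of an ipfilter (ipf) ruleset.

Added example, not part of the original post. It flags:
  * a masked address whose host bits are set (127.0.0.1/24)
  * a private/loopback net written with a prefix that covers only part
    of the range (172.16.0.0/16 instead of /12)
  * a "/32" with no address in front of it (a host dropped from the rule)
Placeholders such as X.0.0.0/8 do not parse as addresses and are skipped.
"""
import ipaddress
import re

# Ranges a stand-alone host should never see on its external link, each with
# the prefix length that covers the whole range (RFC 1918 and loopback).
BOGON_RANGES = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# ipf address fields follow "from" and "to"; the \b keeps "proto" from
# matching as "...to".
ADDR_RE = re.compile(r"\b(from|to)\s+(\S+)")

# Constructed sample in the style of the posted rules (not the full ruleset).
SAMPLE_RULES = """\
block in log body quick from 192.168.0.0/16 to any head 100
block in log body quick from 172.16.0.0/16 to any group 100
block in log body quick from 10.0.0.0/8 to any group 100
pass in quick on lo0 proto tcp/udp from 127.0.0.1/24 to 127.0.0.1/24 keep state group 300
pass out quick on tun0 proto udp from 10.0.0.0/24 to /32 port = 53 keep state group 400
pass out on tun0 proto tcp/udp from X.0.0.0/8 to any keep state group 400
"""


def check_address(token):
    """Return a list of findings for one from/to token ("any" and bare hosts pass)."""
    findings = []
    if "/" not in token:
        return findings
    host, prefix = token.split("/", 1)
    if host == "":
        findings.append("missing address before /%s" % prefix)
        return findings
    try:
        # strict=False accepts host bits so they can be reported below
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return findings  # not a numeric address (e.g. the X.0.0.0/8 placeholder)
    if str(net.network_address) != host:
        findings.append("%s has host bits set (masked, it is %s)" % (token, net))
    for bogon in BOGON_RANGES:
        if (net.network_address == bogon.network_address
                and net.prefixlen != bogon.prefixlen):
            findings.append("%s covers only part of %s" % (token, bogon))
    return findings


def lint_rule(rule):
    """Findings for one rule, without duplicates (from and to may repeat a token)."""
    findings = []
    for _, token in ADDR_RE.findall(rule):
        for f in check_address(token):
            if f not in findings:
                findings.append(f)
    return findings


def lint_ruleset(text):
    """Return [(line_number, finding)] for every rule in an ipf.rules file body."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()  # drop comments and commented-out rules
        if rule:
            results.extend((lineno, f) for f in lint_rule(rule))
    return results


if __name__ == "__main__":
    for lineno, finding in lint_ruleset(SAMPLE_RULES):
        print("line %d: %s" % (lineno, finding))
```

Running it on the sample reports the /16 on 172.16.0.0, the host bits and short prefix on 127.0.0.1/24, the /24 slice of 10.0.0.0/8 and the empty address in `to /32`; the checker only looks at address fields, so `ipf -nf rules` (the syntax check in ipf itself) is still the step that catches everything else before the rules go live.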