Date:      Wed, 14 Feb 2001 00:20:20 -0800 (Pacific Standard Time)
From:      Joseph Stein <joes@joescanner.com>
To:        <freebsd-security@freebsd.org>
Subject:   ipfw rules
Message-ID:  <Pine.WNT.4.31.0102140008440.1164-100000@hood>

I'm looking for some peer-review to a firewall ruleset I've written based
on the O'Reilly book "Building Internet Firewalls" and the "default"
rc.firewall script

Here it is.  I would gladly accept any comments;  this is merely what
"works" on my system; if it breaks some paradigm, I'd like to hear about
why (please mail me privately, and I'll summarize if there is enough
interest).

I do have one specific question....

The last 20 or so lines are there specifically to allow ICQ to work
properly (I couldn't get ICQ to work successfully without them).  Any
ideas on how to eliminate some of that mess?

Any other ideas?

Thanks in advance,

joe
joes@joescanner.com (regardless of what the email header says)

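#!/bin/sh
#
# rc.firewall -- ipfw ruleset for a two-interface gateway
#                (outside interface ${oif}, inside interface ${iif})
#                that also runs natd for the inside network.
#
# Created 12-Feb-2001 by joes
# Edited  13-Feb-2001 by joes
#   * Looked at the bulk log output provided by a removed rule:
#     ${fwcmd} add 65000 deny log all from any to any
#     and reduced some of the logging overhead.  Added rules to
#     allow ICMP ECHO from this system and traceroute.  Denied some
#     "bogus" ports/services that are floating around on the "public"
#     side of my IP configuration.
#   * Collapsed the ten identical ICQ rule quartets into one loop over
#     ${icq_servers}; the rules are added in exactly the same order.
#
# Ordering matters: ipfw evaluates rules by number, first match wins, and
# rules added without an explicit number are appended in the order they
# appear in this file.  Rules that must precede the NAT divert (anti-spoof,
# bogon destinations) are deliberately placed above it; the bogon *source*
# checks come after it so that they see the already-translated packet.

# Suck in configuration.  source_rc_confs is defined by
# /etc/defaults/rc.conf and reads /etc/rc.conf on top of the defaults.
if [ -r /etc/defaults/rc.conf ]; then
   . /etc/defaults/rc.conf
   source_rc_confs
elif [ -r /etc/rc.conf ]; then
   . /etc/rc.conf
fi

# Quiet mode (ipfw -q, normally selected by the firewall_quiet rc.conf
# knob) is intentionally not used: every rule is echoed as it is added,
# which makes a broken rule easy to spot on the console.
fwcmd="/sbin/ipfw"

# Flush all rules so we don't corrupt something (-f: don't ask to confirm).
${fwcmd} -f flush

# Prototype Setup

# Outside interface setup
readonly oif="rl0"
readonly onet="64.6.196.0"
readonly omask="255.255.255.0"
readonly oip="64.6.196.149"

# Inside interface setup
readonly iif="dc0"
readonly inet="192.168.250.0"
readonly imask="255.255.255.0"
readonly iip="192.168.250.1"


# Only in rare cases do you want to change these rules:
# loopback is unrestricted; loopback addresses on any other interface are
# bogus and get logged.
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny log all from any to 127.0.0.0/8

# Allow VPN packets: tcp/udp 5555 in either direction on ${oip}, plus
# everything that travels over the tunnel interface itself.
${fwcmd} add 300 pass tcp from any to ${oip} 5555
${fwcmd} add 300 pass udp from any to ${oip} 5555
${fwcmd} add 300 pass tcp from ${oip} 5555 to any
${fwcmd} add 300 pass udp from ${oip} 5555 to any
${fwcmd} add 300 pass all from any to any via tun0

# Allow LAN packets: nothing below applies to the inside interface.
${fwcmd} add 400 pass all from any to any via ${iif}

# Stop spoofing: our inside net must never arrive on the outside
# interface, and our outside net must never arrive on the inside one.
${fwcmd} add deny log all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny log all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 destination addresses on the outside interface
${fwcmd} add deny log all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny log all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt nets (destination side)
${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}

# Silently drop DHCP client->server chatter on the outside interface
# (this was a major contributor to the log volume).
${fwcmd} add deny udp from any 68 to any 67 via ${oif}

# Turn on NATD.
# NOTE(review): natd_interface is not set in this file; it is presumably
# provided by rc.conf (sourced above).  If it is unset the rule ends in a
# bare "via" and ipfw will most likely reject it, leaving the inside net
# without NAT.  Confirm it is set and that it names ${oif}.
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 source addresses on the outside interface
${fwcmd} add deny log all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny log all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt nets (source side)
${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}

# Allow TCP through if setup succeeded.  "established" matches any TCP
# segment with ACK or RST set, so from here on only the connection *setup*
# (SYN) needs to be filtered per service.
${fwcmd} add pass tcp from any to any established

# Pass fragments (non-first fragments carry no port information).
${fwcmd} add pass all from any to any frag

# Pass e-mail
${fwcmd} add pass tcp from any to ${oip} 25 setup

# Allow access to DNS (tcp setup in, udp in both directions)
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
${fwcmd} add pass udp from any 53 to ${oip}

# Allow access to WWW (http and https)
${fwcmd} add pass tcp from any to ${oip} 80 setup
${fwcmd} add pass tcp from any to ${oip} 443 setup

# Allow access to sthelens www server.  The 192.168.250.12 rules match the
# post-NAT copy of inbound packets (natd rewrites the destination before
# the packet re-enters the ruleset); they carry no "setup" keyword, so any
# TCP segment to those ports is passed.
${fwcmd} add pass tcp from any to ${oip} 8080 setup
${fwcmd} add pass tcp from any to 192.168.250.12 8080 via ${oif}
${fwcmd} add pass tcp from any to 192.168.250.12 8070 via ${oif}

# Napster (again no "setup": all TCP to 6699 is passed, pre- and post-NAT)
${fwcmd} add pass tcp from any to ${oip} 6699
${fwcmd} add pass tcp from any to 192.168.250.14 6699 via ${oif}

# Allow SSH in from the outside (and out from this host).  No "setup"
# keyword, so every TCP segment to/from port 22 matches here.
${fwcmd} add pass tcp from any to ${oip} 22
${fwcmd} add pass tcp from ${oip} to any 22

# Reject and log all setup of incoming connections from the outside.
# Every inbound TCP service must be listed ABOVE this rule.
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Reject all SMB/NetBIOS connections from/to outside (not logged: noise)
${fwcmd} add deny udp from any to any 137 via ${oif}
${fwcmd} add deny udp from any to any 138 via ${oif}
${fwcmd} add deny udp from any to any 139 via ${oif}

# Deny all rwho/ruptime connections from/to outside
${fwcmd} add deny udp from any to any 513 via ${oif}

# Allow pinging out: echo request from us, echo reply back to us.
${fwcmd} add allow icmp from ${oip} to any via ${oif} icmptypes 8
${fwcmd} add allow icmp from any to ${oip} via ${oif} icmptypes 0

# Allow traceroute: high UDP ports out, time-exceeded and unreachable
# back in (types 11 and 3 are accepted from anywhere to anywhere).
${fwcmd} add allow udp from ${oip} to any 32767-65535 via ${oif}
${fwcmd} add allow icmp from any to any via ${oif} icmptypes 11
${fwcmd} add allow icmp from any to any via ${oif} icmptypes 3

# Deny 'PING' requests (ICMP type 8) -- our own outbound echo requests
# were already passed above, so this only affects inbound ones.
${fwcmd} add deny icmp from any to any via ${oif} icmptypes 8

# Deny attempts to hit port 631 from the outside with UDP packets.
# Protocol names are lower-case everywhere else in this file; the
# protocol lookup may be case-sensitive, so keep it consistent.
${fwcmd} add deny udp from any to any 631 via ${oif}

# Deny attempts to hit port 525 from the outside (timed)
${fwcmd} add deny all from any to any 525 via ${oif}

# Deny attempts to hit port 1604 from the outside (unknown)
${fwcmd} add deny all from any to any 1604 via ${oif}

# Deny attempts to hit port 1027 from the outside (unknown)
${fwcmd} add deny all from any to any 1027 via ${oif}

# Deny Protocol 2 (IGMP)
${fwcmd} add deny 2 from any to any via ${oif}

# Allow setup of any other TCP connection (inbound setups on ${oif} were
# already denied above, so this effectively permits outbound setups and
# anything arriving on other interfaces).
${fwcmd} add pass tcp from any to any setup

# Allow NTP queries out into the world
${fwcmd} add pass udp from any 123 to any via ${oif}
${fwcmd} add pass udp from any to any 123 via ${oif}

# Allow access to ICQ network.
# Every server gets the same four rules, so they are generated in a loop;
# the server order and the order within each quartet (udp out, udp in,
# tcp out, tcp in) match the original hand-written list exactly.
# NOTE(review): the inbound TCP rule of each quartet sits below both the
# "established" pass and the "deny ... in via ${oif} setup" rule, so it
# may never be reached -- check the hit counters in `ipfw show` before
# assuming it is needed.
icq_servers="205.188.153.111 205.188.153.98 205.188.153.100 205.188.153.102
205.188.153.105 205.188.153.107 205.188.153.109 205.188.3.160 205.188.3.176
64.12.162.57"
# ${icq_servers} is deliberately unquoted: word-splitting yields one
# address per iteration.
for icq in ${icq_servers}; do
   ${fwcmd} add pass udp from ${oip} 1024-65535 to ${icq} 4000
   ${fwcmd} add pass udp from ${icq} 4000 to ${oip} 1024-65535
   ${fwcmd} add pass tcp from ${oip} 1024-65535 to ${icq} 1024-65535
   ${fwcmd} add pass tcp from ${icq} 1024-65535 to ${oip} 1024-65535
done

# Anything not specifically listed above is denied by default
# (but not logged).  Uncomment the following line to log all
# remaining denied packets.

#${fwcmd} add deny log all from any to any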






