Date: Mon, 30 Nov 1998 19:19:45 +0500 (KGT)
From: CyberPsychotic <mlists@gizmo.kyrnet.kg>
To: John Paul Lonie <jp@zip.com.au>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW Sample rule sets
Message-ID: <Pine.LNX.4.05.9811301853160.1250-100000@gizmo.kyrnet.kg>
In-Reply-To: <4.1.19981201001727.00c5f5d0@pop3.zip.com.au>
~ Hello all,
~
~ I am wondering if anyone can point me to a list of sample IPFW rule sets.
~
~ Other than the ones in rc.firewall ;-)
~
Here's what I use. Not perfect (I would appreciate any hints even). But it
works for me fairly well.
Consider my scheme as follows:

                BSD
      --ed0--| box |--ppp-- internet

ed0, say, has IP 1.1.1.1 (net 255.255.255.0)
ppp0, say, has IP 1.1.2.1
1.1.3.1 is the IP of my secondary nameserver
add deny log all from 1.1.1.0:255.255.255.0 to any in via ppp0   <-- no spoof
add deny log all from 1.1.2.1:255.255.255.255 to any in via ed0
add deny all from 192.168.0.0:255.255.0.0 to any via ppp0        <-- no internal IP
add deny all from 172.16.0.0:255.240.0.0 to any via ppp0
add deny all from 10.0.0.0:255.0.0.0 to any via ppp0
add pass all from 1.1.1.2 to any        <-- I want this dude to do anything,
add pass all from any to 1.1.1.2        <-- including caring for his security
add deny udp from 1.1.1.3 137 to any    <-- there are some Windog machines in the lan
add deny udp from 1.1.1.3 138 to any    <-- which broadcast UDP/netbios packs, and thus
                                            fill my log with junk.
add pass tcp from any to any established    <-- any established conn. should go
add pass tcp from 1.1.2.1 to any            <-- I want to use all tcp stuff,
add pass tcp from 1.1.1.0/24 to any         <-- so my lan does.
add pass tcp from any to 1.1.2.1 25         <-- sendmail
add pass tcp from any to 1.1.1.1 25
add pass tcp from 1.1.3.1 to 1.1.1.1 53 setup
add pass tcp from any to 1.1.1.1 80         <-- web
add pass tcp from any to 1.1.2.1 80
add pass tcp from any to 1.1.2.1 1024-65535     <-- I don't run X so it should be
add pass tcp from any to 1.1.1.0/24 1024-65535  <-- quite safe, and allow non-passive ftp
add pass log tcp from any to 1.1.1.1 113 setup  <-- dunno why but I want to see
add pass log tcp from any to 1.1.2.1 113 setup  <-- who does ident lookups
add pass log tcp from any to 1.1.1.4 23 setup   <-- I want to allow telnet and
add pass tcp from any to 1.1.1.4 25 setup       <-- sendmail to some internal box
add pass udp from any to 1.1.2.1 53     <-- I had to allow this to make DNS work.
add pass udp from 1.1.2.1 to any 53     <-- not all UDP responses I want to be passed out.
add pass udp from 1.1.1.1 53 to any     <--
add pass udp from any to 1.1.1.4 53     <-- other box which will want DNS lookups.
add pass udp from 1.1.1.4 to any 53
add pass udp from any 53 to 1.1.1.1 1024-65535  <-- that's actually what I had to leave
add pass udp from any 53 to 1.1.1.4 1024-65535  <-- for allowing DNS query replies,
                                                    should be safe enough, right?
add pass udp from any 123 to 1.1.2.1    <-- timeserver
add pass udp from 1.1.2.1 to any 123
add pass udp from any 3130 to 1.1.2.1 3130  <-- squid things, not sure of this piece tho...
add pass udp from 1.1.2.1 3130 to any 3130
add pass icmp from 1.1.2.1 to any       <-- ICMP should not be dangerous, right?
add pass icmp from any to 1.1.2.1
add pass icmp from 1.1.1.4 to any
add pass icmp from any to 1.1.1.4
add pass log icmp from any to any       <-- others should also work, but I should
                                            know who tried it.
add deny log all from any to any        <-- everything else I want to have logged
                                            and denied.
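As an added example (not part of the original post, and not ipfw itself), here is a small Python first-match simulator for rules in this syntax, with the post's rules embedded as sample input (the NTP, squid, second ident and per-host ICMP lines are omitted). The `Packet` and `check` helpers are hypothetical, the packets fed to it are constructed, and the `established`/`setup` handling models ipfw's stateless TCP-flag tests (ACK or RST set; SYN set with ACK clear) rather than any connection table.

```python
import ipaddress
import re
from collections import namedtuple

# Rules transcribed from the post with the annotations stripped (the NTP, squid,
# second ident and per-host ICMP lines are omitted).  Order matters: ipfw stops
# at the first matching pass/deny rule.
RULESET = """\
deny log all from 1.1.1.0:255.255.255.0 to any in via ppp0
deny log all from 1.1.2.1:255.255.255.255 to any in via ed0
deny all from 192.168.0.0:255.255.0.0 to any via ppp0
deny all from 172.16.0.0:255.240.0.0 to any via ppp0
deny all from 10.0.0.0:255.0.0.0 to any via ppp0
pass all from 1.1.1.2 to any
pass all from any to 1.1.1.2
deny udp from 1.1.1.3 137 to any
deny udp from 1.1.1.3 138 to any
pass tcp from any to any established
pass tcp from 1.1.2.1 to any
pass tcp from 1.1.1.0/24 to any
pass tcp from any to 1.1.2.1 25
pass tcp from any to 1.1.1.1 25
pass tcp from 1.1.3.1 to 1.1.1.1 53 setup
pass tcp from any to 1.1.1.1 80
pass tcp from any to 1.1.2.1 80
pass tcp from any to 1.1.2.1 1024-65535
pass tcp from any to 1.1.1.0/24 1024-65535
pass log tcp from any to 1.1.1.1 113 setup
pass log tcp from any to 1.1.1.4 23 setup
pass tcp from any to 1.1.1.4 25 setup
pass udp from any to 1.1.2.1 53
pass udp from 1.1.2.1 to any 53
pass udp from 1.1.1.1 53 to any
pass udp from any to 1.1.1.4 53
pass udp from 1.1.1.4 to any 53
pass udp from any 53 to 1.1.1.1 1024-65535
pass log icmp from any to any
deny log all from any to any
"""

# Constructed packet (hypothetical helper): direction is relative to the box,
# iface is the interface the packet is seen on, syn/ack are the TCP flag bits.
Packet = namedtuple("Packet", "proto src dst sport dport iface direction syn ack",
                    defaults=(0, 0, "", "in", False, False))

def _addr(tok):
    # 'any' -> None; the old 'ip:mask' form, 'ip/len' and a bare host all become a network
    return None if tok == "any" else ipaddress.ip_network(tok.replace(":", "/"), strict=False)

def _ports(toks):
    # consume an optional 'port' or 'lo-hi' token; None means any port
    if toks and re.fullmatch(r"\d+(-\d+)?", toks[0]):
        lo, _, hi = toks.pop(0).partition("-")
        return range(int(lo), int(hi or lo) + 1)
    return None

def parse_rule(line):
    t = line.split()
    if t[0] == "add":
        t.pop(0)
    r = {"action": t.pop(0), "log": False, "direction": None, "via": None,
         "established": False, "setup": False}
    if t[0] == "log":
        r["log"] = True
        t.pop(0)
    r["proto"] = t.pop(0)
    assert t.pop(0) == "from"
    r["src"] = _addr(t.pop(0)); r["sports"] = _ports(t)
    assert t.pop(0) == "to"
    r["dst"] = _addr(t.pop(0)); r["dports"] = _ports(t)
    while t:                                   # trailing options
        o = t.pop(0)
        if o in ("in", "out"): r["direction"] = o
        elif o == "via": r["via"] = t.pop(0)
        elif o in ("established", "setup"): r[o] = True
        else: raise ValueError(f"unsupported option {o!r}: {line}")
    return r

def matches(r, p):
    # stateless match: every test is on the packet itself, there is no connection table
    ip = ipaddress.ip_address
    return ((r["proto"] == "all" or r["proto"] == p.proto)
            and (r["src"] is None or ip(p.src) in r["src"])
            and (r["dst"] is None or ip(p.dst) in r["dst"])
            and (r["sports"] is None or p.sport in r["sports"])
            and (r["dports"] is None or p.dport in r["dports"])
            and (r["direction"] is None or r["direction"] == p.direction)
            and (r["via"] is None or r["via"] == p.iface)
            and (not r["established"] or p.ack)              # ipfw: ACK (or RST) set
            and (not r["setup"] or (p.syn and not p.ack)))   # ipfw: SYN set, ACK clear

RULES = [parse_rule(line) for line in RULESET.splitlines()]

def evaluate(p, rules=RULES):
    """Return (rule number, action, logged?) of the first rule that matches p."""
    for i, r in enumerate(rules, 1):
        if matches(r, p):
            return i, r["action"], r["log"]
    return 0, "deny", False   # kernel default unless IPFIREWALL_DEFAULT_TO_ACCEPT is set

def check(**fields):
    """check(proto="tcp", src=..., dst=..., dport=..., iface=..., syn=True) -> (num, action, logged?)"""
    return evaluate(Packet(**fields))
```

Feed `check(...)` packets such as an inbound SYN to 1.1.1.1:80 (passes at the web rule), a telnet SYN to 1.1.1.1 (falls through to the final logged deny), a source-spoofed packet arriving on ppp0 (rule 1), or a DNS reply from port 53 to a high port on 1.1.1.1 (the "should be safe enough, right?" rule). Two things the walk-through makes visible: `pass all from any to 1.1.1.2` admits any protocol to that host before any port rule is reached, exactly as the post intends; and `established` in this ipfw is a flag test, not a state table, so an inbound packet with ACK set reaches port 23 on 1.1.1.1 via the established rule even though a SYN to the same port is denied.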
