From owner-freebsd-questions@FreeBSD.ORG Sat Feb 14 12:32:00 2004
Date: Sat, 14 Feb 2004 20:31:45 +0000
From: Matthew Seaman
To: Eric F Crist
cc: Barbish3@adelphia.net
cc: freebsd-questions@freebsd.org
Message-ID: <20040214203144.GA3904@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <200402141315.13710.ecrist@adtechintegrated.com>
References: <200402141247.13325.ecrist@adtechintegrated.com> <20040214185845.GA66227@falcon.midgard.homeip.net> <200402141315.13710.ecrist@adtechintegrated.com>
User-Agent: Mutt/1.5.6i
Subject: Re: IPFW ruleset not working... advice? WAS Re: Running processes...
On Sat, Feb 14, 2004 at 01:15:07PM -0600, Eric F Crist wrote:
> Hey, thanks! I changed all the rules so they read:
>
> allow ip from any to me
>
> and added the rule:
>
> allow ip from me to any at rule 50
>
> All seems to work now! Does anyone have any suggestions on how to make this
> system even tighter? Thanks.

Yes. Use the stateful rules feature. Instead of opening up outgoing
packets to everywhere, the keep-state rules dynamically open up a point
to point connection that remains open while traffic is flowing between
the two systems, and times out after traffic stops or the connection is
closed.

A very minimal partial ruleset to allow incoming SSH, HTTP, HTTPS, SMTP
and outgoing DNS lookups would look like:

    00100 check-state
    00200 deny log tcp from any to any established
    00300 allow tcp from any to me 22,25,80,443 keep-state in recv fxp0
    00400 allow udp from me to any 53 keep-state out xmit fxp0
    00500 deny log ip from any to any

[The 'in recv fxp0' and 'out xmit fxp0' stuff is optional: all it does
is filter packets according to what interface they are traversing and in
what direction. Remember to substitute the correct device name for your
network interface.]

Although at first sight, this would appear to block all tcp traffic
except for the first 'SYN' packet, and not permit any incoming UDP
traffic at all, the 'keep-state' flag in rules 00300 and 00400 generates
dynamic rules that permit packets to flow in response to the packet that
triggered them. Those rules are effectively inserted into the ruleset at
the 'check-state' line (or at the first occurring 'limit' or 'keep-state'
line).
Use 'ipfw -d list' to show all active dynamic rules.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
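A complete, loadable version of the stateful ruleset Matthew sketches, written as an added example for this archive page; it is not code from his post or from the FreeBSD rc.firewall script. It assumes a FreeBSD host with /sbin/ipfw and a single external interface (fxp0 by default, overridable through the OIF environment variable). Beyond the five rules in the post it adds loopback and 127/8 anti-spoofing rules, the 'setup' keyword on the TCP rule so that only SYN packets create state, and a small ICMP allowance (echo, unreachable, time exceeded) that the post does not mention; the function names emit_rules, load_rules and count_rules are this example's own. Setting FWCMD=echo prints the ipfw commands instead of loading them.

```shell
#!/bin/sh
# Stateful ipfw ruleset builder. Added example, not code from the original
# post. Assumptions: FreeBSD host, one external interface (OIF, default fxp0),
# /sbin/ipfw present. Set FWCMD=echo to preview instead of loading.

OIF="${OIF:-fxp0}"                 # assumed external interface name
IN_TCP="${IN_TCP:-22,25,80,443}"   # ssh, smtp, http, https, as in the post
FWCMD="${FWCMD:-/sbin/ipfw -q}"

# emit_rules: print the ruleset in evaluation order, one "add ..." per line.
# Dynamic rules created by keep-state are consulted at rule 00200, before the
# blanket deny of established TCP at 00300, so replies to the packets that
# created state get through and everything else is logged and dropped.
emit_rules() {
    cat <<EOF
add 00100 allow ip from any to any via lo0
add 00110 deny log ip from any to 127.0.0.0/8
add 00120 deny log ip from 127.0.0.0/8 to any
add 00200 check-state
add 00300 deny log tcp from any to any established
add 00400 allow tcp from any to me $IN_TCP in recv $OIF setup keep-state
add 00500 allow udp from me to any 53 out xmit $OIF keep-state
add 00600 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}

# load_rules: flush the current ruleset and load emit_rules into the kernel
# (or just echo each command when FWCMD=echo).
load_rules() {
    $FWCMD -f flush
    emit_rules | while read -r line; do
        # shellcheck disable=SC2086  # word splitting of $line is intended
        $FWCMD $line
    done
}

# count_rules: number of rules emit_rules produces, for a sanity check of the
# generated list before loading it.
count_rules() {
    emit_rules | wc -l | tr -d ' '
}

# Usage: ./stateful-ipfw.sh show | load
case "${1:-show}" in
    load) load_rules ;;
    *)    emit_rules ;;
esac
```

Preview with `FWCMD=echo ./stateful-ipfw.sh load`, load with `./stateful-ipfw.sh load` as root, and then watch the dynamic entries appear and expire with `ipfw -d list` while an SSH session or a DNS lookup is in flight. Because the TCP rule carries 'setup', a stray ACK or RST that reaches rule 00300 without matching state is logged rather than silently creating a new entry.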