Date:      Thu, 25 Apr 2002 16:52:47 -0700
From:      "Drew Tomlinson" <drew@mykitchentable.net>
To:        <security@freebsd.org>
Subject:   Stateful IPFW Firewall Assistance
Message-ID:  <020501c1ecb4$4e21a220$6e2a6ba5@lc.ca.gov>

I'm trying to fine-tune my firewall and am hoping for a little advice
regarding stateful behavior.  I built this rule set based upon an
example by Peter Brezny I found on the web, so it may look familiar.

Here's my current network setup:

                  ISP
                   |
                   | Public DHCP address
                   |
           3Com ADSL Modem/Router
(Router performs NAT and passes packets to 10.2 by default)
                   | (192.168.10.1)
                   |
                   |
                   | (ed1 192.168.10.2)
              FBSD Gateway
                   | (ed0 192.168.1.2)
                   |
                   |
              Internal LAN

And here are my current firewall rules:

00100 allow ip from any to any via lo0
00200 deny log ip from any to 127.0.0.0/8
00300 deny log ip from 192.168.1.0/24 to any in recv ed1
00400 deny log ip from not 192.168.1.0/24 to any in recv ed0
00500 allow tcp from any to any established
00600 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993 setup
00700 allow tcp from any to 192.168.10.2 21,22 setup
00800 allow icmp from any to any icmptype 3,4,11,12
00900 allow icmp from any to any out icmptype 8
01000 allow icmp from any to any in icmptype 0
01100 reset log tcp from any to any 113
01200 allow udp from 206.13.19.133 123 to 192.168.10.2 123
01300 allow udp from 165.227.1.1 123 to 192.168.10.2 123
01400 allow udp from 63.192.96.2 123 to 192.168.10.2 123
01500 allow udp from 63.192.96.3 123 to 192.168.10.2 123
01600 allow udp from 132.239.254.49 123 to 192.168.10.2 123
01700 allow udp from 192.168.10.1 to any
01800 allow udp from any to 192.168.10.1
01900 check-state
02000 allow ip from 192.168.10.2 to any keep-state out xmit ed1
02100 allow ip from 192.168.1.0/24 to any keep-state via ed0
65500 deny log ip from any to any

In reading the ipfw man page, it tells me that "established" matches any
packet that has the RST or ACK bit set, which is normal TCP traffic.
However, this seems like it would be pretty easy to fake.  In this case,
my rule 00500 leaves me pretty wide open?  My thought is to change rules
00500-00700 to use check-state and keep-state so the rules look like
this:

00450 check-state
00500 deny tcp from any to any established
00600 allow tcp from any to 192.168.1.0/24 21,22,25,80,143,389,443,993 setup keep-state
00700 allow tcp from any to 192.168.10.2 21,22 setup keep-state

However, I don't understand how this will affect the rest of the rules,
especially 01900-02000.  I'd appreciate any comments on this issue.

Thanks,

Drew

