Date: Mon, 27 Mar 2000 12:41:45 -0800 (PST)
From: Bigby Findrake <bigby@ephemeron.org>
To: Blake Matheny <matheny@bussert.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall Rules
Message-ID: <Pine.BSF.4.21.0003271231530.11423-100000@home.ephemeron.org>
In-Reply-To: <Pine.BSF.4.10.10003271156080.30553-100000@arf.bussert.com>
On Mon, 27 Mar 2000, Blake Matheny wrote:

> I have a standard dual homed firewall that has the following options
> compiled in the kernel:
>
> options IPFIREWALL
> options IPFIREWALL_FORWARD
> options IPDIVERT
>
> I added the following rule to my firewall rules list to disallow 1
> workstation from having access to the internet:
>
> ipfw add deny tcp from 192.168.2.1/24 to any setup
> ipfw add deny tcp from 192.168.2.1/24 to any
>
> This machine is running nat and routed. Although these rules are loaded as
> shown by ipfw list this machine still has access to the internet, is this
> a flaw in my syntax, implementation, or what? Thanks.

1. The above rules don't cover udp packets. You should use the keywords
   "ip" or "all" instead of "tcp" if you wanted to block all traffic.

2. Rule #1 is covered by rule #2, i.e. it's unnecessary.

3. The above rules only cover machines whose IPs' first 24 bits come out
   to be 192.168.2. If your target machine's IP does not start out with
   192.168.2 then your implementation is flawed.

What is the target's IP address? How do you know that the target is
accessing the internet through the firewall?

Those rules don't do what you think they do, but they should prevent a good
amount of internet traffic, given that the IP address of the target is in
the right range. Unless you have specialized needs, you might want to
consider using 2 rules, one that blocks incoming to the target and one that
blocks outgoing from the target, such as:

ipfw add 10000 deny all from 192.168.2.1/24 to any
ipfw add 11000 deny all from any to 192.168.2.1/24

Those are pretty general rules (i.e. they cover a lot of ground), and you
might not want to block that much traffic.

/-------------------------------------------------------------------------/
Under deadline pressure for the next week. If you want something, it can
wait. Unless it's blind screaming paroxysmally hedonistic ...
finger bigby@ephemeron.org for my pgpkey
or http://home.ephemeron.org/~bigby/pgp_key.txt
e-mail bigby@pager.ephemeron.org to page me
/-------------------------------------------------------------------------/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
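The reply's third point is that `192.168.2.1/24` matches every host whose first 24 bits are 192.168.2, not just the one workstation. The script below is an added example, not code from the thread or from FreeBSD: it checks whether a given address falls inside an address/prefix specification the way ipfw compares it, and prints the two-rule "deny all" set from the reply for whatever specification is passed (a bare `host/32` narrows it to a single machine). The workstation addresses used are constructed for illustration, and ipfw itself is never invoked; the rules are only printed.

```shell
#!/bin/sh
# Added example: reason about ipfw address/prefix matching offline.
# Assumption: no ipfw on the box running this; rules are printed, not loaded.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet ADDR NET/PREFIX -> exit status 0 if ADDR matches, 1 otherwise.
# This is the comparison ipfw performs for "from NET/PREFIX": only the
# first PREFIX bits of the address are compared, the rest are ignored.
in_subnet() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# block_rules SPEC -> print the two-rule deny set from the reply for SPEC.
# Using "all" instead of "tcp" covers udp and icmp as well; using a /32
# instead of a /24 limits the block to one host.
block_rules() {
    echo "ipfw add 10000 deny all from $1 to any"
    echo "ipfw add 11000 deny all from any to $1"
}

# Constructed sample: which of these workstations would the /24 rule hit?
for host in 192.168.2.57 192.168.2.200 192.168.3.5; do
    if in_subnet "$host" 192.168.2.1/24; then
        echo "$host: matched by 192.168.2.1/24"
    else
        echo "$host: NOT matched by 192.168.2.1/24"
    fi
done

echo "--- rules to cut off only 192.168.2.57 ---"
block_rules 192.168.2.57/32
```

Run it as `sh check_rules.sh`; the first two constructed hosts match the /24 and the third does not, which is exactly why the original rules either hit more machines than intended or miss the target entirely if its address is outside 192.168.2.0/24.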