From: Nate Williams <nate@yogotech.com>
Date: Thu, 16 Jan 2003 16:05:07 -0700
To: "."@babolo.ru
Cc: Josh Brooks, Sean Chittenden, freebsd-hackers@FreeBSD.ORG, nate@yogotech.com
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <15911.15011.409213.712266@emerger.yogotech.com>
In-Reply-To: <200301162254.h0GMsfLs001559@aaz.links.ru>
References: <20030116124254.J9642-100000@mail.econolodgetulsa.com> <200301162254.h0GMsfLs001559@aaz.links.ru>

> Try this simple ruleset:
>
> possible deny log tcp from any to any setup tcpoptions !mss
>
> ipfw add allow ip from any to any out
> ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> ipfw add deny log ip from any to any

I'd limit these to the outside interface, for performance reasons.

# Whatever the interface is...
outif="fxp0"
ipfw add allow ip from any to any out via ${outif}
ipfw add allow ip from any to your.c.net{x,y,z,so on...} via ${outif}
ipfw add deny log ip from any to any via ${outif}
etc...

Or, you could do:

# The internal interface is not filtered
intif="fxp1"
ipfw add allow all from any to any via ${intif}

# Everything else only applies to the external interface
ipfw add allow ip from any to any out
ipfw add allow ip from any to your.c.net{x,y,z,so on...}
ipfw add deny log ip from any to any

Nate
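The interface-bound ruleset from the reply, as an added shell example that is not part of the original mail: it generates the `ipfw add` lines for one outside interface and a list of protected hosts as a dry run, so the rules can be reviewed and counted before being loaded. The interface name and host addresses are constructed placeholders standing in for "your.c.net{x,y,z}".

```shell
#!/bin/sh
# Added example, not from the mail: emit an ipfw ruleset whose rules are all
# bound to the outside interface with "via", as the reply recommends.
# OUTIF and HOSTS are constructed placeholders; substitute your own.

OUTIF="fxp0"
HOSTS="192.0.2.10 192.0.2.11 192.0.2.12"   # constructed sample hosts

# Print the ruleset for $1 (outside interface) and $2 (space-separated hosts).
# Rule numbers step by 100 so extra rules can be slotted in later.
build_ruleset() {
    outif=$1
    hosts=$2
    n=100
    # The mail's "possible" rule: log and drop TCP connection attempts that
    # carry no MSS option, which normal client stacks always send.
    printf 'ipfw add %d deny log tcp from any to any setup tcpoptions !mss via %s\n' "$n" "$outif"
    n=$((n + 100))
    # Anything leaving through the outside interface is allowed.
    printf 'ipfw add %d allow ip from any to any out via %s\n' "$n" "$outif"
    n=$((n + 100))
    # One allow rule per protected host, each bound to the outside interface.
    for h in $hosts; do
        printf 'ipfw add %d allow ip from any to %s via %s\n' "$n" "$h" "$outif"
        n=$((n + 100))
    done
    # Whatever remains on the outside interface is denied and logged.
    printf 'ipfw add %d deny log ip from any to any via %s\n' "$n" "$outif"
}

# Number of rules the ruleset contains: a quick sanity check before loading.
rule_count() {
    build_ruleset "$1" "$2" | wc -l | tr -d ' '
}

# Dry run: print the commands rather than executing them. Once reviewed,
# load with:  build_ruleset "$OUTIF" "$HOSTS" | sh   (as root, ipfw in PATH)
build_ruleset "$OUTIF" "$HOSTS"
```

Traffic on the inside interface never matches these rules, which is the performance point of the reply; the second variant in the mail (an unconditional allow on the internal interface) achieves the same with one extra rule.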