Date:      Sun, 25 Mar 2001 13:59:39 -0500
From:      Graywane <graywane@home.com>
To:        Randy Bush <randy@psg.com>
Cc:        FreeBSD Stable <freebsd-stable@FreeBSD.ORG>
Subject:   Re: ipf idiot wants to roam
Message-ID:  <20010325135939.A31237@home.com>
In-Reply-To: <E14hExB-0003q8-00@rip.psg.com>; from randy@psg.com on Sun, Mar 25, 2001 at 10:09:25AM -0800
References:  <E14hExB-0003q8-00@rip.psg.com>


On Sun, Mar 25, 2001 at 10:09:25AM -0800, Randy Bush wrote:
> # reserved addresses
> #
> block in  log first quick from 10.0.0.0/8 to any
> block in  log first quick from 192.168.0.0/16 to any
> block in  log first quick from 172.16.0.0/12 to any
> #
> # loopback allows all packets
> #
> pass  in            quick on lo0 all
> pass  out           quick on lo0 all

I'd put lo0 at the top of your rules file and add the following to your
reserved addresses blocking:

  127.0.0.0/8
  0.0.0.0/8
  169.254.0.0/16
  192.0.2.0/24
  204.152.64.0/23
  224.0.0.0/3
The last entry may not be appropriate if you multicast.

> # Support all icmp connections initiated from inside
> #
> pass  in  log first quick proto icmp all keep state

This rule doesn't match the comment. You want to keep state on the "out"
icmp packets and block the "in" icmp packets. However, you should be aware
of the consequences of blocking too many ICMP packet types. ICMP is there
for a reason. You can usually get away with blocking incoming redir, echo,
and 13,15,17 ICMP types. You may want to allow the rest.

> pass  in	    quick proto udp from any to any port = 67  # dhcps
> pass  in	    quick proto udp from any to any port = 68  # dhcpc

You want to allow incoming packets from your dhcp server's bootps port to
your bootpc port. You probably don't want to allow everyone in the world to
connect to your bootps and bootpc ports.

> pass  in	    quick proto udp from any to any port = 123 # ntp

Not necessary if you are only using NTP and not creating a server. Just
allow outgoing UDP with keep state.

> pass  in	    quick proto tcp from any to any port = 113 # ident

You probably want to add something like "flags S/SFRA" to the end of
incoming tcp pass rules.

> # Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
> #
> pass  in  log first quick proto tcp all flags S/SA keep state

Here again your comment says "outgoing" but your rule applies to incoming.

> # return RST packets for invalid SYN packets to help the other end close
> block return-rst in log first proto tcp from any to any flags S/SA

You just allowed all of these packets several lines before here so this rule
will never be used.

There are likely other problems but this should be enough to get you
started. Basically you want to only use "pass in" for connections initiated
on another machine to a service you provide. You then keep state on outgoing
tcp/udp connections which handles return traffic to you.

-- 
Note: See http://www.members.home.net/graywane/ for PGP information.

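The points raised above (loopback first, a fuller reserved-address list, state kept on outgoing rather than incoming traffic, DHCP limited to the server's bootps port, `flags S/SFRA` on inbound TCP pass rules, and a final block that the earlier pass rule no longer shadows) pulled together into one ipf ruleset. This is an added example, not Randy's ruleset or anything from the original reply; every rule carries `quick` so that reading order is match order, and `DHCP_SERVER` is a placeholder to be replaced with the real DHCP server address (ipf wants an address or hostname there).

```conf
# --- loopback first: everything on lo0 is trusted ---
pass in  quick on lo0 all
pass out quick on lo0 all

# --- reserved / bogus source addresses: never valid on the wire ---
block in log first quick from 10.0.0.0/8      to any
block in log first quick from 172.16.0.0/12   to any
block in log first quick from 192.168.0.0/16  to any
block in log first quick from 127.0.0.0/8     to any
block in log first quick from 0.0.0.0/8       to any
block in log first quick from 169.254.0.0/16  to any
block in log first quick from 192.0.2.0/24    to any
block in log first quick from 204.152.64.0/23 to any
block in log first quick from 224.0.0.0/3     to any   # drop this line if you multicast

# --- ICMP: keep state on what we send; trim a few inbound types, allow the rest ---
pass  out quick proto icmp all keep state
block in  log first quick proto icmp from any to any icmp-type redir   # redirect
block in  log first quick proto icmp from any to any icmp-type echo    # echo request
block in  log first quick proto icmp from any to any icmp-type 13      # timestamp request
block in  log first quick proto icmp from any to any icmp-type 15      # information request
block in  log first quick proto icmp from any to any icmp-type 17      # address mask request
pass  in  quick proto icmp all

# --- DHCP: only our server's bootps port talking to our bootpc port ---
# DHCP_SERVER is a placeholder: put your DHCP server's address here
pass in quick proto udp from DHCP_SERVER port = 67 to any port = 68

# --- NTP as a client needs no inbound rule; the UDP keep state below covers replies ---

# --- services we actually offer: ident is the only inbound TCP here ---
pass in quick proto tcp from any to any port = 113 flags S/SFRA keep state

# --- outgoing connections: state entries let the replies back in ---
pass out quick proto tcp all flags S/SA keep state
pass out quick proto udp all keep state

# --- everything else inbound: RST for stray SYNs, silent drop for the rest ---
block return-rst in log first quick proto tcp all flags S/SA
block in log first quick all
```

Because every rule is `quick`, the `block return-rst` line is now reachable: the only earlier TCP pass rules are the ident rule and the `pass out` rule, so an inbound SYN to any other port falls through to it. If you prefer ipf's default last-match semantics, drop `quick` and reverse the order of the blocks so that the specific rules come after the catch-all.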
