From owner-freebsd-questions@FreeBSD.ORG Tue Jul 11 03:16:36 2006
Date: Tue, 11 Jul 2006 13:16:21 +1000
From: Nick Withers <nick@nickwithers.com>
To: Ensel Sharon
Cc: freebsd-questions@freebsd.org
Message-Id: <20060711131621.2826f0b5.nick@nickwithers.com>
Organization: nickwithers.com
X-Mailer: Sylpheed version 2.2.6 (GTK+ 2.8.20; i386-portbld-freebsd6.1)
Subject: Re: Sanity-check for my (working) ipfw rules please...
On Mon, 10 Jul 2006 18:38:51 -0400 (EDT) Ensel Sharon wrote:

> My individual hosts have a set of firewall rules on each of them that
> looks like this:
>
> /sbin/ipfw add 00010 allow ip from any to any via lo0
> /sbin/ipfw add 00020 deny ip from any to 127.0.0.0/8
>
> /sbin/ipfw add 00100 count ip from any to any via em0 in
> /sbin/ipfw add 00100 count ip from any to any via em0 out

Note the double-up of rule numbers here... Don't know if you care, but
thought I'd point it out.

> /sbin/ipfw add 01000 allow tcp from any to any established
>
> /sbin/ipfw add 01010 deny tcp from any to any tcpflags syn tcpoptions !mss
> /sbin/ipfw add 01011 deny icmp from any to any icmptypes 4,5,9,10,12,13,14,15,16,17,18
> /sbin/ipfw add 01012 deny tcp from any to any tcpflags syn,fin
> /sbin/ipfw add 01013 deny tcp from any to any tcpflags fin,psh,rst,urg
>
> /sbin/ipfw add 02001 allow udp from 10.10.10.10 to any 53
> /sbin/ipfw add 02002 allow udp from any 53 to 10.10.10.10
> /sbin/ipfw add 02003 allow tcp from any to 10.10.10.10 21,22,80,443 setup
> /sbin/ipfw add 02009 deny ip from any to 10.10.10.10
>
> Easy. Some standard loopback lines, count traffic on the interface, allow
> established, block out obvious offenders (xmas tree, syn/fin, etc.) and
> then open up the ports I need and block everything else. Easy. It works
> great.
>
> Two questions: is it appropriate to have line 01000 above all of my
> bad-behavior lines? That is, by allowing all established, is it possible
> that some of those bad tcp packets could be let in before they hit my
> bad-behavior block of ipfw rules? Or are all of those bad behaviors
> inconsistent with being an established tcp session?
As Chuck Swiger pointed out in an earlier reply, you're probably better off
moving the rule down below your naughty packet checking.

> Second, are there any other bad-behavior blocks I should put into my list?

How about:

        deny tcp from any to any tcpflags fin,urg,psh
        deny tcp from any to any tcpflags syn,fin,rst,ack
        deny tcp from any to any tcpflags '!syn,!fin,!ack'

(rorted from a posting at http://support.daemonnews.org/viewtopic.php?p=846,
I have to admit that I haven't myself actually checked that these are
correct and therefore don't use them myself)

and

        deny all from 10.0.0.0/8 to any in via
        deny all from 203.219.206.72/30 to any in via
        deny all from any to 0.0.0.0/8 via
        deny all from any to 169.254.0.0/16 via
        deny all from any to 192.0.2.0/24 via
        deny all from any to 198.18.0.0/15 via
        deny all from any to 224.0.0.0/4 via
        deny all from any to 240.0.0.0/4 via
        deny all from any to 172.16.0.0 via
        deny all from any to 192.168.0.0/16 via
        deny all from 0.0.0.0/8 to any via
        deny all from 169.254.0.0/16 to any via
        deny all from 192.0.2.0/24 to any via
        deny all from 198.18.0.0/15 to any via
        deny all from 224.0.0.0/4 to any via
        deny all from 240.0.0.0/4 to any via
        deny all from 172.16.0.0 to any via
        deny all from 192.168.0.0/16 to any via

> Thanks!

-- 
Nick Withers

email: nick@nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446