From owner-freebsd-hackers Thu Jan 16 15:42:40 2003
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6C63037B401 for ; Thu, 16 Jan 2003 15:42:38 -0800 (PST)
Received: from aaz.links.ru (aaz.links.ru [193.125.152.37]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6F0BC43ED8 for ; Thu, 16 Jan 2003 15:42:37 -0800 (PST) (envelope-from babolo@aaz.links.ru)
Received: from aaz.links.ru (aaz.links.ru [193.125.152.37]) by aaz.links.ru (8.12.6/8.12.6) with ESMTP id h0GNiIiI002531; Fri, 17 Jan 2003 02:44:19 +0300 (MSK) (envelope-from babolo@aaz.links.ru)
Received: (from babolo@localhost) by aaz.links.ru (8.12.6/8.12.6/Submit) id h0GNiIZk002530; Fri, 17 Jan 2003 02:44:18 +0300 (MSK)
Message-Id: <200301162344.h0GNiIZk002530@aaz.links.ru>
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
X-ELM-OSV: (Our standard violations) hdr-charset=KOI8-R; no-hdr-encoding=1
In-Reply-To: <15911.15011.409213.712266@emerger.yogotech.com>
To: Nate Williams
Date: Fri, 17 Jan 2003 02:44:18 +0300 (MSK)
From: "."@babolo.ru
Cc: "."@babolo.ru, Josh Brooks , Sean Chittenden , freebsd-hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL99b (25)]
MIME-Version: 1.0
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.ORG

> > Try this simple ruleset:
> >
> > possible deny log tcp from any to any setup tcpoptions !mss
> >
> > ipfw add allow ip from any to any out
> > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > ipfw add deny log ip from any to any
>
> I'd limit these to the outside interface, for performance rules.
>
> # Whatever the interface is...
> outif="fxp0"
> ipfw add allow ip from any to any out via ${outif}
> ipfw add allow ip from any to your.c.net{x,y,z,so on...} via ${outif}
> ipfw add deny log ip from any to any via ${outif}
>
> etc...
Your above ruleset seems to be correct ... if you add some rule for outgoing traffic.
I was too fast and kept in mind only incoming traffic.

Effectiveness depends on the number of interfaces.
If I remember right, one external and one internal.
If so, the ruleset without interfaces defined for the allow rules is not worse than the one with interfaces, IMHO.

> Or, you could do.
> # The internal interface is not filtered
> intif="fxp1"
> ipfw add allow all from any to any via ${intif}
>
> # Everything else only applies to the external interface
> ipfw add allow ip from any to any out
> ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> ipfw add deny log ip from any to any

Agreed

> Nate
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message

-- 
@BABOLO http://links.ru/
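The two-interface ruleset the thread settles on, written out as a complete rc-style script. This is an added example, not code from the thread or from FreeBSD's own rc.firewall. It assumes fxp0 is the external and fxp1 the internal interface, uses 192.0.2.10 and 192.0.2.11 as constructed stand-ins for your.c.net{x,y,z,...}, and supplies the "rule for outgoing traffic" the reply says is still missing as a keep-state/check-state pair, so that replies to connections opened from the inside get back through the external interface without having to be in the allow-in list. Rule numbers are chosen here, not taken from the thread.

```shell
#!/bin/sh
# Two-interface ipfw ruleset (added example; assumptions: fxp0 outside,
# fxp1 inside, sample host list below). Run as root with "load" to
# install the rules; any other argument, or none, only prints them.

fwcmd="${fwcmd:-/sbin/ipfw}"   # set fwcmd=echo to print instead of load
extif="${extif:-fxp0}"         # external (filtered) interface
intif="${intif:-fxp1}"         # internal (unfiltered) interface
# Hosts reachable from the outside; constructed sample addresses standing
# in for your.c.net{x,y,z,...}.
reachable="192.0.2.10 192.0.2.11"

build_ruleset() {
    # Start from an empty chain so re-running does not append duplicates.
    $fwcmd -q flush

    # 100: nothing crossing the internal interface is filtered at all.
    $fwcmd add 100 allow ip from any to any via "$intif"

    # 200: everything leaving through the external interface is allowed;
    # keep-state records the flow so its replies are accepted below.
    $fwcmd add 200 allow ip from any to any out via "$extif" keep-state

    # 250: accept packets belonging to a flow recorded by rule 200.
    $fwcmd add 250 check-state

    # 300+: unsolicited inbound on the external interface only to the
    # listed hosts.
    n=300
    for h in $reachable; do
        $fwcmd add "$n" allow ip from any to "$h" in via "$extif"
        n=$((n + 1))
    done

    # 65000: anything else crossing the external interface is logged
    # and dropped. Rule 65535 (the kernel default) is never reached.
    $fwcmd add 65000 deny log ip from any to any via "$extif"
}

case "${1:-show}" in
    load) build_ruleset ;;
    *)    ( fwcmd=echo; build_ruleset ) ;;
esac
```

`sh firewall.sh` prints the rules that would be loaded; `sh firewall.sh load` installs them. Rule 100 still passes anything the internal side sends, including spoofed source addresses, and the deny in rule 65000 logs every unsolicited packet, so on a busy external link consider `sysctl net.inet.ip.fw.verbose_limit` to bound the log volume.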