From owner-freebsd-questions Sun Aug 20 1:11:43 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (zoom0-038.telepath.com [216.14.0.38]) by hub.freebsd.org (Postfix) with SMTP id 29A2E37B422 for ; Sun, 20 Aug 2000 01:11:35 -0700 (PDT)
Received: (qmail 77783 invoked by uid 100); 20 Aug 2000 08:11:34 -0000
From: Mike Meyer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14751.37558.138117.824578@guru.mired.org>
Date: Sun, 20 Aug 2000 03:11:34 -0500 (CDT)
To: Steve Lewis
Cc: Bill McMilleon , questions@FreeBSD.ORG
Subject: Re: hardening my nat/firewall rules
In-Reply-To:
References: <14751.2479.923607.828576@guru.mired.org>
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Steve Lewis writes:
> On Sat, 19 Aug 2000, Mike Meyer wrote:
> > > # I didn't know how to proceed here, but this works for now
> > > add allow ip from any to any
> > No. Never. The safe behavior is to deny everything you don't
> > specifically allow, not to allow everything you don't specifically
> > deny.
> > Use "add deny log ip from any to any" as the last rule. This turns off
> > everything else, and logs what happened. Check the logs regularly. If
> > something doesn't work, check the logs to see what's being blocked,
> > and then enable that.
> while defaulting to deny is safer, that doesn't make any sense to just
> replace his rule without forethought because at no point does he
> allow/pass any packets IIRC... he always skips to the divert. Now he has
> to add rules to allow any packets which were skipped before... THEN he can
> add the default deny rule.

All correct - you can't replace it without possibly breaking something.
On the other hand, doing that replace and watching the log if something
fails is the quickest way to find something you had overlooked. This way
is safer, which is why it qualifies as "hardening".

> am I missing anything?

Actually, we both did. If the default is to divert everything to natd,
then the default for ipfw doesn't matter. I'd make it "deny all" just
because the exposure if you goof is lower.

I've not dealt with natd much, so I skipped it. However, in this case
I'd say take the same route - deny and log everything you don't
explicitly allow.
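As an added example (not part of this message, the original poster's rules, or FreeBSD's rc.firewall), the shell script below shows the shape of the ruleset the thread ends up recommending: explicit allow rules, the divert to natd ahead of them, and "deny log ip from any to any" as the last rule, with the "allow ip from any to any" catch-all gone. It prints the rules rather than loading them so they can be reviewed first, flags a catch-all allow if one is still present, and summarizes the kernel's "Deny" log lines so you can see what the last rule is blocking and decide what to open up. The interface name ed0, the 192.168.1.0/24 inside network, the ports and rule numbers are assumptions, and the log lines are constructed samples in the FreeBSD 4 ipfw log format, not real traffic.

```sh
#!/bin/sh
# Added example, not code from the original thread or from FreeBSD.
# Interface, addresses, ports and rule numbers are assumptions.

EXT_IF="ed0"              # assumed outside interface that natd works on
INT_NET="192.168.1.0/24"  # assumed inside network

# Emit a default-deny ruleset. Anything not matched by an allow rule falls
# through to rule 65000 and is denied and logged. The divert sits before the
# allow rules so packets are checked after translation as well.
# Note: "established" admits any packet with ACK or RST set, so it lets
# ACK-probes through; ipfw's keep-state (FreeBSD 4.0 and later) is tighter.
ipfw_rules() {
    cat <<EOF
flush
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 divert natd ip from any to any via $EXT_IF
add 400 allow tcp from any to any established
add 500 allow tcp from $INT_NET to any setup
add 600 allow udp from $INT_NET to any 53
add 700 allow udp from any 53 to $INT_NET
add 800 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}

# Count unconditional "allow ip from any to any" rules in a ruleset given as
# a string. One of these at the bottom makes every deny above it the only
# thing that matters; a default deny can't coexist with it.
allow_all_count() {
    printf '%s\n' "$1" | grep -c -E '^add( [0-9]+)? allow ip from any to any$' || true
}

# Constructed sample of what the kernel logs when a "log" rule fires
# (shape: "ipfw: RULE Deny PROTO SRC DST in|out via IF"). Hosts are made up.
SAMPLE_LOG='Aug 20 03:11:34 guru /kernel: ipfw: 65000 Deny TCP 10.0.0.5:4321 192.168.1.10:22 in via ed0
Aug 20 03:11:35 guru /kernel: ipfw: 65000 Deny UDP 192.168.1.10:1025 10.0.0.9:123 out via ed0
Aug 20 03:11:36 guru /kernel: ipfw: 65000 Deny UDP 192.168.1.10:1026 10.0.0.9:123 out via ed0
Aug 20 03:11:37 guru /kernel: ipfw: 65000 Deny ICMP:8.0 10.0.0.7 192.168.1.10 in via ed0'

# Summarize denied traffic as "count rule proto dst direction iface", most
# frequent first, so the thing you forgot to allow (here: outbound NTP from
# the inside) stands out from background noise (here: an inbound ssh probe).
denied_summary() {
    printf '%s\n' "$1" | awk '
        /ipfw: [0-9]+ Deny/ {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i+1); proto = $(i+3); dst = $(i+5); dir = $(i+6); ifn = $(i+8)
            key = rule " " proto " " dst " " dir " " ifn
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}
```

To use it, save the output of ipfw_rules to a file and load it with ipfw's file argument (ipfw /etc/ipfw.rules), from the console rather than over the network: between the flush and the allow rules the kernel's own default rule is all that applies, and on a default-deny kernel that cuts off a remote session. The "log" keyword only produces lines when net.inet.ip.fw.verbose is 1 (IPFIREWALL_VERBOSE in the kernel config), and net.inet.ip.fw.verbose_limit caps how many lines one rule logs so a flood can't fill the disk; raise the limit or reset the counters while you are still finding what the last rule blocks. Feed denied_summary the relevant lines from /var/log/security (or wherever syslog puts kernel messages on the box) instead of the constructed sample.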