Date: Tue, 18 Dec 2007 11:34:20 +0200
From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: freebsd-questions@freebsd.org
Cc: Gore Jarold <gore_jarold@yahoo.com>
Subject: Re: ipfw rules for all interfaces not working ...
Message-ID: <200712181134.20695.nvass@teledomenet.gr>
In-Reply-To: <349277.18679.qm@web63012.mail.re1.yahoo.com>
References: <349277.18679.qm@web63012.mail.re1.yahoo.com>
On Monday 17 December 2007 19:06:29 Gore Jarold wrote:
> My main goal is to lock down my ipfw rules so that
> when I run nmap, all I see is:
>
> Interesting ports on 192.168.0.10:
> Not shown: 1677 closed ports
> PORT STATE SERVICE
> 22/tcp open ssh
> MAC Address: 00:12:D8:A2:23:C2
>
> Nmap finished: 1 IP address (1 host up) scanned in 9.791 seconds
>
> So that means I will need to explicitly block all
> ports except for the ones I have real servers running
> on.
>
> That's easy.
>
> The problem is, this is a laptop and so sometimes iwi0
> exists and sometimes it doesn't, and sometimes xl0
> exists and sometimes it doesn't ... and that is why my
> ipfw rules look like this:
>
> 00010 0 0 allow ip from any to any via lo0
> 00020 0 0 deny ip from any to 127.0.0.0/8
> 01000 18134 10505749 allow tcp from any to any established
> 04000 1498 84280 allow icmp from any to any
> 04001 27 1728 allow tcp from any to any dst-port 22 setup
> 04008 0 0 deny log logamount 100 ip from any to any recv all
> 65535 15202 2569754 allow ip from any to any
>
> See - in rule 04008, I say to deny "ip from any to any
> recv all" - so that no matter what interface(s) I have
> up, and no matter what their addresses are, this one
> deny rule will apply to them.
>
> The problem is, it doesn't work.
>
> As you can see, the counter on that rule is zero, and
> when I nmap the system I can see things like samba and
> http, etc., even though the only port I am allowing
> through is TCP 22.
>
> Why is this?

Because there is no "all" keyword :) ipfw tries to match an interface named "all" there.

Check how these rules match your needs. The first one creates states for connections initiated by your machine to the world, allowing related incoming traffic to come back. The second allows all to your TCP port 22. The third denies and logs everything else.
ipfw add 1000 allow ip from me to any keep-state
ipfw add 2000 allow tcp from any to me dst-port 22
ipfw add 3000 deny log logamount 0 ip from any to any

The above ruleset is a minimal example. Modify as needed to limit logamount, allow ICMP etc.

HTH,
Nikos
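The diagnosis above (a `recv all` selector is read as an interface literally named "all", so the rule never fires and its counter stays at zero) can be checked mechanically. The following is an added example, not code from the thread: it parses `ipfw -a list` output, pulls out every `via`/`recv`/`xmit` argument, and reports the ones that cannot match any interface on the host. The listing is the one quoted in the thread; the interface list is a constructed stand-in for `ifconfig -l` output, and the accepted selector forms (a name, an `if*` wildcard, `any`, `table(...)`, an address) follow ipfw(8).

```python
"""Audit an `ipfw -a list` listing for interface selectors that can never match.

Added example, not from the mailing-list thread.  The sample listing is the
one quoted in the thread; the interface names are constructed (on a live
system, feed it the output of `ifconfig -l` instead).
"""
import fnmatch
import ipaddress
import re

# Rule listing as quoted in the thread: number, packets, bytes, rule body.
SAMPLE_LISTING = """\
00010 0 0 allow ip from any to any via lo0
00020 0 0 deny ip from any to 127.0.0.0/8
01000 18134 10505749 allow tcp from any to any established
04000 1498 84280 allow icmp from any to any
04001 27 1728 allow tcp from any to any dst-port 22 setup
04008 0 0 deny log logamount 100 ip from any to any recv all
65535 15202 2569754 allow ip from any to any
"""

# Constructed interface list standing in for `ifconfig -l` on the laptop.
SAMPLE_INTERFACES = ["lo0", "iwi0", "xl0"]

IFACE_KEYWORDS = ("via", "recv", "xmit")
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_listing(text):
    """Return [(rule_number, packets, bytes, body), ...] for each rule line."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), int(m.group(2)),
                          int(m.group(3)), m.group(4)))
    return rules


def interface_selectors(body):
    """Return the argument of every via/recv/xmit keyword in a rule body."""
    tokens = body.split()
    return [tokens[i + 1] for i, tok in enumerate(tokens)
            if tok in IFACE_KEYWORDS and i + 1 < len(tokens)]


def selector_is_valid(selector, interfaces):
    """True if a via/recv/xmit argument can match something on this host.

    ipfw(8) accepts an interface name, a wildcard pattern such as `em*`,
    the keyword `any`, a `table(...)` lookup, or an IP address.  Anything
    else is taken as a literal interface name and must exist.
    """
    if selector == "any" or selector.startswith("table("):
        return True
    try:
        ipaddress.ip_network(selector, strict=False)
        return True
    except ValueError:
        pass
    if "*" in selector:
        return any(fnmatch.fnmatchcase(ifn, selector) for ifn in interfaces)
    return selector in interfaces


def audit(text, interfaces):
    """Return [(rule_number, selector, packets), ...] for selectors that can
    never match.  A zero packet counter on such a rule corroborates the
    finding, as it did for rule 04008 in the thread."""
    findings = []
    for number, pkts, _bytes, body in parse_listing(text):
        for sel in interface_selectors(body):
            if not selector_is_valid(sel, interfaces):
                findings.append((number, sel, pkts))
    return findings


if __name__ == "__main__":
    for number, sel, pkts in audit(SAMPLE_LISTING, SAMPLE_INTERFACES):
        print(f"rule {number:05d}: '{sel}' matches no interface on this host "
              f"({pkts} packets matched so far)")
```

Running it against the quoted listing flags only rule 04008 with selector `all`; a wildcard such as `iwi*` would pass because it matches `iwi0`, which is the ipfw-supported way to write a rule that survives an interface coming and going.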