Date: Sun, 16 Jun 2002 13:59:03 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: grimm <grimm@planetquake.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw-ntad-jail
Message-ID: <20020616135903.B94357@blossom.cjclark.org>
In-Reply-To: <20020616134201.529b01aa.grimm@planetquake.com>; from grimm@planetquake.com on Sun, Jun 16, 2002 at 01:42:01PM -0400
References: <20020616134201.529b01aa.grimm@planetquake.com>
On Sun, Jun 16, 2002 at 01:42:01PM -0400, grimm wrote:

[snip]

> #
> # my ipfw.rules (additional to rc.firewall defaults)
> #
> #make sure natd gets a hold of the packets prior to FIREWALL
> add 00320 divert natd all from any to any via xl0
> #
> #
> # from man 8 ipfw: allow only outbound TCP connections I've created
> add 00350 check-state
> add 00351 deny tcp from any to any in established
> add 00352 allow tcp from any to any out setup keep-state

[snip]

> # enable www server on dagobah (142.XX.XX.238)
> add 00700 allow tcp from any to any 80 in via xl0
> add 00701 allow tcp from any to any 80 out via xl0
> #
> #
> # enable ssh server on dagobah (142.XX.XX.238)
> add 00702 allow tcp from any to any 777 in via xl0
> add 00703 allow tcp from any to any 777 out via xl0
> #
> #
> # enable ssh server on darkside (142.XX.XX.238)
> add 00704 allow tcp from any to any 22 in via xl0
> add 00705 allow tcp from any to any 22 out via xl0

OK, some problems here. First, ITYM to have rules like,

  add allow tcp from any to me 80 in via xl0
  add allow tcp from me 80 to any out via xl0

No? Second, these won't work since you are blocking all TCP connections
that are not using 'keep-state' with rule 351. But...

> 00100     0      0 allow ip from any to any via lo0
> 00200     0      0 deny ip from any to 127.0.0.0/8
> 00300     0      0 deny ip from 127.0.0.0/8 to any
> 00320   171  34652 divert 8668 ip from any to any via xl0
> 00350     0      0 check-state
> 00351     0      0 deny tcp from any to any in established

I don't see this rule incrementing.

> 00352    78   8668 allow tcp from any to any keep-state out setup
> 00400     2    482 allow udp from 142.XX.XX.1 to any in recv xl0
> 00401     0      0 allow udp from 142.XX.XX.2 to any in recv xl0
> 00402     0      0 allow udp from 142.XX.XX.3 to any in recv xl0
> 00403     2    120 allow udp from any to any out
> 00600     0      0 allow icmp from any to any icmptype 3
> 00601     0      0 allow icmp from any to any icmptype 4
> 00602     0      0 allow icmp from any to any out icmptype 8
> 00603     0      0 allow icmp from any to any in icmptype 0
> 00604     0      0 allow icmp from any to any in icmptype 11
> 00700     3    144 allow tcp from any to any 80 in recv xl0
> 00701     0      0 allow tcp from any to any 80 out xmit xl0
> 00702     0      0 allow tcp from any to any 777 in recv xl0
> 00703     0      0 allow tcp from any to any 777 out xmit xl0
> 00704     0      0 allow tcp from any to any 22 in recv xl0
> 00705     0      0 allow tcp from any to any 22 out xmit xl0
> 65535    86  25238 deny ip from any to any

Always a good idea to add a,

  65534 deny log ip from any to any

Or something like it to help debugging.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
http://people.freebsd.org/~cjc/    |     cjclark@jhu.edu
                                   |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
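The ordering problem Crist points at, written out as an added example. This is editor-added code, not the poster's ipfw.rules and not anything from the thread. It assumes the outside interface is xl0 and that the www and ssh daemons run on the firewall host itself, so ipfw's `me` keyword names them; the rule numbers 00350-00361 in the corrected set and the `check_order` lint are my own choices. The point: ipfw's `established` keyword matches any TCP segment with the ACK or RST bit set, so rule 351 drops every inbound packet of a connection except the initial SYN, and the stateless rules 700-705 that follow it never see the handshake complete. Giving each inbound server rule `setup keep-state` and numbering it between `check-state` and the established deny lets the dynamic rule carry the rest of the connection in both directions. `check_order` reads a rule file on stdin and fails if any inbound TCP allow lacks `keep-state` or sits outside that window; the script prints the corrected set when run with no argument.

```shell
#!/bin/sh
# Added example, not from the original thread or the poster's ruleset.
# Assumptions: outside interface xl0, servers on the firewall host itself
# ("me"), an ipfw with check-state/keep-state as in the post.  Rule numbers
# 00350-00361 below are my own, not the poster's.

IF="${IF:-xl0}"

# Corrected fragment: inbound server rules create their own dynamic rule
# (setup keep-state) and are numbered BEFORE the "in established" deny.
emit_rules() {
    cat <<EOF
add 00320 divert natd all from any to any via $IF
add 00350 check-state
# inbound servers on this host: the SYN creates a dynamic rule before the deny
add 00351 allow tcp from any to me 80 in via $IF setup keep-state
add 00352 allow tcp from any to me 777 in via $IF setup keep-state
add 00353 allow tcp from any to me 22 in via $IF setup keep-state
# any other inbound non-SYN TCP segment has no dynamic rule and is dropped
add 00360 deny tcp from any to any in established
# outbound connections this host originates
add 00361 allow tcp from any to any out setup keep-state
# log what the default rule would silently drop (needs IPFIREWALL_VERBOSE)
add 65534 deny log ip from any to any
EOF
}

# The poster's ordering, as quoted above, for comparison: the inbound server
# rules carry no keep-state and sit after the established deny.
quoted_rules() {
    cat <<EOF
add 00320 divert natd all from any to any via $IF
add 00350 check-state
add 00351 deny tcp from any to any in established
add 00352 allow tcp from any to any out setup keep-state
add 00700 allow tcp from any to any 80 in via $IF
add 00701 allow tcp from any to any 80 out via $IF
add 00702 allow tcp from any to any 777 in via $IF
add 00703 allow tcp from any to any 777 out via $IF
add 00704 allow tcp from any to any 22 in via $IF
add 00705 allow tcp from any to any 22 out via $IF
EOF
}

# Hypothetical lint (my own): read an ipfw rule file on stdin and return 0
# only if every "allow tcp ... in ..." rule has keep-state and is numbered
# after check-state and before "deny tcp from any to any in established".
check_order() {
    rules=$(cat)
    cs=0; deny=65535; bad=0
    # pass 1: locate check-state and the established deny
    while read -r kw num rest; do
        [ "$kw" = add ] || continue
        n=${num#"${num%%[!0]*}"}   # drop leading zeros so sh does not read octal
        case "$rest" in
            check-state)                               cs=$n ;;
            "deny tcp from any to any in established") deny=$n ;;
        esac
    done <<EOF
$rules
EOF
    # pass 2: every inbound TCP allow must be stateful and inside that window
    while read -r kw num rest; do
        [ "$kw" = add ] || continue
        n=${num#"${num%%[!0]*}"}
        case "$rest" in
            allow\ tcp\ *\ in\ *)
                case "$rest" in
                    *keep-state*)
                        if [ "$n" -le "$cs" ] || [ "$n" -ge "$deny" ]; then
                            bad=$((bad + 1))      # right idea, wrong position
                        fi ;;
                    *)  bad=$((bad + 1)) ;;       # stateless: only the SYN gets in
                esac ;;
        esac
    done <<EOF
$rules
EOF
    [ "$bad" -eq 0 ]
}

case "${1:-print}" in
    print) emit_rules ;;
    check) emit_rules | check_order && echo "ordering ok" ;;
esac
```

Write the printed set to a file and load it the way rc.firewall loads a file-type firewall (`ipfw -q -f flush` followed by `ipfw -q /path/to/ipfw.rules`). The `deny log` rule only logs when the kernel has IPFIREWALL_VERBOSE and `net.inet.ip.fw.verbose` is 1; set `net.inet.ip.fw.verbose_limit` as well so a scan cannot flood syslog. The divert rule is left where the poster had it, ahead of `check-state`, so the dynamic rules are keyed on post-NAT addresses.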
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020616135903.B94357>