From owner-freebsd-security Wed Jan 3 10:45:42 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 10:45:37 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from virtual.sysadmin-inc.com (lists.sysadmin-inc.com [209.16.228.140]) by hub.freebsd.org (Postfix) with ESMTP id 9BC0537B400 for ; Wed, 3 Jan 2001 10:45:36 -0800 (PST)
Received: from wkst ([209.16.228.146]) by virtual.sysadmin-inc.com (8.9.1/8.9.1) with SMTP id NAA04626; Wed, 3 Jan 2001 13:50:27 -0500
Reply-To:
From: "Peter Brezny"
To:
Cc:
Subject: RE: statefull packet filter together with natd question
Date: Wed, 3 Jan 2001 13:44:35 -0800
Message-ID: <001501c075ce$5de6e660$14011e0a@sysadmininc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
In-Reply-To:
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is very similar to what I came up with.

http://www.bsdtoday.com/2000/December/Features359.html

Peter Brezny
SysAdmin Services Inc.

-----Original Message-----
From: darren@nighttide.net [mailto:darren@nighttide.net]
Sent: Tuesday, January 02, 2001 6:09 PM
To: Steven Kehlet
Cc: Rene de Vries; Luigi Rizzo; freebsd-security@FreeBSD.ORG
Subject: Re: statefull packet filter together with natd question

On Tue, 2 Jan 2001, Steven Kehlet wrote:

> [ moved from -hackers to -security ]
>
> For whatever it's worth, I struggled with this same problem for an
> entire day before giving up and using ipfilter.
> It seems to me
> that there is a fundamental problem with using the ipfw stateful
> rules and natd (as I'm sure you discovered yourself): the ordering

Perhaps I'm missing the gist of the problem (not enough details here) but I
haven't seen any problems with this under 4.2-Stable (haven't used natd with
a 5-Current system yet)....

Sample rule set follows. Let me know if you (or anyone for that matter) see
any problems with this.

#!/bin/sh
fwcmd="/sbin/ipfw"

# interfaces and addresses; a.b.c.d and 10.a.b.c are placeholders for the real ones
oif="ppp0"
oip="a.b.c.d"
iif="dc0"
iip="10.a.b.c"
imk="10.a.b.c/8"

$fwcmd -f flush

# loopback has to work
$fwcmd add allow all from any to any via lo0

# disallow spoofing of loopback
$fwcmd add deny log all from any to 127.0.0.0/8

# disallow spoofing of our address
$fwcmd add deny log ip from $oip to any in via $oif

# no private space address should cross the outside interface
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif

# stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny log all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny log all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny log all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny log all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny log all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny log all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny log all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny log all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny log all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny log all from any to 240.0.0.0/4 in via $oif

# divert traffic on the outside interface to natd
# (a diverted packet re-enters the rule set at the next rule after translation)
$fwcmd add divert natd all from any to any via $oif

# allow all established sessions
$fwcmd add allow tcp from any to any established

# we want to allow some connections to originate outside
$fwcmd add allow tcp from any to $oip 21,22,25,53,80,113 setup

# allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 0,3,4,8,11,12

# allow udp dns queries
$fwcmd add allow udp from any to any 53
$fwcmd add allow udp from any 53 to any

# allow traceroute
$fwcmd add allow udp from any to $oip 33400-33499 via $oif

# allow smb traffic (inside interface only)
$fwcmd add allow udp from any to any 137-139 via $iif

# dynamic rule set
$fwcmd add check-state

# let this machine talk to anyone
$fwcmd add allow ip from $oip to any keep-state out via $oif

# allow any traffic from the inner network to any
$fwcmd add allow ip from $imk to any keep-state via $iif

# deny everything else
$fwcmd add 65435 deny log logamount 1000 ip from any to any

______________________________________________________________________
Darren Henderson                                  darren@nighttide.net

            Help fight junk e-mail, visit http://www.cauce.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
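The following is an added example, not code from the thread or from any FreeBSD component: a simplified first-match model of the rule set Darren posted, written to trace how one packet is handled by the `divert natd`, `established`, `check-state` and `keep-state` rules in that order. It assumes a constructed public address (203.0.113.10 standing in for the poster's `a.b.c.d`), constructed remote hosts from the RFC 5737 documentation ranges, and a constructed natd port allocator starting at 40000; it models only the rules needed to follow a TCP session and omits the loopback, ICMP, DNS, traceroute and SMB rules.

```python
"""Simplified first-match model of the posted ipfw rule set with natd (added example).

Constructed assumptions: OIP stands in for the poster's "a.b.c.d", remote hosts use
RFC 5737 documentation addresses, natd hands out public ports from 40000 upwards,
and only the rules needed to trace a TCP session are modelled.
"""
from dataclasses import dataclass, replace

OIF, OIP = "ppp0", "203.0.113.10"       # outside interface and its address (placeholder for a.b.c.d)
IIF, INNER = "dc0", "10."               # inside interface and the 10.0.0.0/8 prefix
LISTED = (21, 22, 25, 53, 80, 113)      # services the "setup" rule lets outsiders open


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str                          # interface the packet is crossing
    direction: str                      # "in" or "out" relative to that interface
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


class Firewall:
    def __init__(self):
        self.nat = {}                   # natd's table: (proto, public port) -> (inner ip, inner port)
        self.next_port = 40000          # first public port natd hands out (constructed)
        self.state = set()              # dynamic rules created by keep-state, keyed on the 5-tuple

    @staticmethod
    def key(p, reverse=False):
        if reverse:
            return (p.proto, p.dst, p.dport, p.src, p.sport)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def natd(self, p):
        """What natd does to a diverted packet: masquerade outbound, un-masquerade inbound."""
        if p.direction == "out":
            for (proto, pub), inner in self.nat.items():
                if proto == p.proto and inner == (p.src, p.sport):
                    return replace(p, src=OIP, sport=pub)
            pub, self.next_port = self.next_port, self.next_port + 1
            self.nat[(p.proto, pub)] = (p.src, p.sport)
            return replace(p, src=OIP, sport=pub)
        inner = self.nat.get((p.proto, p.dport))
        if inner is None:
            return p                    # no mapping: an unsolicited packet comes back untranslated
        return replace(p, dst=inner[0], dport=inner[1])

    def evaluate(self, p):
        """Walk the rules top to bottom; first match wins. Returns (verdict, packet, rule)."""
        # deny log ip from 10.0.0.0/8 to any in via $oif  (anti-spoofing, checked before NAT)
        if p.iface == OIF and p.direction == "in" and p.src.startswith(INNER):
            return "deny", p, "anti-spoof: 10/8 in via ppp0"
        # divert natd all from any to any via $oif: translate, then continue with the next rule
        if p.iface == OIF:
            p = self.natd(p)
        # allow tcp from any to any established  (ACK or RST set)
        if p.proto == "tcp" and p.flags & {"ACK", "RST"}:
            return "allow", p, "established"
        # allow tcp from any to $oip 21,22,25,53,80,113 setup  (SYN without ACK)
        if p.proto == "tcp" and p.dst == OIP and p.dport in LISTED and p.flags == {"SYN"}:
            return "allow", p, "setup to listed service"
        # check-state: match packets belonging to a session a keep-state rule recorded
        if self.key(p) in self.state:
            return "allow", p, "check-state"
        # allow ip from $oip to any keep-state out via $oif
        if p.iface == OIF and p.direction == "out" and p.src == OIP:
            self.state.update({self.key(p), self.key(p, reverse=True)})
            return "allow", p, "keep-state out via ppp0"
        # allow ip from 10.0.0.0/8 to any keep-state via $iif
        if p.iface == IIF and p.src.startswith(INNER):
            self.state.update({self.key(p), self.key(p, reverse=True)})
            return "allow", p, "keep-state via dc0"
        # add 65435 deny log ip from any to any
        return "deny", p, "default deny"


def trace_session():
    """Trace an inner host's web session plus two unsolicited inbound packets (constructed)."""
    fw = Firewall()
    syn = Packet("tcp", "10.0.0.5", 1234, "198.51.100.7", 80, IIF, "in", frozenset({"SYN"}))
    v1 = fw.evaluate(syn)                                        # in via dc0
    v2 = fw.evaluate(replace(syn, iface=OIF, direction="out"))   # out via ppp0, NAT applied here
    synack = Packet("tcp", "198.51.100.7", 80, OIP, v2[1].sport, OIF, "in", frozenset({"SYN", "ACK"}))
    v3 = fw.evaluate(synack)                                     # reply, un-NATed then 'established'
    probe = Packet("tcp", "198.51.100.9", 5555, OIP, 8080, OIF, "in", frozenset({"SYN"}))
    v4 = fw.evaluate(probe)                                      # unsolicited SYN to an unlisted port
    spoof = Packet("tcp", "10.0.0.9", 4444, OIP, 22, OIF, "in", frozenset({"SYN"}))
    v5 = fw.evaluate(spoof)                                      # 10/8 source arriving on ppp0
    return v1, v2, v3, v4, v5


if __name__ == "__main__":
    for verdict, pkt, rule in trace_session():
        print(f"{verdict:5} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({rule})")
```

Each traversal of an interface is a separate `evaluate` call, which is what makes the ordering visible: the outbound packet is first accepted on `dc0` by the inner `keep-state` rule, is then translated by the `divert` rule on `ppp0` before the `keep-state out via ppp0` rule records the public 5-tuple, and the reply is un-translated by the same `divert` rule before `established` sees it, so the state and the translation stay consistent. The unsolicited SYN to an unlisted port and the spoofed 10/8 source both fall through to the deny rules, with the anti-spoofing check applied before NAT.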