Date: Sat, 18 Nov 2017 00:22:09 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: javocado <javocado@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW: Why can I add port numbers to established and what does that do ?
Message-ID: <20171117234726.H72828@sola.nimnet.asn.au>
In-Reply-To: <mailman.92.1510920002.34354.freebsd-questions@freebsd.org>
References: <mailman.92.1510920002.34354.freebsd-questions@freebsd.org>
In freebsd-questions Digest, Vol 702, Issue 7, Message: 13
On Thu, 16 Nov 2017 16:07:47 -0800 javocado <javocado@gmail.com> wrote:

> I think you misunderstand what I am asking - you have explained why a
> "established" rule is needed in the ruleset. You are correct and it is
> something (an established rule) that I always use.

You also use 'from any to any' without specifying whether inbound to, or outbound from your machine, which can be dangerous unless elsewhere protected in your ruleset.

I would suggest studying /etc/rc.firewall as several long-proven sets of ipfw rules, written and maintained by our skilled security people. The 'client' ruleset might suit you out of the box, or with small modifications. For example, it shows allowing for running a mail server, but is otherwise restrictive on what inbound connections are allowed, but unrestrictive in what you can do outbound.

> What I am saying is: I just noticed that you can specify a port number in
> the established rule:
>
> > allow tcp from any to any 22 established
>
> ... which I don't understand. In fact, I think it is a bug, but I am
> asking to make sure. It doesn't seem like specifying a port in the
> established rule makes any sense ...

You can specify ports, or port ranges, or tables of ports, or addresses, interfaces, etc., on any TCP rule. 'established' is just a qualifier, meaning only that a packet does not have the SYN bit set (i.e., is not a 'setup' packet).

I use several rules that deny (or in some cases allow) established packets from a) certain networks or addresses in tables; and b) on certain ports to internal addresses that do not handle such traffic.

Do not be misled by the IPFW Handbook page, or the rulesets there; read ipfw(8) and prosper. At least start from a basically secure framework, even before you need to understand how it all works.

Thanks Chris Gordon for showing how ssh connections work ..

cheers, Ian
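To make the point about qualifiers concrete, here is an added example (not code from the thread or from FreeBSD) that models first-match evaluation of a small constructed ipfw TCP ruleset, including the port-qualified `established` rule asked about; the flag tests follow the definitions in ipfw(8), and the rule numbers, addresses and the `MY_ADDR` constant are assumptions.

```python
"""Model of ipfw TCP rule matching: 'established' and 'setup' are
qualifiers that combine with ports and addresses like any other option.
Added example, not FreeBSD code; flag semantics follow ipfw(8)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10        # TCP flag bits
MY_ADDR = "192.0.2.10"                  # constructed host address ("me")


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    dst: str                   # "any" or "me"
    dport: Optional[int]       # None means any destination port
    option: Optional[str]      # None, "established" or "setup"

    def matches(self, pkt: Packet) -> bool:
        if self.dst == "me" and pkt.dst != MY_ADDR:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.option == "established":  # ipfw(8): RST or ACK bit set
            return bool(pkt.flags & (ACK | RST))
        if self.option == "setup":        # ipfw(8): SYN set, ACK clear
            return bool(pkt.flags & SYN) and not pkt.flags & ACK
        return True


# Constructed ruleset in the spirit of the thread (numbers are illustrative).
RULES: List[Tuple[int, Rule]] = [
    (100, Rule("allow", "me",  22,   "setup")),        # new ssh to this host only
    (200, Rule("allow", "any", 22,   "established")),  # the rule asked about
    (300, Rule("deny",  "any", 25,   "established")),  # no mail traffic handled here
    (400, Rule("allow", "any", None, "established")),  # remaining open flows
]


def first_match(pkt: Packet) -> Tuple[int, str]:
    """ipfw stops at the first matching rule; 65535 is the default deny."""
    for number, rule in RULES:
        if rule.matches(pkt):
            return number, rule.action
    return 65535, "deny"
```

A bare SYN to port 22 on another host never reaches rule 200, because `established` excludes it, while a packet with ACK set to port 22 on any host does; rule 400 shows why a port-less `established` rule alone would also have let port 25 flows through.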