From: Ian Smith
To: javocado
cc: freebsd-questions@freebsd.org
Date: Sat, 18 Nov 2017 00:22:09 +1100 (EST)
Subject: Re: IPFW: Why can I add port numbers to established and what does that do ?
Message-ID: <20171117234726.H72828@sola.nimnet.asn.au>

In freebsd-questions Digest, Vol 702, Issue 7, Message: 13

On Thu, 16 Nov 2017 16:07:47 -0800 javocado wrote:

> I think you misunderstand what I am asking - you have explained why a
> "established" rule is needed in the ruleset. You are correct and it is
> something (an established rule) that I always use.

You also use 'from any to any' without specifying whether inbound to, or outbound from your machine, which can be dangerous unless elsewhere protected in your ruleset.
I would suggest studying /etc/rc.firewall as several long-proven sets of ipfw rules, written and maintained by our skilled security people. The 'client' ruleset might suit you out of the box, or with small modifications. For example, it shows allowing for running a mail server, but is otherwise restrictive on what inbound connections are allowed, but unrestrictive in what you can do outbound.

> What I am saying is: I just noticed that you can specify a port number in
> the established rule:
> >
> > > allow tcp from any to any 22 established
> >
> ... which I don't understand. In fact, I think it is a bug, but I am
> asking to make sure. It doesn't seem like specifying a port in the
> established rule makes any sense ...

You can specify ports, or port ranges, or tables of ports, or addresses, interfaces, etc., on any TCP rule. 'established' is just a qualifier, meaning only that a packet does not have the SYN bit set (i.e., is not a 'setup' packet).

I use several rules that deny (or in some cases allow) established packets from a) certain networks or addresses in tables; and b) on certain ports to internal addresses that do not handle such traffic.

Do not be misled by the IPFW Handbook page, or the rulesets there; read ipfw(8) and prosper. At least start from a basically secure framework, even before you need to understand how it all works.

Thanks Chris Gordon for showing how ssh connections work ..

cheers, Ian
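An added example, not part of Ian's message and not ipfw's own code: a toy first-match evaluator for the handful of ipfw(8) rule words discussed above (a port, `established`, `setup`, `in`/`out`), using ipfw(8)'s definitions (`setup` = SYN set without ACK; `established` = ACK or RST set). It shows that `allow tcp from any to any 22 established` never matches the connection-opening SYN, so the `setup` rules, with their `in`/`out` direction, are what decide who may connect. Only `from any to any` rules are modelled; rule numbers and packets are constructed.

```python
# Toy first-match evaluator for a small subset of ipfw(8) TCP rule syntax.
# Constructed for illustration only; this is not ipfw's own code.
from collections import namedtuple
# direction: "in"/"out" relative to this host; flags: set of TCP flags, e.g. {"SYN", "ACK"}
Packet = namedtuple("Packet", "direction dst_port flags")
# ipfw(8): "setup" matches SYN set and ACK clear; "established" matches ACK or RST set.
STATE_TESTS = {
    "setup": lambda p: "SYN" in p.flags and "ACK" not in p.flags,
    "established": lambda p: bool(p.flags & {"ACK", "RST"}),
}
def parse_rule(text):
    """Parse 'allow|deny tcp from any to any [port] [established|setup] [in|out]'."""
    words = text.split()
    if words[1:6] != ["tcp", "from", "any", "to", "any"]:
        raise ValueError("only 'tcp from any to any' rules are modelled: " + text)
    rule = {"action": words[0], "port": None, "state": None, "dir": None}
    for w in words[6:]:
        if w.isdigit():
            rule["port"] = int(w)
        elif w in STATE_TESTS:
            rule["state"] = w
        elif w in ("in", "out"):
            rule["dir"] = w
        else:
            raise ValueError("unsupported rule word: " + w)
    return rule
def matches(rule, p):
    """Every qualifier on the rule must hold; 'established' is just one more qualifier."""
    if rule["port"] is not None and p.dst_port != rule["port"]:
        return False
    if rule["state"] is not None and not STATE_TESTS[rule["state"]](p):
        return False
    return rule["dir"] is None or rule["dir"] == p.direction

def evaluate(ruleset, p):
    """First matching rule wins; 65535/deny is ipfw's default rule on a default-deny kernel."""
    for number, text in ruleset:
        rule = parse_rule(text)
        if matches(rule, p):
            return number, rule["action"]
    return 65535, "deny"

# Client-style ordering (constructed): keep ongoing flows, open ssh inbound, nothing else inbound.
RULESET = [
    (100, "allow tcp from any to any established"),
    (200, "allow tcp from any to any 22 setup in"),
    (300, "deny tcp from any to any setup in"),
    (400, "allow tcp from any to any setup out"),
]
QUESTION_RULE = [(100, "allow tcp from any to any 22 established")]  # the rule asked about, alone
```

Run on its own, the rule from the question lets an ACK to port 22 through but drops the initial SYN to the default rule, which is why it only makes sense alongside explicit `setup` rules.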