Date: Thu, 26 Oct 2000 16:58:55 -0700 (PDT) From: Roger Marquis <marquis@roble.com> To: security@FreeBSD.ORG Subject: Re: request for example rc.firewall script Message-ID: <Pine.BSF.4.21.0010261643110.21438-100000@roble.com> In-Reply-To: <bulk.11209.20001025153412@hub.freebsd.org>
index | next in thread | previous in thread | raw e-mail
Peter Brezny [mailto:peter@sysadmin-inc.com] wrote:
> I'm working on adding the rules needed to rc.firewall under the 'simple'
> sections to allow the script to function as a firewall/nat router for a
> small network with private ip's in the 10.x.x.x range.
You may or may not want to use the rc.firewall scripts directly.
We more often roll our own, as a matter of due diligence, and use
rc.local to call a script like the following.
#!/bin/sh -
/sbin/ipfw -q flush
## outgoing
/sbin/ipfw add 110 allow ip from 10.1.1.0/24 to any via ed2
/sbin/ipfw add 110 allow ip from 204.69.218.85/32 to any via ed1
## localhost
/sbin/ipfw add 120 allow all from any to any via lo0
/sbin/ipfw add 121 deny ip from any to 127.0.0.0/8
/sbin/ipfw add 122 deny ip from 127.0.0.0/8 to any
## netbios
/sbin/ipfw add 130 deny udp from any to any 135-139
/sbin/ipfw add 130 deny tcp from any to any 135-139
###############################################################
BLKHL=/usr/local/etc/blackhole_ips
if [ -s $BLKHL ]; then
for ip in `egrep -v '(^$|^#)' $BLKHL` ; do
/sbin/ipfw add 1000 deny ip from $ip to any
done
else
echo "ERROR: $BLKHL not found"
fi
###############################################################
## rfc1918
/sbin/ipfw add 8998 deny ip from 10.0.0.0/8 to any
/sbin/ipfw add 8998 deny ip from 172.16.0.0/12 to any
/sbin/ipfw add 8998 deny ip from 192.168.0.0/16 to any
/sbin/ipfw add 8998 deny ip from 128.0.0.0/16 to any
## ip-options (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options)
/sbin/ipfw add 9000 deny log ip from any to any ipoptions ssrr,lsrr,ts,rr
## icmp types
/sbin/ipfw add 9800 allow icmp from any to any icmptypes 0,3,4,8,11
/sbin/ipfw add 9900 deny log icmp from any to any
## kernel default = allow
This, however, lacks some filters recommended by other organizations
(for the IOS/PIX literate):
Recommended by SANS:
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any
Recommended by Paul Vixie:
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 permit ip any any
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0010261643110.21438-100000>