From owner-freebsd-security Thu Oct 26 16:59: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from roble.com (mx2.roble.com [206.40.34.15]) by hub.freebsd.org (Postfix) with ESMTP id 74E7A37B479 for ; Thu, 26 Oct 2000 16:58:56 -0700 (PDT) Received: from localhost (marquis@localhost) by roble.com with ESMTP id e9QNwtU21687 for ; Thu, 26 Oct 2000 16:58:55 -0700 (PDT) Date: Thu, 26 Oct 2000 16:58:55 -0700 (PDT) From: Roger Marquis To: security@FreeBSD.ORG Subject: Re: request for example rc.firewall script In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Peter Brezny [mailto:peter@sysadmin-inc.com] wrote: > I'm working on adding the rules needed to rc.firewall under the 'simple' > sections to allow the script to function as a firewall/nat router for a > small network with private ip's in the 10.x.x.x range. You may or may not want to use the rc.firewall scripts directly. We more often roll our own, as a matter of due diligence, and use rc.local to call a script like the following. #!/bin/sh - /sbin/ipfw -q flush ## outgoing /sbin/ipfw add 110 allow ip from 10.1.1.0/24 to any via ed2 /sbin/ipfw add 110 allow ip from 204.69.218.85/32 to any via ed1 ## localhost /sbin/ipfw add 120 allow all from any to any via lo0 /sbin/ipfw add 121 deny ip from any to 127.0.0.0/8 /sbin/ipfw add 122 deny ip from 127.0.0.0/8 to any ## netbios /sbin/ipfw add 130 deny udp from any to any 135-139 /sbin/ipfw add 130 deny tcp from any to any 135-139 ############################################################### BLKHL=/usr/local/etc/blackhole_ips if [ -s $BLKHL ]; then for ip in `egrep -v '(^$|^#)' $BLKHL` ; do /sbin/ipfw add 1000 deny ip from $ip to any done else echo "ERROR: $BLKHL not found" fi ############################################################### ## rfc1918 /sbin/ipfw add 8998 deny ip from 10.0.0.0/8 to any /sbin/ipfw add 8998 deny ip from 172.16.0.0/12 to any /sbin/ipfw add 8998 deny ip from 192.168.0.0/16 to any /sbin/ipfw add 8998 deny ip from 128.0.0.0/16 to any ## ip-options (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options) /sbin/ipfw add 9000 deny log ip from any to any ipoptions ssrr,lsrr,ts,rr ## icmp types /sbin/ipfw add 9800 allow icmp from any to any icmptypes 0,3,4,8,11 /sbin/ipfw add 9900 deny log icmp from any to any ## kernel default = allow This, however, lacks some filters recommended by other organizations (for the IOS/PIX literate): Recommended by SANS: access-list 150 deny ip 0.0.0.0 0.255.255.255 any access-list 150 deny ip 10.0.0.0 0.255.255.255 any access-list 150 deny ip 127.0.0.0 0.255.255.255 any access-list 150 deny ip 169.254.0.0 0.0.255.255 any access-list 150 deny ip 172.16.0.0 0.15.255.255 any access-list 150 deny ip 192.0.2.0 0.0.0.255 any access-list 150 deny ip 192.168.0.0 0.0.255.255 any access-list 150 deny ip 224.0.0.0 15.255.255.255 any access-list 150 deny ip 240.0.0.0 7.255.255.255 any access-list 150 deny ip 248.0.0.0 7.255.255.255 any access-list 150 deny ip 255.255.255.255 0.0.0.0 any Recommended by Paul Vixie: access-list 100 deny ip host 0.0.0.0 any access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255 access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255 access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255 access-list 100 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255 access-list 100 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255 access-list 100 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255 access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 access-list 100 deny ip any 255.255.255.128 0.0.0.127 access-list 100 permit ip any any -- Roger Marquis Roble Systems Consulting http://www.roble.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message