From owner-freebsd-security Sun May 7 6:11:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from grimreaper.grondar.za (grimreaper.grondar.za [196.7.18.138]) by hub.freebsd.org (Postfix) with ESMTP id 7423637B530 for ; Sun, 7 May 2000 06:11:46 -0700 (PDT) (envelope-from mark@grondar.za)
Received: from grimreaper.grondar.za (localhost [127.0.0.1]) by grimreaper.grondar.za (8.9.3/8.9.3) with ESMTP id PAA18519; Sun, 7 May 2000 15:11:37 +0200 (SAST) (envelope-from mark@grimreaper.grondar.za)
Message-Id: <200005071311.PAA18519@grimreaper.grondar.za>
To: Marc Silver
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall Rules
References: <20000505080928.Q80532@draenor.org>
In-Reply-To: <20000505080928.Q80532@draenor.org> ; from Marc Silver "Fri, 05 May 2000 08:09:28 +0200."
Date: Sun, 07 May 2000 15:11:37 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I am currently working on some documentation on ipfw and natd with ppp.
> The following rules are for a basic dialup firewall that will allow
> connections on port 80. Are these rules sound, and if not, how could
> they be improved?

OK...

> fwcmd="/sbin/ipfw"
> $fwcmd -f flush
> $fwcmd add divert natd all from any to any via tun0

Depends on what you are doing with natd.

> $fwcmd add allow ip from any to any via lo0
> $fwcmd add allow ip from any to any via fxp0

OK. NP. Anyone internal can do anything.

> $fwcmd add allow tcp from any to any out xmit tun0 setup

Any outgoing TCP connections are accepted.

> $fwcmd add allow tcp from any to any via tun0 established

Any established TCP connections are OK. Works with above rule.

> $fwcmd add pass log tcp from any to any 80 setup

Allow incoming port 80.

> $fwcmd add reset log tcp from any to any 113 in recv tun0

Kill port 113 traffic and log it.

So far, so good.

> $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
> $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0

You want to allow DNS, and this will do it, but it will allow an attacker to attack you by setting his source (ephemeral) port to 53. Just be aware of this; there is probably not much you can do with ipfw - you need a firewall that can hold UDP state.

Also - why the duplicates?

> $fwcmd add 65435 allow icmp from any to any

Allow ICMP. Why?

> $fwcmd add 65435 deny log ip from any to any

Kill everything else. Good.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
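The two points Mark raises about the UDP block, that a stateless rule accepts any inbound packet whose header happens to match and that the DNS rules are pasted twice, can be made concrete with a small model. The following is an added example, not code from the post or from FreeBSD: it re-expresses the two distinct UDP rules as Python predicates, puts a hypothetical state-holding filter (DnsStateTable) beside them to show what "a firewall that can hold UDP state" buys you, and adds a lint that finds repeated rule lines. The rule text is the poster's; the addresses 192.0.2.53 (standing in for x.x.x.x) and 10.0.0.2 (the dialup host's tun0 address) are constructed.

```python
"""Model of the DNS rules from the post: stateless ipfw-style matching beside
a stateful UDP filter, plus a duplicate-rule lint.

Added example, not code from the original mailing-list post. The rule text is
the poster's; everything else is constructed: 192.0.2.53 stands in for the
resolver "x.x.x.x", 10.0.0.2 is the dialup host's own tun0 address, and
DnsStateTable is a hypothetical stand-in for the UDP-state-holding firewall
the reply says ipfw cannot provide.
"""
from collections import Counter
from dataclasses import dataclass, field

RESOLVER = "192.0.2.53"   # constructed stand-in for the post's x.x.x.x
ME = "10.0.0.2"           # constructed: the dialup host's tun0 address

# The UDP/ICMP tail of the ruleset as posted (verbatim, duplicates included).
POSTED_RULES = [
    "add allow udp from any to x.x.x.x 53 out xmit tun0",
    "add allow udp from any to x.x.x.x 53 out xmit tun0",
    "add allow udp from x.x.x.x 53 to any in recv tun0",
    "add allow udp from x.x.x.x 53 to any in recv tun0",
    "add 65435 allow icmp from any to any",
    "add 65435 deny log ip from any to any",
]


def find_duplicate_rules(rules):
    """Return rule bodies that appear more than once, in first-seen order.

    Whitespace is normalised so re-indented copies still count; this is the
    lint that answers "why the duplicates?".
    """
    normalised = [" ".join(r.split()) for r in rules]
    counts = Counter(normalised)
    seen = []
    for r in normalised:
        if counts[r] > 1 and r not in seen:
            seen.append(r)
    return seen


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str
    direction: str   # "in" (recv) or "out" (xmit)


def stateless_dns_allows(pkt):
    """First-match evaluation of the two distinct UDP rules from the post.

    Only the packet's own header fields are consulted, as a stateless rule
    does; nothing is remembered about earlier packets.
    """
    if pkt.proto != "udp" or pkt.iface != "tun0":
        return False
    # "allow udp from any to x.x.x.x 53 out xmit tun0"
    if pkt.direction == "out" and pkt.dst == RESOLVER and pkt.dport == 53:
        return True
    # "allow udp from x.x.x.x 53 to any in recv tun0"
    if pkt.direction == "in" and pkt.src == RESOLVER and pkt.sport == 53:
        return True
    return False


@dataclass
class DnsStateTable:
    """Hypothetical stateful filter: an inbound reply passes only if it
    answers a query this host sent that is still outstanding."""
    pending: set = field(default_factory=set)

    def allows(self, pkt):
        if pkt.proto != "udp" or pkt.iface != "tun0":
            return False
        if pkt.direction == "out" and pkt.dst == RESOLVER and pkt.dport == 53:
            self.pending.add((pkt.src, pkt.sport))   # remember the query
            return True
        if pkt.direction == "in" and pkt.src == RESOLVER and pkt.sport == 53:
            key = (pkt.dst, pkt.dport)
            if key in self.pending:
                self.pending.discard(key)            # one reply per query
                return True
        return False


if __name__ == "__main__":
    print("duplicates:", find_duplicate_rules(POSTED_RULES))
    query = Packet("udp", ME, 40000, RESOLVER, 53, "tun0", "out")
    unsolicited = Packet("udp", RESOLVER, 53, ME, 40000, "tun0", "in")
    print("stateless accepts unsolicited reply:", stateless_dns_allows(unsolicited))
    table = DnsStateTable()
    print("stateful accepts unsolicited reply:", table.allows(unsolicited))
    table.allows(query)
    print("stateful accepts reply after query:", table.allows(unsolicited))
```

The stateless predicate says yes to any inbound packet carrying the resolver's address and source port 53, whether or not this host asked anything; the state table says yes only while a matching query is outstanding, and forgets it once answered. That difference, not the rule syntax, is what the reply is pointing at when it says ipfw alone cannot hold UDP state.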