From: Lucius Rizzo
To: David Noel
Cc: freebsd-stable@freebsd.org
Date: Fri, 23 May 2014 22:57:33 -0700
Subject: Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID: <20140524055733.GA69376@The.ie>
References: <20140520070926.GA92183@The.ie>
User-Agent: Mutt/1.5.23 (2014-03-12)

* David Noel [2014-05-24 00:31]:
> On 5/23/14, David Noel wrote:
> > On 5/20/14, Lucius Rizzo wrote:
> >> If you use any of the firewalls, and have interesting
> >> or even optimized rule sets, I would really like to see them :)
> >
> > I'll post them shortly.
> >
> Let me know if I missed anything.

Thank you! This actually helps.

I have a set of IPFilter rules that I plunk on my FreeBSD servers running on cloud. I use IPFilter with sshguard-ipfilter.
(See attached.)

Seems like consensus is that pf is perhaps the best choice moving forward.

-- 
Lucius.Tel

Attachment: ipf.rules

# pass out quick from any to any
pass in from any to any
#
block in log quick on vtnet0 proto icmp from any to any icmp-type redir
block in log quick on vtnet0 proto tcp/udp all with short
block in log quick on vtnet0 from any to any with ipopts
#
block in log quick on vtnet0 from 192.168.4.0/24 to any
block in log quick on vtnet0 from localhost to any
block in log quick on vtnet0 from 0.0.0.0/32 to any
block in log quick on vtnet0 from 255.255.255.255/32 to any
#
# block in on vtnet0 proto udp from any to any
block in log on vtnet0 proto udp from any to any port = sunrpc
block in log on vtnet0 proto udp from any to any port = 2049
pass in on vtnet0 proto udp from any to any port = domain
pass in on vtnet0 proto udp from any to any port = talk
pass in on vtnet0 proto udp from any to any port = ntalk
#
# block return-rst in log on vtnet0 proto tcp from any to any flags S/SA
block return-rst in on vtnet0 proto tcp from any to any port = auth flags S/SA
#
pass in on vtnet0 proto tcp from any to any port 1024 >< 5000
pass in on vtnet0 proto tcp from any port = ftp-data to any port 1024 >< 5000
#
pass in quick from any to any port = smtp
pass in quick from any to any port = www
pass in quick from any to any port = ssh
pass in quick from any to any port = 443
##sshguard-begin##
block in quick proto tcp from 61.19.247.185 to any
block in quick proto tcp from 220.177.198.62 to any
block in quick proto tcp from 211.234.100.203 to any
block in quick proto tcp from 112.220.198.102 to any
block in quick proto tcp from 61.174.49.104 to any
block in quick proto tcp from 112.206.228.98 to any
block in quick proto tcp from 220.177.198.51 to any
##sshguard-end##
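As an added example (not part of the original post or of the ipf.rules attachment): a small Python model of the inbound TCP/UDP port and flag rules from the attached file, used to check what IPFilter's last-match-wins plus "quick" semantics actually decide for sample packets, both with the ruleset as posted and with the commented-out "block return-rst ... flags S/SA" catch-all re-enabled. The Rule, Packet, evaluate, POSTED and WITH_CATCHALL names and the sample packets are constructed here; the ICMP, short-fragment, IP-option, source-address and talk/ntalk rules are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of an inbound ipf rule: only proto, destination port and the "flags S/SA" test.
@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    quick: bool = False                      # ipf "quick": stop walking on match
    proto: Optional[str] = None              # "tcp"/"udp", None means any
    dport: Optional[Tuple[int, int]] = None  # inclusive range, None means any
    syn_only: bool = False                   # models "flags S/SA" (new connection)

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    syn: bool = False   # True for a connection attempt (SYN set, ACK clear)

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport[0] <= pkt.dport <= rule.dport[1])
            and (pkt.syn or not rule.syn_only))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """ipf semantics: the LAST matching rule decides, unless a matching rule
    is 'quick', which ends the walk at once; with no match at all ipf passes."""
    action, idx = "pass", None
    for i, r in enumerate(rules):
        if matches(r, pkt):
            action, idx = r.action, i
            if r.quick:
                break
    return action, idx

# Active inbound TCP/UDP rules of the attached ipf.rules, in file order (other rule kinds omitted):
POSTED = [
    Rule("pass"),                                   # pass in from any to any
    Rule("block", proto="udp", dport=(111, 111)),   # port = sunrpc
    Rule("block", proto="udp", dport=(2049, 2049)), # NFS
    Rule("pass", proto="udp", dport=(53, 53)),      # port = domain
    Rule("block", proto="tcp", dport=(113, 113), syn_only=True),  # port = auth, flags S/SA
    Rule("pass", proto="tcp", dport=(1025, 4999)),  # "port 1024 >< 5000" is exclusive
    Rule("pass", quick=True, dport=(25, 25)),       # smtp (no proto given, so udp/25 too)
    Rule("pass", quick=True, dport=(80, 80)),       # www
    Rule("pass", quick=True, dport=(22, 22)),       # ssh
    Rule("pass", quick=True, dport=(443, 443)),
]
# The commented-out catch-all "block return-rst ... flags S/SA", re-enabled in its original slot before auth:
CATCHALL = Rule("block", proto="tcp", syn_only=True)
WITH_CATCHALL = POSTED[:4] + [CATCHALL] + POSTED[4:]
```

As posted, a SYN to an unlisted port such as 8080 is decided by the opening "pass in from any to any"; with the catch-all re-enabled the same packet is blocked while the later port-specific pass rules still override it.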