From owner-freebsd-security Wed Jan 3 13:27: 1 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 13:26:55 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from jasper.nighttide.net (jasper.nighttide.net [216.227.178.18]) by hub.freebsd.org (Postfix) with ESMTP id B7B9F37B400 for ; Wed, 3 Jan 2001 13:26:53 -0800 (PST)
Received: from localhost (darren@localhost) by jasper.nighttide.net (8.11.1/8.11.1) with ESMTP id f03LQkx26186; Wed, 3 Jan 2001 16:26:46 -0500 (EST) (envelope-from darren@nighttide.net)
Date: Wed, 3 Jan 2001 16:26:46 -0500 (EST)
From: Darren Henderson
Sender:
To: Peter Brezny
Cc:
Subject: RE: statefull packet filter together with natd question
In-Reply-To: <001501c075ce$5de6e660$14011e0a@sysadmininc.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes, it's very similar. I borrowed from a number of sources, including your
web site. It was a great help. I hadn't kept the references unfortunately.
Apologies for that.

My main point was that the natd and dynamic rules weren't mutually exclusive.

On Wed, 3 Jan 2001, Peter Brezny wrote:

> This is very similar to what I came up with.
>
> http://www.bsdtoday.com/2000/December/Features359.html
>
> Peter Brezny
> SysAdmin Services Inc.
>
> -----Original Message-----
> From: darren@nighttide.net [mailto:darren@nighttide.net]
> Sent: Tuesday, January 02, 2001 6:09 PM
> To: Steven Kehlet
> Cc: Rene de Vries; Luigi Rizzo; freebsd-security@FreeBSD.ORG
> Subject: Re: statefull packet filter together with natd question
>
> On Tue, 2 Jan 2001, Steven Kehlet wrote:
>
> > [ moved from -hackers to -security ]
> >
> > For whatever it's worth, I struggled with this same problem for an
> > entire day before giving up and using ipfilter. It seems to me
> > that there is a fundamental problem with using the ipfw stateful
> > rules and natd (as I'm sure you discovered yourself): the ordering
>
> Perhaps I'm missing the gist of the problem (not enough details here) but
> I haven't seen any problems with this under 4.2-Stable (haven't
> used natd with a 5-Current system yet).... Sample rule set follows. Let me
> know if you (or anyone for that matter) see any problems with this.
>
> #!/bin/sh
>
> fwcmd="/sbin/ipfw"
>
> oif="ppp0"
> oip="a.b.c.d"
> iif="dc0"
> iip="10.a.b.c"
> imk="10.a.b.c/8"
>
> $fwcmd -f flush
>
> # loopback has to work
> $fwcmd add allow all from any to any via lo0
>
> # disallow spoofing of loopback
> $fwcmd add deny log all from any to 127.0.0.0/8
>
> # disallow spoofing of our address
> $fwcmd add deny log ip from $oip to any in via $oif
>
> # no private space address should cross the outside interface
> $fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
> $fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
> $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
> $fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
> $fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
> $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
>
> # stop draft-manning-dsua-01.txt nets on the outside interface
> $fwcmd add deny log all from 0.0.0.0/8 to any in via $oif
> $fwcmd add deny log all from 169.254.0.0/16 to any in via $oif
> $fwcmd add deny log all from 192.0.2.0/24 to any in via $oif
> $fwcmd add deny log all from 224.0.0.0/4 to any in via $oif
> $fwcmd add deny log all from 240.0.0.0/4 to any in via $oif
> $fwcmd add deny log all from any to 0.0.0.0/8 in via $oif
> $fwcmd add deny log all from any to 169.254.0.0/16 in via $oif
> $fwcmd add deny log all from any to 192.0.2.0/24 in via $oif
> $fwcmd add deny log all from any to 224.0.0.0/4 in via $oif
> $fwcmd add deny log all from any to 240.0.0.0/4 in via $oif
>
> # divert through natd on the outside interface
> $fwcmd add divert natd all from any to any via $oif
>
> # allow all established sessions
> $fwcmd add allow tcp from any to any established
>
> # we want to allow some connections to originate outside
> $fwcmd add allow tcp from any to $oip 21,22,25,53,80,113 setup
>
> # allow required ICMP
> $fwcmd add allow icmp from any to any icmptypes 0,3,4,8,11,12
>
> # allow udp dns queries
> $fwcmd add allow udp from any to any 53
> $fwcmd add allow udp from any 53 to any
>
> # allow traceroute
> $fwcmd add allow udp from any to $oip 33400-33499 via $oif
>
> # allow smb traffic
> $fwcmd add allow udp from any to any 137-139 via $iif
>
> # dynamic rule set
> $fwcmd add check-state
>
> # let this machine talk to anyone
> $fwcmd add allow ip from $oip to any keep-state out via $oif
>
> # allow any traffic from the inner network to any
> $fwcmd add allow ip from $imk to any keep-state via $iif
>
> # deny everything else
> $fwcmd add 65435 deny log logamount 1000 ip from any to any
>
>
> ______________________________________________________________________
> Darren Henderson                                   darren@nighttide.net
>
>              Help fight junk e-mail, visit http://www.cauce.org/
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

______________________________________________________________________
Darren Henderson                                   darren@nighttide.net

             Help fight junk e-mail, visit http://www.cauce.org/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
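The "ordering" Steven alludes to and the reason Darren's ruleset works come down to one thing: the `divert natd` rule sits before `check-state`, so a packet is translated before it is compared against the dynamic rule table. The following is an added example, not code from the thread, the ipfw source or natd: a small Python model of how ipfw walks a rule list once per interface pass, with a divert rule, an anti-spoof deny, `check-state`, the two `keep-state` rules from the posted set and a default deny. It traces one UDP exchange from an inner host through the gateway and back with the divert placed before `check-state` (as posted) and with the order swapped. All addresses are placeholders (a.b.c.d is stood in for by 203.0.113.5, inner host 10.1.2.3, remote server 198.51.100.9), the natd alias-port allocation is a simplification, and the static `allow` rules of the posted set are left out so the effect of ordering is isolated.

```python
# Added example (not from the thread, ipfw or natd): a constructed model of an
# ipfw rule walk mixing a natd divert rule with keep-state/check-state rules.
# Placeholder addresses: outside a.b.c.d -> 203.0.113.5 (TEST-NET-3), inner host
# 10.1.2.3, remote server 198.51.100.9 (TEST-NET-2). natd port allocation and
# the rule semantics are simplified assumptions, not a copy of the kernel code.
import ipaddress
from dataclasses import dataclass, replace

OIP, OIF = "203.0.113.5", "ppp0"          # outside address / interface ($oip, $oif)
IIF, INNER = "dc0", ipaddress.ip_network("10.0.0.0/8")   # $iif, $imk
NAT_PORT_BASE = 1024                      # first alias port natd hands out (assumed)


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def tuple5(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse5(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


def in_net(ip, net):
    return ipaddress.ip_address(ip) in net


class Firewall:
    """Subset of the posted ruleset: anti-spoof deny, divert natd, check-state,
    the two keep-state rules, default deny. Static allow rules are omitted."""

    def __init__(self, divert_first):
        self.state = set()   # dynamic rules, keyed on the 5-tuple as ipfw does
        self.nat = {}        # natd table: (inner ip, port) -> alias port
        self.order = (["spoof", "divert", "check-state"] if divert_first
                      else ["spoof", "check-state", "divert"])
        self.order += ["keep-state-out", "keep-state-inner", "deny"]

    def natd(self, p, direction):
        """divert natd: rewrite src on the way out, dst on the way back in."""
        if direction == "out" and in_net(p.src, INNER):
            key = (p.src, p.sport)
            self.nat.setdefault(key, NAT_PORT_BASE + len(self.nat))
            return replace(p, src=OIP, sport=self.nat[key])
        if direction == "in" and p.dst == OIP:
            for (ip, port), alias in self.nat.items():
                if alias == p.dport:
                    return replace(p, dst=ip, dport=port)
        return p

    def filter(self, p, iface, direction):
        """One rule walk, as ipfw performs per interface pass. Returns (verdict, packet)."""
        for rule in self.order:
            if rule == "spoof":      # deny ip from/to 10.0.0.0/8 in via $oif
                if iface == OIF and direction == "in" and (
                        in_net(p.src, INNER) or in_net(p.dst, INNER)):
                    return "deny", p
            elif rule == "divert":   # divert natd all from any to any via $oif
                if iface == OIF:
                    p = self.natd(p, direction)
            elif rule == "check-state":
                if p.tuple5() in self.state or p.reverse5() in self.state:
                    return "allow", p
            elif rule == "keep-state-out":    # allow ip from $oip to any keep-state out via $oif
                if p.src == OIP and iface == OIF and direction == "out":
                    self.state.add(p.tuple5())
                    return "allow", p
            elif rule == "keep-state-inner":  # allow ip from $imk to any keep-state via $iif
                if in_net(p.src, INNER) and iface == IIF:
                    self.state.add(p.tuple5())
                    return "allow", p
            elif rule == "deny":
                return "deny", p
        return "deny", p


def simulate(divert_first):
    """Inner host sends a UDP datagram to port 123 (chosen so no static rule in
    the posted set would match it) and the server replies. Returns the source
    address seen on ppp0, the four verdicts and where the reply was delivered."""
    fw = Firewall(divert_first)
    req = Pkt("udp", "10.1.2.3", 40000, "198.51.100.9", 123)
    v1, p = fw.filter(req, IIF, "in")       # pass 1: arrives from the LAN
    v2, wire = fw.filter(p, OIF, "out")     # pass 2: leaves on ppp0 (NAT must happen here)
    reply = Pkt("udp", wire.dst, wire.dport, wire.src, wire.sport)  # server answers what it saw
    v3, p = fw.filter(reply, OIF, "in")     # pass 3: reply arrives on ppp0
    delivered, v4 = None, None
    if v3 == "allow":
        v4, p = fw.filter(p, IIF, "out")    # pass 4: forwarded onto the LAN
        delivered = p.dst if v4 == "allow" else None
    return {"egress_src": wire.src, "verdicts": (v1, v2, v3, v4), "delivered_to": delivered}


if __name__ == "__main__":
    print("divert before check-state:", simulate(True))
    print("check-state before divert:", simulate(False))
```

With the divert first, the outbound datagram is rewritten to the outside address before `check-state` runs, the `keep-state out via $oif` rule creates a second dynamic entry for the translated tuple, and the reply is un-translated by natd before it is matched against the entry the inner-interface `keep-state` rule created, so it reaches the inner host. With `check-state` ahead of the divert, the outbound datagram matches the dynamic entry created on the inner interface and is accepted untouched, leaving the box with a 10/8 source address and never reaching natd; nothing can come back. Two caveats the model deliberately leaves out: in the posted set, `allow tcp from any to any established` matches any segment with ACK or RST set independent of the dynamic table, and `allow udp from any 53 to any` admits any UDP datagram with source port 53, so for those cases the stateful rules never get to decide.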