From owner-freebsd-security Thu May  4 23:47:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mostgraveconcern.com (mostgraveconcern.com [216.82.145.240])
	by hub.freebsd.org (Postfix) with ESMTP id C36F537B683
	for <freebsd-security@freebsd.org>; Thu, 4 May 2000 23:47:39 -0700 (PDT)
	(envelope-from dan@mostgraveconcern.com)
Received: from danco (danco.mostgraveconcern.com [10.0.0.2])
	by mostgraveconcern.com (8.9.3/8.9.3) with SMTP id XAA18082;
	Thu, 4 May 2000 23:46:41 -0700 (PDT)
	(envelope-from dan@mostgraveconcern.com)
Message-ID: <016c01bfb65d$aaf59c20$0200000a@danco>
Reply-To: "Dan O'Connor" <dan@mostgraveconcern.com>
From: "Dan O'Connor" <dan@mostgraveconcern.com>
To: "Marc Silver", <freebsd-security@freebsd.org>
Subject: Re: Firewall Rules
Date: Thu, 4 May 2000 23:42:00 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3155.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I am currently working on some documentation on ipfw and natd with ppp.
> The following rules are for a basic dialup firewall that will allow
> connections on port 80. Are these rules sound, and if not, how could
> they be improved?

Are you talking about User-PPP? (I assume so, since you use 'tun0' in your
rules.)

You do know that ppp(8) has built-in NAT and filtering (which is easier than
IPFW), so that you don't need IPFW and NATD?

Anyway:

> fwcmd="/sbin/ipfw"
> $fwcmd -f flush
> $fwcmd add divert natd all from any to any via tun0
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add allow ip from any to any via fxp0
> $fwcmd add allow tcp from any to any out xmit tun0 setup
> $fwcmd add allow tcp from any to any via tun0 established
> $fwcmd add pass log tcp from any to any 80 setup

This one will allow incoming connections to your web server. BTW, 'allow' and
'pass' are the same; is there a particular reason you changed terminology?

Also, you probably won't want to log this, since web traffic generates huge
amounts of connections, and your web server will log it all anyway...

> $fwcmd add reset log tcp from any to any 113 in recv tun0

I'd remove the 'log' from this one also, since you'll get a lot of attempted
connections here from sendmail...

> $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
> $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
> $fwcmd add 65435 allow icmp from any to any

You might consider adding '$fwcmd allow udp from any to any 33434-33463' if
you want to let people do a traceroute to you...

> $fwcmd add 65435 deny log ip from any to any

You might want to also take a look at the anti-spoofing rules in the SIMPLE
section of /etc/rc.firewall.

Good Luck!

--Dan

--
Dan O'Connor
On Matters of Most Grave Concern
http://www.mostgraveconcern.com



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
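The ruleset as it would look with the changes suggested in the reply applied (logging dropped from the port 80 and ident rules, a traceroute rule, and anti-spoofing rules in the style of the SIMPLE section of /etc/rc.firewall). This is an added example written for this page, not code from either poster or from FreeBSD's rc.firewall. The interface names tun0 and fxp0 come from the posted rules; the inside network 10.0.0.0/24, the two resolver addresses (TEST-NET-1 placeholders), and the build_rules function are assumptions. The function takes the command to run as its argument, so `build_rules echo` prints the rules for review and `build_rules /sbin/ipfw` loads them.

```shell
#!/bin/sh
# Dialup ipfw/natd ruleset for user-ppp (tun0) with an inside LAN on fxp0.
# Hypothetical example: network numbers and resolver addresses are assumed.
oif="tun0"            # outside (PPP) interface, as in the posted rules
iif="fxp0"            # inside Ethernet interface, as in the posted rules
inet="10.0.0.0/24"    # assumed inside network behind NAT
dns1="192.0.2.53"     # assumed ISP resolver (placeholder address)
dns2="192.0.2.54"     # assumed second ISP resolver (placeholder address)

# build_rules CMD: run CMD for every rule. CMD is /sbin/ipfw to load the
# rules, or echo to dry-run and read them before touching the kernel.
build_rules() {
    fw="$1"
    $fw -f flush
    # Hand every packet crossing the PPP link to natd first, so later rules
    # see the translated addresses (public source going out, LAN dest coming in).
    $fw add divert natd all from any to any via "$oif"
    # Loopback and the inside LAN are trusted.
    $fw add allow ip from any to any via lo0
    $fw add allow ip from any to any via "$iif"
    # Anti-spoofing: inside addresses must never arrive on the outside
    # interface, and RFC 1918 space has no business on the dialup link at all.
    $fw add deny log all from "$inet" to any in via "$oif"
    $fw add deny all from 192.168.0.0/16 to any via "$oif"
    $fw add deny all from 172.16.0.0/12 to any via "$oif"
    $fw add deny all from 10.0.0.0/8 to any via "$oif"
    # Outbound TCP may be initiated; packets of established flows pass.
    $fw add allow tcp from any to any out xmit "$oif" setup
    $fw add allow tcp from any to any via "$oif" established
    # Inbound web connections, not logged: the web server logs them itself.
    $fw add allow tcp from any to any 80 setup
    # Reset ident probes without logging (remote sendmails probe constantly).
    $fw add reset tcp from any to any 113 in recv "$oif"
    # DNS only to and from the configured resolvers.
    for ns in "$dns1" "$dns2"; do
        $fw add allow udp from any to "$ns" 53 out xmit "$oif"
        $fw add allow udp from "$ns" 53 to any in recv "$oif"
    done
    # Let outsiders traceroute to this host: classic traceroute sends its
    # 30 hops x 3 probes to UDP ports 33434 through 33523.
    $fw add allow udp from any to any 33434-33523 via "$oif"
    $fw add allow icmp from any to any
    # Everything else is dropped and logged.
    $fw add 65435 deny log ip from any to any
}
```

Rule order matters here: the divert rule must precede the anti-spoofing rules, because outbound LAN packets carry a 10.0.0.0/8 source until natd rewrites them, and the 10/8 deny on tun0 would otherwise drop all of the LAN's traffic.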