Date:      Fri, 27 Oct 2000 19:14:14 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Peter Brezny <peter@sysadmin-inc.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: input on ipfw ruleset desired
Message-ID:  <20001027191414.C75251@149.211.6.64.reflexcom.com>
In-Reply-To: <000d01c0406c$98a88340$47010a0a@fire.sysadmininc.com>; from peter@sysadmin-inc.com on Fri, Oct 27, 2000 at 07:21:11PM -0400
References:  <000d01c0406c$98a88340$47010a0a@fire.sysadmininc.com>

On Fri, Oct 27, 2000 at 07:21:11PM -0400, Peter Brezny wrote:
> Hello everyone,
> 
> if you have the time, please have a look at the ruleset below and let me
> know if i've missed something.  I want to protect an internal network with
> this.  If there is any tweaking that could be done to tighten it up or make
> it more efficient, i'd welcome the input.
> 
> Thanks for your comments.

Yes, I have more remarks. First, I hope you left some things out. If
not, you've broken your loopback. That is not a Good Thing. Second,
your gateway cannot talk directly to the internal machines, bug or
feature (although it can respond to sessions they initiate)? Also, you
did not mention natd before. Rather than just let spoofs fall through
the rules to the default deny, I like to kill them before they reach
natd. They could potentially confuse the translation table and the
very clever attacker could possibly get natd to modify the packets so
they pass later rules.

> a.b.c.d = external ip
> w.x.y.z/24 = private inside ip range
> oif = outside interface
> iif = inside interface

  # Let loopback work
  pass all from any to any via lo0
  # Stop loopback spoofs up front, shouldn't be needed, but does not hurt
  deny log all from any to 127.0.0.0/8
  # Stop spoofs from hitting the divert rule
  # Note that this next rule might make noise in the logs when you hear
  # your own broadcasts
  deny log ip from a.b.c.d to any in recv oif
  deny log ip from w.x.y.z/24 to any in recv oif
> divert ip from any to any via oif
> check-state
> allow ip from a.b.c.d to any keep-state out xmit oif
> allow ip from w.x.y.z/24 to any keep-state in recv iif
> allow tcp from NS1 to a.b.c.d 53 keep-state
> allow tcp from any to a.b.c.d 22,25,80,443 keep-state
> deny log logamount 50 ip from any to any
> deny ip from any to any

A final note, 50 is not going to be enough for any real-world
network.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
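The two messages above describe the ruleset in pieces: the poster's NAT and stateful rules, and the reply's point that loopback must pass first and that spoofed source addresses must be dropped before the divert rule hands the packet to natd. The script below assembles that ordering as a FreeBSD rc.firewall-style shell script. It is an added example, not code from either poster: the addresses (RFC 5737/1918 documentation ranges), the fxp0/fxp1 interface names, the NS1 address, the rule numbers, the `divert natd` port name, the larger `logamount` value, and the `FWCMD` dry-run hook are all assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original thread): assemble the ipfw ruleset
# with loopback first and the anti-spoof denies ahead of the natd divert rule.
# Addresses, interface names, rule numbers and the FWCMD hook are assumptions.

# Constructed sample values standing in for the placeholders in the thread.
EXT_IP="203.0.113.10"        # a.b.c.d  (external address)
INT_NET="192.168.1.0/24"     # w.x.y.z/24 (internal range)
OIF="fxp0"                   # outside interface (assumed name)
IIF="fxp1"                   # inside interface (assumed name)
NS1="198.51.100.53"          # the NS1 host from the poster's rules (constructed)

# Dry run by default: print the commands instead of loading them.
# On the gateway, run with FWCMD="ipfw -q" to apply them.
FWCMD="${FWCMD:-echo ipfw}"

build_ruleset() {
  # Flush first so re-running the script gives the same table.
  $FWCMD -f flush

  # Loopback must work before anything else can be evaluated.
  $FWCMD add 100 pass all from any to any via lo0
  $FWCMD add 110 deny log all from any to 127.0.0.0/8

  # Anti-spoof rules sit BEFORE divert, so forged packets never reach natd.
  $FWCMD add 200 deny log ip from "$EXT_IP" to any in recv "$OIF"
  $FWCMD add 210 deny log ip from "$INT_NET" to any in recv "$OIF"

  # Translate everything crossing the outside interface.
  $FWCMD add 300 divert natd ip from any to any via "$OIF"

  # Stateful section, as posted.
  $FWCMD add 400 check-state
  $FWCMD add 410 allow ip from "$EXT_IP" to any keep-state out xmit "$OIF"
  $FWCMD add 420 allow ip from "$INT_NET" to any keep-state in recv "$IIF"
  $FWCMD add 430 allow tcp from "$NS1" to "$EXT_IP" 53 keep-state
  $FWCMD add 440 allow tcp from any to "$EXT_IP" 22,25,80,443 keep-state

  # Log a sample of what is dropped (500 is an assumed value; the reply
  # notes that 50 is too small), then deny the rest.
  $FWCMD add 65000 deny log logamount 500 ip from any to any
  $FWCMD add 65001 deny ip from any to any
}

# Sanity check on the generated table: every anti-spoof deny must carry a
# lower rule number than the divert rule. Always runs in dry-run mode.
check_spoof_before_divert() {
  (FWCMD="echo ipfw"; build_ruleset) | awk '
    /deny log ip from .* in recv/ { if ($3 > maxdeny) maxdeny = $3 }
    /divert natd/                 { divert = $3 }
    END { exit !(maxdeny && divert && maxdeny < divert) }'
}

# Usage: emit (or apply) the ruleset, then confirm the ordering.
build_ruleset
check_spoof_before_divert || echo "spoof rules are not ahead of divert" >&2
```

Keeping the spoof checks numerically below the divert rule is the whole point of the reply: ipfw evaluates rules in number order, so a packet arriving on the outside interface with an inside or gateway source address is logged and dropped before natd ever sees it and has a chance to rewrite it.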

