From owner-freebsd-security Fri Oct 27 19:14:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 03B9237B4CF for ; Fri, 27 Oct 2000 19:14:20 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Fri, 27 Oct 2000 19:12:55 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e9S2EE244330; Fri, 27 Oct 2000 19:14:14 -0700 (PDT) (envelope-from cjc)
Date: Fri, 27 Oct 2000 19:14:14 -0700
From: "Crist J. Clark"
To: Peter Brezny
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: input on ipfw ruleset desired
Message-ID: <20001027191414.C75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <000d01c0406c$98a88340$47010a0a@fire.sysadmininc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <000d01c0406c$98a88340$47010a0a@fire.sysadmininc.com>; from peter@sysadmin-inc.com on Fri, Oct 27, 2000 at 07:21:11PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Oct 27, 2000 at 07:21:11PM -0400, Peter Brezny wrote:
> Hello everyone,
>
> If you have the time, please have a look at the ruleset below and let me
> know if I've missed something. I want to protect an internal network with
> this. If there is any tweaking that could be done to tighten it up or make
> it more efficient, I'd welcome the input.
>
> Thanks for your comments.

Yes, I have more remarks.

First, I hope you left some things out. If not, you've broken your
loopback. That is not a Good Thing.

Second, your gateway cannot talk directly to the internal machines, bug
or feature (although it can respond to sessions they initiate)?

Also, you did not mention natd before.
Rather than just let spoofs fall through the rules to the default deny, I
like to kill them before they reach natd. They could potentially confuse
the translation table, and the very clever attacker could possibly get
natd to modify the packets so they pass later rules.

> a.b.c.d = external ip
> w.x.y.z/24 = private inside ip range
> oif = outside interface
> iif = inside interface

# Let loopback work
pass all from any to any via lo0
# Stop loopback spoofs up front, shouldn't be needed, but does not hurt
deny log all from any to 127.0.0.0/8
# Stop spoofs from hitting the divert rule
# Note that this next rule might make noise in the logs when you hear
# your own broadcasts
deny log ip from a.b.c.d to any recv via oif
deny log ip from w.x.y.z/24 to any recv via oif

> divert ip from any to any via oif
> check-state
> allow ip from a.b.c.d to any keep-state out xmit oif
> allow ip from w.x.y.z/24 to any keep-state in recv iif
> allow tcp from NS1 to a.b.c.d 53 keep-state
> allow tcp from any to a.b.c.d 22,25,80,443 keep-state
> deny log logamount 50 ip from any to any
> deny ip from any to any

A final note: 50 is not going to be enough for any real-world network.

-- 
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
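The ruleset as the reply suggests ordering it, written up as an added example in the style of an rc.firewall script; this is not code from either poster. The loopback pass and the two anti-spoof denies are placed ahead of the natd divert, and a small check confirms that ordering before anything is loaded. Interface names (fxp0/fxp1), the 192.0.2.x and 10.0.0.0/24 addresses, the NS1 address and the logamount value of 500 are all placeholders standing in for a.b.c.d, w.x.y.z/24, oif, iif and NS1. By default the script only prints the rules; setting fwcmd=/sbin/ipfw loads them on a FreeBSD gateway. The anti-spoof rules use ipfw's `in recv ifname` spelling.

```shell
#!/bin/sh
# Added example, not from the thread: load the ruleset with the anti-spoof
# rules ahead of the natd divert, and verify that ordering first.
# Every name and address below is an assumption, not a value from the mail.
oif="${oif:-fxp0}"                      # outside interface (assumed name)
iif="${iif:-fxp1}"                      # inside interface (assumed name)
ext_ip="${ext_ip:-192.0.2.10}"          # a.b.c.d (documentation address)
inner_net="${inner_net:-10.0.0.0/24}"   # w.x.y.z/24
ns1="${ns1:-192.0.2.53}"                # NS1 placeholder
logmax="${logmax:-500}"                 # logamount; arbitrary placeholder > 50
# Dry run by default: rules are echoed, not loaded. fwcmd=/sbin/ipfw loads them.
fwcmd="${fwcmd:-echo ipfw}"

# Emit (or load) the whole ruleset, one rule per line.
gen_ruleset() {
    $fwcmd -f flush
    # Loopback must keep working, and nothing may arrive claiming 127/8.
    $fwcmd add pass all from any to any via lo0
    $fwcmd add deny log all from any to 127.0.0.0/8
    # Anti-spoof rules sit before the divert so forged sources never reach
    # natd and cannot pollute its translation table.
    $fwcmd add deny log ip from $ext_ip to any in recv $oif
    $fwcmd add deny log ip from $inner_net to any in recv $oif
    # natd listens on the "natd" divert port (8668 in /etc/services).
    $fwcmd add divert natd ip from any to any via $oif
    $fwcmd add check-state
    $fwcmd add allow ip from $ext_ip to any keep-state out xmit $oif
    $fwcmd add allow ip from $inner_net to any keep-state in recv $iif
    $fwcmd add allow tcp from $ns1 to $ext_ip 53 keep-state
    $fwcmd add allow tcp from any to $ext_ip 22,25,80,443 keep-state
    $fwcmd add deny log logamount $logmax ip from any to any
    $fwcmd add deny ip from any to any
}

# Position (1-based line) of the first emitted rule matching an extended
# regex; empty output if nothing matches.
rule_index() {
    gen_ruleset | grep -nE -- "$1" | head -n 1 | cut -d: -f1
}

# Succeeds only if both anti-spoof denies precede the divert rule.
spoof_before_divert() {
    divert=$(rule_index 'add divert natd')
    spoof_ext=$(rule_index "deny log ip from $ext_ip to any in recv")
    spoof_int=$(rule_index "deny log ip from $inner_net to any in recv")
    [ -n "$divert" ] && [ -n "$spoof_ext" ] && [ -n "$spoof_int" ] &&
        [ "$spoof_ext" -lt "$divert" ] && [ "$spoof_int" -lt "$divert" ]
}

# Refuse to load anything if the ordering check fails.
if spoof_before_divert; then
    gen_ruleset
else
    echo "anti-spoof rules are not ahead of the divert; not loading" >&2
    exit 1
fi
```

Run it once with the default dry run to read the rules it would load, then again with `fwcmd=/sbin/ipfw` on the gateway. The `-f flush` at the top clears the old table without prompting, so run it from the console or a session that the new ruleset will allow back in.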