From: Robert Downes
Date: Tue, 15 Jun 2004 20:54:34 +0100
Message-ID: <40CF53FA.7070308@lineone.net>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Firewall rules

I'm obviously missing something...

I've read as much about IPFW and firewall packet filtering as I can, and I'm still happy with these very simple rules:

su-2.05b# ipfw -a list
00100    16    1144 divert 8668 ip from any to any in via rl0
00200    17     964 divert 8668 ip from any to any out via rl0
00300     0       0 check-state
00400    32    3296 allow ip from me to me
00500    21    1268 allow ip from 192.168.0.0/24 to any keep-state
00600   274   25875 allow ip from 192.168.1.0/24 to any keep-state
00700     2      96 deny log ip from any to any
65535     4     429 deny ip from any to any

Now, having seen plenty of examples of huge lists of rules, I'm obviously not seeing something that is apparent to others.

I've tested my network using the grc.com ShieldsUp! port probing system. It informs me that every one of the first 1056 ports is stealthed (i.e. does not even reply to probes). In fact, the only thing it complains about is the fact that my IP replies to ICMP ping requests (though I don't understand how).

The above rules only allow replies to IPs and ports on my network that establish a connection first. I'm not running any net services, so I don't need to allow any unsolicited inbound connections.

All the machines on my network seem to be able to fetch mail, browse web pages, ping, and nslookup machines on the Internet at large. And my /var/log/security file shows that dozens of random connections to ports 135 and 445 have been dropped.

So, what am I missing? What gaping hole have I left open?

-- 
Bob
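The post asks whether a short stateful IPFW ruleset has a hole in it. As an added example (not part of the original message, and not FreeBSD's or IPFW's own tooling), the Python script below parses `ipfw -a list` output in the column layout shown above (rule number, packet count, byte count, action, rest of rule) and runs a few structural checks a reviewer would apply to any ruleset: that a `check-state` rule precedes the first `keep-state` rule, that no stateless `allow` accepts traffic from `any` source, that the default rule 65535 denies, and which `allow` rules have never matched a packet. The sample input is the listing quoted in the post; the second, weaker ruleset is constructed here to show a finding. The audit heuristics are this example's assumptions, not IPFW semantics beyond what the rule syntax itself states.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the `ipfw -a list` output quoted in the post.
SAMPLE_LIST = """\
00100 16 1144 divert 8668 ip from any to any in via rl0
00200 17 964 divert 8668 ip from any to any out via rl0
00300 0 0 check-state
00400 32 3296 allow ip from me to me
00500 21 1268 allow ip from 192.168.0.0/24 to any keep-state
00600 274 25875 allow ip from 192.168.1.0/24 to any keep-state
00700 2 96 deny log ip from any to any
65535 4 429 deny ip from any to any
"""

# Constructed weaker variant: a stateless allow-all placed before check-state.
WEAK_LIST = """\
00100 0 0 allow ip from any to any
00300 0 0 check-state
00500 0 0 allow ip from 192.168.1.0/24 to any keep-state
65535 0 0 allow ip from any to any
"""

@dataclass
class Rule:
    number: int
    packets: int
    octets: int
    action: str
    body: str

# number, packet count, byte count, action, then the remainder of the rule text
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")

def parse_ipfw_list(text: str) -> List[Rule]:
    """Parse `ipfw -a list` output into Rule objects, one per non-empty line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ipfw line: {line!r}")
        rules.append(Rule(int(m.group(1)), int(m.group(2)), int(m.group(3)),
                          m.group(4), m.group(5)))
    return rules

def audit(rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means no check fired."""
    findings = []
    # Dynamic rules only short-circuit evaluation if check-state is hit first.
    first_keep = next((r.number for r in rules if "keep-state" in r.body), None)
    check_state = [r.number for r in rules if r.action == "check-state"]
    if first_keep is not None and (not check_state or check_state[0] > first_keep):
        findings.append(f"keep-state rule {first_keep} has no preceding check-state")
    for r in rules:
        # A stateless allow from any source admits unsolicited inbound traffic.
        if r.action == "allow" and "from any" in r.body and "keep-state" not in r.body:
            findings.append(f"rule {r.number}: stateless allow from any source")
        # Allow rules with zero hits are either dead or untested.
        if r.action == "allow" and r.packets == 0:
            findings.append(f"rule {r.number}: allow rule has matched no packets")
    # Rule 65535 is the kernel default; it should deny, not accept.
    default = next((r for r in rules if r.number == 65535), None)
    if default is None or default.action != "deny":
        findings.append("default rule 65535 does not deny")
    return findings

def denied_packets(rules: List[Rule]) -> int:
    """Total packets dropped by deny rules, a quick sanity figure from the counters."""
    return sum(r.packets for r in rules if r.action == "deny")

if __name__ == "__main__":
    for name, text in (("post ruleset", SAMPLE_LIST), ("weak ruleset", WEAK_LIST)):
        rs = parse_ipfw_list(text)
        print(f"{name}: {len(rs)} rules, {denied_packets(rs)} packets denied")
        for f in audit(rs) or ["no findings"]:
            print("  -", f)
```

Run against the post's listing the audit reports nothing, which is consistent with the ShieldsUp! result the poster describes: every inbound packet that is not part of a state created by a LAN host falls through to the logged deny. The constructed weak variant trips three checks, showing the kind of misordering the same checks are meant to catch.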