Date: Tue, 5 Oct 1999 11:05:46 -0400
From: "Patrick Bihan-Faou" <patrick-fl-security@mindstep.com>
To: <freebsd-security@freebsd.org>
Subject: Re: default rc.firewall
Message-ID: <007b01bf0f43$1a125de0$190aa8c0@local.mindstep.com>
Hi All,

Sorry for the long delay in that post (from the original thread), but I had some problems with my mailer...

This message is about the appropriateness of the current rc.firewall script. I would like to have as many suggestions as possible...

Thanks,

Patrick.

----- Original Message -----
From: Brett Glass <brett@lariat.org>
Sent: Friday, September 24, 1999 3:06 PM
Subject: Re: default rc.firewall

> The default rc.firewall's "simple" ruleset lets through so little that it
> is not a good default for most users -- especially users who are creating
> a NAT router. (Of course, it does not work at all unless you set the
> variables near the beginning of the ruleset properly.)

[...]

> Remember that if you have more than one external IP you will
> need to duplicate many rules.

On that note, I don't really like the fact that you have to modify the "rc.firewall" script to set up even a "simple" firewall.

I worked a bit on a new version of the "rc.firewall" script that takes all its configuration from variables that you set in rc.conf. I guess that the script does not qualify as simple anymore, but I think this is a bit cleaner.

A couple of examples:

We are using (like many others, I guess) FreeBSD as a NAT gateway on a cable-modem connection. I modified the rc.firewall script to use variables such as:

    firewall_public_if="vr0"
    firewall_private_if="ed0"
    firewall_allow_active_ftp="YES"
    firewall_allow_incoming_tcp="80,21,20"
    firewall_allow_incoming_tcp_log="22"

And it sets up the proper rules:

    ipfw add allow tcp from any to any 20 setup in recv $oif
    ipfw add allow tcp from any to $oip 80,21,20 setup in recv $oif
    ipfw add allow log tcp from any to $oip 22 setup in recv $oif

Where $oif, $oip etc. are recovered automatically from ifconfig.

The other advantage is that when we get a new IP address through DHCP from our cable provider, we only need to re-run the rc.firewall script and all the rules are updated to match the new IP address.

I still need to clean up a few issues with my rc.firewall script, but overall I believe that it would be a great enhancement to the current distribution.

Any thoughts?

Patrick.

--
MindStep Corporation
www.mindstep.com
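The generation step Patrick describes (rc.conf-style variables plus the interface address read from ifconfig, turned into ipfw commands) as an added sh example; this is not Patrick's script. The variable names are the ones quoted in the post; the ifconfig text is constructed, the rules are printed rather than executed so they can be reviewed, and the closing deny rule is an assumption the post does not show:

```shell
#!/bin/sh
# Added example, not the rc.firewall rewrite from the post.
# rc.conf-style settings, using the variable names quoted in the post.
firewall_public_if="vr0"
firewall_private_if="ed0"
firewall_allow_active_ftp="YES"
firewall_allow_incoming_tcp="80,21,20"
firewall_allow_incoming_tcp_log="22"

# Constructed ifconfig output for vr0, used instead of calling ifconfig.
SAMPLE_IFCONFIG='vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:01'

# Print the first "inet" address found in ifconfig-style text read from stdin.
# Real use: oip=$(ifconfig "$firewall_public_if" | iface_ip)
iface_ip() {
    awk '$1 == "inet" { print $2; exit }'
}

# Emit one ipfw command per line from the public interface, its address and
# the rc.conf-style settings. Re-running this after a DHCP lease change
# regenerates the rules with the new address, as the post describes.
build_rules() {
    oif=$1; oip=$2; active_ftp=$3; tcp_ports=$4; tcp_log_ports=$5
    if [ "$active_ftp" = "YES" ]; then
        printf 'ipfw add allow tcp from any to any 20 setup in recv %s\n' "$oif"
    fi
    if [ -n "$tcp_ports" ]; then
        printf 'ipfw add allow tcp from any to %s %s setup in recv %s\n' \
            "$oip" "$tcp_ports" "$oif"
    fi
    if [ -n "$tcp_log_ports" ]; then
        printf 'ipfw add allow log tcp from any to %s %s setup in recv %s\n' \
            "$oip" "$tcp_log_ports" "$oif"
    fi
    # Assumed closing rule (not in the post): log and refuse any other inbound
    # TCP connection attempt arriving on the public interface.
    printf 'ipfw add deny log tcp from any to any setup in recv %s\n' "$oif"
}

# Stand-alone run against the constructed ifconfig text; pipe into sh to apply.
oip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_ip)
build_rules "$firewall_public_if" "$oip" "$firewall_allow_active_ftp" \
    "$firewall_allow_incoming_tcp" "$firewall_allow_incoming_tcp_log"
```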