From owner-freebsd-security Tue Oct 5 8: 7:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from jacuzzi.local.mindstep.com (modemcable156.106-200-24.mtl.mc.videotron.net [24.200.106.156]) by hub.freebsd.org (Postfix) with SMTP id 366AC14D66 for ; Tue, 5 Oct 1999 08:07:06 -0700 (PDT) (envelope-from patrick-fl-security@mindstep.com)
Received: (qmail 824 invoked from network); 5 Oct 1999 06:15:18 -0000
Received: from unknown (HELO patrak) (192.168.10.25) by jacuzzi.local.mindstep.com with SMTP; 5 Oct 1999 06:15:18 -0000
Message-ID: <007b01bf0f43$1a125de0$190aa8c0@local.mindstep.com>
Reply-To: "Patrick Bihan-Faou"
From: "Patrick Bihan-Faou"
To:
Subject: Re: default rc.firewall
Date: Tue, 5 Oct 1999 11:05:46 -0400
Organization: MindStep Corporation
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All,

Sorry for the long delay in that post (from the original thread), but I had some problems with my mailer...

This message is about the appropriateness of the current rc.firewall script. I would like to have as many suggestions as possible...

Thanks,

Patrick.

----- Original Message -----
From: Brett Glass
Sent: Friday, September 24, 1999 3:06 PM
Subject: Re: default rc.firewall

> The default rc.firewall's "simple" ruleset lets through so little that it
> is not a good default for most users -- especially users who are creating
> a NAT router. (Of course, it does not work at all unless you set the
> variables near the beginning of the ruleset properly.)

[...]

> Remember that if you have more than one external IP you will
> need to duplicate many rules.

On that note, I don't really like the fact that you have to modify the "rc.firewall" script to set up even a "simple" firewall.
I worked a bit on a new version of the "rc.firewall" script that takes all its configuration from variables that you set in rc.conf. I guess that the script does not qualify as simple anymore, but I think this is a bit cleaner.

A couple of examples:

We are using (like many others, I guess) FreeBSD as a NAT gateway on a cable-modem connection. I modified the rc.firewall script to use variables such as:

    firewall_public_if="vr0"
    firewall_private_if="ed0"
    firewall_allow_active_ftp="YES"
    firewall_allow_incoming_tcp="80,21,20"
    firewall_allow_incoming_tcp_log="22"

And it sets up the proper rules:

    ipfw add allow tcp from any to any 20 setup in recv $oif
    ipfw add allow tcp from any to $oip 80,21,20 setup in recv $oif
    ipfw add allow log tcp from any to $oip 22 setup in recv $oif

where $oif, $oip, etc. are recovered automatically from ifconfig.

The other advantage is that when we get a new IP address through DHCP from our cable provider, we only need to re-run the rc.firewall script and all the rules are updated to match the new IP address.

I still need to clean up a few issues with my rc.firewall script, but overall I believe that it would be a great enhancement to the current distribution.

Any thoughts?

Patrick.

--
MindStep Corporation
www.mindstep.com
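A sketch of how an rc.conf-driven rc.firewall of the kind described in the message could be written, added here as an illustration; it is not Patrick's script and not FreeBSD's rc.firewall. The variable names are the ones quoted in the message; the dry-run switch, the ifconfig parsing, the FIREWALL_TEST_ADDR override, the initial flush and the trailing established/deny rules are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the rc.firewall from the message): build ipfw rules
# from rc.conf-style variables and re-read the public address each run.

# Defaults mirror the values quoted in the message; rc.conf would set them.
: "${firewall_public_if:=vr0}"
: "${firewall_private_if:=ed0}"
: "${firewall_allow_active_ftp:=YES}"
: "${firewall_allow_incoming_tcp:=80,21,20}"
: "${firewall_allow_incoming_tcp_log:=22}"

# FIREWALL_DRY_RUN=1 (assumed switch) prints each ipfw command instead of
# executing it, so the generated rule set can be reviewed before loading.
: "${FIREWALL_DRY_RUN:=1}"

# Primary IPv4 address of an interface, parsed from ifconfig output.
# FIREWALL_TEST_ADDR (assumed, for the example) overrides the lookup so the
# script can run on a host where the interface does not exist.
iface_addr() {
    if [ -n "${FIREWALL_TEST_ADDR:-}" ]; then
        echo "$FIREWALL_TEST_ADDR"
        return 0
    fi
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Run or echo one ipfw command, depending on the dry-run switch.
fw() {
    if [ "$FIREWALL_DRY_RUN" = 1 ]; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

# Emit the whole rule set for the current address of the public interface.
# Because the address is looked up every time, re-running this after a DHCP
# lease change produces rules that match the new address.
gen_rules() {
    oif="$firewall_public_if"
    oip=$(iface_addr "$oif")
    if [ -z "$oip" ]; then
        echo "gen_rules: no IPv4 address on $oif" >&2
        return 1
    fi

    # Start from an empty chain so rules for an old address do not linger.
    fw -f flush

    # Active-mode FTP data connection rule, exactly as quoted in the message.
    if [ "$firewall_allow_active_ftp" = YES ]; then
        fw add allow tcp from any to any 20 setup in recv "$oif"
    fi

    # Inbound TCP services on the public address, plain and logged variants.
    # ipfw accepts a comma-separated port list, so the variable is passed as-is.
    if [ -n "$firewall_allow_incoming_tcp" ]; then
        fw add allow tcp from any to "$oip" "$firewall_allow_incoming_tcp" setup in recv "$oif"
    fi
    if [ -n "$firewall_allow_incoming_tcp_log" ]; then
        fw add allow log tcp from any to "$oip" "$firewall_allow_incoming_tcp_log" setup in recv "$oif"
    fi

    # Assumed closing rules: let established TCP sessions continue and refuse
    # any other new inbound TCP connection on the public interface.
    fw add allow tcp from any to any established
    fw add deny log tcp from any to any setup in recv "$oif"
}

# Invoke with "--run" to generate (or, with FIREWALL_DRY_RUN=0, load) the rules.
if [ "${1:-}" = "--run" ]; then
    gen_rules
fi
```

With the default FIREWALL_DRY_RUN=1 the script only prints the rules, which is the form to review; set FIREWALL_DRY_RUN=0 and run it as root to load them. The rules that reference the public address are generated from whatever ifconfig reports at that moment, which is what makes the re-run-after-DHCP workflow from the message possible.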