Date: Fri, 5 May 2000 06:56:07 -0700
From: "Dan O'Connor" <dan@mostgraveconcern.com>
To: "Marc Silver" <marcs@draenor.org>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Firewall Rules
Message-ID: <019201bfb699$aa17c800$0200000a@danco>
> Do you feel that userland ppp is as safe as the kernel firewalling
> options? I would like to gain a better understanding. What are the
> major differences between the two?

As far as I know, they both work about the same. IPFW has more
flexibility, with complexity being the trade-off.

These are the /etc/ppp/ppp.conf rules I used before I got my DSL line
(and switched to IPFW/NATD):

# Prevent ICMP, DNS (53), and NTP (123) from keeping the connection alive:
set filter alive 0 deny icmp
set filter alive 1 deny udp src eq 53
set filter alive 2 deny udp dst eq 53
set filter alive 3 deny udp src eq 123
set filter alive 4 deny udp dst eq 123
set filter alive 5 permit 0 0

# Prevent NTP (123) from causing a dialup:
set filter dial 0 deny udp src eq 123
set filter dial 1 deny udp dst eq 123
set filter dial 2 permit 0 0

# Allow ident (113), ftp (20 & 21), SSH (22), SMTP (25), DNS (53),
# HTTP (80) IN & OUT, POP3 (110), NNTP (119), NTP (123), HTTPS (443),
# SOCKS (1080), CVS (5998, 5999), ICMP (ping) and traceroute (>33433).
# Everything else is blocked by default:
set filter in 0 permit tcp dst eq 113
set filter out 0 permit tcp src eq 113
set filter in 1 permit tcp src eq 20 dst gt 1023
set filter out 1 permit tcp dst eq 20
set filter in 2 permit tcp src eq 21 estab
set filter out 2 permit tcp dst eq 21
set filter in 3 permit tcp src eq 22
set filter out 3 permit tcp dst eq 22
set filter in 4 permit tcp src eq 25
set filter out 4 permit tcp dst eq 25
set filter in 5 permit udp src eq 53
set filter out 5 permit udp dst eq 53
set filter in 6 permit tcp src eq 80
set filter out 6 permit tcp dst eq 80
set filter in 7 permit tcp dst eq 80
set filter out 7 permit tcp src eq 80
set filter in 8 permit tcp src eq 110
set filter out 8 permit tcp dst eq 110
set filter in 9 permit tcp src eq 119
set filter out 9 permit tcp dst eq 119
set filter in 10 permit udp src eq 123
set filter out 10 permit udp dst eq 123
set filter in 11 permit tcp src eq 443
set filter out 11 permit tcp dst eq 443
set filter in 12 permit udp src eq 443
set filter out 12 permit udp dst eq 443
set filter in 13 permit tcp src eq 1080
set filter out 13 permit tcp dst eq 1080
set filter in 14 permit udp src eq 1080
set filter out 14 permit udp dst eq 1080
set filter in 15 permit tcp src eq 5998
set filter out 15 permit tcp dst eq 5998
set filter in 16 permit tcp src eq 5999
set filter out 16 permit tcp dst eq 5999
set filter in 17 permit icmp
set filter out 17 permit icmp
set filter in 18 permit udp dst gt 33433
set filter out 18 permit udp src gt 33433

Hope they help!

--Dan
--
Dan O'Connor
On Matters of Most Grave Concern
http://www.mostgraveconcern.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
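Below is an added example that is not part of Dan's message and is not ppp(8)'s own filter code: a small Python simulator that loads a constructed subset of the posted in/out/alive rules and evaluates packets against them. The matching semantics it assumes are modelled on the posted configuration (rules in a chain are tried in rule-number order and the first match decides, a packet matching no rule is blocked as the "Everything else is blocked by default" comment says, "permit 0 0" means any source and any destination, and "estab" matches only TCP packets with the ACK flag set); the Packet and Rule types, the parser and the sample packets are this example's own assumptions. Running it shows what the posted rules actually key on: an inbound SYN to local port 22 is dropped, but a TCP packet whose source port happens to be 22 (or 20, to any local port above 1023) is passed to whatever local port it targets, and the "estab" on rule in 2 is what prevents the same trick from working via source port 21.

```python
# Added example (not from the original post): a toy simulator for ppp(8)-style
# "set filter" rules.  The matching semantics below are assumptions modelled
# on the posted configuration, not a reimplementation of ppp's filter code:
#   - rules in a chain are tried in ascending rule-number order, first match wins
#   - a packet that matches no rule is blocked ("Everything else is blocked")
#   - "estab" matches only TCP packets carrying the ACK flag
#   - "permit 0 0" means any source / any destination
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0      # source port (0 for icmp)
    dport: int = 0      # destination port (0 for icmp)
    ack: bool = False   # TCP ACK flag; what "estab" looks at


def _port_ok(op: Optional[str], want: int, have: int) -> bool:
    """Apply an eq/gt/lt port test; no operator means the port is unconstrained."""
    if op is None:
        return True
    return {"eq": have == want, "gt": have > want, "lt": have < want}[op]


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    src_op: Optional[str] = None
    src_port: int = 0
    dst_op: Optional[str] = None
    dst_port: int = 0
    estab: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if not _port_ok(self.src_op, self.src_port, p.sport):
            return False
        if not _port_ok(self.dst_op, self.dst_port, p.dport):
            return False
        if self.estab and not (p.proto == "tcp" and p.ack):
            return False
        return True


def parse_rule(line: str):
    """Parse 'set filter <chain> <n> <action> [0 0] [proto [src OP PORT] [dst OP PORT] [estab]]'."""
    toks = line.split()
    if toks[:2] != ["set", "filter"]:
        raise ValueError(f"not a filter rule: {line!r}")
    chain, num, action, rest = toks[2], int(toks[3]), toks[4], toks[5:]
    fields = {"action": action}
    if rest[:2] == ["0", "0"]:          # explicit any-src / any-dst addresses
        rest = rest[2:]
    if rest:
        fields["proto"] = rest.pop(0)
    while rest:
        tok = rest.pop(0)
        if tok in ("src", "dst"):
            fields[tok + "_op"] = rest.pop(0)
            fields[tok + "_port"] = int(rest.pop(0))
        elif tok == "estab":
            fields["estab"] = True
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return chain, num, Rule(**fields)


def load(conf_text: str):
    """Group rules by chain name, ordered by rule number."""
    chains = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            chain, num, rule = parse_rule(line)
            chains.setdefault(chain, []).append((num, rule))
    return {c: [r for _, r in sorted(rs, key=lambda t: t[0])] for c, rs in chains.items()}


def verdict(chains, chain: str, p: Packet) -> str:
    """First matching rule decides; no match means the packet is blocked."""
    for rule in chains.get(chain, []):
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed subset of the rules from the post (same rule text, fewer services).
SAMPLE_CONF = """\
set filter alive 0 deny icmp
set filter alive 5 permit 0 0
set filter in 0 permit tcp dst eq 113
set filter in 1 permit tcp src eq 20 dst gt 1023
set filter in 2 permit tcp src eq 21 estab
set filter in 3 permit tcp src eq 22
set filter in 5 permit udp src eq 53
set filter in 17 permit icmp
set filter in 18 permit udp dst gt 33433
set filter out 3 permit tcp dst eq 22
set filter out 18 permit udp src gt 33433
"""
CHAINS = load(SAMPLE_CONF)

if __name__ == "__main__":
    for name, pkt in [
        ("ssh reply from remote server", Packet("tcp", sport=22, dport=45000, ack=True)),
        ("inbound SYN to local sshd",    Packet("tcp", sport=45000, dport=22)),
        ("SYN from src port 22 to X11",  Packet("tcp", sport=22, dport=6000)),
        ("SYN from src port 21 to X11",  Packet("tcp", sport=21, dport=6000)),
    ]:
        print(f"{name:32s} in -> {verdict(CHAINS, 'in', pkt)}")
```

The simulator only understands the rule shapes used in the post (protocol, eq/gt/lt port tests, estab, and the "0 0" any-address form); anything else raises rather than silently matching, so a typo in a rule shows up as an error instead of an accidental permit.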