Date: Sun, 11 Jun 2000 10:21:07 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Greg Hormann <ghormann@alumni.indiana.edu>
Cc: security@FreeBSD.ORG
Subject: Re: Setting up simple firewall with ipfw
Message-ID: <200006111721.e5BHLiX06847@cwsys.cwsent.com>
In-Reply-To: Your message of "Sat, 10 Jun 2000 13:37:50 EDT." <Pine.BSF.4.05.10006101131490.1436-100000@hormann.tzo.cc>
In message <Pine.BSF.4.05.10006101131490.1436-100000@hormann.tzo.cc>, Greg Hormann writes:

> I'm trying to set up a simple little firewall for my stand-alone FreeBSD-4.0
> box. Most of what I want seems to be working, but I'm having a few
> problems I would appreciate some help with. (I'm *extremely* new to
> firewalls.)
>
> 1) This box obtains its internet address via DHCP. Because of that, I've
> been using "any to any via ed0". This box is dual homed, and at some
> point in time I'd like to use natd to make this box a gateway for my
> internal network. Is there a more secure way to set things up when using
> DHCP?

You can modify dhclient-script to alter your firewall whenever you get a new
IP address via DHCP.

> 2) I can't get logging working to help me troubleshoot my problems.
> (IPFIREWALL_VERBOSE is in the kernel.) -- It may work, and I don't know
> where to look for it. It's not appearing on the console, and after looking
> at the man page, I still couldn't figure it out.
>
> sysctl net.inet.ip.fw returns:
>
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.debug: 1
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.dyn_max: 1000
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 20
> net.inet.ip.fw.dyn_rst_lifetime: 5
> net.inet.ip.fw.dyn_short_lifetime: 5
>
> 3) I'm having trouble getting ftp/ssh traffic through my firewall. (I can
> get out, but not in.) When trying to ftp or ssh in, I receive "TCP/IP
> Failure".
>
> I currently have the following rules: (Remember, I'm using DHCP, hence so
> many "any to any".)
>
> 00100 108  7771 allow tcp from any to any via ed0 established
> 00100 114 15516 allow ip from any to any via lo0
> 00200   1    44 allow tcp from any to any 25 via ed0
> 00200   0     0 deny ip from any to 127.0.0.0/8
> 00300   0     0 allow tcp from any to any 23 via ed0
> 00400   0     0 allow tcp from any to any 22 setup
> 00500   0     0 allow udp from any to any 22
> 00600   0     0 allow tcp from any 22 to any
> 00700   0     0 allow tcp from any to any 20 via ed0
> 00800   0     0 allow tcp from any to any 21 via ed0
> 00900   0     0 allow tcp from any to any 80 via ed0
> 01000   0     0 allow tcp from any to any 220 via ed0
> 01100   0     0 allow tcp from any to any 546
> 01200   0     0 allow udp from any to any 56
> 01300   4   176 allow tcp from any to any 110
> 01400   5   220 deny log tcp from any to any 1-1024 via ed0
> 65000  14  1701 allow ip from any to any
> 65535   6   672 deny ip from any to any

I'm not sure what you're trying to accomplish here -- the 22/udp is
confusing, unless you want to allow PC Anywhere through.

The FTP protocol is an abortion. You have a choice of passive or PORT FTP.
Depending on the direction, you will require opening up your firewall to the
world, or the world's firewalls need to be opened up to FTP to you. In my
IPFW and ipchains firewalls I specify that my users behind those firewalls
must use passive FTP as clients to get out. As FTP servers are a security
risk, I usually put them on a DMZ or exterior network. A packet filter with
an FTP application proxy might let you have the best of both worlds. It just
happens that IP Filter comes with FreeBSD as well.

Even then, running a world-accessible FTP server behind your firewall, IMO,
is still a big risk, unless you're offering services to customers behind
your firewall who themselves are also behind another firewall: an onion-ring
approach of firewalls within firewalls within firewalls, where outside rings
have no access, or very limited access, to a set of services on the inside.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/DEC Team      Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200006111721.e5BHLiX06847>
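The dhclient-script hook Cy suggests, written out as an added example (this is illustration code, not something from the original message or from the FreeBSD tree). It relies on one real mechanism: dhclient-script sources /etc/dhclient-exit-hooks after configuring the interface and exports $reason, $interface, $new_ip_address and $old_ip_address. Everything else is an assumption made for the example: the interface name ed0, the rule numbers 50/1010/1020, and the choice of rules (an anti-spoofing deny, inbound SSH to our address only, and outbound connections from our address only). The static rules from the poster's set (lo0, established, the final deny) are assumed to stay in rc.firewall and are never touched by the hook.

```shell
#!/bin/sh
# /etc/dhclient-exit-hooks -- example hook that re-pins the address-specific
# ipfw rules to the lease address.  Illustration only; rule numbers and the
# interface name are assumptions, not anything from the original thread.

FW_IF_DEFAULT=ed0

# Rule numbers reserved for the address-dependent rules.  The anti-spoofing
# rule is deliberately numbered below the poster's rule 100 ("established"),
# otherwise a forged packet with our source address and ACK set would be
# accepted before the spoof check is reached.
FW_SPOOF=50
FW_SSH_IN=1010
FW_OUT=1020

# Print "<number> <rule>" lines for one interface/address pair.  Kept as a
# pure function so the rules can be inspected without root or ipfw.
build_rules() {
    _if=$1
    _ip=$2
    # A packet arriving from the outside must never carry our own address.
    echo "$FW_SPOOF deny log ip from $_ip to any in via $_if"
    # Inbound SSH may only open connections to our address, nothing else.
    echo "$FW_SSH_IN allow tcp from any to $_ip 22 in via $_if setup"
    # Outbound connections (including passive-mode FTP as a client) may only
    # originate from our address; replies return via the static "established"
    # rule.
    echo "$FW_OUT allow tcp from $_ip to any out via $_if setup"
}

# Replace the address-dependent rules.  Each number is deleted before it is
# re-added, so a stale lease address is never left permitted; in the brief
# gap the static default deny applies (fail closed, not open).
apply_rules() {
    build_rules "$1" "$2" | while read _num _rule; do
        ipfw delete "$_num" 2>/dev/null
        ipfw add "$_num" $_rule
    done
}

# Drop the address-dependent rules when the lease goes away.
remove_rules() {
    for _num in $FW_SPOOF $FW_SSH_IN $FW_OUT; do
        ipfw delete "$_num" 2>/dev/null
    done
}

# Dispatch on the reason dhclient-script passes in $reason.
dhcp_hook() {
    _reason=$1
    _if=${2:-$FW_IF_DEFAULT}
    _ip=$3
    case "$_reason" in
    BOUND|RENEW|REBIND|REBOOT)
        # A new or renewed lease: pin the rules to the current address.
        if [ -n "$_ip" ]; then
            apply_rules "$_if" "$_ip"
        fi
        ;;
    EXPIRE|FAIL|RELEASE|STOP)
        # No usable address any more: leave only the static rules.
        remove_rules
        ;;
    esac
    return 0
}

# When sourced by dhclient-script, $reason is set; when run by hand to
# inspect the generated rules, it is empty and the firewall is not touched.
if [ -n "${reason:-}" ]; then
    dhcp_hook "$reason" "${interface:-}" "${new_ip_address:-}"
fi
```

Two caveats worth keeping in mind with this approach: the hook runs as root from dhclient, so anything it does with the lease data is done with full privilege, and the DHCP exchange itself (67/68 udp) must be permitted by the static rules, since no address exists yet when the first lease is requested.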