Date: Thu, 4 May 2000 23:42:00 -0700
From: "Dan O'Connor" <dan@mostgraveconcern.com>
To: "Marc Silver" <marcs@draenor.org>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Firewall Rules
Message-ID: <016c01bfb65d$aaf59c20$0200000a@danco>
> I am currently working on some documentation on ipfw and natd with ppp.
> The following rules are for a basic dialup firewall that will allow
> connections on port 80. Are these rules sound, and if not, how could
> they be improved?

<snip>

Are you talking about User-PPP? (I assume so, since you use 'tun0' in your
rules.) You do know that ppp(8) has built-in NAT and filtering (which is
easier than IPFW), so that you don't need IPFW and NATD?

Anyway:

> fwcmd="/sbin/ipfw"
> $fwcmd -f flush
> $fwcmd add divert natd all from any to any via tun0
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add allow ip from any to any via fxp0
> $fwcmd add allow tcp from any to any out xmit tun0 setup
> $fwcmd add allow tcp from any to any via tun0 established
> $fwcmd add pass log tcp from any to any 80 setup

This one will allow incoming connections to your web server. BTW, 'allow'
and 'pass' are the same; is there a particular reason you changed
terminology? Also, you probably won't want to log this, since web traffic
generates huge amounts of connections, and your web server will log it all
anyway...

> $fwcmd add reset log tcp from any to any 113 in recv tun0

I'd remove the 'log' from this one also, since you'll get a lot of
attempted connections here from sendmail...

> $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0
> $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
> $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0
> $fwcmd add 65435 allow icmp from any to any

You might consider adding '$fwcmd add allow udp from any to any 33434-33463'
if you want to let people do a traceroute to you...

> $fwcmd add 65435 deny log ip from any to any

You might want to also take a look at the anti-spoofing rules in the SIMPLE
section of /etc/rc.firewall.

Good Luck!
--Dan
--
Dan O'Connor
On Matters of Most Grave Concern
http://www.mostgraveconcern.com
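The ruleset discussed in this message, reorganised with the points raised in the reply applied (no logging on the port 80 and identd rules, a traceroute rule, and anti-spoofing checks modelled on the SIMPLE section of /etc/rc.firewall), as an added example that is not part of the original thread or of the FreeBSD rc.firewall script. Assumed rather than stated in the thread: tun0 is the User-PPP link, fxp0 is a LAN on 10.0.0.0/24, and the two nameserver addresses are TEST-NET placeholders standing in for the x.x.x.x in the original rules. The script defaults to printing the rules rather than loading them; pass `load` to install them with ipfw.

```shell
#!/bin/sh
# Added example (not from the original thread): the dialup ruleset above,
# reorganised with the reply's suggestions applied. Interface names, the
# inside network and the nameserver addresses below are assumptions.
set -eu

FWCMD="${FWCMD:-/sbin/ipfw}"
OIF="${OIF:-tun0}"             # outside (dialup) interface, assumed User-PPP
IIF="${IIF:-fxp0}"             # inside (LAN) interface
INET="${INET:-10.0.0.0/24}"    # inside network (assumed)
NS1="${NS1:-192.0.2.1}"        # placeholder for the first nameserver
NS2="${NS2:-192.0.2.2}"        # placeholder for the second nameserver

load_rules() {
    $FWCMD -f flush

    # Loopback and the LAN side are trusted.
    $FWCMD add 100 allow ip from any to any via lo0
    $FWCMD add 110 allow ip from any to any via "$IIF"

    # Anti-spoofing, in the style of the SIMPLE section of /etc/rc.firewall.
    # Destination checks go BEFORE the divert: on the wire an inbound packet
    # is still addressed to the public IP, so anything on the dialup link
    # claiming our inside net as source, or a private/reserved net as
    # destination, is bogus.
    $FWCMD add 200 deny ip from "$INET" to any in via "$OIF"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
               0.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4; do
        $FWCMD add 210 deny ip from any to "$net" via "$OIF"
    done

    # NAT for everything crossing the dialup link.
    $FWCMD add 300 divert natd ip from any to any via "$OIF"

    # Source checks go AFTER the divert: outbound packets now carry the
    # public source address, so only spoofed inbound traffic matches here.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
               0.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4; do
        $FWCMD add 310 deny ip from "$net" to any via "$OIF"
    done

    # TCP: replies to accepted connections, outbound connects, and the web
    # server. Port 80 is not logged; httpd logs every request already.
    $FWCMD add 400 allow tcp from any to any established
    $FWCMD add 410 allow tcp from any to any out via "$OIF" setup
    $FWCMD add 420 allow tcp from any to any 80 in via "$OIF" setup
    # identd: reset without logging, so remote mail servers don't stall on
    # the probe and the log isn't flooded by them.
    $FWCMD add 430 reset tcp from any to any 113 in via "$OIF"

    # DNS to and from the two configured nameservers only.
    for ns in "$NS1" "$NS2"; do
        $FWCMD add 500 allow udp from any to "$ns" 53 out via "$OIF"
        $FWCMD add 510 allow udp from "$ns" 53 to any in via "$OIF"
    done

    # Let others traceroute to us (UDP probe range from the reply) and allow
    # ICMP so ping, our own traceroute and path-MTU discovery keep working.
    $FWCMD add 600 allow udp from any to any 33434-33463 in via "$OIF"
    $FWCMD add 610 allow icmp from any to any

    # Everything else is dropped and logged.
    $FWCMD add 65000 deny log ip from any to any
}

# Print the rules instead of loading them (for review).
print_rules() {
    ( FWCMD=echo; load_rules )
}

# Number of rules a real load would install.
rule_count() {
    print_rules | grep -c '^add '
}

# Default to printing: loading a ruleset on a remote box by accident is how
# you lock yourself out.
case "${1:-print}" in
    load)  load_rules ;;
    print) print_rules ;;
    *)     echo "usage: $0 [print|load]" >&2; exit 2 ;;
esac
```

The split of the anti-spoofing checks around the divert rule is the part worth understanding: natd rewrites the destination of inbound packets and the source of outbound ones, so a "from private net" check placed before the divert would drop every legitimate outbound LAN packet, while a "to private net" check placed after it would drop every legitimate inbound reply. ICMP is left wide open here, as in the original; a tighter ruleset would restrict it to the types actually needed.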
