Date:      Fri, 15 Jun 2001 14:38:56 +0200
From:      "Marcel Dijk" <nascar24@home.nl>
To:        "Crist Clark" <crist.clark@globalstar.com>, "Evren Yurtesen" <yurtesen@ispro.net.tr>, "Antoine Beaupre (LMC)" <Antoine.Beaupre@ericsson.ca>, "Thomas T. Veldhouse" <veldy@veldy.net>, "Jason DiCioccio" <Jason.DiCioccio@Epylon.com>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: IPFW almost works now -> stateful rules
Message-ID:  <05b201c0f598$25819fa0$0900a8c0@windows>
References:  <Pine.BSF.4.33.0106130001350.63354-100000@finland.ispro.net.tr> <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com> <03da01c0f454$313b3d50$0900a8c0@windows> <3B27EAB5.3FE48A6C@globalstar.com> <046b01c0f4e8$a32a9200$0900a8c0@windows> <3B28F35D.F9B0BA04@globalstar.com> <3B28F5EE.509B1261@globalstar.com>

 > Here is what I would do,
 >
 >    # Pass loopback traffic
 >   add  100 allow ip from any to any via lo0
 >   # Protect loopback address
 >   add  200 deny ip from 127.0.0.0/8 to any
 >   add  300 deny ip from any to 127.0.0.0/8
 >   # Block spoofs
 >   add  400 deny ip from MY_IP to any in via ed0
 >   # Check dynamic rules
 >   add  400 check-state
 >   # Make dynamic entries for all outgoing traffic
 >   add  500 allow tcp from MY_IP to any keep-state out via ed0
 >   add  600 allow udp from MY_IP to any keep-state out via ed0
 >   # Services we offer to the world
 >   add  650 allow log tcp from any to MY_IP 22,5617,10000 keep-state in via ed0
 >   # Just pass ICMP
 >   add  700 allow icmp from MY_IP to any out via ed0
 >   # Allow ping replies and requests, and various error messages
 >   add  800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12
 >   # Pass everything on private LAN (do we have another interface?
 >   # Otherwise, these rules are dangerous)
 >   add 1000 allow ip from 192.168.0.0/16 to any
 >   add 1100 allow ip from any to 192.168.0.0/16
 >   # Log the rejects that have fallen through
 >   add 65000 deny log ip from any to any
 > --
> > Crist J. Clark                                Network Security Engineer
> > crist.clark@globalstar.com                    Globalstar, L.P.
> > (408) 933-4387                                FAX: (408) 933-4926

I have entered these lines in my rc.firewall.rules. I now can ping/www/etc.
ON the firewall, but the machines BEHIND the firewall (on the local LAN)
can't access the internet anymore.

I am puzzled about what to do now.

Marcel
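As an added example, not part of this thread: a small Python model that walks the quoted ruleset in ipfw's first-match order and reports which rule a given packet hits. It is a constructed stand-in with 192.0.2.1 in place of MY_IP and ed0 as the outside interface; only static matching is modelled, so keep-state/check-state dynamics are ignored.

```python
# Added example (not from the thread): static first-match walk of the quoted
# ipfw ruleset. Constructed stand-ins: MY_IP = 192.0.2.1, ed0 = external NIC.
# keep-state/check-state dynamics are not modelled, so check-state never fires.
import ipaddress

MY_IP = "192.0.2.1"
RULESET = """add 100 allow ip from any to any via lo0
add 200 deny ip from 127.0.0.0/8 to any
add 300 deny ip from any to 127.0.0.0/8
add 400 deny ip from MY_IP to any in via ed0
add 400 check-state
add 500 allow tcp from MY_IP to any keep-state out via ed0
add 600 allow udp from MY_IP to any keep-state out via ed0
add 650 allow log tcp from any to MY_IP 22,5617,10000 keep-state in via ed0
add 700 allow icmp from MY_IP to any out via ed0
add 800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12
add 1000 allow ip from 192.168.0.0/16 to any
add 1100 allow ip from any to 192.168.0.0/16
add 65000 deny log ip from any to any""".replace("MY_IP", MY_IP)

def parse(line):
    """Turn one 'add N action ...' line into a rule dict (ports/ifaces optional)."""
    t = line.split()
    rule = {"num": int(t[1]), "action": t[2], "proto": "ip", "src": "any",
            "dst": "any", "dports": None, "dir": None, "via": None, "icmptypes": None}
    if t[2] != "check-state":
        t = [x for x in t[3:] if x not in ("log", "keep-state")]  # no effect on static match
        rule["proto"], rule["src"], rule["dst"], t = t[0], t[2], t[4], t[5:]
        while t:
            if t[0] in ("in", "out"): rule["dir"] = t.pop(0)
            elif t[0] == "via": rule["via"] = t[1]; del t[:2]
            elif t[0] == "icmptypes": rule["icmptypes"] = {int(x) for x in t[1].split(",")}; del t[:2]
            else: rule["dports"] = {int(x) for x in t.pop(0).split(",")}
    return rule

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    return (r["action"] != "check-state"
            and r["proto"] in ("ip", p["proto"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and (r["dports"] is None or p.get("dport") in r["dports"])
            and (r["dir"] is None or r["dir"] == p["dir"])
            and (r["via"] is None or r["via"] == p["iface"])
            and (r["icmptypes"] is None or p.get("icmptype") in r["icmptypes"]))

RULES = [parse(l) for l in RULESET.splitlines()]

def first_match(pkt, rules=RULES):
    """Return (rule number, action) of the first rule the packet hits; 65535 = implicit default."""
    for r in rules:
        if matches(r, pkt):
            return r["num"], r["action"]
    return 65535, "deny"
```

In this static walk a LAN-sourced packet leaving ed0 lands on rule 1000, a packet arriving on ed0 with MY_IP as its source is dropped by the anti-spoof rule 400, and an inbound TCP packet to a port not in rule 650 falls through to the logging deny at 65000.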

