Date: Wed, 23 Dec 1998 17:02:20 -0800
From: Mike Thompson <miket@dnai.com>
To: freebsd-security@FreeBSD.ORG
Subject: IPFW configuration question
Message-ID: <199812240103.RAA17365@dnai.com>
Hello everyone,

As part of securing a couple of FreeBSD 2.2.7 servers to be placed on the Internet, it was suggested that I use "ipfw" as an additional security measure. In doing this I thought I would pass the script I developed to configure the FreeBSD kernel firewall on these servers to this e-mail list for comments. Basically, I only want access to our DNS, Apache and secure shell to get through.

This script was derived from the simple scripts provided in rc.firewall and with some embellishment by myself. The only thing that I believe is missing is that I would also like to enable traceroute to work from the server to help diagnose Internet delay problems. I guess I also have to let ICMP packets through to do this, but I would have another script to do that only when I am actually on the system.

Any comments would be appreciated. Not being a system admin, I am just trying to cover as many bases as I can and trying to err on the side of caution.

Thanks,

Mike Thompson

-------------------------------------------------------------

#!/bin/sh

############
# Set quiet mode
fwcmd="/sbin/ipfw -q"

############
# Flush out the list before we begin.
$fwcmd -f flush

############
# Start with default rules that we would only want
# to change in rare cases.
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 200 deny all from any to 127.0.0.0/8

# Allow ssh through.
$fwcmd add pass tcp from any to any 22

# Allow access to our DNS.
$fwcmd add pass tcp from any to any 53 setup

# Allow access to our WWW.
$fwcmd add pass tcp from any to any 80 setup

# Allow TCP through if setup succeeded.
$fwcmd add pass tcp from any to any established

# Reject all setup of incoming connections from the outside.
$fwcmd add deny tcp from any to any in via fxp0 setup

# Allow setup of any other TCP connection.
$fwcmd add pass tcp from any to any setup

# Allow DNS queries out in the world.
$fwcmd add pass udp from any 53 to any
$fwcmd add pass udp from any to any 53

# Everything else is denied as default.
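As an added illustration (not part of Mike's post or of rc.firewall), the following is a small first-match evaluator for the ipfw rule subset the script above uses, run over constructed packets. It shows what a reviewer would check here: the `pass udp from any 53 to any` rule admits any inbound UDP datagram whose source port happens to be 53 to every local UDP port, and a hypothetical tighter variant (the fxp0 interface name, the port range and the `TIGHTER` rules are assumptions) narrows that while still serving DNS.

```python
import re
# ipfw subset used in the posted script: action proto from <addr> [port] to <addr> [port]
# [setup] [established] [in|out] [via <iface>]; addresses are modelled as 'any' (rules 100/200 omitted).
def rng(tok):                                   # '53' -> (53, 53); '1024-65535' -> (1024, 65535)
    lo, _, hi = tok.partition('-')
    return int(lo), int(hi or lo)

def parse(rule):
    t = rule.split()
    r = {'action': t[0], 'proto': t[1], 'sport': None, 'dport': None}
    i = t.index('from') + 2                     # skip 'from <addr>'
    if re.fullmatch(r'\d+(-\d+)?', t[i]):
        r['sport'] = rng(t[i]); i += 1
    i += 2                                      # skip 'to <addr>'
    if i < len(t) and re.fullmatch(r'\d+(-\d+)?', t[i]):
        r['dport'] = rng(t[i]); i += 1
    rest = t[i:]                                # trailing options, in any order
    r['setup'], r['established'] = 'setup' in rest, 'established' in rest
    r['dir'] = 'in' if 'in' in rest else 'out' if 'out' in rest else None
    r['via'] = rest[rest.index('via') + 1] if 'via' in rest else None
    return r

def matches(r, p):   # p: dict with proto, sport, dport, dir, iface, syn (True for a bare SYN)
    if r['proto'] not in ('all', p['proto']): return False
    if r['sport'] and not r['sport'][0] <= p['sport'] <= r['sport'][1]: return False
    if r['dport'] and not r['dport'][0] <= p['dport'] <= r['dport'][1]: return False
    if r['setup'] and not (p['proto'] == 'tcp' and p['syn']): return False
    if r['established'] and not (p['proto'] == 'tcp' and not p['syn']): return False
    if r['dir'] and r['dir'] != p['dir']: return False
    if r['via'] and r['via'] != p['iface']: return False
    return True

def verdict(rules, p):   # first match wins, as in ipfw
    for r in map(parse, rules):
        if matches(r, p):
            return r['action']
    return 'deny'        # kernel default rule unless built with IPFIREWALL_DEFAULT_TO_ACCEPT

POSTED = ["pass tcp from any to any 22", "pass tcp from any to any 53 setup",
          "pass tcp from any to any 80 setup", "pass tcp from any to any established",
          "deny tcp from any to any in via fxp0 setup", "pass tcp from any to any setup",
          "pass udp from any 53 to any", "pass udp from any to any 53"]

# Hypothetical tighter UDP rules (an assumption, not from the post): queries to port 53 and
# our own replies pass, but a remote source port 53 only reaches unprivileged ports inbound.
TIGHTER = POSTED[:6] + ["pass udp from any to any 53",
                        "pass udp from any 53 to any out via fxp0",
                        "pass udp from any 53 to any 1024-65535 in via fxp0"]
def pkt(proto, sport, dport, dir, iface='fxp0', syn=False):
    return dict(proto=proto, sport=sport, dport=dport, dir=dir, iface=iface, syn=syn)
```

`verdict(POSTED, pkt('udp', 53, 111, 'in'))` returns `pass`, while `verdict(TIGHTER, ...)` on the same constructed datagram returns `deny`; the TCP rules behave identically in both sets.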