Date: Tue, 11 Jul 2006 13:16:21 +1000
From: Nick Withers <nick@nickwithers.com>
To: Ensel Sharon <user@dhp.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Sanity-check for my (working) ipfw rules please...
Message-ID: <20060711131621.2826f0b5.nick@nickwithers.com>
In-Reply-To: <Pine.LNX.4.21.0607101740470.12027-100000@shell.dhp.com>
References: <Pine.LNX.4.21.0607101740470.12027-100000@shell.dhp.com>
On Mon, 10 Jul 2006 18:38:51 -0400 (EDT)
Ensel Sharon <user@dhp.com> wrote:

>
> My individual hosts have a set of firewall rules on each of them that
> looks like this:
>
>
> /sbin/ipfw add 00010 allow ip from any to any via lo0
> /sbin/ipfw add 00020 deny ip from any to 127.0.0.0/8
>
> /sbin/ipfw add 00100 count ip from any to any via em0 in
> /sbin/ipfw add 00100 count ip from any to any via em0 out

Note the double-up of rule numbers here... Don't know if you care, but
thought I'd point it out.

> /sbin/ipfw add 01000 allow tcp from any to any established
>
> /sbin/ipfw add 01010 deny tcp from any to any tcpflags syn tcpoptions !mss
> /sbin/ipfw add 01011 deny icmp from any to any icmptypes
> 4,5,9,10,12,13,14,15,16,17,18
> /sbin/ipfw add 01012 deny tcp from any to any tcpflags syn,fin
> /sbin/ipfw add 01013 deny tcp from any to any tcpflags fin,psh,rst,urg
>
> /sbin/ipfw add 02001 allow udp from 10.10.10.10 to any 53
> /sbin/ipfw add 02002 allow udp from any 53 to 10.10.10.10
> /sbin/ipfw add 02003 allow tcp from any to 10.10.10.10 21,22,80,443 setup
> /sbin/ipfw add 02009 deny ip from any to 10.10.10.10
>
>
> Easy. Some standard loopback lines, count traffic on the interface, allow
> established, block out obvious offenders (xmas tree, syn/fin, etc.) and
> then open up the ports I need and block everything else. Easy. It works
> great.
>
> Two questions: is it appropriate to have line 01000 above all of my
> bad-behavior lines? That is, by allowing all established, is it possible
> that some of those bad tcp packets could be let in before they hit my
> bad-behavior block of ipfw rules? Or are all of those bad behaviors
> inconsistent with being an established tcp session?

As Chuck Swiger pointed out in an earlier reply, you're probably better
off moving the rule down below your naughty packet checking.

> Second, are there any other bad-behavior blocks I should put into my list?

How about:

deny tcp from any to any tcpflags fin,urg,psh
deny tcp from any to any tcpflags syn,fin,rst,ack
deny tcp from any to any tcpflags '!syn,!fin,!ack'

(rorted from a posting at http://support.daemonnews.org/viewtopic.php?p=846,
I have to admit that I haven't myself actually checked that these are
correct and therefore don't use them myself)

and

deny all from 10.0.0.0/8 to any in via <public interface>
deny all from 203.219.206.72/30 to any in via <internal interface>
deny all from any to 0.0.0.0/8 via <public interface>
deny all from any to 169.254.0.0/16 via <public interface>
deny all from any to 192.0.2.0/24 via <public interface>
deny all from any to 198.18.0.0/15 via <public interface>
deny all from any to 224.0.0.0/4 via <public interface>
deny all from any to 240.0.0.0/4 via <public interface>
deny all from any to 172.16.0.0 via <public interface>
deny all from any to 192.168.0.0/16 via <public interface>
deny all from 0.0.0.0/8 to any via <public interface>
deny all from 169.254.0.0/16 to any via <public interface>
deny all from 192.0.2.0/24 to any via <public interface>
deny all from 198.18.0.0/15 to any via <public interface>
deny all from 224.0.0.0/4 to any via <public interface>
deny all from 240.0.0.0/4 to any via <public interface>
deny all from 172.16.0.0 to any via <public interface>
deny all from 192.168.0.0/16 to any via <public interface>

> Thanks!

-- 
Nick Withers

email: nick@nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446