Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 23 Oct 2005 12:12:21 -0400
From:      Chuck Swiger <cswiger@mac.com>
To:        Eric F Crist <ecrist@secure-computing.net>
Cc:        freebsd questions <freebsd-questions@freebsd.org>
Subject:   Re: RFC: my firewall ruleset(s)
Message-ID:  <435BB665.70001@mac.com>
In-Reply-To: <1440F1E5-DC5A-4C7B-AC72-8ECBEC7B4A65@secure-computing.net>
References:  <1440F1E5-DC5A-4C7B-AC72-8ECBEC7B4A65@secure-computing.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
Eric F Crist wrote:
> Hey all.  I'm relatively new to shell scripting and I'm looking for  
> some comments on my firewall script.
> 
> Comments on either the ipfw rules themselves or on my scripting lack  of 
> ability would be appreciated.

Ugh.  :-)  IPFW knows how to increment rule numbers all by itself; you can get 
rid of the "rulenum1=`expr $rulenum1 + 50`" stuff.

The breakdown of sh functions like setup_loopback, setup_keepstate, setup_ntp 
is fine if you want to play with shell scripts, but it scatters your IPFW rules 
into different places.  I'd rather see something that closely resembles what 
"ipfw list" gives you.

You could chain several ports together into a list rather than listing them all 
seperately as individual rules, IPFW will end up doing less work.

You have anti-spoofing for the lookback, lo0 interface, but not for your other 
interfaces.  You should add anti-spoofing rules, and also block strict and 
loose source routing [1]:

# Stop strict and loose source routing
add deny log all from any to any ipoptions ssrr
add deny log all from any to any ipoptions lsrr

You should give some thought to ICMP filtering.  Consider something like:

add allow icmp from any to any icmptypes 0,3,4,8,11,12

You should use the log command more when developing a ruleset, to see what 
traffic you are blocking or permitting, until you've gotten your rules and 
network finalized.

-- 
-Chuck

[1]: This is known to hackers as the "how to go through a firewall as if it 
wasn't there" IP option if you don't block these.  :-)

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?435BB665.70001>