From owner-freebsd-security@FreeBSD.ORG Sun Apr 20 09:08:52 2003
From: saf3850 <saf3850@iperbole.bologna.it>
Date: Sun, 20 Apr 2003 18:10:01 +0200 (MET DST)
To: freebsd-security@freebsd.org
Subject: sghsrth

erheryhr

From owner-freebsd-security@FreeBSD.ORG Sun Apr 20 09:09:34 2003
From: saf3850 <saf3850@iperbole.bologna.it>
Date: Sun, 20 Apr 2003 18:10:45 +0200 (MET DST)
To: security@freebsd.org
Subject: sfghrgh

dfgdfgh

From owner-freebsd-security@FreeBSD.ORG Sun Apr 20 09:45:28 2003
From: "Erik Paulsen Skålerud" <erik@pentadon.com>
Date: Sun, 20 Apr 2003 18:43:09 +0200
To: freebsd-security@freebsd.org
Subject: RE: sfghrgh

You need a new keyboard..

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of saf3850
> Sent: Sunday, April 20, 2003 6:11 PM
> To: security@freebsd.org
> Subject: sfghrgh
>
>
> dfgdfgh
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Sun Apr 20 10:17:15 2003
From: Stuart Anderson <anderson@netsweng.com>
Date: Sun, 20 Apr 2003 13:17:13 -0400 (EDT)
To: freebsd-security@freebsd.org
Subject: Re: fstack protector
On Sat, 19 Apr 2003, Kris Kennaway wrote:

> Hmm, OK. From the point of view of the FreeBSD port this is a POLA
> violation..it should just use CFLAGS like everything else is supposed
> to.

Well, the modules are a little bit different. They are supposed to be built in an OS-neutral manner, almost a semi cross-build setup. Blindly picking up the host's CFLAGS setting often won't do the right thing, hence the use of a different VARIABLE name. Note that the default is to set MODCFLAGS to CFLAGS, but the hook is there for when that is not the right thing to do.

The X build system explicitly sets CFLAGS to a set value in every Makefile. This is just the way it has been done for 15+ years. The variable CDEBUGFLAGS can be used to pass in extra stuff. The two options for getting the ports' idea of CFLAGS passed into the build are to either pass it in as CDEBUGFLAGS, or capture it during the package configuration and set it in XFree86's host.def file so it will be built into all of the Makefiles.

This has probably wandered far enough off topic for this list by now 8-).

Stuart

Stuart R. Anderson                       anderson@netsweng.com
Network & Software Engineering           http://www.netsweng.com/
1024D/37A79149: 0791 D3B8 9A4C 2CDC A31F BD03 0A62 E534 37A7 9149

From owner-freebsd-security@FreeBSD.ORG Sun Apr 20 22:45:10 2003
From: Eugene Grosbein <eugen@grosbein.pp.ru>
Organization: SVZServ
Date: Mon, 21 Apr 2003 13:38:44 +0800
To: security@freebsd.org
Cc: net@freebsd.org
Subject: ipfw1

Hi!

May somebody look at http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/51132 ?
It looks like ipfw1 has a serious bug in the ruleset processing.
Eugene Grosbein

From owner-freebsd-security@FreeBSD.ORG Mon Apr 21 08:55:14 2003
From: Eugene Grosbein <eugen@grosbein.pp.ru>
Date: Mon, 21 Apr 2003 23:52:13 +0800
To: Luigi Rizzo <rizzo@icir.org>
Cc: net@freebsd.org, security@freebsd.org
Subject: Re: ipfw1

On Mon, Apr 21, 2003 at 06:43:02AM -0700, Luigi Rizzo wrote:

> > May somebody look at http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/51132 ?
> > It looks like ipfw1 has a serious bug in the ruleset processing.
>
> on a side note, i would have been more specific and said "ipfw1 has
> a serious bug in processing "not me" rules.
> Granted, your way of stating the problem attracted my attention for
> this time, but next time i might well think "ok it might be something
> minor..." :)

Ok, I've got it. However, I try to never bother people in this way when a problem is minor.

Eugene Grosbein

From owner-freebsd-security@FreeBSD.ORG Mon Apr 21 11:02:47 2003
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
Date: Mon, 21 Apr 2003 11:02:45 -0700 (PDT)
To: security@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security@FreeBSD.ORG Fri Apr 25 07:09:20 2003
From: Antoine Jacoutot <ajacoutot@lphp.org>
Date: Fri, 25 Apr 2003 16:09:17 +0200
To: freebsd-security@freebsd.org
Subject: firewalling help/audit

Hi !

First of all, I am sorry if this is not the list for that, but I've been learning (a little bit...) a way to implement a FreeBSD firewall.
So far I came up with a set of rules I would like to show you for commenting. I am sure there are a lot of errors and/or stupid rules (I am not sure the rule order is good for what I need) and I would be really pleased if one could have a look at it... otherwise, please ignore my mail (it is big !).
Basically, I have a 192.168.0.0/24 network connected to a gateway that has a dynamic IP. I would like the network and the gateway itself to do whatever they want and in the meantime filter everything from the outside except for specified services (http, ftp...) and share the internet connection.
I understand it is a very basic configuration but I would like to be sure not to make any mistake.

Thanks a lot in advance.

Antoine

Here is my ruleset:

#!/bin/sh
# Firewall Command
fwcmd="/sbin/ipfw"

# Flush out the list before we begin.
${fwcmd} -f flush

# Stop spoofing
${fwcmd} add deny all from 192.168.0.0:255.255.255.0 to any in via tun0
### ${fwcmd} add deny all from ${outside_net}:${outside_mask} to any in via vr0 ### Disabled --> dynamic @ip

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via tun0
${fwcmd} add deny all from any to 172.16.0.0/12 via tun0
${fwcmd} add deny all from any to 192.168.0.0/16 via tun0
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
${fwcmd} add deny all from 192.168.0.0/16 to any via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} add deny all from any to 0.0.0.0/8 via tun0
${fwcmd} add deny all from any to 169.254.0.0/16 via tun0
${fwcmd} add deny all from any to 192.0.2.0/24 via tun0
${fwcmd} add deny all from any to 224.0.0.0/4 via tun0
${fwcmd} add deny all from any to 240.0.0.0/4 via tun0
${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
${fwcmd} add deny all from 240.0.0.0/4 to any via tun0

# Setup Loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Network Address Translation.
${fwcmd} add divert natd all from any to any via tun0

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
${fwcmd} add deny all from 192.168.0.0/16 to any via tun0
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
${fwcmd} add deny all from 192.168.0.0/16 to any via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
${fwcmd} add deny all from 240.0.0.0/4 to any via tun0
${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
${fwcmd} add deny all from 240.0.0.0/4 to any via tun0

# Allow firewall outbound for everything
${fwcmd} add pass all from any to any via vr0

# Stateful rules & allow everything from our net
${fwcmd} add check-state
${fwcmd} add pass tcp from 192.168.0.0:255.255.255.0 to any setup keep-state
${fwcmd} add pass udp from 192.168.0.0:255.255.255.0 to any keep-state

# Deny suspicious packets
$fwcmd add deny log tcp from any to any in tcpflags syn,fin

# Allow some icmp
${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11,12

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through ### --> should we deny this ?
${fwcmd} add pass all from any to any frag

# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
${fwcmd} add pass tcp from any to me in via tun0 20,21,22,25,53,80,110 setup
${fwcmd} add pass udp from any to me in via tun0 53

# Reject & log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via tun0 setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Deny everything else
${fwcmd} add deny ip from any to any

From owner-freebsd-security@FreeBSD.ORG Fri Apr 25 10:48:07 2003
From: twig les <twigles@yahoo.com>
Date: Fri, 25 Apr 2003 10:48:06 -0700 (PDT)
To: Antoine Jacoutot <ajacoutot@lphp.org>, freebsd-security@freebsd.org
Subject: Re: firewalling help/audit

I'm no ipfw guru, but you seem to have a bunch of duplicate rules in the 2nd 1918 and draft-manning-dsua-03 sections.

--- Antoine Jacoutot wrote:
> Hi !
>
> First of all, I am sorry if this is not the list for that, but
> I've been
> learning (a little bit...) a way to implement a freeBSD
> firewall.
> [...]

=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
From owner-freebsd-security@FreeBSD.ORG Fri Apr 25 11:01:39 2003
From: Antoine Jacoutot <ajacoutot@lphp.org>
Date: Fri, 25 Apr 2003 20:01:36 +0200
To: twig les <twigles@yahoo.com>, freebsd-security@freebsd.org
Subject: Re: firewalling help/audit

On Friday 25 April 2003 19:48, twig les wrote:
> I'm no ipfw guru, but you seem to have a bunch of duplicate
> rules in the 2nd 1918 and draft-manning-dsua-03 sections.

Well, I just followed what was in /etc/rc.firewall; they duplicate the rules when there's NAT.
Thanks.

Antoine

From owner-freebsd-security@FreeBSD.ORG Fri Apr 25 17:15:12 2003
From: Antoine Jacoutot <ajacoutot@lphp.org>
Date: Sat, 26 Apr 2003 02:14:44 +0200
To: freebsd-security@freebsd.org, Lowell Gilbert, simon@nitro.dk
Subject: Re: firewalling help/audit

> Okay, good. I suspect that the machines on the inside network will
> have trouble using UDP to the outside world, but you probably won't
> care.

Hi, thanks a lot to Lowell and Simon who helped me a lot cleaning and reconfiguring my firewall rulesets.
After some work, I came up with the following, much shorter ruleset; I think this should work ok now.
I know that pop3 is not a secure protocol, but it is my first ruleset under FreeBSD and I would like to achieve this before securing the services themselves.
I will post this to -questions too, as someone recommended to me.

Once again, thanks a lot.

Antoine

#!/bin/sh
# Firewall Command
fwcmd="/sbin/ipfw"

# Flush out the list before we begin.
${fwcmd} -f flush

# Network Address Translation
${fwcmd} add divert natd all from any to any via tun0

# Setup Loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Stop spoofing
${fwcmd} add deny all from 192.168.0.0/24 to any in via tun0
### The following rule is disabled since we have a dynamic @ip
#${fwcmd} add deny all from ${outside_net}:${outside_mask} to any in via vr0

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via tun0
${fwcmd} add deny all from any to 172.16.0.0/12 via tun0
${fwcmd} add deny all from any to 192.168.0.0/16 via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} add deny all from any to 0.0.0.0/8 via tun0
${fwcmd} add deny all from any to 169.254.0.0/16 via tun0
${fwcmd} add deny all from any to 192.0.2.0/24 via tun0
${fwcmd} add deny all from any to 224.0.0.0/4 via tun0
${fwcmd} add deny all from any to 240.0.0.0/4 via tun0

# From man 8 ipfw: allow only outbound TCP connections I've created
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any in established
${fwcmd} add allow tcp from any to any out setup keep-state

# Allow firewall and local network to do everything
${fwcmd} add pass all from me to any
${fwcmd} add pass all from 192.168.0.0/24 to any

# Deny & log suspicious packets (like nmap scans)
$fwcmd add deny log tcp from any to any in tcpflags syn,fin

# Allow the following icmp: echo reply (0) destination unreachable (3)
# source quench (4) echo request (8) time-to-live exceeded (11)
# IP header bad (12)
${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11,12

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
# find a way to allow FTP inbound
${fwcmd} add pass tcp from any to me 22,25,53,80,110 in via tun0 setup
${fwcmd} add pass udp from any to me 53 in via tun0

# Reject & log everything else
${fwcmd} add deny log ip from any to any
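As an added example (not part of this thread, nor of FreeBSD's rc.firewall), a small Python checker for rule scripts written in the style of both rulesets above: it gives each `${fwcmd} add` line the number ipfw would assign (the explicit number, or the highest existing number plus the autoinc step, assumed to be the default of 100), orders the rules the way ipfw evaluates them, and reports exact duplicates like the ones twig les spotted as well as any rule that ends up after an unconditional catch-all such as the closing deny. The embedded sample is a constructed excerpt of the first ruleset plus one made-up trailing rule.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the first ruleset posted in this thread
# (with the duplicated RFC 1918 block the reply pointed out) plus one made-up
# trailing rule, placed after the catch-all deny, to exercise the shadow check.
SAMPLE_SCRIPT = """\
#!/bin/sh
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} add deny all from 192.168.0.0:255.255.255.0 to any in via tun0
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add divert natd all from any to any via tun0
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
$fwcmd add deny log tcp from any to any in tcpflags syn,fin
${fwcmd} add deny ip from any to any
${fwcmd} add pass tcp from any to me 22 in via tun0 setup
"""

# Matches '${fwcmd} add [number] rule...' and the '$fwcmd add ...' spelling.
ADD_RE = re.compile(r'^\$\{?fwcmd\}?\s+add\s+(?:(\d+)\s+)?(.+)$')
# Assumption: net.inet.ip.fw.autoinc_step is left at its default of 100.
AUTOINC_STEP = 100
DEFAULT_RULE = 65535

# A terminal action with no match conditions: nothing after it is reachable.
CATCH_ALL_RE = re.compile(
    r'^(?:deny|drop|reject|allow|pass|accept|permit)(?:\s+log)?'
    r'\s+(?:ip|all)\s+from\s+any\s+to\s+any$')


def load_rules(script):
    """Parse the 'add' lines of an rc.firewall-style script and return them
    as dicts, ordered the way ipfw will evaluate them."""
    rules, highest = [], 0
    for lineno, raw in enumerate(script.splitlines(), 1):
        m = ADD_RE.match(raw.strip())
        if not m:
            continue  # comments, assignments, the flush, blank lines
        if m.group(1):
            num = int(m.group(1))
        else:
            # Unnumbered rules are placed after the current last rule.
            num = min(highest + AUTOINC_STEP, DEFAULT_RULE - 1)
        highest = max(highest, num)
        body = ' '.join(m.group(2).split())  # normalise whitespace
        rules.append({'line': lineno, 'num': num, 'body': body})
    # ipfw keeps rules sorted by number; a rule added with an existing number
    # goes after the rules already carrying it, so a stable sort matches.
    return sorted(rules, key=lambda r: r['num'])


def find_duplicates(rules):
    """Rule bodies that appear more than once.  For deny/allow rules the
    later copy can never match a packet the first copy did not already
    decide on, so it only adds noise to the ruleset."""
    counts = Counter(r['body'] for r in rules)
    return sorted(body for body, n in counts.items() if n > 1)


def find_shadowed(rules):
    """Rules evaluated after an unconditional catch-all.  ipfw stops at the
    first matching deny/allow, so these rules can never fire."""
    shadowed, blocked = [], False
    for r in rules:
        if blocked:
            shadowed.append(r)
        elif CATCH_ALL_RE.match(r['body']):
            blocked = True
    return shadowed


def audit(script):
    """Run both checks and return the findings as plain data."""
    rules = load_rules(script)
    return {
        'duplicates': find_duplicates(rules),
        'shadowed': [(r['num'], r['body']) for r in find_shadowed(rules)],
    }


if __name__ == '__main__':
    report = audit(SAMPLE_SCRIPT)
    for body in report['duplicates']:
        print('duplicate rule:', body)
    for num, body in report['shadowed']:
        print('unreachable rule %d: %s' % (num, body))
```

Run it against the final ruleset above and it reports nothing, which is the expected result since the only catch-all is the last rule.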