Date: Sun, 23 Dec 2007 06:04:02 -0800 (PST)
From: Nash Nipples <trashy_bumper@yahoo.com>
To: freebsd-security@freebsd.org
Subject: Re: IPFW: Blocking me out. How to debug?
Message-ID: <644350.78923.qm@web36310.mail.mud.yahoo.com>
Dear W.D.

Oh come on. I have the same problem. Cut and paste logic:

#!/bin/sh
#1. count packets
#2. allow everything on lo0 (loopback)
#3. slow down and deny packets to buffer overflow enabled daemons
#3.5 to list all the buffer overflow enabled daemons use this: sockstat -46ul
#4. allow everything in and out on the Ethernet interface fxp0. Remember - wires are long things!
#5. switch sshd to a different port like 55 and use keys to authenticate
#6. do ipfw show every morning
#7. do ipfw zero every evening or as often as your boss wants that
#8. learn how to modify this script quickly just to plumb all the other things that leak
#9. you cant block yourself out if you run this script with a trailing '&' e.g. sh /etc/ipfw.rules &
#TODO: write a program that sends bills to customers
#BUGS: it cant smile

# 'add' belongs in $cmd: ipfw rejects "ipfw 100 count ..." as a bad command
cmd="/sbin/ipfw add"
ext1="fxp0"
gentleports="21,25,514"

#accounting
#i need these figures to see how bad things are going
$cmd 100 count ip from any to any in via lo0
$cmd 110 count ip from any to any out via lo0
$cmd 120 count ip from any to any in via $ext1
$cmd 130 count ip from any to any out via $ext1

#if counters below grow too high u are screwed
#this counter should not vary much comparing to the next one
$cmd 210 count icmp from any to any out via $ext1
#if there is an obvious difference someone's digging holes in the yard
$cmd 220 count icmp from any to any in via $ext1
#too much of dns.
$cmd 230 count ip from any to any 53 out via $ext1
$cmd 240 count ip from any to any 53 in via $ext1

#if counters below grow too high you have screwed someone else
#oh yes. someone's got mail.
$cmd 300 count ip from any to any 25 out via $ext1
#which way did it go
$cmd 310 count ip from any to any 25 via lo0

#policy
$cmd 1000 allow all from any to any via lo0
/sbin/ipfw add 1110 pipe 1 ip from any to me $gentleports in via $ext1
/sbin/ipfw pipe 1 config bw 1Kbit/s queue 1Kbytes

$cmd 1120 deny ip from any to me $gentleports in via $ext1
$cmd 1130 allow all from any to any via $ext1
#you will wonder but the next rule still has a match
$cmd 1140 deny log all from any to any

I'm sorry but I can't draw pretty pictures to make it any more obvious.

Nash


----- Original Message ----
From: W. D. <WD@US-Webmasters.com>
To: FreeBSD-Security@FreeBSD.org
Cc: Ian Smith <info@plot.uz>
Sent: Friday, December 21, 2007 9:30:11 AM
Subject: Re: IPFW: Blocking me out. How to debug?


At 05:45 12/20/2007, Ian Smith wrote:

Thanks for your reply Ian. This is the kind of
information I am looking for.


>Firstly, this really belongs over on freebsd-net@ if not
>freebsd-questions@, but anyway ..

I'll be glad to move it there if you would like. I
figured that since IPFW/Firewalls are security
related, that FreeBSD-Security would be the most
appropriate place.


>On Thu, 20 Dec 2007, W. D. wrote:
>
> > At 03:49 12/17/2007, Tuomo Latto wrote:
> > >W. D. wrote:
> > >> How do I tell which rule is blocking me out? SSH *is* working,
> > >> but others are not.
> > >
> > >It all depends on what you mean by "blocking you out" and "others".
>
>True; it's not really clear what you're trying to do, whether this is a
>single server with a single net interface with no NAT or what, but based
>on your present rules I'll have to make that assumption.

OK, sorry. I guess I just assumed that it would be obvious
that this is a Web server. ("Never assume anything, my good
fellow" - Sherlock Holmes).

By the way, it is/will be running Plesk server management
software, if it matters:
http://www.swsoft.com/en/products/plesk/reqs/

Also, this server is on an internal LAN before I subject
it to the wild, untamed, InterWeb, with its dangerous
internets darting back and forth inside all of the tubes.


> > >> # Loopback:
> > >> # Allow anything on the local loopback:
> > >> add allow all from any to any via lo0
> > >> add deny ip from any to 127.0.0.0/8
> > >> add deny ip from 127.0.0.0/8 to any
>
>Meaning, these rules are ok and not the problem. Ignore Mr. Nipples.

With a name like that, it's hard to take him seriously. ;^)


>
> > >> # Allow established connections:
> > >> add allow tcp from any to any established
>
>That's ok. It may help you in debugging what's happening to use:
>
> allow [log] tcp from any to any in established
> allow [log] tcp from any to any out established

I assume here that "[log]" means to insert "log" for
debugging like this:

 allow log tcp from any to any in established
 allow log tcp from any to any out established

rather than including the square brackets, "[" & "]",
correct?

I have done that and have included my latest ruleset
below.


>and really, using 'any to any' without specifying on which interfaces or
>whether 'any' is your box or the outside world is a bit too general, but
>moving on ..

OK. What should I do? I only plan on having one
Ethernet interface. What would be more secure?


> > >> # Deny fragmented packets:
> > >> add deny ip from any to any frag

> > >> # Show pings:
> > >> add count icmp from any to any icmptypes 8 in
> > >
>
>That's inbound ping requests. Don't forget that 'inbound' means coming
>into the firewall, not necessarily from the outside world. Your own
>ping requests _from_ this box also have to both come in, and go out.

Hmmm. OK. Outbound Ping will be rarely used, but should
be allowed. Isn't that included in the next rule?


> > >> # Allow pings, ping replies, and host unreach:
> > >> add allow icmp from any to any icmptypes 0,8,3
> > >
>
>Add icmptype 11 as well if you want traceroutes to work ..
>
> > >> # Allow UDP traceroutes:
> > >> add allow udp from any to any 33434-34458 in
> > >> add allow udp from any 33434-34458 to any out
> > >
>
>Ok, though udp rules are often better done statefully. See below.
>
> > >> # Allow DNS with name server
> > >> add allow udp from any to any domain out
> > >> add allow udp from any domain to any in
> > >Nope.
>
>You want to watch out here. This allows udp packets from any address
>with source port 53 to connect with any open udp port on your system,
>and allows the responses as well. It's a simple matter using such as
>netcat to source packets from port 53.

Should I restrict it by specifically stating the service?
How can I be safe? What would the rule look like?


>I gather from this that you're not running a DNS server yourself, but
>using upstream server/s? In that case a stateful rule is safer:

Again, I apologize for not being clear. I will be running
DNS on this box for the domains being hosted. So, it will
be polled whenever a request for a hosted domain is needed.


> allow udp from me to any 53 keep-state
>
>which allows after the return packets but denies connections not
>initiated from your box.
>
> > >> # SSH
> > >> # Note that /etc/hosts.allow has restrictions
> > >> # on which IP addresses are allowed.
> > >> #
> > >> # Allow SSH:
> > >> add allow tcp from any to any ssh in setup
> > >
>
>By 'ssh working', I guess you mean ssh connections to this box from
>elsewhere, rather than ssh connections from this box? Not clear.

Sorry! I am using SSH into this box, since it is easier to
cut and paste for editing and configuration.

I can't really see a situation where I would normally need to SSH
outbound, can you? I use the Windoze boxes for that.


> > >> # HTTP & HTTPS:
> > >> add allow tcp from any to any https in setup
> > >> add allow tcp from any to any http in setup
> > >
>
>So, you have a webserver running on this box, listening on ports 80 and
>443? You've verified with 'netstat -finet -a' that this is the case?

Yes:

# netstat -finet -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address           (state)
tcp4       0      0  192.168.1.109.ssh      192.168.1.107.3502        ESTABLISHED
tcp4       0     52  192.168.1.109.ssh      192.168.1.107.2266        ESTABLISHED
tcp4       0      0  *.poppassd             *.*                       LISTEN
tcp4       0      0  *.ftp                  *.*                       LISTEN
tcp4       0      0  *.smtps                *.*                       LISTEN
tcp4       0      0  *.smtp                 *.*                       LISTEN
tcp4       0      0  localhost.locald.3000  *.*                       LISTEN
tcp4       0      0  *.pop3s                *.*                       LISTEN
tcp4       0      0  *.pop3                 *.*                       LISTEN
tcp4       0      0  *.imaps                *.*                       LISTEN
tcp4       0      0  *.imap                 *.*                       LISTEN
tcp4       0      0  *.8443                 *.*                       LISTEN
tcp4       0      0  *.8880                 *.*                       LISTEN
tcp4       0      0  *.3306                 *.*                       LISTEN
tcp4       0      0  localhost.locald.8005  *.*                       LISTEN
tcp4       0      0  *.9008                 *.*                       LISTEN
tcp4       0      0  *.8009                 *.*                       LISTEN
tcp46      0      0  *.https                *.*                       LISTEN
tcp46      0      0  *.http                 *.*                       LISTEN
tcp4       0      0  *.9080                 *.*                       LISTEN
tcp4       0      0  *.8180                 *.*                       LISTEN
tcp4       0      0  localhost.locald.postg *.*                       LISTEN
tcp4       0      0  localhost.locald.rndc  *.*                       LISTEN
tcp4       0      0  localhost.locald.domai *.*                       LISTEN
tcp4       0      0  192.168.1.109.domain   *.*                       LISTEN
tcp4       0      0  *.ssh                  *.*                       LISTEN
udp4       0      0  192.168.1.109.24889    ns1.ournameserver.net.53
udp4       0      0  *.51750                *.*
udp4       0      0  localhost.locald.domai *.*
udp4       0      0  192.168.1.109.domain   *.*
udp4       0      0  *.syslog               *.*


>
> > >> # Mail: SMTP & IMAP:
> > >> add allow tcp from any to any smtp in setup
> > >> add allow tcp from any to any imap in setup
> > >
>
>You're running SMTP and IMAP servers, verified as above?
>
>You see, this also allows you (as 'any') to connect to any outside SMTP
>server too. It really helps to differentiate connections into your box
>from those you're making to outside boxes, which these don't do.
>
>Have a close look at the 'simple' section in rc.firewall.

I have scanned various versions of "rc.firewall". I kinda understand
what is going on, but there are so many places that seem anti-intuitive
to me.

Also, what are the differences between running a script and loading
these rules on bootup?


>There are
>advantages to running a script such as that rather than rules in a file,
>like variable substitution, at least while getting it all working right.

I have mixed feelings about variables. I guess they make
it easier if you change a network card or IP addresses--you
only have to do it in one place.

However, a search and replace command doesn't take much
time at all. Also, they add a level of complexity to
a situation that (to me) is complex enough already.
And, I wonder if by not using variables, I can save a
few microseconds when processing traffic. ;^)


> > >> # FTP:
> > >> add allow tcp from any to any ftp in setup
> > >> add allow tcp from any to any ftp\-data in setup
> > >> add allow tcp from any ftp\-data to any setup out
> > >
>
>Mmm, I prefer using and enforcing FTP passive mode, but YMMV.

How would I do that? This guy doesn't think it's even
possible:
http://tinyurl.com/2z6ynr


> > >> # Allow NTP in and out
> > >> add allow udp from any ntp to 128.252.19.1 ntp out
> > >> add allow udp from 128.252.19.1 ntp to any ntp in
> > >
>
>Unless running a time service for other boxes, something like:
>
> allow udp from me to any ntp keep-state # or to a specific server

Well, I think that since NTP is such a minimal user
of resources, that I would like to rely on this
box for the correct time. That way, I don't have
to bug the stratum 1 boxes. Shall I use my original?


>
> > >> # Deny and log everything else:
> > >> add deny log all from any to any
> > >Bingo!
>
>Ok, so you got rid of interface 'all', great.

Is this better?

 add deny log ip from any to any

If so, I just don't understand this. Here is what the
"Fine Manual" says:

 ================================================================
 protocol: [not] protocol-name | protocol-number
 An IP protocol specified by number or name (for a complete list
 see /etc/protocols), or one of the following keywords:

 ip4 | ipv4
 Matches IPv4 packets.

 ip6 | ipv6
 Matches IPv6 packets.

 ip | all
 Matches any packet.
 ================================================================

According to this, "ip" and "all" are synonymous. Criminy!
What am I missing here?


> > >"ipfw -a list" may also help (packet counts).
>
>It's only a short ruleset, it may help us if you show the output of say
>'ipfw -t show' (or ipfw -at list, same thing), if you're still having
>problems, but see below re 'inness' and 'outness'.
>
> > I've been banging my head against this for the past few
> > days. I don't get it.
> >
> > My understanding of the way this is supposed to work is
> > that:
> >
> > # HTTP & HTTPS:
> > add allow tcp from any to any https in setup
> > add allow tcp from any to any http in setup
> >
> > should let initial HTTP & HTTPS requests through,
> > and that:
> >
> > # Allow established connections:
> > add allow tcp from any to any established
>
>Not quite. Looks like you're allowing http/https setup packets in (ie,
>into the firewall) but not letting them out (of the firewall, to the
>webserver). For example in the 'simple' ruleset mentioned, we have:
>
> # Allow access to our WWW
> ${fwcmd} add pass tcp from any to ${oip} 80 setup
>
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup

I really don't get the above rule. Isn't it saying that
*any* kind of TCP connection can come in or go out initially?


>Note there's no 'in' or 'out' on the port 80 rule, so this allows the
>packets on both the in and out pass of the firewall. Also, the IP is
>specified as our IP - 'me' will do fine if it's just this box.

In my set, should I include some "out" rules like this:

 add allow tcp from any to any https out setup
 add allow tcp from any to any http out setup


>
> > should allow connections that are "setup" to
> > continue. Do I need a "check-state" or "keep-state"
> > statement somewhere?
>
>No, though you can use stateful TCP rules if you want to, in which case
>you'll want to DENY established connections. Personally I find relying
>on the TCP state established by using 'setup' and 'established' fine for
>TCP, but tend to use keep-state for UDP and some ICMP rules.

That sounds reasonable.


> > I don't understand what is wrong with the last rule:
> >
> > # Deny and log everything else:
> > add deny log all from any to any
> >
> > My understanding is that anything that doesn't match
> > the previous rules will match this one and hence
> > be logged and denied. Is this not correct?
>
>That's correct. Aren't you seeing any? Try show rather than tell.

Showing:

# ipfw -a -S -N -t list
00100  688  173384 Thu Dec 20 15:32:17 2007 set 0 allow log logamount 10 ip from any to any via lo0
00200    0       0                          set 0 deny log logamount 10 ip from any to 127.0.0.0/8
00300    0       0                          set 0 deny log logamount 10 ip from 127.0.0.0/8 to any
00400 4344 1712050 Fri Dec 21 00:23:37 2007 set 0 allow log logamount 10 tcp from any to any established
00500    0       0                          set 0 deny log logamount 10 ip from any to any frag
00600    4     240 Wed Dec 19 23:05:31 2007 set 0 count icmp from any to any icmptypes 8 in
00700    8     480 Wed Dec 19 23:05:31 2007 set 0 allow log logamount 10 icmp from any to any icmptypes 0,3,8
00800    0       0                          set 0 allow log logamount 10 udp from any to any dst-port 33434-34458 in
00900    0       0                          set 0 allow log logamount 10 udp from any 33434-34458 to any out
01000  366   24038 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 udp from any to any dst-port domain out
01100  364   59582 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 udp from any domain to any in
01200    1      48 Thu Dec 20 16:49:47 2007 set 0 allow log logamount 10 tcp from any to any dst-port ssh in setup
01300    0       0                          set 0 allow log logamount 10 tcp from any to any dst-port https in setup
01400    6     288 Thu Dec 20 14:43:38 2007 set 0 allow log logamount 10 tcp from any to any dst-port http in setup
01500   98    6272 Fri Dec 21 00:02:00 2007 set 0 allow log logamount 10 tcp from any to any dst-port http
01600    1      64 Thu Dec 20 15:25:01 2007 set 0 allow log logamount 10 tcp from any to any dst-port https
01700    0       0                          set 0 allow log logamount 10 tcp from any to any dst-port smtp in setup
01800    0       0                          set 0 allow log logamount 10 tcp from any to any dst-port imap in setup
01900   43    2064 Wed Dec 19 23:16:18 2007 set 0 allow log logamount 10 tcp from any to any dst-port ftp in setup
02000    0       0                          set 0 allow log logamount 10 tcp from any to any dst-port ftp-data in setup
02100    0       0                          set 0 allow log logamount 10 tcp from any ftp-data to any setup out
02200  100    7600 Thu Dec 20 23:47:00 2007 set 0 allow log logamount 10 udp from any ntp to navobs1.wustl.edu dst-port ntp out
02300  100    7600 Thu Dec 20 23:47:00 2007 set 0 allow log logamount 10 udp from navobs1.wustl.edu ntp to any dst-port ntp in
02400 2058  226123 Fri Dec 21 00:17:20 2007 set 0 deny log logamount 10 ip from any to any
65535    7     909 Wed Dec 19 22:58:29 2007 set 31 deny ip from any to any

Lot of stuff being denied. I think some of that
is my HTTP and HTTPS initial requests. What to do?

>
> > Again, I am having a great deal of difficulty
> > understanding why these rules don't work as expected.
> > I've scoured the 'Net and printed out just about
> > every coherent ruleset out there.
> >
> > Besides adding the "log" keyword on all of the rules,
> > these are the debugging tools I have been using:
> >
> > ipfw disable firewall
> > ipfw -f flush
> > ipfw enable firewall
> > /etc/rc.d/ipfw start
> > ipfw -a -S -N -t list
> > ipfw list
> > tail -f /var/log/ipfw/ipfw.log
> > tcpdump -i nve0 'proto \tcp && port http'
> > netstat -finet -a
> >
> > Could anyone please throw this tired dog a bone?
>
>Getting the two-pass nature of ipfw understood seems to be your main
>difficulty.

I would definitely agree with you. I am completely lost.

By "two-pass" do you mean "in" to the firewall, and then
"in" to the webserver, and another "two-pass": "out" from the
webserver, and "out" from the firewall?


>I know it was for me back then. Have a look at the section
>in ipfw(8) regarding packet flows, and although it sounds trite, RTFM
>about 10 times :)
>
>Cheers, Ian

Love the "Fine Manual" --not! Just not enough examples for
me to understand everything. Too much abstraction--AAArrrrgh!

Am using this link, since "man ipfw" doesn't work on 6.2. (I dare
someone to explain to me how to get it to work):
http://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8

Thanks for your help, Ian. Would appreciate it if you would
kick my butt in the proper direction again.

Any other takers/kickers?


Latest grope in the dark:
================================================================
# ipfw.rules
# ipfw firewall ruleset
# 2007 Dec 20

# By default, everything is denied access. You
# need to specifically allow something for it
# to work.

# Loopback:
# Allow anything on the local loopback:
add allow log all from any to any via lo0

# Disallow spoofed access to local:
add deny log ip from any to 127.0.0.0/8
add deny log ip from 127.0.0.0/8 to any

# Allow established connections:
add allow log tcp from any to any established

# Deny fragmented packets:
add deny log ip from any to any frag

# Show pings:
add count icmp from any to any icmptypes 8 in

# Allow pings, ping replies, and host unreach:
add allow log icmp from any to any icmptypes 0,8,3

# Allow UDP traceroutes:
add allow log udp from any to any 33434-34458 in
add allow log udp from any 33434-34458 to any out

# Allow DNS with name server
add allow log udp from any to any domain out
add allow log udp from any domain to any in

# SSH
# Note that /etc/hosts.allow has restrictions
# on which IP addresses are allowed.
#
# Allow SSH:
add allow log tcp from any to any ssh in setup

# HTTP & HTTPS:
add allow log tcp from any to any https in setup
add allow log tcp from any to any http in setup

add allow log tcp from any to any dst-port 80
add allow log tcp from any to any dst-port 443

# Mail: SMTP & IMAP:
add allow log tcp from any to any smtp in setup
add allow log tcp from any to any imap in setup

# FTP:
add allow log tcp from any to any ftp in setup
add allow log tcp from any to any ftp\-data in setup
add allow log tcp from any ftp\-data to any setup out

# Allow NTP in and out
add allow log udp from any ntp to 128.252.19.1 ntp out
add allow log udp from 128.252.19.1 ntp to any ntp in


# Deny and log everything else:
# add deny log all from any to any
add deny log ip from any to any
================================================================
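The question that runs through the whole thread is "which rule decides this packet?". The following is an added example, not code from the thread or from FreeBSD: a small first-match simulator for the subset of ipfw(8) syntax W.D.'s ruleset uses. It numbers rules 100, 200, ... the way ipfw does for an unnumbered rules file, walks them in order for a few constructed packets, and shows two things Ian points at: the "udp from any domain to any in" rule passes any datagram whose source port is 53 whatever port it is aimed at, and the "dst-port 80" rule, having no in/out, also passes connections the box itself opens outbound. The SERVICES table, the packet layout, the 10.0.0.5, 198.51.100.7 and 192.168.1.50 addresses and the nve0 interface name are assumptions for the demo; 192.168.1.109 is the host address from the netstat output above.

```python
import ipaddress

SERVICES = {"ssh": 22, "http": 80, "https": 443, "domain": 53}  # assumed subset of /etc/services
OPTS = {"in", "out", "via", "setup", "established", "dst-port"}

def ports(spec):
    """'http' -> {80}; '80,443' -> {80, 443}; bare numbers are taken as-is."""
    return {SERVICES[p] if p in SERVICES else int(p) for p in spec.split(",")}

def addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def parse_rule(line):
    """Parse 'add action [log] proto from src [ports] to dst [ports] opts...'."""
    t = [w for w in line.split() if w not in ("add", "log")]
    r = {"action": t[0], "proto": t[1], "src": t[3],
         "sports": None, "dports": None, "opts": {}}
    i = 4
    if t[i] != "to":                        # optional source port list
        r["sports"], i = ports(t[i]), i + 1
    r["dst"], i = t[i + 1], i + 2
    if i < len(t) and t[i] not in OPTS:     # optional destination port list
        r["dports"], i = ports(t[i]), i + 1
    while i < len(t):                       # trailing options
        arg = t[i] in ("via", "dst-port")
        r["opts"][t[i]], i = (t[i + 1], i + 2) if arg else (True, i + 1)
    if "dst-port" in r["opts"]:
        r["dports"] = ports(r["opts"]["dst-port"])
    return r

def matches(r, p):
    # 'setup' = SYN without ACK; 'established' = ACK or RST set, as ipfw(8) defines them
    o = r["opts"]
    return (r["proto"] in ("ip", "all", p["proto"])
            and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and (r["sports"] is None or p["sport"] in r["sports"])
            and (r["dports"] is None or p["dport"] in r["dports"])
            and ("in" not in o or p["dir"] == "in")
            and ("out" not in o or p["dir"] == "out")
            and ("via" not in o or p["iface"] == o["via"])
            and ("setup" not in o or ("SYN" in p["flags"] and "ACK" not in p["flags"]))
            and ("established" not in o or bool(p["flags"] & {"ACK", "RST"})))

def first_match(rules, p):
    """ipfw walk: 'count' rules tally but never terminate; first allow/deny wins."""
    for num, r in rules:
        if r["action"] != "count" and matches(r, p):
            return num, r["action"]
    return 65535, "deny"                    # the implicit default rule

# A subset of the ruleset W.D. posted, numbered 100, 200, ... as ipfw does by default.
RULESET = ["add allow log all from any to any via lo0",
           "add allow log tcp from any to any established",
           "add allow log udp from any domain to any in",
           "add allow log tcp from any to any http in setup",
           "add allow log tcp from any to any dst-port 80",
           "add deny log ip from any to any"]
RULES = [(100 * (i + 1), parse_rule(l)) for i, l in enumerate(RULESET)]

def pkt(proto, src, sport, dst, dport, direction, *flags):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "dir": direction, "iface": "nve0", "flags": set(flags)}
PACKETS = {  # constructed samples: 192.168.1.109 is the host, nve0 its NIC
    "http_syn_in": pkt("tcp", "192.168.1.107", 3502, "192.168.1.109", 80, "in", "SYN"),
    "udp_from_53": pkt("udp", "10.0.0.5", 53, "192.168.1.109", 51750, "in"),
    "http_syn_out": pkt("tcp", "192.168.1.109", 50000, "198.51.100.7", 80, "out", "SYN"),
    "syslog_in": pkt("udp", "192.168.1.50", 40000, "192.168.1.109", 514, "in"),
}
for name, p in PACKETS.items():
    print(name, first_match(RULES, p))
```

Extending RULESET with the rest of the posted file (icmptypes, frag and port ranges would need a few more clauses) turns this into the "which rule blocked me" answer the thread asks for, without touching the live firewall.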