Date: Mon, 24 Jan 2000 20:51:27 -0800
From: The Mad Scientist <madscientist@thegrid.net>
To: freebsd-security@freebsd.org
Subject: Re: more complete ipfw rules
Message-ID: <4.1.20000124201245.00962220@mail.thegrid.net>
In-Reply-To: <3.0.5.32.20000124151825.01c3d100@staff.sentex.ca>
At 03:18 PM 1/24/00 -0500, you wrote:
>
> With all the recent talk of flooding etc, I decided to go over my ipfw
> rules on my two border routers to a) make sure I am not letting in things I
> don't need, and b) to be a good net citizen and not allow source addresses
> to leave my network that don't belong here.
>
> With ${oif} being my outside interface,
>
> I had been using that stuff in
>
> # Stop RFC1918 nets on the outside interface
>
> But what about multicast addresses? I am not running any multicast
> applications. Should there not also be
>
> $fwcmd add deny all from 224.0.0.0/8 to any via ${oif}
>
> and I was also wondering about
>
> $fwcmd add deny all from 0.0.0.0/8 to any via ${oif}
> $fwcmd add deny all from 255.0.0.0/8 to any via ${oif}
>
> and I don't want outside connections with a source address of the loopback
>
> $fwcmd add deny all from 127.0.0.0/8 to any in recv ${oif}

Don't forget about

$fwcmd add 100 allow all from any to any via lo0
$fwcmd add 200 deny log all from any to 127.0.0.0/8

> but I am not sure if this will do what I want it to do. Are there any
> others? What about icmp? Just redirects?

$fwcmd add 2000 allow icmp from any to any icmptypes ${icmpallow}

where icmpallow="0,3,4,5,11,12,14,16,18"

This varies by what types of icmp you would like to let in. These types are
pretty much all replies.

Loose and strict source routing isn't illegal, but usually used for subversion.

$fwcmd add 500 deny log ip from any to any in via ${out_if} ipoptions lsrr,ssrr

I have this commented-out line in my ruleset.

#$fwcmd add 550 deny log ip from 169.254.0.0/16 to any in via ${out_if}

Don't quite remember what it's for. I hope it's not another wasted class B.
Can anyone enlighten me?
watchtower:/root# whois -a 169.254.0.0
Internet Assigned Numbers Authority (IANA) (NETBLK-LINKLOCAL)
   For use with Link Local Networks
   Information Sciences Institute
   University of Southern California
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA 90292-6695

   Netname: LINKLOCAL
   Netblock: 169.254.0.0 - 169.254.255.255

hth,
-Dean
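As an added example (not Dean's ruleset or anything posted in the thread), here are the anti-spoofing rules discussed in this exchange collected into one rc.firewall-style shell fragment, plus the egress filter the original poster wanted. The interface name, the inside prefix and the rule numbers are assumptions, and multicast is matched as 224.0.0.0/4 (the whole class D range) rather than the /8 quoted above.

```shell
#!/bin/sh
# Added example, not a ruleset from the thread: a consolidated ingress/egress
# anti-spoofing block in the rc.firewall style discussed above. The names
# oif, inside_net and the rule numbers are assumptions. With fwcmd=echo it
# only prints the rules, so they can be reviewed before loading with /sbin/ipfw.
oif="${oif:-fxp0}"                        # outside interface (assumed name)
inside_net="${inside_net:-192.0.2.0/24}"  # our own prefix (constructed, TEST-NET-1)
fwcmd="${fwcmd:-echo}"                    # "echo" = dry run; "/sbin/ipfw" = load
icmpallow="0,3,4,5,11,12,14,16,18"        # reply-type ICMP, as in the thread

# Source ranges that have no business arriving on the outside interface:
# RFC1918, link-local, loopback, "this" network, multicast (all of
# 224.0.0.0/4, not just the /8) and limited broadcast.
martians="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
          127.0.0.0/8 0.0.0.0/8 224.0.0.0/4 255.0.0.0/8"

spoof_rules() {
    n=100
    $fwcmd add $n allow all from any to any via lo0
    n=$((n + 10)); $fwcmd add $n deny log all from any to 127.0.0.0/8
    # Ingress: drop and log anything claiming a martian source address.
    for net in $martians; do
        n=$((n + 10)); $fwcmd add $n deny log all from $net to any in recv "$oif"
    done
    # Source-routed packets are legal but are almost only used to bypass policy.
    n=$((n + 10)); $fwcmd add $n deny log ip from any to any in via "$oif" ipoptions lsrr,ssrr
    # Egress: nothing leaves with a source address that is not ours.
    n=$((n + 10)); $fwcmd add $n deny log all from not "$inside_net" to any out xmit "$oif"
    n=$((n + 10)); $fwcmd add $n allow icmp from any to any icmptypes "$icmpallow"
}

# Sanity check for a dry run: how many rules the block would load
# (always counts in echo mode, so it never loads anything itself).
rule_count() { (fwcmd=echo; spoof_rules) | grep -c '^add '; }

spoof_rules
```

Run it as-is to see the rules; set fwcmd=/sbin/ipfw (and your real oif and inside_net) only once the printed list looks right.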