Date:      Wed, 17 Jul 2002 17:29:55 +1000
From:      Mark.Andrews@isc.org
To:        Bart Matthaei <bart@dreamflow.nl>
Cc:        Mark D <markd@cogeco.ca>, security@FreeBSD.ORG
Subject:   Re: ipfw and it's glory... 
Message-ID:  <200207170729.g6H7TtJe081341@drugs.dv.isc.org>
In-Reply-To: Your message of "Wed, 17 Jul 2002 09:03:49 +0200." <20020717070349.GA38299@heresy.dreamflow.nl> 


> On Tue, Jul 16, 2002 at 06:46:38PM -0400, Mark D wrote:
> [snip]
> > 	Alright, here we go... I plan to run http, ftp, ssh, smtp, and
> > pop on a lan box (I'm going to treat it as a real box - just so I can be
> > ready for when I do this in the future). I'd like http, ftp, pop, and
> > smtp to be open to anyone and for ssh connections to be only allowed
> > when I add the rule (to allow that specific host).
> >
> > 	I've read the man pages on ipfw and some other documents but am
> > still confused. Here is what I've put together so far (go easy on me);
> >
> >    allow ip from trusted-ip-addy-1 to any
> >    allow ip from trusted-ip-addy-2 to any
> >    allow log tcp from any to any established
> >    allow log tcp from trusted-ip-addy-1 to any 22 in setup
> >    allow log udp from internal-addy to any 53
> >    allow log udp from any 53 to internal-addy
> >    allow log tcp from any to internal-addy 80,21,110,15 setup
> >    -
> >    65535 deny ip from any to any
> 
> First of all. Avoid using ip addresses when addressing the "self"-box.
> Use 'me' instead.
> 
> Second, here's a basic setup that works for your situation:
> 
> # Allow "local" traffic
> ipfw add allow all from any to any via lo0
> 
> # Allow all outgoing traffic
> ipfw add allow all from any to any out

	This is a bad idea.  You should only allow out what you
	will accept back in.   If you don't you will eventually be
	guilty of pounding some poor server because you haven't
	allowed the answers to come back.

> # Allow IP fragments (for more info, see ipfw manpage)
> ipfw add allow all from any to any frag
> 
> # Allow established tcp connections
> ipfw add allow tcp from any to any established
> 
> # Allow tcp connections to the box > 1024 (In order to make
> # various clients work on the box)
> ipfw add pass tcp from any to me 1024-65535 setup
> 
> # Allow udp connections to the box > 1024 (same shit)
> ipfw add pass udp from any to me 1024-65535
> 
> # Allow dns queries
> ipfw add allow udp from any to any 53
> 
> # Allow the trusted ip's to the ssh port
> ipfw add allow tcp from $trusted_ip1 to me 22
> ipfw add allow tcp from $trusted_ip2 to me 22
> 
> # Allow ftp, smtp, http and pop and auth (I'm sure you want that)
> ipfw add allow tcp from any to me 21,25,80,110,113 setup
> 
> # I've added auth. If you don't want auth, make sure to reset all
> #traffic going to port 113, or ident lookups to your box will time-out.
> #use 'reset tcp from any to me 113'
> 
> # Allow icmptypes 0 3 8 and 11
> ipfw add allow icmp from any to any icmptypes 0,3,8,11
> 
> # Deny everything else
> ipfw add deny all from any to any
> 
> This is a basic setup. Add more rules for specific network setups.
> ipfw isn't difficult, you just need to figure the syntax and specific
> options out.
> 
> Cheers,
> 
> Bart
> 
> --
> Bart Matthaei                 bart@dreamflow.nl
> 
> If at first you don't succeed, redefine success.
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
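An added illustration of the point Mark raises (allow out only what you will accept back in), applied to the host Bart's ruleset was written for; this is example code written for this archive page, not a ruleset from either poster. It replaces Bart's blanket "allow all from any to any out" with per-flow rules that carry keep-state, so the replies to each permitted flow are admitted by check-state and nothing else is. The rules are emitted as text by emit_rules so they can be reviewed before being piped to sh; TRUSTED_SSH and DNS_SERVER are assumed placeholders (documentation addresses), and the rule numbers are arbitrary.

```shell
#!/bin/sh
# Constructed example: ipfw ruleset for a box offering ftp, smtp, http and
# pop to anyone and ssh only to trusted hosts. Outbound traffic is limited
# to flows we expect answers to, and every such flow is tracked with
# keep-state so its return packets match check-state.

# Assumed placeholders (RFC 5737 documentation addresses), override via env.
TRUSTED_SSH="${TRUSTED_SSH:-192.0.2.10 192.0.2.11}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"

emit_rules() {
    # Loopback is trusted; also refuse 127/8 arriving on or leaving real interfaces.
    echo "ipfw add 100 allow ip from any to any via lo0"
    echo "ipfw add 110 deny ip from any to 127.0.0.0/8"
    echo "ipfw add 120 deny ip from 127.0.0.0/8 to any"

    # Dynamic rules: packets belonging to a flow opened below are accepted here.
    echo "ipfw add 200 check-state"

    # Public services: each new connection creates state, so no blanket
    # 'established' rule is needed for the replies.
    echo "ipfw add 300 allow tcp from any to me 21,25,80,110 setup keep-state"

    # ssh only from the trusted hosts, logged so later additions are auditable.
    for h in $TRUSTED_SSH; do
        echo "ipfw add 310 allow log tcp from $h to me 22 setup keep-state"
    done

    # Reset ident rather than silently dropping it, as Bart notes, so remote
    # mail servers doing ident lookups do not wait for a timeout.
    echo "ipfw add 320 reset tcp from any to me 113"

    # Outbound: DNS to our resolver and tcp connections the box initiates
    # (including active-mode ftp data from port 20). Each is tracked, so the
    # answer comes back through check-state; nothing else is let out.
    echo "ipfw add 400 allow udp from me to $DNS_SERVER 53 out keep-state"
    echo "ipfw add 410 allow tcp from me to any out setup keep-state"

    # Minimal icmp: echo reply/request, unreachable, time exceeded (as in Bart's list).
    echo "ipfw add 500 allow icmp from any to any icmptypes 0,3,8,11"

    # Everything else is logged and dropped.
    echo "ipfw add 65000 deny log ip from any to any"
}

# Review checks: no blanket outbound allow remains ...
blanket_out_rules() {
    emit_rules | grep -c 'allow .* from any to any out' || true
}

# ... and every allow that opens a flow (other than lo0 and icmp) keeps state.
untracked_allows() {
    emit_rules | grep 'allow' | grep -v 'keep-state' | grep -v 'via lo0' \
        | grep -cv 'icmp' || true
}

emit_rules
```

Pipe the output to sh after reviewing it (ipfw add is cumulative, so flush first). Passive-mode ftp is not covered: it needs an inbound high-port range to the server, which is the one case where Bart's 1024-65535 rule is doing real work and should be narrowed to the range the ftp daemon is configured to use.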

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message