Date:      Tue, 25 Jul 2000 16:28:29 -0700 (PDT)
From:      Mike Hoskins <mike@adept.org>
To:        Stephen Montgomery-Smith <stephen@math.missouri.edu>
Cc:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>, freebsd-security@FreeBSD.ORG
Subject:   Re: Problems with natd and simple firewall
Message-ID:  <Pine.BSF.4.21.0007251622410.28594-100000@snafu.adept.org>
In-Reply-To: <Pine.BSF.4.21.0007251529120.28446-100000@snafu.adept.org>

On Tue, 25 Jul 2000, Mike Hoskins wrote:

> Aye...  A thoroughly-commented 'dynamic' rc.firewall option may be the
> best thing to come out of all this.

And, along those lines...  Comments on the following, please.  It attempts
to mimic 'simple' as closely as possible and use compatible terminology  
for ease of comparison.

-mrh



*** rc.firewall.orig	Tue Jul 25 15:33:17 2000
--- rc.firewall	Tue Jul 25 16:25:33 2000
***************
*** 225,230 ****
--- 225,288 ----
  	# config file.
  	;;
  
+ [Dd][Yy][Nn][Aa][Mm][Ii][Cc])
+ 	############
+ 	# This is a prototype setup for a minimal dynamic firewall.  It
+ 	# uses the check-state and keep-state options to allow dynamically-
+ 	# generated rules for inside clients.  Configure this machine as a
+ 	# name, mail and ntp server and point inside clients at it.
+ 	############
+ 
+ 	# Set these to your outside interface, network, netmask and ip
+ 	oif="ed0"   
+ 	onet="192.0.2.0"
+ 	omask="255.255.255.240"
+ 	oip="192.0.2.1"
+     
+ 	# Set these to your inside interface, network, netmask and ip
+ 	iif="ed1"
+ 	inet="192.0.2.16"
+ 	imask="255.255.255.240"
+ 	iip="192.0.2.17"
+ 
+ 	# NOTE: We assume the inside network is trusted.  You may want
+ 	# to add more granular control for inside clients with specific
+ 	# denys.  As is, any connection initiated by an inside client
+ 	# is allowed.
+ 
+ 	# This is a stateful firewall with dynamically-generated rules.
+ 	# Check the dynamically-generated rules first.
+ 	${fwcmd} add check-state
+ 
+ 	# Allow dynamically-generated rules to be created for our
+ 	# inside clients.  Upon a match, the firewall will create
+ 	# an explicit, dynamic rule matching bidirectional traffic
+ 	# between source and destination IP/port using the same
+ 	# protocol.  The rule has a lifetime controlled by
+ 	# sysctl(8) variables as described in the 'SYSCTL VARIABLES'
+ 	# section of ipfw(8).
+ 	${fwcmd} add allow ip from ${oip} to any keep-state
+ 	${fwcmd} add allow ip from ${inet}:{$imask} to any keep-state
+ 
+ 	# Allow setup of incoming email
+ 	${fwcmd} add pass tcp from any to ${oip} 25 setup
+ 
+ 	# Allow access to our WWW
+ 	${fwcmd} add pass tcp from any to ${oip} 80 setup
+ 
+ 	# Allow DNS queries out in the world
+ 	${fwcmd} add pass udp from any 53 to ${oip}
+ 	${fwcmd} add pass udp from ${oip} to any 53
+         
+ 	# Allow NTP queries out in the world
+ 	${fwcmd} add pass udp from any 123 to ${oip}
+ 	${fwcmd} add pass udp from ${oip} to any 123
+ 
+ 	# Everything else is denied by default, unless the
+ 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
+ 	# config file.
+ 	;;
+ 
  [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
  	;;
  *)
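Review bot: the second keep-state rule in this hunk has a shell typo, `${inet}:{$imask}`, with the braces in the wrong place: the shell expands it to `192.0.2.16:{255.255.255.240}`, which ipfw will not parse as an address/mask, so the inside-network rule never gets installed and inside clients lose the stateful allow the comment promises. It should read `${fwcmd} add allow ip from ${inet}:${imask} to any keep-state`. Two smaller points on the same hunk: because `allow ip from ${oip} to any keep-state` already creates dynamic return rules for the host's own outbound DNS and NTP queries, the stateless `pass udp from any 53 to ${oip}` and `pass udp from any 123 to ${oip}` lines are redundant and mainly serve to admit any unsolicited UDP whose source port happens to be 53 or 123; and `iip` is set but never referenced, so it should either be used or dropped to avoid suggesting the inside address is being protected separately.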


