From owner-freebsd-security Tue Jul 25 16:29: 2 2000 Delivered-To: freebsd-security@freebsd.org Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 8BEAF37BAE5 for ; Tue, 25 Jul 2000 16:28:54 -0700 (PDT) (envelope-from mike@adept.org) Received: by snafu.adept.org (Postfix, from userid 1000) id 13D109EE02; Tue, 25 Jul 2000 16:28:29 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 0FB729B001; Tue, 25 Jul 2000 16:28:29 -0700 (PDT) Date: Tue, 25 Jul 2000 16:28:29 -0700 (PDT) From: Mike Hoskins To: Stephen Montgomery-Smith Cc: "Rodney W. Grimes" , freebsd-security@FreeBSD.ORG Subject: Re: Problems with natd and simple firewall In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 25 Jul 2000, Mike Hoskins wrote: > Aye... A thoroughly-commeneted 'dynamic' rc.firewall option may be the > best thing to come out of all this. And, along those lines... Comments on the following, please. It attempts to mimic 'simple' as closely as possible and use compatible terminology for ease of comparison. -mrh *** rc.firewall.orig Tue Jul 25 15:33:17 2000 --- rc.firewall Tue Jul 25 16:25:33 2000 *************** *** 225,230 **** --- 225,288 ---- # config file. ;; + [Dd][Yy][Nn][Aa][Mm][Ii][Cc]) + ############ + # This is a prototype setup for a minimal dynamic firewall. It + # uses the check-state and keep-state options to allow dynamically- + # generated rules for inside clients. Configure this machine as a + # name, mail and ntp server and point inside clients at it. 
+ ############ + + # Set these to your outside interface, network, netmask and ip + oif="ed0" + onet="192.0.2.0" + omask="255.255.255.240" + oip="192.0.2.1" + + # Set these to your inside interface, network, netmask and ip + iif="ed1" + inet="192.0.2.16" + imask="255.255.255.240" + iip="192.0.2.17" + + # NOTE: We assume the inside network is trusted. You may want + # to add more granular control for inside clients with specific + # denys. As is, any connection initiated by an inside client + # is allowed. + + # This is a stateful firewall with dynamically-generated rules. + # Check the dynamically-generated rules first. + ${fwcmd} add check-state + + # Allow dynamically-generated rules to be created for our + # inside clients. Upon a match, the firewall will create + # an explicit, dynamic rule matching bidirectional traffic + # between source and destination IP/port using the same + # protocol. The rule has a lifetime controlled by + # sysctl(8) variables as described in the 'SYSCTL VARIABLES' + # section of ipfw(8). + ${fwcmd} add allow ip from ${oip} to any keep-state + ${fwcmd} add allow ip from ${inet}:{$imask} to any keep-state + + # Allow setup of incoming email + ${fwcmd} add pass tcp from any to ${oip} 25 setup + + # Allow access to our WWW + ${fwcmd} add pass tcp from any to ${oip} 80 setup + + # Allow DNS queries out in the world + ${fwcmd} add pass udp from any 53 to ${oip} + ${fwcmd} add pass udp from ${oip} to any 53 + + # Allow NTP queries out in the world + ${fwcmd} add pass udp from any 123 to ${oip} + ${fwcmd} add pass udp from ${oip} to any 123 + + # Everything else is denied by default, unless the + # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel + # config file. + ;; + [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) ;; *) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
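Review bot: the inside keep-state rule has a shell expansion typo: `${fwcmd} add allow ip from ${inet}:{$imask} to any keep-state` writes `{$imask}` instead of `${imask}`, so the mask expands to a literal `{255.255.255.240}` and ipfw will reject the rule (or, if the script continues past the error, inside clients get no dynamic rule at all); it should read `${inet}:${imask}`, matching the `${oip}` rule above it. Two further points on the same hunk. First, neither keep-state rule is bound to an interface, so a packet arriving on ${oif} with a source address inside ${inet}:${imask} matches the inside rule and even creates a dynamic entry for it; qualifying the rule with `in via ${iif}` (or preceding it with a deny for ${inet}:${imask} `in via ${oif}`) keeps the "inside network is trusted" assumption in the comment from applying to spoofed outside traffic. Second, the DNS and NTP reply rules (`pass udp from any 53 to ${oip}` and `pass udp from any 123 to ${oip}`) are redundant with `allow ip from ${oip} to any keep-state`, which already creates a bidirectional dynamic rule for each outgoing query, and they are broader than needed because they admit any UDP datagram with source port 53 or 123 to every port on ${oip}; dropping the two inbound rules and keeping only the outbound ones (with the existing keep-state) closes that. Minor style point: the hunk mixes `allow` and `pass` for identical actions; picking one makes the block easier to compare with 'simple', which is the stated goal.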