Date: Sat, 19 Aug 2000 18:11:34 -0500 (CDT)
From: Mike Meyer <mwm@mired.org>
To: "Bill McMilleon" <billmcmilleon@home.com>
Cc: questions@freebsd.org
Subject: hardening my nat/firewall rules
Message-ID: <14751.5158.782263.898054@guru.mired.org>
In-Reply-To: <11900310@toto.iv>
Bill McMilleon writes:
> # Always allow traffic on the local/private subnet
> add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via xl0

I almost forgot - don't do this. Go back and open holes for individual services for the local net as well. The idea is that, should someone break into a system behind through the firewall (say your web server), or in larger installations through an external connection installed by someone else, you're not making their life any easier. This also gives you a chance to log the connections so you can watch for suspicious behavior. It's all part of the "All that is not permitted is denied" idea.

You also might want to look at adding rules to throw out packets with bogus IP addresses - especially those coming from the outside world. I.e. (after the localhost rule):

add deny all from any to 127.0.0.0/8
add deny all from 192.168.0.0/16 recv ep0

Note that 192.168.0.0/16 are the IPs your internal network uses, not just a generic unregistered network. The idea is to throw out packets claiming to be from your internal network showing up on the external interface. This probably requires tweaking, *especially* if your firewall isn't your router.

<mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
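An added illustration, not part of Mike's message and not ipfw code: a small first-match evaluator that applies the ruleset he describes (localhost rule, the two anti-spoofing denies, per-service holes instead of a blanket LAN allow, default deny) to constructed packets. Interface names ep0 (external), xl0 (internal) and lo0, and the web server address 192.168.1.10, are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str              # source IP
    dst: str              # destination IP
    dport: Optional[int]  # destination port, None for non-port protocols
    recv_if: str          # interface the packet arrived on (ipfw "recv")

# Ordered ruleset in the spirit of the message: first match wins, default deny.
# Fields: action, proto ("ip" matches any), src net, dst net, dport (None = any),
# recv interface (None = any). Interface names and hosts are constructed.
RULES = [
    ("allow", "ip",  "127.0.0.0/8",    "127.0.0.0/8",     None, "lo0"),  # localhost rule
    ("deny",  "ip",  "0.0.0.0/0",      "127.0.0.0/8",     None, None),   # bogus loopback destination
    ("deny",  "ip",  "192.168.0.0/16", "0.0.0.0/0",       None, "ep0"),  # internal source on outside if
    ("allow", "tcp", "0.0.0.0/0",      "192.168.1.10/32", 80,   "ep0"),  # hole: web server (assumed host)
    ("allow", "tcp", "192.168.0.0/16", "192.168.0.0/16",  22,   "xl0"),  # hole: ssh inside the LAN
]

def matches(rule, pkt: Packet) -> bool:
    """True if every field of the rule matches the packet."""
    _action, proto, src, dst, dport, recv = rule
    return ((proto == "ip" or proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst)
            and (dport is None or dport == pkt.dport)
            and (recv is None or recv == pkt.recv_if))

def verdict(pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule); index None = implicit default deny."""
    for i, rule in enumerate(RULES):
        if matches(rule, pkt):
            return rule[0], i          # the index is what you would log
    return "deny", None                # "all that is not permitted is denied"

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("tcp", "192.168.1.50", "10.0.0.1", 25, "ep0"),        # spoofed internal source from outside
        Packet("tcp", "203.0.113.7", "127.0.0.1", 22, "ep0"),        # loopback destination from outside
        Packet("tcp", "203.0.113.7", "192.168.1.10", 80, "ep0"),     # legitimate web hit
        Packet("tcp", "192.168.1.20", "192.168.1.30", 445, "xl0"),   # LAN traffic with no hole: denied
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.dport, "on", p.recv_if, "=>", verdict(p))
```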