From owner-freebsd-security  Tue Jan 25 14:36:41 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
	by hub.freebsd.org (Postfix) with ESMTP id 88AE214D45
	for <freebsd-security@FreeBSD.org>; Tue, 25 Jan 2000 14:36:36 -0800 (PST)
	(envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
	by gndrsh.dnsmgr.net (8.9.3/8.9.3) id OAA71995;
	Tue, 25 Jan 2000 14:32:40 -0800 (PST)
	(envelope-from freebsd)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Message-Id: <200001252232.OAA71995@gndrsh.dnsmgr.net>
Subject: Re: more complete ipfw rules
In-Reply-To: <388D7516.C4EB676@rug.ac.be> from Tony Voet at "Jan 25, 2000 11:04:06 am"
To: Tony.Voet@rug.ac.be (Tony Voet)
Date: Tue, 25 Jan 2000 14:32:40 -0800 (PST)
Cc: freebsd-security@FreeBSD.org
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> The Mad Scientist wrote:
> > 
> > I have this commented-out line in my ruleset.
> > #$fwcmd add 550 deny log ip from 169.254.0.0/16 to any in via ${out_if}
> > Don't quite remember what it's for.  I hope it's not another wasted class
> > B.  Can anyone enlighten me?
> 
> This IETF draft answers your question:
> 
> http://www.ietf.org/internet-drafts/draft-manning-dsua-01.txt

And that draft produces the following patch for review:

Index: rc.firewall
===================================================================
RCS file: /home/ncvs/src/etc/rc.firewall,v
retrieving revision 1.28
diff -u -r1.28 rc.firewall
--- rc.firewall	1999/12/04 01:27:51	1.28
+++ rc.firewall	2000/01/25 22:30:08
@@ -110,9 +110,9 @@
 	############
 
 	# set these to your network and netmask and ip
-	net="192.168.4.0"
+	net="192.0.2.0"
 	mask="255.255.255.0"
-	ip="192.168.4.17"
+	ip="192.0.2.1"
 
 	# Allow any traffic to or from my own net.
 	${fwcmd} add pass all from ${ip} to ${net}:${mask}
@@ -155,27 +155,39 @@
 
 	# set these to your outside interface network and netmask and ip
 	oif="ed0"
-	onet="192.168.4.0"
-	omask="255.255.255.0"
-	oip="192.168.4.17"
+	onet="192.0.2.0"
+	omask="255.255.255.240"
+	oip="192.0.2.1"
 
 	# set these to your inside interface network and netmask and ip
 	iif="ed1"
-	inet="192.168.3.0"
-	imask="255.255.255.0"
-	iip="192.168.3.17"
+	inet="192.0.2.16"
+	imask="255.255.255.240"
+	iip="192.0.2.17"
 
 	# Stop spoofing
 	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
 	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
 
 	# Stop RFC1918 nets on the outside interface
-	${fwcmd} add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
-	${fwcmd} add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
-	${fwcmd} add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
-	${fwcmd} add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
-	${fwcmd} add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
-	${fwcmd} add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
+	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
+	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
+	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
+	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
+	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
+	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
+
+	# Stop draft-manning-dsua-01.txt nets on the outside interface
+	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
+	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
+	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
+	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
+	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
+	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
+	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
+	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
+	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
+	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
 
 	# Allow TCP through if setup succeeded
 	${fwcmd} add pass tcp from any to any established

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message