Date:      Sat, 26 Apr 2003 02:14:44 +0200
From:      Antoine Jacoutot <ajacoutot@lphp.org>
To:        freebsd-security@freebsd.org, Lowell Gilbert <freebsd-security-local@be-well.no-ip.com>, simon@nitro.dk
Subject:   Re: firewalling help/audit
Message-ID:  <200304260214.44092.ajacoutot@lphp.org>
In-Reply-To: <44he8me6nx.fsf@be-well.ilk.org>
References:  <200304251609.17393.ajacoutot@lphp.org> <44he8me6nx.fsf@be-well.ilk.org>

> Okay, good.  I suspect that the machines on the inside network will
> have trouble using UDP to the outside world, but you probably won't
> care.

Hi, thanks a lot to Lowell and Simon who helped me a lot cleaning and 
reconfiguring my firewall rulesets.
After some work, I came up with the following, much shorter ruleset; I think 
this should work OK now.
I know that pop3 is not a secure protocol, but it is my first ruleset under 
FreeBSD and I would like to achieve this before securing the services 
themselves.
I will post this to -questions too, as someone recommended to me.

Once again, thanks a lot.

Antoine

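#!/bin/sh
#
# ipfw ruleset for a FreeBSD gateway with natd.  tun0 is the outside
# interface (dynamic address), the inside network is 192.168.0.0/24
# (apparently on vr0, see the disabled rule below).  Unnumbered rules
# get increasing numbers as they are added, so the order of this file
# is the order in which packets are matched.

# Firewall Command
fwcmd="/sbin/ipfw"

# Flush out the list before we begin.
${fwcmd} -f flush

# Network Address Translation: every packet crossing tun0, in or out,
# is handed to natd and re-enters the list at the rule after this one.
${fwcmd} add divert natd all from any to any via tun0

# Setup Loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Stop spoofing: the inside net must never appear as a source on tun0.
${fwcmd} add deny all from 192.168.0.0/24 to any in via tun0
### The following rule is disabled since we have a dynamic @ip
#${fwcmd} add deny all from ${outside_net}:${outside_mask} to any in via vr0

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via tun0
${fwcmd} add deny all from any to 172.16.0.0/12 via tun0
${fwcmd} add deny all from any to 192.168.0.0/16 via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} add deny all from any to 0.0.0.0/8 via tun0
${fwcmd} add deny all from any to 169.254.0.0/16 via tun0
${fwcmd} add deny all from any to 192.0.2.0/24 via tun0
${fwcmd} add deny all from any to 224.0.0.0/4 via tun0
${fwcmd} add deny all from any to 240.0.0.0/4 via tun0

# From man 8 ipfw: allow only outbound TCP connections I've created.
# Inbound TCP packets with ACK or RST set ("established") are dropped
# unless check-state already matched them against a dynamic rule, so
# every TCP flow we want to accept further down must be opened with
# keep-state, otherwise only its first SYN gets through.
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any in established
${fwcmd} add allow tcp from any to any out setup keep-state

# Allow firewall and local network to do everything.
# keep-state on the inside net records each LAN-initiated flow on its
# inbound pass from the inside interface, where natd is not involved,
# so replies that natd maps back to the 192.168.0.x host are accepted
# by check-state instead of falling through to the "in established"
# deny or the final deny.  This is also what lets UDP replies (e.g.
# DNS answers) reach machines on the inside.
${fwcmd} add pass all from me to any
${fwcmd} add pass all from 192.168.0.0/24 to any keep-state

# Deny & log suspicious packets (like nmap scans)
${fwcmd} add deny log tcp from any to any in tcpflags syn,fin

# Allow the following icmp: echo reply (0) destination unreachable (3)
# source quench (4) echo request (8) time-to-live exceeded (11)
# IP header bad (12)
${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11,12

# Allow IP fragments to pass through.
# Non-first fragments carry no port numbers, so they are not subject to
# the port-based rules below; same as rc.firewall, but worth knowing.
${fwcmd} add pass all from any to any frag

# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
# find a way to allow FTP inbound
# keep-state is required here: the client's SYN is accepted by "setup",
# but its following ACKs would be dropped by the "in established" rule
# above unless check-state finds a dynamic rule for the connection.
${fwcmd} add pass tcp from any to me 22,25,53,80,110 in via tun0 setup keep-state
${fwcmd} add pass udp from any to me 53 in via tun0

# Reject & log everything else
${fwcmd} add deny log ip from any to any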

