Date: Sat, 26 Apr 2003 02:14:44 +0200
From: Antoine Jacoutot <ajacoutot@lphp.org>
To: freebsd-security@freebsd.org, Lowell Gilbert <freebsd-security-local@be-well.no-ip.com>, simon@nitro.dk
Subject: Re: firewalling help/audit
Message-ID: <200304260214.44092.ajacoutot@lphp.org>
In-Reply-To: <44he8me6nx.fsf@be-well.ilk.org>
References: <200304251609.17393.ajacoutot@lphp.org> <44he8me6nx.fsf@be-well.ilk.org>
> Okay, good. I suspect that the machines on the inside network will
> have trouble using UDP to the outside world, but you probably won't
> care.

Hi,

Thanks a lot to Lowell and Simon, who helped me a lot cleaning and reconfiguring my firewall rulesets.
After some work, I came up with the following, much shorter ruleset; I think this should work OK now.
I know that POP3 is not a secure protocol, but it is my first ruleset under FreeBSD and I would like to achieve this before securing the services themselves.
I will post this to -questions too, as someone recommended to me.

Once again, thanks a lot.

Antoine

#!/bin/sh

# Firewall command
fwcmd="/sbin/ipfw"

# Flush out the list before we begin.
${fwcmd} -f flush

# Network Address Translation
${fwcmd} add divert natd all from any to any via tun0

# Setup loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Stop spoofing
${fwcmd} add deny all from 192.168.0.0/24 to any in via tun0
### The following rule is disabled since we have a dynamic @ip
#${fwcmd} add deny all from ${outside_net}:${outside_mask} to any in via vr0

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via tun0
${fwcmd} add deny all from any to 172.16.0.0/12 via tun0
${fwcmd} add deny all from any to 192.168.0.0/16 via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} add deny all from any to 0.0.0.0/8 via tun0
${fwcmd} add deny all from any to 169.254.0.0/16 via tun0
${fwcmd} add deny all from any to 192.0.2.0/24 via tun0
${fwcmd} add deny all from any to 224.0.0.0/4 via tun0
${fwcmd} add deny all from any to 240.0.0.0/4 via tun0

# From man 8 ipfw: allow only outbound TCP connections I've created
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any in established
${fwcmd} add allow tcp from any to any out setup keep-state

# Allow firewall and local network to do everything
${fwcmd} add pass all from me to any
${fwcmd} add pass all from 192.168.0.0/24 to any

# Deny & log suspicious packets (like nmap scans)
${fwcmd} add deny log tcp from any to any in tcpflags syn,fin

# Allow the following icmp: echo reply (0), destination unreachable (3),
# source quench (4), echo request (8), time-to-live exceeded (11),
# IP header bad (12)
${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11,12

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
# TODO: find a way to allow FTP inbound
${fwcmd} add pass tcp from any to me 22,25,53,80,110 in via tun0 setup
${fwcmd} add pass udp from any to me 53 in via tun0

# Reject & log everything else
${fwcmd} add deny log ip from any to any
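To check what the posted ruleset actually does to a given packet, the following added example (not part of the thread) models ipfw's top-to-bottom first-match evaluation over a subset of the static rules above. It assumes constructed addresses for the firewall (203.0.113.10 on tun0, 192.168.0.1 on vr0) and ignores dynamic state from check-state/keep-state, so it shows the path of packets that have no state entry, which is where rule ordering matters most (for instance, non-first fragments reach the "frag" rule before any port check).

```python
import ipaddress

# Constructed addresses of the firewall host itself (tun0 public side, vr0 LAN side; assumed).
ME = {"203.0.113.10", "192.168.0.1", "127.0.0.1"}

def in_net(addr, spec):
    # ipfw address spec: "any", "me" (an address of the firewall) or a CIDR prefix
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

# Subset of the posted rules after the NAT divert, in the posted order. Fields:
# action, protocol, source, destination, direction, interface, destination ports, option.
RULES = [
    ("deny",  "all", "192.168.0.0/24", "any",            "in",  "tun0", None, None),
    ("deny",  "all", "any",            "192.168.0.0/16", None,  "tun0", None, None),
    ("deny",  "tcp", "any",            "any",            "in",  None,   None, "established"),
    ("allow", "tcp", "any",            "any",            "out", None,   None, "setup"),
    ("pass",  "all", "me",             "any",            None,  None,   None, None),
    ("pass",  "all", "192.168.0.0/24", "any",            None,  None,   None, None),
    ("deny",  "tcp", "any",            "any",            "in",  None,   None, "syn,fin"),
    ("pass",  "all", "any",            "any",            None,  None,   None, "frag"),
    ("pass",  "tcp", "any",            "me",             "in",  "tun0", {22, 25, 53, 80, 110}, "setup"),
    ("pass",  "udp", "any",            "me",             "in",  "tun0", {53}, None),
    ("deny",  "ip",  "any",            "any",            None,  None,   None, None),
]

OPTIONS = {  # ipfw semantics of the options the posted rules use
    "established": lambda p, f: bool(f & {"ack", "rst"}),      # RST or ACK set
    "setup":       lambda p, f: "syn" in f and "ack" not in f,  # SYN set, ACK clear
    "syn,fin":     lambda p, f: {"syn", "fin"} <= f,            # tcpflags syn,fin: both set
    "frag":        lambda p, f: p.get("frag", False),           # non-first IP fragment
}

def matches(rule, pkt):
    # Static match only: dynamic state from check-state/keep-state is not modelled.
    _action, proto, src, dst, direction, iface, dports, option = rule
    if proto not in ("all", "ip", pkt["proto"]):
        return False
    if not (in_net(pkt["src"], src) and in_net(pkt["dst"], dst)):
        return False
    if (direction and direction != pkt["dir"]) or (iface and iface != pkt["iface"]):
        return False
    if dports and pkt.get("dport") not in dports:
        return False
    return OPTIONS[option](pkt, pkt.get("flags", set())) if option else True

def first_match(pkt):
    # ipfw evaluates top to bottom and stops at the first matching rule.
    return next((i, r[0]) for i, r in enumerate(RULES) if matches(r, pkt))
```

Packets are plain dicts with keys proto, src, dst, dir, iface and optionally dport, flags and frag; the returned index is the position in RULES, which can be mapped back to the posted script by hand.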