Date: Fri, 15 Jun 2001 09:49:31 -0700 From: "Crist Clark" <crist.clark@globalstar.com> To: Marcel Dijk <nascar24@home.nl> Cc: Evren Yurtesen <yurtesen@ispro.net.tr>, "Antoine Beaupre (LMC)" <Antoine.Beaupre@ericsson.ca>, "Thomas T. Veldhouse" <veldy@veldy.net>, Jason DiCioccio <Jason.DiCioccio@Epylon.com>, freebsd-security@FreeBSD.ORG Subject: Re: IPFW almost works now -> stateful rules Message-ID: <3B2A3C9B.2B10A6BF@globalstar.com> References: <Pine.BSF.4.33.0106130001350.63354-100000@finland.ispro.net.tr> <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com> <03da01c0f454$313b3d50$0900a8c0@windows> <3B27EAB5.3FE48A6C@globalstar.com> <046b01c0f4e8$a32a9200$0900a8c0@windows> <3B28F35D.F9B0BA04@globalstar.com> <3B28F5EE.509B1261@globalstar.com> <05b201c0f598$25819fa0$0900a8c0@windows>
next in thread | previous in thread | raw e-mail | index | archive | help
Marcel Dijk wrote: > > > Here is what I would do, > > > > # Pass loopback traffic > > add 100 allow ip from any to any via lo0 > > # Protect loopback address > > add 200 deny ip from 127.0.0.0/8 to any > > add 300 deny ip from any to 127.0.0.0/8 > > # Block spoofs > > add 400 deny ip from MY_IP to any in via ed0 > > # Check dynamic rules > > add 400 check-state > > # Make dynamic entries for all outgoing traffic > > add 500 allow tcp from MY_IP to any keep-state out via ed0 > > add 600 allow udp from MY_IP to any keep-state out via ed0 > > # Services we offer to the world > > add 650 allow log tcp from any to MY_IP 22,5617,10000 keep-state in > via ed0 > > # Just pass ICMP > > add 700 allow icmp from MY_IP to any out via ed0 > > # Allow ping replies and requests, and various error messages > > add 800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12 > > # Pass everything on private LAN (do we have another interface? > > # Otherwise, these rules are dangerous) > > add 1000 allow ip from 192.168.0.0/16 to any > > add 1100 allow ip from any to 192.168.0.0/16 > > # Log the rejects that have fallen through > > add 65000 deny log ip from any to any > > -- > > > Crist J. Clark Network Security Engineer > > > crist.clark@globalstar.com Globalstar, L.P. > > > (408) 933-4387 FAX: (408) 933-4926 > > I have entered these lines in my rc.firewall.rules. I now can ping/www/etc. > ON the firewall, but the machines BEHIND the firewall (on the local LAN) > can't access the internet anymore. > > I am puzzled about what to do now. Sorry. I should have mentioned I wrote those off the top of my head. I didn't pull them from a working firewall, and I did not test them. Of course, if you used the exact rules above, your NAT problem is probably very simple... I didn't put in a divert(4) rule. ;) I'd slip in, add divert natd ip from any to any via ed0 Between the two '400' rules above (which I also misnumbered in my haste). -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3B2A3C9B.2B10A6BF>