From owner-freebsd-questions@FreeBSD.ORG Tue Jul 11 03:42:43 2006
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9A5AA16A4DD for ; Tue, 11 Jul 2006 03:42:43 +0000 (UTC) (envelope-from nick@nickwithers.com)
Received: from mail.nickwithers.com (mail.manrags.com [203.219.206.74]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7831A43D45 for ; Tue, 11 Jul 2006 03:42:42 +0000 (GMT) (envelope-from nick@nickwithers.com)
Received: from localhost (shmick.shmon.net [10.0.0.252]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.nickwithers.com (Postfix) with ESMTP id C414B3AAA6; Tue, 11 Jul 2006 13:42:31 +1000 (EST)
Date: Tue, 11 Jul 2006 13:42:31 +1000
From: Nick Withers
To: user@dhp.com
Message-Id: <20060711134231.903ad3bb.nick@nickwithers.com>
In-Reply-To: <20060711131621.2826f0b5.nick@nickwithers.com>
References: <20060711131621.2826f0b5.nick@nickwithers.com>
Organization: nickwithers.com
X-Mailer: Sylpheed version 2.2.6 (GTK+ 2.8.20; i386-portbld-freebsd6.1)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-nickwithers-MailScanner: Found to be clean
X-nickwithers-MailScanner-From: nick@nickwithers.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Sanity-check for my (working) ipfw rules please...
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 11 Jul 2006 03:42:43 -0000

On Tue, 11 Jul 2006 13:16:21 +1000
Nick Withers wrote:

> On Mon, 10 Jul 2006 18:38:51 -0400 (EDT)
> Ensel Sharon wrote:
>
> > My individual hosts have a set of firewall rules on each of them that
> > looks like this:
>
> (snip)
>
> > Second, are there any other bad-behavior blocks I should put into my list?
>
> How about:
>
> deny tcp from any to any tcpflags fin,urg,psh
> deny tcp from any to any tcpflags syn,fin,rst,ack
> deny tcp from any to any tcpflags '!syn,!fin,!ack'
>
> (rorted from a posting at
> http://support.daemonnews.org/viewtopic.php?p=846, I have to
> admit that I haven't myself actually checked that these are
> correct and therefore don't use them myself)
>
> and
>
> deny all from 10.0.0.0/8 to any in via
> deny all from 203.219.206.72/30 to any in via

Sorry - 203.219.206.72/30 is the network address for my public interface.

> deny all from any to 0.0.0.0/8 via
> deny all from any to 169.254.0.0/16 via
> deny all from any to 192.0.2.0/24 via
> deny all from any to 198.18.0.0/15 via
> deny all from any to 224.0.0.0/4 via
> deny all from any to 240.0.0.0/4 via
> deny all from any to 172.16.0.0/12 via
> deny all from any to 192.168.0.0/16 via
>
> deny all from 0.0.0.0/8 to any via
> deny all from 169.254.0.0/16 to any via
> deny all from 192.0.2.0/24 to any via
> deny all from 198.18.0.0/15 to any via
> deny all from 224.0.0.0/4 to any via
> deny all from 240.0.0.0/4 to any via
> deny all from 172.16.0.0/12 to any via
> deny all from 192.168.0.0/16 to any via

...and these actually probably aren't all that appropriate for your situation (i.e., internal client rules, rather than Internet <-> LAN router)

> > Thanks!

Hope this is at least vaguely useful, and sorry for any misleading / inappropriate information!
--
Nick Withers
email: nick@nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
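Nick says in the message above that he never checked what the three tcpflags rules actually match. The following is an added example, not code from the thread and not ipfw itself: a small evaluator for the subset of ipfw(8) rule syntax the quoted rules use (deny, from/to with "any" or an address, in/out, via, tcpflags), run against constructed sample packets. It follows ipfw's tcpflags semantics: flags listed in the spec must be set, "!" flags must be clear, and flags not mentioned are ignored; a bare address without a mask is a single host (/32), which is why 172.16.0.0 is kept as posted rather than as /12. The interface name em0, the host address 192.0.2.10 and the other addresses are assumptions, since the archive dropped the interface names from the rules.

```python
"""Added example: mini evaluator for the ipfw rule subset quoted in the reply."""
import ipaddress

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# Constructed ruleset: the three tcpflags rules as posted plus three of the
# address blocks. Interface em0 is an assumption (the archive dropped it);
# 172.16.0.0 is deliberately left without its /12, exactly as posted.
RULES = """
deny tcp from any to any tcpflags fin,urg,psh
deny tcp from any to any tcpflags syn,fin,rst,ack
deny tcp from any to any tcpflags '!syn,!fin,!ack'
deny all from 10.0.0.0/8 to any in via em0
deny all from any to 172.16.0.0 via em0
deny all from any to 192.168.0.0/16 via em0
"""


def parse_tcpflags(spec):
    """ipfw semantics: listed flags must be set, !flags must be clear,
    unlisted flags are don't-care. Returns (must_set, must_clear)."""
    must_set, must_clear = set(), set()
    for tok in spec.strip("'\"").split(","):
        tok = tok.strip()
        name = tok.lstrip("!")
        if name not in TCP_FLAGS:
            raise ValueError("unknown TCP flag: %r" % name)
        (must_clear if tok.startswith("!") else must_set).add(name)
    return must_set, must_clear


def parse_addr(tok):
    """'any' matches everything; a bare host address is a /32, as in ipfw."""
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line):
    """Parse: deny <proto> from <src> to <dst> [in|out] [via <if>] [tcpflags <spec>]"""
    w = line.split()
    if len(w) < 6 or w[0] != "deny" or w[2] != "from" or w[4] != "to":
        raise ValueError("unsupported rule: %s" % line)
    rule = {"proto": w[1], "src": parse_addr(w[3]), "dst": parse_addr(w[5]),
            "dir": None, "via": None, "tcpflags": None}
    i = 6
    while i < len(w):
        if w[i] in ("in", "out"):
            rule["dir"] = w[i]
            i += 1
        elif w[i] == "via":
            rule["via"] = w[i + 1]
            i += 2
        elif w[i] == "tcpflags":
            rule["tcpflags"] = parse_tcpflags(w[i + 1])
            i += 2
        else:
            raise ValueError("unsupported option %r in: %s" % (w[i], line))
    return rule


def rule_matches(rule, pkt):
    """True if every option of the rule matches the packet summary."""
    if rule["proto"] not in ("all", "ip", pkt["proto"]):
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["dir"] is not None and rule["dir"] != pkt["dir"]:
        return False
    # "via X" on its own matches interface X in either direction.
    if rule["via"] is not None and rule["via"] != pkt["via"]:
        return False
    if rule["tcpflags"] is not None:
        if pkt["proto"] != "tcp":
            return False
        must_set, must_clear = rule["tcpflags"]
        flags = set(pkt["flags"])
        if not must_set <= flags or must_clear & flags:
            return False
    return True


def first_deny(rules, pkt):
    """1-based number of the first rule that denies pkt, or None if none hits."""
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return n
    return None


def pkt(proto, src, dst, flags=(), direction="in", via="em0"):
    """Constructed packet summary (sample addresses, not captured traffic)."""
    return {"proto": proto, "src": src, "dst": dst, "flags": tuple(flags),
            "dir": direction, "via": via}


RULESET = [parse_rule(line) for line in RULES.strip().splitlines()]

if __name__ == "__main__":
    samples = [
        ("xmas scan (fin,psh,urg)", pkt("tcp", "198.51.100.9", "192.0.2.10", ["fin", "psh", "urg"])),
        ("legit urgent data (fin,psh,urg,ack)", pkt("tcp", "198.51.100.9", "192.0.2.10", ["fin", "psh", "urg", "ack"])),
        ("null scan (no flags)", pkt("tcp", "198.51.100.9", "192.0.2.10", [])),
        ("bare RST, legitimate per RFC 793", pkt("tcp", "198.51.100.9", "192.0.2.10", ["rst"])),
        ("ordinary SYN", pkt("tcp", "198.51.100.9", "192.0.2.10", ["syn"])),
        ("10/8 source arriving on em0", pkt("udp", "10.1.2.3", "192.0.2.10")),
        ("out to 172.16.5.5 (no /12 on the rule)", pkt("tcp", "192.0.2.10", "172.16.5.5", ["syn"], "out")),
    ]
    for label, p in samples:
        print("%-42s -> %s" % (label, first_deny(RULESET, p) or "no rule hit"))
```

Running it shows what the posted rules do and do not cover: the xmas and null scans hit rules 1 and 3 as intended, but rule 3 also drops a bare RST (a RST sent in reply to a segment that carried ACK has no ACK flag itself, per RFC 793), and rule 1 drops any segment carrying FIN, PSH and URG together even when ACK is set, because unlisted flags are don't-care. The 172.16.0.0 line without a mask matches only that one host address; anything else in 172.16/12 falls through, so the address blocks should carry their masks.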