Date: Tue, 11 Jul 2006 13:42:31 +1000
From: Nick Withers <nick@nickwithers.com>
To: user@dhp.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Sanity-check for my (working) ipfw rules please...
Message-ID: <20060711134231.903ad3bb.nick@nickwithers.com>
In-Reply-To: <20060711131621.2826f0b5.nick@nickwithers.com>
References: <Pine.LNX.4.21.0607101740470.12027-100000@shell.dhp.com> <20060711131621.2826f0b5.nick@nickwithers.com>
On Tue, 11 Jul 2006 13:16:21 +1000
Nick Withers <nick@nickwithers.com> wrote:

> On Mon, 10 Jul 2006 18:38:51 -0400 (EDT)
> Ensel Sharon <user@dhp.com> wrote:
>
> >
> > My individual hosts have a set of firewall rules on each of them that
> > looks like this:
>
> (snip)
>
> > Second, are there any other bad-behavior blocks I should put into my list?
>
> How about:
>
> deny tcp from any to any tcpflags fin,urg,psh
> deny tcp from any to any tcpflags syn,fin,rst,ack
> deny tcp from any to any tcpflags '!syn,!fin,!ack'
>
> (rorted from a posting at
> http://support.daemonnews.org/viewtopic.php?p=846, I have to
> admit that I haven't myself actually checked that these are
> correct and therefore don't use them myself)
>
> and
>
> deny all from 10.0.0.0/8 to any in via <public interface>
> deny all from 203.219.206.72/30 to any in via <internal interface>

Sorry - 203.219.206.72/30 is the network address for my public interface.

> deny all from any to 0.0.0.0/8 via <public interface>
> deny all from any to 169.254.0.0/16 via <public interface>
> deny all from any to 192.0.2.0/24 via <public interface>
> deny all from any to 198.18.0.0/15 via <public interface>
> deny all from any to 224.0.0.0/4 via <public interface>
> deny all from any to 240.0.0.0/4 via <public interface>
> deny all from any to 172.16.0.0 via <public interface>
> deny all from any to 192.168.0.0/16 via <public interface>
>
> deny all from 0.0.0.0/8 to any via <public interface>
> deny all from 169.254.0.0/16 to any via <public interface>
> deny all from 192.0.2.0/24 to any via <public interface>
> deny all from 198.18.0.0/15 to any via <public interface>
> deny all from 224.0.0.0/4 to any via <public interface>
> deny all from 240.0.0.0/4 to any via <public interface>
> deny all from 172.16.0.0 to any via <public interface>
> deny all from 192.168.0.0/16 to any via <public interface>

...and these actually probably aren't all that appropriate for your situation (i.e., internal client rules, rather than Internet <-> LAN router)

>
> > Thanks!
>
> Hope this is at least vaguely useful, and sorry for any misleading / inappropriate information!

--
Nick Withers
email: nick@nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
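Added example (not part of Nick's or Ensel's messages, and not FreeBSD's own code): a small Python model of how ipfw(8) evaluates the two kinds of rule quoted above, so the tcpflags rules the poster admits he has not verified can be checked against sample flag combinations before they go into a ruleset. It applies the documented tcpflags semantics (every listed flag must be set, every '!'-prefixed flag must be clear, flags not mentioned are ignored) and address matching for the "deny all from any to ..." list, with the rule text copied from the message as constructed input. Two things worth seeing in the output: ipfw treats a bare address with no mask, such as the 172.16.0.0 entry, as a single host, so 172.16.5.1 is not caught; and the '!syn,!fin,!ack' rule matches any segment with none of those three bits, which includes a segment carrying only RST, not just a NULL probe.

```python
import ipaddress

# The rules quoted in the message above, copied here for the model
# (constructed input for this example, not a live ruleset).
TCPFLAGS_RULES = [
    "fin,urg,psh",
    "syn,fin,rst,ack",
    "!syn,!fin,!ack",
]

# Destinations from the "deny all from any to ..." block, as written
# (172.16.0.0 is kept exactly as it appears in the message, with no mask).
DENY_DST = [
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4", "172.16.0.0", "192.168.0.0/16",
]


def tcpflags_match(spec, flags):
    """ipfw(8) tcpflags semantics: every listed flag must be set, every
    '!'-prefixed flag must be clear, flags not mentioned are ignored."""
    flags = {f.lower() for f in flags}
    for item in spec.strip("'\"").split(","):
        item = item.strip().lower()
        if item.startswith("!"):
            if item[1:] in flags:
                return False
        elif item not in flags:
            return False
    return True


def tcpflags_rules_hit(flags, rules=TCPFLAGS_RULES):
    """Return the tcpflags specs in `rules` that a segment carrying exactly
    the given flag set would match (and so be denied by)."""
    return [spec for spec in rules if tcpflags_match(spec, flags)]


def rule_network(text):
    """Turn an ipfw address token into a network. ipfw treats a bare
    address with no mask as a single host, so 172.16.0.0 becomes a /32."""
    return ipaddress.ip_network(text, strict=False)


def dst_rules_hit(addr, rules=DENY_DST):
    """Return the address tokens in `rules` whose network contains addr."""
    ip = ipaddress.ip_address(addr)
    return [tok for tok in rules if ip in rule_network(tok)]


def maskless_tokens(rules=DENY_DST):
    """Tokens written without a mask: each matches one host only, which is
    rarely what a block of reserved ranges is meant to do."""
    return [tok for tok in rules if "/" not in tok]


if __name__ == "__main__":
    samples = {
        "SYN only (normal connect)": {"syn"},
        "ACK only (established)": {"ack"},
        "RST only": {"rst"},
        "no flags (NULL)": set(),
        "FIN+URG+PSH": {"fin", "urg", "psh"},
    }
    for name, flags in samples.items():
        print(f"{name:28s} -> {tcpflags_rules_hit(flags) or 'passes'}")
    for addr in ("192.168.1.10", "172.16.5.1", "172.16.0.0", "203.0.113.5"):
        print(f"{addr:15s} -> {dst_rules_hit(addr) or 'passes'}")
    print("mask-less tokens:", maskless_tokens())
```

Run it as-is to see which sample segments and addresses each rule catches; to evaluate a different ruleset, pass your own list of tcpflags specs or address tokens as the `rules` argument.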