Date: Tue, 6 Feb 2018 19:07:29 +0200 From: Christos Chatzaras <chris@cretaforce.gr> To: freebsd-ipfw@freebsd.org Subject: Recommendations for my rules Message-ID: <AD14758D-8585-4944-B63D-F5627BBA9449@cretaforce.gr>
next in thread | raw e-mail | index | archive | help
Can someone with experience with ipfw have a look to these rules?
I want to have incoming + outgoing:
FTP (passive + active)
SSH
MySQL
DNS
WWW (http + https)
MAIL (smtps + submission)
Only incoming:
MAIL (pop3, imap, pop3s, imaps)
SNMP
Only outgoing:
MAIL (smtp for some specific users to avoid direct telnet connections to =
port 25 from other users)
#!/bin/sh
# Flush all rules before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd=3D"ipfw -q add "
cmd2=3D"ipfw -q "
pif=3D`ifconfig -l | awk '{ print $1 }'`
# Allow loopback and deny loopback spoofing
$cmd 00010 allow ip from any to any via lo0
$cmd 00020 deny ip from any to 127.0.0.0/8
$cmd 00030 deny ip from 127.0.0.0/8 to any
# Checks stateful rules
$cmd 00050 check-state
$cmd 00060 deny tcp from any to any established
# SSHGUARD
$cmd 01000 reset ip from 'table(22)' to any
# NTP
$cmd 01005 allow udp from any to any dst-port 123 out via $pif =
keep-state
# ICMP
$cmd 01010 allow icmp from any to any out via $pif keep-state
$cmd 01011 allow icmp from any to any in via $pif
# FTP
$cmd 10001 allow tcp from me to any dst-port 21 out via $pif setup =
keep-state
$cmd 10002 allow tcp from any 20 to me in via $pif setup keep-state
$cmd 10003 allow tcp from me to any dst-port 49152-65535 out via $pif =
keep-state
$cmd 10004 allow tcp from any to me 21 in via $pif setup keep-state
$cmd 10004 allow tcp from me 20,21 to any out via $pif keep-state
$cmd 10006 allow tcp from any to me 50000-51000 in via $pif setup =
keep-state
# SSH
$cmd 10010 allow tcp from any to me dst-port 22 in via $pif setup =
keep-state
$cmd 10011 allow tcp from me to any dst-port 22 out via $pif setup =
keep-state
# DNS
$cmd 10021 allow tcp from any to me dst-port 53 in via $pif setup =
keep-state
$cmd 10022 allow udp from any to me dst-port 53 in via $pif keep-state
$cmd 10023 allow tcp from me to any dst-port 53 out via $pif setup =
keep-state
$cmd 10024 allow udp from me to any dst-port 53 out via $pif keep-state
# SNMP
$cmd 10026 allow udp from any to me dst-port 161 in via $pif keep-state
# EPP
$cmd 10027 allow tcp from me to any dst-port 700 out via $pif setup =
keep-state
# WWW
$cmd 10030 allow tcp from me to any dst-port 80 out via $pif setup =
keep-state
$cmd 10031 allow tcp from me to any dst-port 443 out via $pif setup =
keep-state
$cmd 10032 allow tcp from any to me dst-port 80 in via $pif setup =
keep-state
$cmd 10033 allow tcp from any to me dst-port 443 in via $pif setup =
keep-state
# MAIL
$cmd 10039 allow tcp from any to me dst-port 25 in via $pif setup =
keep-state
$cmd 10040 allow tcp from me to any dst-port 25 uid root out via $pif =
setup keep-state
$cmd 10041 allow tcp from me to any dst-port 25 uid postfix out via $pif =
setup keep-state
$cmd 10042 allow tcp from me to any dst-port 25 uid filter out via $pif =
setup keep-state
$cmd 10044 allow tcp from any to me dst-port 465 in via $pif setup =
keep-state
$cmd 10045 allow tcp from me to any dst-port 465 out via $pif setup =
keep-state
$cmd 10046 allow tcp from any to me dst-port 587 in via $pif setup =
keep-state
$cmd 10047 allow tcp from me to any dst-port 587 out via $pif setup =
keep-state
$cmd 10048 allow tcp from any to me dst-port 110 in via $pif setup =
keep-state
$cmd 10049 allow tcp from any to me dst-port 995 in via $pif setup =
keep-state
$cmd 10050 allow tcp from any to me dst-port 143 in via $pif setup =
keep-state
$cmd 10051 allow tcp from any to me dst-port 993 in via $pif setup =
keep-state
# MYSQL
$cmd 10100 allow tcp from me to any dst-port 3306 out via $pif setup =
keep-state
$cmd 10101 allow tcp from any to me dst-port 3306 in via $pif setup =
keep-state
# WHOIS OUTGOING
$cmd 10200 allow tcp from me to any dst-port 43 out via $pif setup =
keep-state
# Deny everything else, and log it
$cmd 56599 deny log all from any to any
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AD14758D-8585-4944-B63D-F5627BBA9449>