Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 6 Feb 2018 19:07:29 +0200
From:      Christos Chatzaras <chris@cretaforce.gr>
To:        freebsd-ipfw@freebsd.org
Subject:   Recommendations for my rules
Message-ID:  <AD14758D-8585-4944-B63D-F5627BBA9449@cretaforce.gr>

Next in thread | Raw E-Mail | Index | Archive | Help
Can someone with experience with ipfw have a look to these rules?

I want to have incoming + outgoing:

FTP (passive + active)
SSH
MySQL
DNS
WWW (http + https)
MAIL (smtps + submission)

Only incoming:

MAIL (pop3, imap, pop3s, imaps)
SNMP

Only outgoing:

MAIL (smtp for some specific users to avoid direct telnet connections to =
port 25 from other users)




#!/bin/sh

# Flush all rules before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd=3D"ipfw -q add "
cmd2=3D"ipfw -q "

pif=3D`ifconfig -l | awk '{ print $1 }'`

# Allow loopback and deny loopback spoofing
$cmd 00010 allow ip from any to any via lo0
$cmd 00020 deny ip from any to 127.0.0.0/8
$cmd 00030 deny ip from 127.0.0.0/8 to any

# Checks stateful rules
$cmd 00050 check-state
$cmd 00060 deny tcp from any to any established

# SSHGUARD
$cmd 01000 reset ip from 'table(22)' to any

# NTP
$cmd 01005 allow udp from any to any dst-port 123 out via $pif =
keep-state

# ICMP
$cmd 01010 allow icmp from any to any out via $pif keep-state
$cmd 01011 allow icmp from any to any in via $pif

# FTP
$cmd 10001 allow tcp from me to any dst-port 21 out via $pif setup =
keep-state
$cmd 10002 allow tcp from any 20 to me in via $pif setup keep-state
$cmd 10003 allow tcp from me to any dst-port 49152-65535 out via $pif =
keep-state
$cmd 10004 allow tcp from any to me 21 in via $pif setup keep-state
$cmd 10004 allow tcp from me 20,21 to any out via $pif keep-state
$cmd 10006 allow tcp from any to me 50000-51000 in via $pif setup =
keep-state

# SSH
$cmd 10010 allow tcp from any to me dst-port 22 in via $pif setup =
keep-state
$cmd 10011 allow tcp from me to any dst-port 22 out via $pif setup =
keep-state

# DNS
$cmd 10021 allow tcp from any to me dst-port 53 in via $pif setup =
keep-state
$cmd 10022 allow udp from any to me dst-port 53 in via $pif keep-state
$cmd 10023 allow tcp from me to any dst-port 53 out via $pif setup =
keep-state
$cmd 10024 allow udp from me to any dst-port 53 out via $pif keep-state

# SNMP
$cmd 10026 allow udp from any to me dst-port 161 in via $pif keep-state

# EPP
$cmd 10027 allow tcp from me to any dst-port 700 out via $pif setup =
keep-state

# WWW
$cmd 10030 allow tcp from me to any dst-port 80 out via $pif setup =
keep-state
$cmd 10031 allow tcp from me to any dst-port 443 out via $pif setup =
keep-state
$cmd 10032 allow tcp from any to me dst-port 80 in via $pif setup =
keep-state
$cmd 10033 allow tcp from any to me dst-port 443 in via $pif setup =
keep-state

# MAIL
$cmd 10039 allow tcp from any to me dst-port 25 in via $pif setup =
keep-state
$cmd 10040 allow tcp from me to any dst-port 25 uid root out via $pif =
setup keep-state
$cmd 10041 allow tcp from me to any dst-port 25 uid postfix out via $pif =
setup keep-state
$cmd 10042 allow tcp from me to any dst-port 25 uid filter out via $pif =
setup keep-state
$cmd 10044 allow tcp from any to me dst-port 465 in via $pif setup =
keep-state
$cmd 10045 allow tcp from me to any dst-port 465 out via $pif setup =
keep-state
$cmd 10046 allow tcp from any to me dst-port 587 in via $pif setup =
keep-state
$cmd 10047 allow tcp from me to any dst-port 587 out via $pif setup =
keep-state
$cmd 10048 allow tcp from any to me dst-port 110 in via $pif setup =
keep-state
$cmd 10049 allow tcp from any to me dst-port 995 in via $pif setup =
keep-state
$cmd 10050 allow tcp from any to me dst-port 143 in via $pif setup =
keep-state
$cmd 10051 allow tcp from any to me dst-port 993 in via $pif setup =
keep-state

# MYSQL
$cmd 10100 allow tcp from me to any dst-port 3306 out via $pif setup =
keep-state
$cmd 10101 allow tcp from any to me dst-port 3306 in via $pif setup =
keep-state

# WHOIS OUTGOING
$cmd 10200 allow tcp from me to any dst-port 43 out via $pif setup =
keep-state

# Deny everything else, and log it
$cmd 56599 deny log all from any to any





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?AD14758D-8585-4944-B63D-F5627BBA9449>