Date:      Wed, 2 Jun 2004 23:47:42 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        bryan cassidy <linux_kinda_guy@yahoo.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW Ruleset Help
Message-ID:  <20040602204742.GA4543@gothmog.gr>
In-Reply-To: <20040601073810.72095.qmail@web21504.mail.yahoo.com>
References:  <20040601073810.72095.qmail@web21504.mail.yahoo.com>

On 2004-06-01 00:38, bryan cassidy <linux_kinda_guy@yahoo.com> wrote:
> Hello. Running FreeBSD 4.10. After I reboot with my new ipfw.rules I
> can't load any webpages. I didn't try by IP address cause I can't
> remember any off top at the moment. Here is my following setup

Looking at the mangled rules that your mailer has awfully mutilated,
I can't see any rule for allowing port 80 connections.

No web surfing for you then :P

But let's see what you're getting out of your firewall ruleset.

[-- Cleaned up ruleset --]

> add 00300 deny log tcp from any to any 515 in recv xl0
> add 00301 deny tcp from any to any 7101 in recv xl0
> add 00302 deny log tcp from any to any 6000 in recv xl0
> add 00303 allow log tcp from any to any 113 in recv xl0 setup
> # --- DNS
> add 00310 allow tcp from 205.152.133.254 to any in recv xl0
> add 00311 allow tcp from 205.152.132.235 to any in recv xl0
> add 00320 allow udp from 205.152.133.254 53 to any in recv xl0
> add 00321 allow udp from 205.152.132.235 53 to any in recv xl0
> # --- deny below port 1000
> add 00399 deny log tcp from any to any 0-1000 in recv xl0 setup

This should probably be 1024, if you want to protect all the
"privileged" port numbers.

> # --- ntpdate
> add 00403 allow udp from 123 to any 123 in recv xl0
> # --- deny UDP connections
> add 00499 deny log udp from any to any in recv xl0

Why?  Let the default firewall rule (block all from any to any) catch
these too.  Special deny rules aren't really necessary here, unless you
really want to pessimize everything and all other protocols (by forcing
them to be checked against yet another rule that they won't match with)
just to get faster UDP connection drops of lots of stuff that you don't
need anyway (you've already taken care of DNS, which is about the only
thing that UDP is useful for these days for me).

> # --- Log netbus ( haha )
> add 00500 deny log tcp from any to any 12345 in recv xl0
> add 00501 deny log tcp from any to any 20034 in recv xl0
> # --- Let my ISP ping me!
> add 00600 allow icmp from 205.152.133.254 to any in recv xl0
> add 00601 allow icmp from 205.152.132.235 to any in recv xl0
> # --- Log ICMP echos and dest
> add 00610 allow log icmp from any to any in recv xl0 icmptype 3
> add 00610 allow log icmp from any to any in recv xl0 icmptype 8

Note, BTW, that you are mixing allow and deny rules in the same
firewall.  It's a good idea to pick one of the following styles of
filtering and stick with it:

    open firewall
    -------------

    This allows everything except what is explicitly denied.
    The general look of the ruleset is something like this:

	block this
	block that
	block another

	allow all the rest

    closed firewall
    ---------------

    This blocks everything, except what is explicitly allowed.
    It looks like this:

	allow this
	allow that
	allow another

	block all the rest

    A short sample firewall of this style, one that I used to have on my
    dialup workstation at home when I still used ipfw, can be seen here:

    http://students.ceid.upatras.gr/~keramida/ipfw/dialup.ipfw

> First. Things I will be running. I will be running Apache+PHP later on
> when I get my box more secure

The question you should ask yourself when you're writing those rulesets
is... "Do you want these to be visible to the world?"

> but for now I will be running Postfox for my MTA,

It's Postfix, thanks :)

> I want to be able to send and receive e-mails and any other *basic*
> things everyone would want on an everyday basis ya know?

Just make sure you don't block any "outgoing" connection.  That should
take care of most protocols.  Only FTP and DCC sends on IRC will need
special care to work on your "closed" sort of firewall, but that's for
another post to discuss if you're still interested.

- Giorgos
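To make the two points of the reply concrete (the quoted ruleset has nothing that lets HTTP replies back in, and a "closed" firewall must explicitly allow outgoing traffic and the established replies to it), here is an added example that is not part of the original message, of ipfw, or of anything Giorgos published. It is a toy first-match evaluator for a small subset of ipfw rule syntax (`add N allow|deny [log] proto from src [port] to dst [port] [in|out] [recv IF] [setup] [established]`), modelling a single interface, so `recv xl0` is accepted and ignored. The rulesets and packets below are constructed; the addresses are from the RFC 5737 documentation ranges, and the `0-1000` versus `0-1023` comparison illustrates the note about privileged ports.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of ipfw syntax: add NUM ACTION [log] PROTO from SRC [PORT] to DST [PORT] OPTS...
RULE_RE = re.compile(
    r"^add\s+(?P<num>\d+)\s+(?P<action>allow|deny)(?:\s+log)?\s+(?P<proto>\w+)"
    r"\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+(?:-\d+)?))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+(?:-\d+)?))?(?P<opts>.*)$"
)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str             # "in" or "out" relative to the host
    setup: bool = False        # TCP SYN without ACK: a new connection attempt
    established: bool = False  # TCP segment with ACK or RST set: part of an existing flow


@dataclass
class Rule:
    num: int
    action: str
    proto: str
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]
    opts: List[str]


def parse_rule(line: str) -> Rule:
    """Parse one 'add ...' line into a Rule; raises on syntax outside the toy subset."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    g = m.groupdict()
    return Rule(int(g["num"]), g["action"], g["proto"], g["src"], g["sport"],
                g["dst"], g["dport"], g["opts"].split())


def addr_matches(spec: str, addr: str) -> bool:
    # 'any' matches everything; otherwise a host or CIDR prefix.
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: Optional[str], port: int) -> bool:
    if spec is None:            # no port given: any port matches
        return True
    if "-" in spec:             # inclusive range such as 0-1000
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", "all", pkt.proto):
        return False
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    opts = rule.opts
    if "in" in opts and pkt.direction != "in":
        return False
    if "out" in opts and pkt.direction != "out":
        return False
    if "setup" in opts and not pkt.setup:
        return False
    if "established" in opts and not pkt.established:
        return False
    return True                 # 'recv xl0' ignored: the toy models one interface


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, int]:
    """First matching rule wins, in rule-number order; no match falls to the default rule 65535."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule_matches(rule, pkt):
            return rule.action, rule.num
    return default, 65535


# Constructed ruleset in the style of the quoted one: inbound-only filtering and
# nothing that admits replies to the host's own outgoing connections.
CLOSED_NO_HTTP = [parse_rule(l) for l in """
add 00300 deny log tcp from any to any 515 in recv xl0
add 00303 allow log tcp from any to any 113 in recv xl0 setup
add 00320 allow udp from 205.152.133.254 53 to any in recv xl0
add 00399 deny log tcp from any to any 0-1000 in recv xl0 setup
""".splitlines() if l.strip()]

# The same ruleset plus the two rules a "closed" firewall needs for everyday use:
# let everything out, and let replies to our own TCP connections back in.
CLOSED_FIXED = CLOSED_NO_HTTP + [parse_rule(l) for l in (
    "add 00100 allow ip from any to any out",
    "add 00200 allow tcp from any to any in established",
)]

# The privileged-port rule written as the reply suggests (0-1023 instead of 0-1000).
TIGHTENED = [parse_rule("add 00399 deny log tcp from any to any 0-1023 in recv xl0 setup")]


def http_reply() -> Packet:
    # Constructed: a web server's reply segment coming back to our ephemeral port.
    return Packet("tcp", "198.51.100.10", 80, "192.0.2.7", 49152, "in", established=True)


def outbound_syn() -> Packet:
    # Constructed: our own connection attempt to a web server.
    return Packet("tcp", "192.0.2.7", 49152, "198.51.100.10", 80, "out", setup=True)


def inbound_syn(dport: int) -> Packet:
    # Constructed: someone connecting to one of our ports.
    return Packet("tcp", "198.51.100.10", 40000, "192.0.2.7", dport, "in", setup=True)


if __name__ == "__main__":
    print("HTTP reply, original style :", evaluate(CLOSED_NO_HTTP, http_reply()))
    print("HTTP reply, fixed          :", evaluate(CLOSED_FIXED, http_reply()))
    print("outgoing SYN, fixed        :", evaluate(CLOSED_FIXED, outbound_syn()))
    print("SYN to 1010, deny 0-1000   :", evaluate(CLOSED_NO_HTTP, inbound_syn(1010), "allow"))
    print("SYN to 1010, deny 0-1023   :", evaluate(TIGHTENED, inbound_syn(1010), "allow"))
```

With the default rule denying, the reply from port 80 reaches rule 65535 in the constructed ruleset and is dropped, which is exactly the "no web surfing" symptom; adding an `out` allow and an `established` allow is what a closed-style ruleset needs before any per-service deny rules matter. The last two lines show why the reply suggests 1024: under an open-style default a SYN to port 1010 slips past a `0-1000` deny but is caught by `0-1023`.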



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040602204742.GA4543>