Date:      Wed, 17 Jul 2002 07:28:16 -0500
From:      Greg Panula <greg.panula@dolaninformation.com>
To:        markd@cogeco.ca
Cc:        freebsd-security@freebsd.org
Subject:   Re: ipfw and it's glory...
Message-ID:  <3D3562E0.A204EE05@dolaninformation.com>
References:  <000101c22d1a$a54d6e70$6401a8c0@promethium>

Mark D wrote:
> 
> Hello,
> 
>         First, I hope this is appropriate for this list, if not I'll
> gladly repost. I thought this could be a freebsd-questions question, but
> hey, I took a chance.
> 
>         Alright, here we go... I plan to run http, ftp, ssh, smtp, and
> pop on a lan box (I'm going to treat it as a real box - just so I can be
> ready for when I do this in the future). I'd like http, ftp, pop, and
> smtp to be open to anyone and for ssh connections to be only allowed
> when I add the rule (to allow that specific host).
> 
>         I've read the man pages on ipfw and some other documents but am
> still confused. Here is what I've put together so far (go easy on me);
> 
>    allow ip from trusted-ip-addy-1 to any
>    allow ip from trusted-ip-addy-2 to any
>    allow log tcp from any to any established
>    allow log tcp from trusted-ip-addy-1 to any 22 in setup
>    allow log udp from internal-addy to any 53
>    allow log udp from any 53 to internal-addy
>    allow log tcp from any to internal-addy 80,21,110,15 setup
>    -
>    65535 deny ip from any to any
> 
>         So... I'm not sure if that is the best approach (maybe adding a
> 'check state' here and a 'established' there ;p), but I'm hoping the
> subscribers of this list could give me some insight on securing it
> properly and only allowing in/out what I've specified above.
> 
>         I thank you in advance.
> 

Here's my two bits... suitable for cut&paste into /etc/rc.firewall even.

[Mm][Aa][Rr][Kk])
pip="<public ip address, e.g. 4.4.4.4>"
pnic="<public nic, e.g. fxp0>"
t1="<trusted address, e.g. 30.30.30.30>"
t2="<trusted address>"

# allow traffic to flow unrestricted across the loopback interface
${fwcmd} add allow ip from any to any via lo0

# allow certain icmp traffic to flow to&from the box
# optional but useful
${fwcmd} add allow icmp from any to ${pip} icmptype 0,3,4,8,11,12
${fwcmd} add allow icmp from ${pip} to any icmptype 0,3,4,8,11,12

# check the state table
${fwcmd} add 10000 check-state

# allow in certain services(ftp,smtp,http,pop3)
# and add it to the state table
${fwcmd} add allow tcp from any to ${pip} 21,25,80,110 keep-state in via ${pnic}

# allow outbound dns queries from the box
${fwcmd} add allow udp from ${pip} to any 53 keep-state out via ${pnic}

# allow inbound ssh traffic from trusted addresses
${fwcmd} add allow tcp from ${t1} to ${pip} 22 keep-state in via ${pnic}
${fwcmd} add allow tcp from ${t2} to ${pip} 22 keep-state in via ${pnic}

# deny and log the rest
${fwcmd} add 65000 deny log ip from any to any
	echo firewall ruleset mark loaded
	;;

Then in /etc/rc.conf just add
firewall_enable="YES"
firewall_type="MARK"
firewall_logging="YES"

good luck,
  greg
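
A small Python model of the ruleset in the reply above, added here as an illustration and not part of the original post or of ipfw: it evaluates packets first-match with a dynamic state table, the way check-state and keep-state interact. Assumptions: the loopback and ICMP rules are omitted, the rule labels are made up, `T2` and every remote address in the tests are constructed documentation addresses, and `PIP`/`T1` reuse the post's example values.

```python
# Simplified model of the MARK ruleset: first matching rule wins, and
# keep-state rules add a dynamic entry that check-state matches in both
# directions. Loopback and ICMP rules are left out. This is not ipfw itself.
from dataclasses import dataclass

PIP = "4.4.4.4"                      # the post's example public address
T1, T2 = "30.30.30.30", "192.0.2.7"  # T1 from the post, T2 constructed

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                   # "in" or "out" on the public NIC

# (label, proto, src, dst, dports, direction); all keep-state, in post order
RULES = [
    ("services", "tcp", "any", PIP, {21, 25, 80, 110}, "in"),
    ("dns", "udp", PIP, "any", {53}, "out"),
    ("ssh-t1", "tcp", T1, PIP, {22}, "in"),
    ("ssh-t2", "tcp", T2, PIP, {22}, "in"),
]

class Firewall:
    def __init__(self):
        self.states = set()          # dynamic rules created by keep-state

    @staticmethod
    def _flow(p):
        # Direction-independent key, so replies hit the same entry.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def verdict(self, p):
        if self._flow(p) in self.states:              # check-state
            return "allow (state)"
        for label, proto, src, dst, dports, direction in RULES:
            if (p.proto == proto and p.direction == direction
                    and src in ("any", p.src) and dst in ("any", p.dst)
                    and p.dport in dports):
                self.states.add(self._flow(p))        # keep-state
                return f"allow ({label})"
        return "deny (logged)"                        # final deny log rule

if __name__ == "__main__":
    fw = Firewall()
    print(fw.verdict(Pkt("tcp", "198.51.100.9", 40000, PIP, 22, "in")))
```

In this model, connections the box itself initiates (other than DNS queries) and FTP data connections create no state and match no allow rule, so they fall through to the final deny.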
