From owner-freebsd-security Wed Jul 17 5:28:24 2002
Date: Wed, 17 Jul 2002 07:28:16 -0500
From: Greg Panula
Reply-To: greg.panula@dolaninformation.com
Organization: Dolan Information Center Inc
To: markd@cogeco.ca
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw and it's glory...
Message-ID: <3D3562E0.A204EE05@dolaninformation.com>
References: <000101c22d1a$a54d6e70$6401a8c0@promethium>

Mark D wrote:
>
> Hello,
>
> First, I hope this is appropriate for this list, if not I'll
> gladly repost.
> I thought this could be a freebsd-questions question, but
> hey, I took a chance.
>
> Alright, here we go... I plan to run http, ftp, ssh, smtp, and
> pop on a lan box (I'm going to treat it as a real box - just so I can be
> ready for when I do this in the future). I'd like http, ftp, pop, and
> smtp to be open to anyone and for ssh connections to be only allowed
> when I add the rule (to allow that specific host).
>
> I've read the man pages on ipfw and some other documents but am
> still confused. Here is what I've put together so far (go easy on me);
>
> allow ip from trusted-ip-addy-1 to any
> allow ip from trusted-ip-addy-2 to any
> allow log tcp from any to any established
> allow log tcp from trusted-ip-addy-1 to any 22 in setup
> allow log udp from internal-addy to any 53
> allow log udp from any 53 to internal-addy
> allow log tcp from any to internal-addy 80,21,110,25 setup
> -
> 65535 deny ip from any to any
>
> So... I'm not sure if that is the best approach (maybe adding a
> 'check state' here and a 'established' there ;p), but I'm hoping the
> subscribers of this list could give me some insight on securing it
> properly and only allowing in/out what I've specified above.
>
> I thank you in advance.
>

Here's my two bits... suitable for cut&paste into /etc/rc.firewall even.
[Mm][Aa][Rr][Kk])
	# fill these in before use
	pip=""		# public IP address of this box
	pnic=""		# network interface facing the outside
	t1=""		# trusted address allowed to ssh in
	t2=""		# second trusted address allowed to ssh in

	# allow traffic to flow unrestricted across the loopback interface
	${fwcmd} add allow ip from any to any via lo0

	# allow certain icmp traffic to flow to&from the box
	# optional but useful
	${fwcmd} add allow icmp from any to ${pip} icmptype 0,3,4,8,11,12
	${fwcmd} add allow icmp from ${pip} to any icmptype 0,3,4,8,11,12

	# check the state table
	${fwcmd} add 10000 check-state

	# allow in certain services (ftp,smtp,http,pop3)
	# and add it to the state table
	${fwcmd} add allow tcp from any to ${pip} 21,25,80,110 keep-state in via ${pnic}

	# allow outbound dns queries from the box
	${fwcmd} add allow udp from ${pip} to any 53 keep-state out via ${pnic}

	# allow inbound ssh traffic from trusted addresses
	${fwcmd} add allow tcp from ${t1} to ${pip} 22 keep-state in via ${pnic}
	${fwcmd} add allow tcp from ${t2} to ${pip} 22 keep-state in via ${pnic}

	# deny and log the rest
	${fwcmd} add 65000 deny log ip from any to any

	echo firewall ruleset mark loaded
	;;

Then in /etc/rc.conf just add

firewall_enable="YES"
firewall_type="MARK"
firewall_logging="YES"

good luck,
greg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
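An added example, not Greg's code or FreeBSD's rc.firewall: the same rule list wrapped so it can be rendered with fwcmd=echo and linted before it is ever loaded, catching the empty placeholders the post ships with and checking that the rendered rules keep the post's structure (check-state above the keep-state rules, a logged deny-all last). It assumes the placeholder names pip, pnic, t1 and t2 from the post; the addresses used in the dry run are constructed.

```shell
#!/bin/sh
# Added example (not from the post): render the reply's stateful ruleset with
# fwcmd=echo so nothing is loaded, and lint the text before using real ipfw.
# Placeholder names pip/pnic/t1/t2 follow the post; sample addresses are constructed.

# Render the ruleset. Refuses to run if a placeholder is empty: with pip=""
# the rule "from any to ${pip} 21,25,80,110" would hand ipfw the port list
# where the address belongs, which is not what the author intended.
render_ruleset() {
    [ $# -eq 4 ] || { echo "usage: render_ruleset pip pnic t1 t2" >&2; return 1; }
    for arg in "$@"; do
        [ -n "$arg" ] || { echo "empty placeholder; fill in pip, pnic, t1, t2" >&2; return 1; }
    done
    pip="$1" pnic="$2" t1="$3" t2="$4"
    fwcmd="${fwcmd:-echo}"          # set fwcmd=/sbin/ipfw to load for real
    ${fwcmd} add allow ip from any to any via lo0
    ${fwcmd} add allow icmp from any to "$pip" icmptype 0,3,4,8,11,12
    ${fwcmd} add allow icmp from "$pip" to any icmptype 0,3,4,8,11,12
    ${fwcmd} add 10000 check-state
    ${fwcmd} add allow tcp from any to "$pip" 21,25,80,110 keep-state in via "$pnic"
    ${fwcmd} add allow udp from "$pip" to any 53 keep-state out via "$pnic"
    ${fwcmd} add allow tcp from "$t1" to "$pip" 22 keep-state in via "$pnic"
    ${fwcmd} add allow tcp from "$t2" to "$pip" 22 keep-state in via "$pnic"
    ${fwcmd} add 65000 deny log ip from any to any
}

# Lint rendered rules (stdin) for the shape the post relies on: a check-state
# above every keep-state rule, a logged deny-all as the last rule, and no
# "allow ip from any to any" except on lo0. Exit status 0 means clean.
lint_ruleset() {
    awk '
        /check-state/ { cs = NR }
        /keep-state/ && !cs { print "rule " NR ": keep-state above check-state"; bad = 1 }
        /allow ip from any to any/ && !/via lo0/ { print "rule " NR ": allow ip any to any"; bad = 1 }
        { last = $0 }
        END {
            if (!cs) { print "no check-state rule"; bad = 1 }
            if (last !~ /deny log ip from any to any/) { print "last rule is not a logged deny"; bad = 1 }
            exit bad + 0
        }'
}

# Number of rules a rendering produces (0 when render_ruleset refuses).
count_rules() { render_ruleset "$@" 2>/dev/null | wc -l | tr -d ' '; }

# Dry run with constructed addresses; review the output, then lint it.
render_ruleset 192.0.2.10 fxp0 198.51.100.5 198.51.100.6 | lint_ruleset && echo "ruleset lints clean"
```

Once the rendered rules look right, run the same function with fwcmd=/sbin/ipfw (after an `ipfw -f flush`) to load them.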