Date:      Sun, 08 Feb 1998 00:23:16 +0000
From:      "Aaron D. Gifford" <agifford@infowest.com>
To:        questions@FreeBSD.ORG
Subject:   Simple ipfw filter for my dial-up FreeBSD box
Message-ID:  <34DCFAF4.576BB4D1@infowest.com>

Hello,

I've been trying to get my ipfw list tuned just right, and so I'm
looking for suggestions/comments.  My current ipfw list is listed below.
My ISP-assigned dynamic IP is stored in the $ip variable, the name of
the external dial-up interface (tun0) is in $extern, and the loopback
interface (lo0) is in $loop.

I'm also wondering what I should add to permit ping to work correctly. 
What sort of icmp permit lines are other folks using?

Finally, I absolutely HATE the way udp DNS queries are permitted (and
NTP udp communication) in my list below.  Any suggestions?

Thanks in advance!
Aaron out.

# ====== HERE IT IS =====
#
# First deny obviously spoofed packets:
/sbin/ipfw add deny log all from 127.0.0.1 to any via ${extern}
/sbin/ipfw add deny log all from ${ip} to any in via ${extern}
/sbin/ipfw add deny log all from 192.168.0.0:255.255.0.0 to any
/sbin/ipfw add deny log all from 172.16.0.0:255.240.0.0 to any
/sbin/ipfw add deny log all from 10.0.0.0:255.0.0.0 to any

# Pass all other localhost traffic:
/sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1 via ${loop}
/sbin/ipfw add pass all from ${ip} to 127.0.0.1 via ${loop}
/sbin/ipfw add pass all from 127.0.0.1 to ${ip} via ${loop}
/sbin/ipfw add pass all from ${ip} to ${ip} via ${loop}

# Pass any already established TCP connections:
/sbin/ipfw add pass tcp from any to any established

# Pass outgoing new TCP session setup packets:
/sbin/ipfw add pass tcp from ${ip} to any setup

# Pass new incoming SSH connections:
/sbin/ipfw add pass tcp from any to ${ip} 22 in via ${extern} setup

# Pass new incoming HTTP connections:
/sbin/ipfw add pass tcp from any to ${ip} 80 in via ${extern} setup

# Pass incoming TCP connections to my DNS server:
/sbin/ipfw add pass tcp from any to ${ip} 53 in via ${extern} setup

# Deny all other TCP connection setup attempts:
/sbin/ipfw add deny log tcp from any to any in via ${extern} setup

# Pass outgoing DNS queries:
/sbin/ipfw add pass udp from ${ip} to any 53 out via ${extern}
# Pass incoming DNS replies:
# (This sure is ugly!  It allows someone to do a udp portscan from port
# 53.)
/sbin/ipfw add pass udp from any 53 to ${ip} in via ${extern}

# Pass outgoing NTP queries:
/sbin/ipfw add pass udp from ${ip} to any 123 out via ${extern}
# Pass incoming NTP replies:
# (This sure is ugly!  It allows someone to do a udp portscan from port
# 123.)
/sbin/ipfw add pass udp from any 123 to ${ip} in via ${extern}

# I wish I had some good permit lines here to allow outgoing
# ping packets and the returning replies -- ICMP something or other???

# Toast EVERYTHING else:
/sbin/ipfw add deny log all from any to any



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?34DCFAF4.576BB4D1>
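As an added example (not part of Aaron's post), the two open questions above, stateless UDP reply permits and ICMP for ping, can be handled with ipfw's dynamic rules: a `keep-state` permit on the outgoing query creates a state entry that `check-state` uses to admit only the matching reply. It assumes an ipfw that has the `check-state`/`keep-state` keywords (FreeBSD 4.0 and later, not the 1998 ipfw in the post), reuses the `$ip`/`$extern` variables from the post, and reads the `ipfw` binary from `$IPFW` so the rules can be reviewed with `IPFW=echo` before they are installed.

```sh
#!/bin/sh
# Stateful replacement for the "from any 53/123 to ${ip}" permits, plus
# ICMP rules for outgoing ping.  Constructed example; assumes an ipfw
# with check-state/keep-state.  IPFW=echo dry-runs the rule list.
IPFW=${IPFW:-/sbin/ipfw}

# build_rules <dynamic-ip> <external-iface>
build_rules() {
    ip=$1
    extern=$2

    # Consult the dynamic rule table before any static rule below.
    $IPFW add check-state

    # An outgoing DNS or NTP query creates a dynamic rule that admits only
    # the matching reply (same address pair and ports), so nothing from
    # source port 53 or 123 gets in unless we asked for it.
    $IPFW add pass udp from "$ip" to any 53 out via "$extern" keep-state
    $IPFW add pass udp from "$ip" to any 123 out via "$extern" keep-state

    # Outgoing ping: the echo request (type 8) creates a dynamic rule that
    # lets the echo reply (type 0) from that host back in.
    $IPFW add pass icmp from "$ip" to any out via "$extern" icmptypes 8 keep-state
    # Destination-unreachable (3) and time-exceeded (11) come from
    # intermediate routers, not the host we pinged, so they never match
    # the dynamic rule; traceroute and path-MTU discovery need them.
    $IPFW add pass icmp from any to "$ip" in via "$extern" icmptypes 3,11

    # Unsolicited UDP "replies" and any other inbound ICMP are logged
    # and dropped here, ahead of the final deny-all in the post.
    $IPFW add deny log udp from any to "$ip" in via "$extern"
    $IPFW add deny log icmp from any to "$ip" in via "$extern"
}

# rule_count <dynamic-ip> <external-iface>: number of rules build_rules
# emits, taken from a dry run so nothing is installed.
rule_count() {
    IPFW=echo build_rules "$1" "$2" | grep -c '^add '
}
```

Run `IPFW=echo build_rules "$ip" "$extern"` first to read the generated rules, then without `IPFW` set to load them with `/sbin/ipfw`.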