Date: Sun, 08 Feb 1998 00:23:16 +0000
From: "Aaron D. Gifford" <agifford@infowest.com>
To: questions@FreeBSD.ORG
Subject: Simple ipfw filter for my dial-up FreeBSD box
Message-ID: <34DCFAF4.576BB4D1@infowest.com>
Hello,

I've been trying to get my ipfw list tuned just right, and so I'm looking for suggestions/comments. My current ipfw list is listed below. My ISP-assigned dynamic IP is stored in the $ip variable, the name of the external dial-up interface (tun0) is in $extern, and the loopback interface (lo0) is in $loop.

I'm also wondering what I should add to permit ping to work correctly. What sort of icmp permit lines are other folks using?

Finally, I absolutely HATE the way udp DNS queries are permitted (and NTP udp communication) in my list below. Any suggestions?

Thanks in advance!
Aaron out.

# ====== HERE IT IS =====
#
# First deny obviously spoofed packets:
/sbin/ipfw add deny log all from 127.0.0.1 to any via ${extern}
/sbin/ipfw add deny log all from ${ip} to any in via ${extern}
/sbin/ipfw add deny log all from 192.168.0.0:255.255.0.0 to any
/sbin/ipfw add deny log all from 172.16.0.0:255.240.0.0 to any
/sbin/ipfw add deny log all from 10.0.0.0:255.0.0.0 to any

# Pass all other localhost traffic:
/sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1 via ${loop}
/sbin/ipfw add pass all from ${ip} to 127.0.0.1 via ${loop}
/sbin/ipfw add pass all from 127.0.0.1 to ${ip} via ${loop}
/sbin/ipfw add pass all from ${ip} to ${ip} via ${loop}

# Pass any already established TCP connections:
/sbin/ipfw add pass tcp from any to any established

# Pass outgoing new TCP session setup packets:
/sbin/ipfw add pass tcp from ${ip} to any setup

# Pass new incoming SSH connections:
/sbin/ipfw add pass tcp from any to ${ip} 22 in via ${extern} setup

# Pass new incoming HTTP connections:
/sbin/ipfw add pass tcp from any to ${ip} 80 in via ${extern} setup

# Pass incoming TCP connections to my DNS server:
/sbin/ipfw add pass tcp from any to ${ip} 53 in via ${extern} setup

# Deny all other TCP connection setup attempts:
/sbin/ipfw add deny log tcp from any to any in via ${extern} setup

# Pass outgoing DNS queries:
/sbin/ipfw add pass udp from ${ip} to any 53 out via ${extern}

# Pass incoming DNS replies:
# (This sure is ugly! It allows someone to do a udp portscan from port 53.)
/sbin/ipfw add pass udp from any 53 to ${ip} in via ${extern}

# Pass outgoing NTP queries:
/sbin/ipfw add pass udp from ${ip} to any 123 out via ${extern}

# Pass incoming NTP replies:
# (This sure is ugly! It allows someone to do a udp portscan from port 123.)
/sbin/ipfw add pass udp from any 123 to ${ip} in via ${extern}

# I wish I had some good permit lines here to allow outgoing
# ping packets and the returning replies -- ICMP something or other???

# Toast EVERYTHING else:
/sbin/ipfw add deny log all from any to any
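To see how the list above is evaluated, here is an added first-match simulator (example code, not part of the original post and not ipfw itself) that encodes the posted rules in order; the address 192.0.2.10 standing in for ${ip}, the remote host 203.0.113.5 and the helper names are assumptions. It confirms the two points the post raises: a UDP datagram from source port 53 to any local port passes, and an outgoing ICMP echo falls through to the final deny.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the ${ip}, ${extern} and ${loop} variables in the post.
IP, EXT, LOOP = "192.0.2.10", "tun0", "lo0"

def rule(action, proto, src, dst, dport=None, sport=None, d=None, via=None, setup=False, est=False):
    return locals()  # a rule is just its keyword arguments as a dict

# The posted list, in order.  The two UDP "reply" rules match on source port only,
# exactly as posted; that is the weakness the author points out.
RULES = [
    rule("deny", "all", "127.0.0.1", "any", via=EXT),
    rule("deny", "all", IP, "any", d="in", via=EXT),
    rule("deny", "all", "192.168.0.0/16", "any"),
    rule("deny", "all", "172.16.0.0/12", "any"),
    rule("deny", "all", "10.0.0.0/8", "any"),
    rule("pass", "all", "127.0.0.1", "127.0.0.1", via=LOOP),
    rule("pass", "all", IP, "127.0.0.1", via=LOOP),
    rule("pass", "all", "127.0.0.1", IP, via=LOOP),
    rule("pass", "all", IP, IP, via=LOOP),
    rule("pass", "tcp", "any", "any", est=True),
    rule("pass", "tcp", IP, "any", setup=True),
    rule("pass", "tcp", "any", IP, 22, d="in", via=EXT, setup=True),
    rule("pass", "tcp", "any", IP, 80, d="in", via=EXT, setup=True),
    rule("pass", "tcp", "any", IP, 53, d="in", via=EXT, setup=True),
    rule("deny", "tcp", "any", "any", d="in", via=EXT, setup=True),
    rule("pass", "udp", IP, "any", 53, d="out", via=EXT),
    rule("pass", "udp", "any", IP, sport=53, d="in", via=EXT),
    rule("pass", "udp", IP, "any", 123, d="out", via=EXT),
    rule("pass", "udp", "any", IP, sport=123, d="in", via=EXT),
    rule("deny", "all", "any", "any"),
]

def in_net(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def matches(r, p):
    return (r["proto"] in ("all", p["proto"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and r["sport"] in (None, p.get("sport")) and r["dport"] in (None, p.get("dport"))
            and r["d"] in (None, p["d"]) and r["via"] in (None, p["via"])
            # ipfw "setup" = SYN without ACK; "established" modelled here as ACK set
            and (not r["setup"] or bool(p.get("syn") and not p.get("ack")))
            and (not r["est"] or bool(p.get("ack"))))

def verdict(proto, src, dst, d, via=EXT, **fields):
    """First-match evaluation: (action, index) of the first rule matching the packet."""
    p = dict(proto=proto, src=src, dst=dst, d=d, via=via, **fields)
    return next((r["action"], i) for i, r in enumerate(RULES) if matches(r, p))
```

For instance, verdict("udp", "203.0.113.5", IP, "in", sport=53, dport=1234) returns ('pass', 16) and verdict("icmp", IP, "203.0.113.5", "out") returns ('deny', 19).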