Date:      Fri, 26 Oct 2001 11:13:09 +0200
From:      Rogier Steehouder <r.j.s@gmx.net>
To:        Eric Lam <elam101083@earthlink.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW Rules Help
Message-ID:  <20011026111309.B4520@localhost>
In-Reply-To: <IAEKKLIOEBMAKJIIGEBBCEKBCEAA.elam101083@earthlink.net>; from elam101083@earthlink.net on Thu, Oct 25, 2001 at 06:18:46PM -0700
References:  <IAEKKLIOEBMAKJIIGEBBCEKBCEAA.elam101083@earthlink.net>

On 25-10-2001 18:18 (-0700), Eric Lam wrote:
> Hello, I am attempting to construct an inclusive firewall, so that all ports
> and protocols (udp, tcp) are blocked by default, except ones specified,
> such as FTP, SSH, SMB, etc...  However, I am not using natd or trying to
> turn this into a router.  I am just trying to secure the box so that only
> specific services and their corresponding ports are open, and everything
> else closed.  xl0 is my ethernet card.  The 207/206 IPs are my DNS servers.
> Someone told me to do that checkstate stuff for ftp; I have no idea what
> that is for, please advise on that.  I am wondering did I do my rules
> correctly.  Thanks for your help.

There are some problems I can see.

> /sbin/ipfw add allow ip from any to any via lo0
> /sbin/ipfw add allow ip from any to any via xl0

This would allow everything. All other rules are ignored.

> /sbin/ipfw add allow tcp from any to any 20 out xmit setup
> /sbin/ipfw add allow tcp from any to any 21 out xmit setup
> /sbin/ipfw add allow tcp from any to any 22 out xmit setup
> /sbin/ipfw add allow tcp from any to any 23 out xmit setup
> /sbin/ipfw add allow tcp from any to any 25 out xmit setup
> /sbin/ipfw add allow tcp from any to 207.151.38.154 53 out xmit setup
> /sbin/ipfw add allow tcp from any to 207.151.38.133 53 out xmit setup
> /sbin/ipfw add allow tcp from any to 206.117.120.66 53 out xmit setup
> /sbin/ipfw add allow tcp from any to any 80 out xmit setup
> /sbin/ipfw add allow tcp from any to any 110 out xmit setup
> /sbin/ipfw add allow tcp from any to any 139 out xmit setup
> /sbin/ipfw add allow tcp from any to any 3128 out xmit setup

These would allow you to make connections to others, but not others to
connect to you. Besides, DNS uses UDP, not TCP.

> /sbin/ipfw add allow tcp from any to any via xl0 estab

This should go first. It will speed up checking by not going through the
whole list for every packet.

> /sbin/ipfw add allow udp from any to any 137 out xmit
> /sbin/ipfw add check-state
> /sbin/ipfw add allow tcp from any to any keep-state

This would again allow everything.

> /sbin/ipfw deny udp from any to any
> /sbin/ipfw add 65435 deny ip from any to any
> /sbin/ipfw add 65434 allow icmp from any to any

My rules are somewhat as follows:

----- Firewall rules -----
fwcmd="/sbin/ipfw -q"
ip="<my ip address or the keyword 'me'>"
pips="<some privileged ip addresses or the keyword 'all'>"

# Empty ruleset
$fwcmd -f flush
# Loopback device
$fwcmd add 100 allow all from any to any via lo0
$fwcmd add 110 deny all from any to 127.0.0.0/8
# Allow established TCP connections
$fwcmd add 1000 allow tcp from any to any established
# Allow outgoing TCP connections
$fwcmd add allow tcp from $ip to any setup
# Use 'keep-state' to allow UDP and ICMP packets and their answers
$fwcmd add check-state
$fwcmd add allow udp from $ip to any keep-state
$fwcmd add allow icmp from $ip to any keep-state
# Open up servers for privileged IP addresses
if [ -n "$pips" ]; then
	for pip in $pips; do
		# HTTP
		$fwcmd add 20001 allow log tcp from $pip to any 80
		# FTP (passive)
		$fwcmd add 20002 allow log tcp from $pip to any 20,21
		$fwcmd add 20002 allow log tcp from $pip to any 49152-65535
		# Any other services you want to allow
	done
fi
# SSH
$fwcmd add 50001 allow log tcp from any to any 22
# Explicitly deny everything else
$fwcmd add 65000 deny all from any to any
----- End of firewall rules -----

You should read the ipfw man-page and study /etc/rc.firewall as an
example.

With kind regards, Rogier Steehouder

-- 
                          ___                          _
-O_\                                                  //
 | /               Rogier Steehouder                 //\
/ \                  r.j.s@gmx.net                  //  \
  <---------------------- 25m ---------------------->
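As an added check, not part of this thread or of ipfw itself: a small Python audit that parses a list of `ipfw add` lines and flags the problems raised in the reply above, namely rules shadowed by an earlier catch-all allow, an `established` rule placed after other tcp rules, and port 53 opened over tcp only. The SAMPLE ruleset is constructed in the style of the quoted one, with 192.0.2.53 standing in for a DNS server address.

```python
import re

# Constructed ruleset in the style of the one quoted above (not the poster's exact lines).
SAMPLE = """
/sbin/ipfw add allow ip from any to any via lo0
/sbin/ipfw add allow ip from any to any via xl0
/sbin/ipfw add allow tcp from any to 192.0.2.53 53 out xmit setup
/sbin/ipfw add allow tcp from any to any via xl0 estab
/sbin/ipfw add check-state
/sbin/ipfw add allow tcp from any to any keep-state
/sbin/ipfw add 65435 deny ip from any to any
""".strip().splitlines()

RULE = re.compile(
    r"ipfw\s+add\s+(?:(?P<num>\d+)\s+)?(?P<action>allow|deny|check-state)"
    r"(?:\s+(?P<proto>ip|all|tcp|udp|icmp)\s+from\s+(?P<src>\S+)"
    r"(?:\s+(?P<sport>[\d,-]+))?\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>[\d,-]+))?"
    r"(?P<opts>.*))?$")

def parse(line):
    """Fields of one 'ipfw add' command, or None for anything else."""
    m = RULE.search(line.strip())
    return m.groupdict() if m else None

def is_blanket(r):
    """An allow matching every packet of its protocol: any->any, no ports, not loopback-only, not established-only."""
    opts = r["opts"] or ""
    return (r["action"] == "allow" and r["src"] == "any" and r["dst"] == "any"
            and not r["sport"] and not r["dport"]
            and "lo0" not in opts and "estab" not in opts)

def audit(lines):
    """Return (line_no, message) pairs; line 0 means a ruleset-wide finding."""
    rules = [(n, r) for n, r in ((n, parse(l)) for n, l in enumerate(lines, 1)) if r]
    findings, covered, seen_tcp = [], set(), False
    for n, r in rules:
        proto = r["proto"]
        if proto and (proto in covered or "ip" in covered):
            findings.append((n, f"unreachable: an earlier blanket allow already accepts all {proto}"))
        if proto == "tcp" and "estab" in (r["opts"] or "") and seen_tcp:
            findings.append((n, "established rule should precede the other tcp rules"))
        seen_tcp = seen_tcp or proto == "tcp"
        if is_blanket(r):
            covered.add("ip" if proto == "all" else proto)
    if any(r["proto"] == "tcp" and r["dport"] == "53" for _, r in rules) and \
       not any(r["proto"] == "udp" and r["dport"] == "53" for _, r in rules):
        findings.append((0, "port 53 is only opened over tcp; DNS lookups use udp"))
    return findings
```

Running `audit(SAMPLE)` reports every rule after the `via xl0` catch-all as unreachable, which is exactly why the quoted ruleset allowed everything.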
