From owner-freebsd-questions@FreeBSD.ORG Sat Dec 16 17:01:58 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E11D916A403 for ; Sat, 16 Dec 2006 17:01:57 +0000 (UTC) (envelope-from jurjenm@stack.nl) Received: from mx1.stack.nl (meestal.stack.nl [131.155.140.141]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C9F743CA4 for ; Sat, 16 Dec 2006 17:01:56 +0000 (GMT) (envelope-from jurjenm@stack.nl) Received: by mx1.stack.nl (Postfix, from userid 65534) id DDAE24B2EB; Sat, 16 Dec 2006 18:01:55 +0100 (CET) X-Spam-DCC: CTc-dcc2: snail.stack.nl 1031; Body=1 Fuz1=1 Fuz2=1 X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on snail.stack.nl X-Spam-Level: X-Spam-Status: No, score=-2.3 required=5.0 tests=AWL, BAYES_00, J_CHICKENPOX_32 autolearn=no version=3.1.5 X-Spam-Relay-Country: NL Received: from snhmib (a62-251-106-27.adsl.xs4all.nl [62.251.106.27]) by mailhost.stack.nl (Postfix) with ESMTP id CB2654B02F for ; Sat, 16 Dec 2006 18:01:52 +0100 (CET) Received: by snhmib (sSMTP sendmail emulation); Sat, 16 Dec 2006 18:01:23 +0100 From: "Jurjen Middendorp" Date: Sat, 16 Dec 2006 18:01:23 +0100 To: freebsd-questions Message-ID: <20061216170123.GA962@jurjenm.stack.nl> Mail-Followup-To: freebsd-questions Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.2i Subject: ipfw rules X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Dec 2006 17:01:58 -0000 I posted this to the freebsd-security list, but i believe that is not the right list to this question (sorry! this is my first message to the freebsd mailing-lists). I hope this is the right list! :) anyway: I tried making a firewall for my laptop..but i'm not sure if i forgot anything. And things can always be done better :) I'm not sure what i should've put under incoming connections... what i have put there now is pretty useless because the default is to deny, but should i accept any incoming connections that don't match the dynamic rules? I just want to be able to surf the internet without too much trouble and send e-mail and pretty much deny everything else. If someone would have the time to have a quick look at this to see if there's anything wrong with it i would really appreciate it! Bye, jurjen. ps. here is my ruleset: #!/bin/sh ipfw -q flush cmd="ipfw -q add" ks="keep-state" oif="ath0" #setup the loopback $cmd 001 allow all from any to any via lo0 $cmd 002 deny all from any to 127.0.0.0/8 $cmd 003 deny ip from 127.0.0.0/8 to any #check state of incoming packets $cmd 010 check-state #### # Outgoing #allow outgoing connections to internetsites, ssh sites # webservers and stack. (keep-state) #to stack (student computer thing... e-mail, irc, ssh stuff) $cmd 020 allow all from me to 131.155.140.141/16 via $oif $ks #allow ssh $cmd 021 allow all from me to any 22 out via $oif setup $ks #internet sites: $cmd 032 allow tcp from me to any 80 out via $oif setup $ks #https $cmd 033 allow tcp from me to any 443 out via $oif setup $ks #gopher $cmd 034 allow tcp from me to any 70 out via $oif setup $ks #other e-mail #pop $cmd 040 allow tcp from me to any 110 out via $oif setup $ks #imap $cmd 041 allow tcp from me to any 143 out via $oif setup $ks #allow dns queries $cmd 050 allow udp from me to any 53 out via $oif $ks #allow ntp (?) queries $cmd 051 allow udp from me to any 123 out via $oif $ks #i can send icmp myself $cmd 060 allow icmp from me to any out via $oif $ks #but others can't $cmd 061 deny icmp from any to me # #root can do anything $cmd 070 allow tcp from me to any out via $oif setup $ks uid root #log other outgoing packets $cmd 071 deny log all from any to any out via $oif #### # Incoming #The default is that all other connections will be blocked anyway, but # the more stuff i put in here, the less stuff will get logged #deny incoming to private networks $cmd 100 deny all from 192.168.0.0/16 to any in via $oif #RFC 1918 $cmd 101 deny all from 172.16.0.0/16 to any in via $oif #RFC 1918 $cmd 105 deny all from 169.254.0.0/16 to any in via $oif #DHCP auto $cmd 106 deny all from 192.0.2.0/24 to any in via $oif #reserved $cmd 108 deny all from 192.168.0.0/16 to any in via $oif #D & E class # multicast #block smb stuff $cmd 120 deny tcp from any to me 137 in via $oif $cmd 121 deny tcp from any to me 138 in via $oif $cmd 122 deny tcp from any to me 139 in via $oif #log ACK packets that did'nt match the dynamic ruleset $cmd 130 deny log all from any to any established in via $oif #Now log some stuff in case i did something wrong $cmd 999 deny log any to me