Date:      Sat, 16 Dec 2006 18:01:23 +0100
From:      "Jurjen Middendorp" <jurjenm@stack.nl>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   ipfw rules
Message-ID:  <20061216170123.GA962@jurjenm.stack.nl>

I posted this to the freebsd-security list, but I believe that is
not the right list for this question (sorry! this is my first message
to the freebsd mailing-lists). I hope this is the right list! :)
Anyway:

I tried making a firewall for my laptop... but I'm not sure if I
forgot anything. And things can always be done better :)

I'm not sure what I should've put under incoming connections...
What I have put there now is pretty useless because the default is
to deny, but should I accept any incoming connections that don't
match the dynamic rules?

I just want to be able to surf the internet without too much trouble
and send e-mail, and pretty much deny everything else. If someone
would have the time to have a quick look at this to see if there's
anything wrong with it, I would really appreciate it!

Bye, jurjen.


PS. Here is my ruleset:

#!/bin/sh

ipfw -q flush

cmd="ipfw -q add"
ks="keep-state"
oif="ath0"

#setup the loopback
$cmd 001 allow all from any to any via lo0
$cmd 002 deny all from any to 127.0.0.0/8
$cmd 003 deny ip from 127.0.0.0/8 to any

#check state of incoming packets
$cmd 010 check-state

####
#  Outgoing  

#allow outgoing connections to internetsites, ssh sites
#  webservers and stack. (keep-state)

#to stack (student computer thing... e-mail, irc, ssh stuff)
$cmd 020 allow all from me to 131.155.140.141/16 via $oif $ks

#allow ssh
$cmd 021 allow all from me to any 22 out via $oif setup $ks

#internet sites:
$cmd 032 allow tcp from me to any 80 out via $oif setup $ks
#https
$cmd 033 allow tcp from me to any 443 out via $oif setup $ks
#gopher
$cmd 034 allow tcp from me to any 70 out via $oif setup $ks

#other e-mail
#pop
$cmd 040 allow tcp from me to any 110 out via $oif setup $ks
#imap
$cmd 041 allow tcp from me to any 143 out via $oif setup $ks

#allow dns queries
$cmd 050 allow udp from me to any 53 out via $oif $ks
#allow ntp (?) queries
$cmd 051 allow udp from me to any 123 out via $oif $ks

#i can send icmp myself
$cmd 060 allow icmp from me to any out via $oif $ks
#but others can't
$cmd 061 deny icmp from any to me

#root can do anything
$cmd 070 allow tcp from me to any out via $oif setup $ks uid root

#log other outgoing packets
$cmd 071 deny log all from any to any out via $oif

####
#  Incoming

#The default is that all other connections will be blocked anyway, but
# the more stuff I put in here, the less stuff will get logged

#deny incoming packets from private/reserved source networks
$cmd 100 deny all from 192.168.0.0/16 to any in via $oif	#RFC 1918
$cmd 101 deny all from 172.16.0.0/12 to any in via $oif	#RFC 1918
$cmd 105 deny all from 169.254.0.0/16 to any in via $oif	#DHCP auto
$cmd 106 deny all from 192.0.2.0/24 to any in via $oif	#reserved
$cmd 108 deny all from 224.0.0.0/3 to any in via $oif	#class D & E, multicast
#block smb stuff
$cmd 120 deny tcp from any to me 137 in via $oif
$cmd 121 deny tcp from any to me 138 in via $oif
$cmd 122 deny tcp from any to me 139 in via $oif

#log ACK packets that didn't match the dynamic ruleset
$cmd 130 deny log all from any to any established in via $oif

#Now log some stuff in case I did something wrong
$cmd 999 deny log all from any to me
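One thing that is easy to overlook when reviewing a ruleset like the one above: ipfw accepts a prefix whose host bits are set (for example 131.155.140.141/16) and simply masks it, so the rule matches all of 131.155.0.0/16 rather than one host. The script below is an added example, not part of the original mail: a small POSIX sh lint that reads rules on stdin and reports every prefix that ipfw would silently widen; it runs without ipfw installed.

```shell
#!/bin/sh
# Lint CIDR prefixes in an ipfw ruleset and warn where host bits are set.
# Example (constructed) input line:  $cmd 020 allow all from me to 131.155.140.141/16 via ath0

# ip_to_int a.b.c.d -> unsigned 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip integer -> a.b.c.d
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# canonical_prefix a.b.c.d/n -> the network ipfw actually matches (host bits cleared)
canonical_prefix() {
    addr=${1%/*}; len=${1#*/}
    ip=$(ip_to_int "$addr")
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    fi
    echo "$(int_to_ip $(( ip & mask )))/$len"
}

# lint_ruleset: rules on stdin, one warning per widened prefix; returns 1 if any found
lint_ruleset() {
    found=0
    set -f                                   # no globbing while splitting rule words
    while IFS= read -r line; do
        case "$line" in "#"*|"") continue ;; esac   # skip comments and blank lines
        for word in $line; do
            case "$word" in
                [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*)
                    canon=$(canonical_prefix "$word")
                    if [ "$canon" != "$word" ]; then
                        echo "warning: $word has host bits set; ipfw treats it as $canon"
                        found=1
                    fi ;;
            esac
        done
    done
    set +f
    return $found
}
```

Run it as `lint_ruleset < rc.firewall` (the file name is an assumption); a clean ruleset prints nothing and exits 0.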
