Date:      Sun, 13 Jun 2004 16:41:40 -0300
From:      Julião Braga - Rede Pegasus® <jb@redepegasus.com.br>
To:        <freebsd-ipfw@freebsd.org>
Subject:   Re: ipfw + natd + stateful rules. For the archives
Message-ID:  <013901c4517e$72f3dc90$fd3dc3c8@redepegasus.com.br>
References:  <MIEPLLIBMLEEABPDBIEGEEOFGBAA.fbsd_user@a1poweruser.com>


And what about the anti-spoofing rule using "verrevpath"? The man page says that it "...
drops all incoming packets that appear to be coming to the system on the
wrong interface. For example, a packet with a source address belonging to a
host on a protected internal network would be dropped if it tried to enter
the system from an external interface." :

ipfw add deny ip from any to any not verrevpath in

Isn't it necessary?

JB
Pegasus Network
Brazil

>
> Here is the /etc/ipfw.rules  file with comments.
>
> #!/bin/sh
>
> ################ Start of IPFW rules file ###############################
> # Flush out the list before we begin.
> ipfw -q -f flush
>
> # Set rules command prefix
> cmd="ipfw -q add"
> skip="skipto 800"
> pif="rl0"     # public interface name of Nic card
>               # facing the public internet
>
>
>
> #################################################################
> # No restrictions on Inside Lan Interface for private network
> # Not needed unless you have Lan.
> # Change xl0 to your Lan Nic card interface name
> #################################################################
> $cmd 005 allow all from any to any via xl0
>
> #################################################################
> # No restrictions on Loopback Interface
> #################################################################
> $cmd 010 allow all from any to any via lo0
>
> $cmd 014 divert natd ip from any to any in via $pif
>
> #################################################################
> # Allow the packet through if it has previously been added to
> # the "dynamic" rules table by an allow keep-state statement.
> #################################################################
> $cmd 015 check-state
>
> #################################################################
> # Interface facing Public internet (Outbound Section)
> # Interrogate session start requests originating from behind the
> # firewall on the private network or from this gateway server
> # destined for the public internet.
> #################################################################
>
> # Allow out access to my ISP's Domain name server.
> # x.x.x.x must be the IP address of your ISP's DNS
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> $cmd 020 $skip tcp from any to xx.168.240.2 53 out via $pif setup keep-state
> $cmd 021 $skip udp from any to xx.168.240.2 53 out via $pif keep-state
>
> # Allow out access to my ISP's DHCP server for cable/DSL configurations.
> $cmd 030 $skip udp from any to xx.70.207.54 67 out via $pif keep-state
>
> # Allow out non-secure standard www function
> $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
>
> # Allow out secure www function https over TLS SSL
> $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
>
> # Allow out send & get email function
> $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
> $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
>
> # Allow out FBSD (make install & CVSUP) functions
> # Basically give user root "GOD" privileges.
> $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
>
> # Allow out ping
> $cmd 080 $skip icmp from any to any out via $pif
>
> # Allow out Time
> $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
>
> # Allow out nntp news (IE: news groups)
> $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
>
> # Allow out secure FTP, Telnet, and SCP
> # This function is using SSH (secure shell)
> $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
>
> # Allow out whois
> $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
>
> # Allow ntp time server
> $cmd 130 $skip udp from any to any 123 out via $pif keep-state
>
> #################################################################
> # Interface facing Public internet (Inbound Section)
> # Interrogate packets originating from the public internet
> # destined for this gateway server or the private network.
> #################################################################
>
> # Deny all inbound traffic from non-routable reserved address spaces
> $cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
> $cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
> $cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP
> $cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
> $cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
> $cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
> $cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for doc's
> $cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
> $cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast
>
> # Deny ident
> $cmd 315 deny tcp from any to any 113 in via $pif
>
> # Deny all Netbios service. 137=name, 138=datagram, 139=session
> # Netbios is MS/Windows sharing services.
> # Block MS/Windows hosts2 name server requests 81
> $cmd 320 deny tcp from any to any 137 in via $pif
> $cmd 321 deny tcp from any to any 138 in via $pif
> $cmd 322 deny tcp from any to any 139 in via $pif
> $cmd 323 deny tcp from any to any 81  in via $pif
>
> # Deny any late arriving packets
> $cmd 330 deny all from any to any frag in via $pif
>
> # Deny ACK packets that did not match the dynamic rule table
> $cmd 332 deny tcp from any to any established in via $pif
>
> # Allow traffic in from ISP's DHCP server. This rule must contain
> # the IP address of your ISP's DHCP server as it's the only
> # authorized source to send this packet type.
> # Only necessary for cable or DSL configurations.
> # This rule is not needed for 'user ppp' type connection to
> # the public internet. This is the same IP address you captured
> # and used in the outbound section.
> $cmd 360 allow udp from xx.70.207.54 to any 68 in via $pif keep-state
>
> # Allow in standard www function because I have apache server
> $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
>
> # Allow in secure FTP, Telnet, and SCP from public Internet
> $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
>
> # Allow in non-secure Telnet session from public Internet
> # labeled non-secure because ID & PW are passed over public
> # internet as clear text.
> # Delete this sample group if you do not have telnet server enabled.
> $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
>
> # Allow in icmp responses
> $cmd 390 allow icmp from any to any icmptypes 0,3,11,12  in via $pif
>
> # Reject & Log all unauthorized incoming connections from the public internet
> $cmd 400 deny log all from any to any in via $pif
>
> # Reject & Log all unauthorized outgoing connections to the public internet
> $cmd 450 deny log all from any to any out via $pif
>
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out via $pif
> $cmd 801 allow ip from any to any
>
> # Everything else is denied by default
> # deny and log all packets that fell through to see what they are
> $cmd 999 deny log all from any to any
>
>
>
> ################ End of IPFW rules file ###############################


