From owner-freebsd-net@FreeBSD.ORG  Tue Sep  9 23:37:28 2014
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 378787DB
 for <freebsd-net@freebsd.org>; Tue,  9 Sep 2014 23:37:28 +0000 (UTC)
Received: from sdf.lonestar.org (mx.sdf.org [192.94.73.24])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx.sdf.org", Issuer "SDF.ORG" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 19A64A15
 for <freebsd-net@freebsd.org>; Tue,  9 Sep 2014 23:37:27 +0000 (UTC)
Received: from otaku.freeshell.org (IDENT:case@otaku.freeshell.org
 [192.94.73.9])
 by sdf.lonestar.org (8.14.8/8.14.5) with ESMTP id s89NbJ36028629
 (using TLSv1/SSLv3 with cipher DHE-RSA-AES256-SHA (256 bits) verified NO)
 for <freebsd-net@freebsd.org>; Tue, 9 Sep 2014 23:37:19 GMT
Date: Tue, 9 Sep 2014 23:37:19 +0000 (UTC)
From: John Case <case@SDF.ORG>
X-X-Sender: case@faeroes.freeshell.org
To: freebsd-net@freebsd.org
Subject: Can I make this simple ipfw ruleset any more restrictive ?
Message-ID: <Pine.NEB.4.64.1409092333450.17244@faeroes.freeshell.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Sep 2014 23:37:28 -0000


I have a very simple firewall - it*blocks everything*, and the only 
traffic that is allowed is for internal clients to make outbound 
connections to tcp port 40.

Also, internal clients can ping/traceroute.

But that's it - no other connections in or out are allowed.  I have this 
ruleset and it is working perfectly:

ipfw add 10 allow tcp from any to any established
ipfw add 20 allow icmp from any to any icmptypes 0,3,8,11
ipfw add 30 allow udp from any to any 33433-33499 in via fxp1
ipfw add 40 allow tcp from any to any 40 in via fxp1

(fxp1 is the internal interface, and so I allow the port 40 connections 
and the udp for traceroute only for requests that come in from the 
internal network)

Is there anything I have screwed up here ?  Any unintentional traffic that 
I am letting through ?

Is there any way to lock this down further, and make it even more strict ?

Thank yo.