Date: Mon, 18 Mar 1996 08:23:29 +0200
From: Mark Murray <mark@grondar.za>
To: current@freebsd.org
Subject: Firewall setup...
Message-ID: <199603180623.IAA03506@grumble.grondar.za>
Hi

As I have a leased line to the net, and as my home net is frequently
unsupervised, I am pretty paranoid about security. So, I have decided to
add one more layer of protection, a firewall.

I _love_ the FreeBSD firewall setup! It took me about an hour from having
never set up such a thing before to having the rudiments working pretty
well:

> 00200 deny all from 10.0.0.0/8 to any
> 00300 deny all from 172.16.0.0/16 to any
> 00400 deny all from 192.168.0.0/16 to any
> 00500 deny all from any to 10.0.0.0/8
> 00600 deny all from any to 172.16.0.0/16
> 00700 deny all from any to 192.168.0.0/16
> 00800 deny all from any to 127.0.0.0/8 via tun0
> 00900 deny all from any to 127.0.0.0/8 via ed0
> 01000 deny all from any to 0.0.0.0/8
> 01100 deny all from 127.0.0.0/8 to any via tun0
> 01200 deny all from 127.0.0.0/8 to any via ed0
> 01300 deny all from 0.0.0.0/8 to any

It is however not that clear how to do the last bit. I would like to zap
spoofing -

> 01350 accept all from any to 196.7.18.0/24 via tun0
> 01350 accept all from 196.7.18.0/24 to any via tun0

If my firewall machine has 2 interfaces - tun0=196.7.18.65 and
ed0=196.7.18.129 with a netmask of 0xfffffff0, how do I prevent packets
claiming to be from 196.7.18/24 from coming into tun0? The above 2 lines
are necessary for me to communicate with the world.

Are there any other "standard" anti-spoofing rules that can be applied?
I am basically running my firewall as a serious filter, rather than as a
closed-to-the-world firewall.

> 01500 accept all from any to any via ed0
> 01700 accept all from any to any via lo0
> 65535 deny all from any to any

(I based most of this on a script by PST about 2 months ago(?), but that
was before PHK's reorg of the sorting rules, and the syntax has changed
quite a bit since then.)

Thanks!
M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199603180623.IAA03506>
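The anti-spoofing question above, worked through as an added example that is not part of Mark's message and not FreeBSD's ipfw code: a small Python model of ipfw's first-match rule evaluation, loaded with ingress and egress rules for the two interfaces from the post. The addresses are the post's (tun0 196.7.18.65 and ed0 196.7.18.129, netmask 0xfffffff0, i.e. 196.7.18.64/28 and 196.7.18.128/28); the rule numbers 1310 to 1341, the separate in/out direction field, the peer address 196.7.18.66 and every sample packet are assumptions for illustration.

```python
"""Toy first-match packet filter modelling ipfw-style anti-spoofing rules.

Added example, not code from the original message or from FreeBSD.
Addresses follow the post: tun0 is 196.7.18.65 and ed0 is 196.7.18.129,
both with netmask 0xfffffff0 (/28).  Rule numbers 1310-1341, the in/out
direction field, the peer address and all sample packets are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NET = ipaddress.ip_network
ANY = NET("0.0.0.0/0")
TUN0_ADDR = NET("196.7.18.65/32")   # the firewall's own leased-line address
TUN0_NET = NET("196.7.18.64/28")    # point-to-point side; the peer lives here too
ED0_NET = NET("196.7.18.128/28")    # the unsupervised home LAN
SITE_NET = NET("196.7.18.0/24")     # the /24 used by the post's 01350 accepts


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    iface: str        # interface the packet is seen on
    direction: str    # "in" (arriving) or "out" (leaving)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                          # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    iface: Optional[str] = None          # None: any interface
    direction: Optional[str] = None      # None: either direction

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src and pkt.dst in self.dst
                and self.iface in (None, pkt.iface)
                and self.direction in (None, pkt.direction))


def build_rules() -> List[Rule]:
    """Anti-spoofing rules that must sort before the post's 01350 accepts."""
    return [
        # Ingress on the leased line: nothing arriving from outside may claim
        # the firewall's own address or an address on the home LAN.  The whole
        # 196.7.18.64/28 is deliberately NOT denied here: the point-to-point
        # peer (assumed 196.7.18.66) legitimately lives in it.
        Rule(1310, "deny", TUN0_ADDR, ANY, "tun0", "in"),
        Rule(1320, "deny", ED0_NET, ANY, "tun0", "in"),
        # Egress on the leased line: only our own address space may leave, so
        # a compromised LAN host cannot spoof somebody else's addresses.
        Rule(1330, "allow", TUN0_NET, ANY, "tun0", "out"),
        Rule(1331, "allow", ED0_NET, ANY, "tun0", "out"),
        Rule(1332, "deny", ANY, ANY, "tun0", "out"),
        # Ingress on the LAN: every packet entering ed0 must carry a LAN source.
        Rule(1340, "allow", ED0_NET, ANY, "ed0", "in"),
        Rule(1341, "deny", ANY, ANY, "ed0", "in"),
        # The post's own accept rules, in its order; the two 01350 lines are
        # numbered 1350 and 1351 here so the sort order is unambiguous.
        Rule(1350, "allow", ANY, SITE_NET, "tun0"),
        Rule(1351, "allow", SITE_NET, ANY, "tun0"),
        Rule(1500, "allow", ANY, ANY, "ed0"),
        Rule(1700, "allow", ANY, ANY, "lo0"),
        Rule(65535, "deny", ANY, ANY),
    ]


def verdict(rules: List[Rule], src: str, dst: str, iface: str,
            direction: str) -> Tuple[int, str]:
    """Return (rule number, action) of the first matching rule, ipfw-style."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                 iface, direction)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    raise RuntimeError("rule 65535 should have matched")


if __name__ == "__main__":
    rules = build_rules()
    # Constructed sample packets; 192.0.2.0/24 and 203.0.113.0/24 are
    # documentation ranges standing in for "somewhere on the net".
    samples = [
        ("spoofed LAN source arriving on tun0", "196.7.18.130", "196.7.18.129", "tun0", "in"),
        ("spoofed firewall address arriving on tun0", "196.7.18.65", "196.7.18.129", "tun0", "in"),
        ("assumed peer 196.7.18.66 talking to us", "196.7.18.66", "196.7.18.65", "tun0", "in"),
        ("ordinary inbound reply to a LAN host", "192.0.2.10", "196.7.18.130", "tun0", "in"),
        ("ordinary outbound packet from the LAN", "196.7.18.130", "192.0.2.10", "tun0", "out"),
        ("LAN host spoofing a foreign source", "203.0.113.5", "192.0.2.10", "ed0", "in"),
    ]
    for label, *fields in samples:
        print(f"{label}: {verdict(rules, *fields)}")
```

Two points the model makes explicit. First, the anti-spoofing denies only work because they sort before the blanket 01350 accepts for the link; placed after them they would never match. Second, on a point-to-point link the peer's address is inside the tun0 subnet, so denying all of 196.7.18.64/28 inbound on tun0 would cut the link itself; deny the firewall's own address and the LAN prefix instead. In current ipfw(8) syntax rule 1320 would be written `ipfw add 1320 deny ip from 196.7.18.128/28 to any in via tun0`; the `in`/`out` keywords are today's syntax and may not match the 1996 version quoted in the message.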