Date:      Fri, 21 Mar 2014 17:42:35 +0100
From:      Dag-Erling Smørgrav <des@des.no>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-security@freebsd.org, "Ronald F. Guilmette" <rfg@tristatelogic.com>
Subject:   Re: URGENT?
Message-ID:  <86r45v7bb8.fsf@nine.des.no>
In-Reply-To: <20140322000445.C31989@sola.nimnet.asn.au> (Ian Smith's message of "Sat, 22 Mar 2014 02:25:19 +1100 (EST)")
References:  <45158.1395348066@server1.tristatelogic.com> <20140322000445.C31989@sola.nimnet.asn.au>

Ian Smith <smithi@nimnet.asn.au> writes:
> Just on your last point: if your internet-connected device is providing
> any services whatsoever on its outside interface (netstat -finet -an)

Or sockstat -4l, which is far more readable.

> As assorted experts have suggested, you need a stateful rule.  It's
> really not that hard; if you _only_ needed to protect ntp on udp:
>
>  kldload ipfw && ipfw add 65000 allow ip from any to any	# load null fw
>  ipfw add allow udp from me to any ntp out xmit $outsideif keep-state
>  ipfw add deny udp from any to me ntp in recv $outsideif
>
> Done.  Perfectly configured for this one purpose, statefully no less ..

Wrong, wrong, wrong.  Whitelist, not blacklist.

I haven't used ipfw in years, but with pf:

| set block-policy return
| set skip on lo0
| scrub in all
| block quick inet6
| block log all
|
| # allow ping
| pass inet proto icmp all icmp-type echoreq
|
| # allow incoming ssh
| pass in inet proto tcp from any to self port ssh
|
| # allow outgoing tcp
| pass out proto tcp from self to any
|
| # allow outgoing DNS and NTP
| pass out inet proto udp from self to any port { domain, ntp }

Unlike ipfw, pf keeps state by default and retains it when you reload
the ruleset, so you can safely do "sudo service pf reload" over ssh.

Note that I didn't include echoresp in the list of allowed ICMP types,
because an incoming or outgoing echoreq packet will create a state rule
which allows the corresponding echoresp.

I have the following rule on at least one machine:

| # Allow outgoing TCP RST packets
| pass out proto tcp from any to any flags R/R no state

but I don't remember the exact circumstances in which outgoing RST
packets were being blocked.  Try connecting to a TCP port other than ssh
from outside, and if the connection times out instead of immediately
failing, you need the RST rule.

This ruleset blocks UDP traceroute.  Use TCP ('traceroute -P TCP host')
instead.

DES
-- 
Dag-Erling Smørgrav - des@des.no
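Ian's check (what is listening on the outside interface) and DES's whitelist ruleset can be combined into a quick audit. The following Python script is an added example, not code from either poster: it assumes constructed `sockstat -4l` output and a small service-name map, and reports for each externally reachable listener whether a `pass in` rule admits it, the default block drops it, or nothing covers it at all.

```python
import re

# Constructed subset of /etc/services so names used in pf rules map to ports.
SERVICES = {"ssh": 22, "domain": 53, "ntp": 123, "http": 80, "https": 443}

# Constructed `sockstat -4l` output for a hypothetical host.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp4   *:22                  *:*
root     ntpd       1100  20 udp4   *:123                 *:*
root     ntpd       1100  21 udp4   127.0.0.1:123         *:*
bind     named      1050  21 tcp4   *:53                  *:*
"""

# Inbound-relevant lines of the pf ruleset from the message above.
PF_SAMPLE = """\
set skip on lo0
block log all
pass in inet proto tcp from any to self port ssh
pass out inet proto udp from self to any port { domain, ntp }
"""

def listeners(sockstat_text):
    """Yield (proto, port, command) for sockets bound to non-loopback addresses."""
    for line in sockstat_text.splitlines()[1:]:          # skip header row
        _user, cmd, _pid, _fd, proto, local, _foreign = line.split()
        addr, port = local.rsplit(":", 1)
        if addr.startswith("127."):
            continue          # lo0 is skipped by pf and unreachable from outside
        yield proto.rstrip("46"), int(port), cmd          # tcp4 -> tcp

def inbound_whitelist(pf_text):
    """Return ((proto, port) set admitted by 'pass in' rules, default-block present?)."""
    allowed, default_block = set(), False
    for line in pf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if re.match(r"block\b.*\ball$", line):
            default_block = True
        m = re.match(r"pass\s+in\b.*\bproto\s+(tcp|udp)\b.*\bport\s+(\{[^}]*\}|\S+)", line)
        if m:
            for name in re.findall(r"[\w-]+", m.group(2)):   # handles { a, b } lists
                port = int(name) if name.isdigit() else SERVICES.get(name)
                if port is not None:
                    allowed.add((m.group(1), port))
    return allowed, default_block

def audit(sockstat_text, pf_text):
    """Classify each externally reachable listener as allowed, blocked, or exposed."""
    allowed, default_block = inbound_whitelist(pf_text)
    result = {}
    for proto, port, cmd in listeners(sockstat_text):
        if (proto, port) in allowed:
            status = "allowed"
        else:
            status = "blocked" if default_block else "exposed"   # exposed = no default deny
        result[(proto, port, cmd)] = status
    return result

if __name__ == "__main__":
    for (proto, port, cmd), status in sorted(audit(SOCKSTAT_SAMPLE, PF_SAMPLE).items()):
        print(f"{proto}/{port:<5} {cmd:<8} {status}")
```

With the sample inputs, sshd is reported as allowed while ntpd and named are blocked by "block log all"; dropping the block line turns those into "exposed".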