Date:      Sat, 19 Aug 2000 10:35:43 -0500
From:      "Bill McMilleon" <billmcmilleon@home.com>
To:        <freebsd-questions@freebsd.org>
Subject:   hardening my nat/firewall rules
Message-ID:  <005201c009f3$27ca5bd0$6401a8c0@tp770z>

I'd love to "harden" this ipfw ruleset up a bit --- any suggestions are
welcome.
I tried some of the newer keep-state stuff, but could never get it to work
right.
Below are copies of my ipfw.rules (a file which ipfw reads directly since I
specify a firewall_type of "/etc/ipfw.rules") and natd.conf.
In this case ep0 is the public interface (which has been changed for this
example to 24.1.1.1).
There are comments and questions for most rules...


(ipfw.rules)
# clean up existing ruleset...
-f flush

# take care of localhost
add allow all from localhost to localhost

# Always allow traffic on the local/private subnet
add allow ip from 192.168.0.0/16 to 192.168.0.0/16 via xl0

# Allow anything incoming on xl0 from 192.168 that is going elsewhere
add skipto 10000 ip   from 192.168.0.0/16 to not 192.168.0.0/16 in recv xl0

# kill any specific bad guys
add deny log all from 24.0.94.0/24 to any  # @home's authorized-scan.security.home.net subnet

# Allow the "safer" ICMP types through
add skipto 10000 icmp from any to any icmptype 0,3,8,11

# add support for incoming connections on port 80 for the web server
add skipto 10000 log tcp from any to 24.1.1.1 80 setup

# kill any other connection setup requests that are incoming on the public interface
add deny log tcp from any to 24.1.1.1 setup in recv ep0

# kill all fragmented packets
add deny log all from any to any frag in recv ep0

# kill all with source routing options set
add deny log all from any to any ipoptions ssrr in recv ep0
add deny log all from any to any ipoptions lsrr in recv ep0

# allow existing connections to continue speaking
add skipto 10000 tcp from any to 24.1.1.1 established

# need UDP, but how to control??  This seems too loose...but it works
add skipto 10000 udp from any to any

# kill everything else
#add deny ip from any to any

# perform NAT.  Shouldn't this be more refined than "any" to "any?"
add 10000 divert natd all from any to any

# I didn't know how to proceed here, but this works for now
add allow ip from any to any



(natd.conf)
# Operate on packets traversing ep0...
interface ep0

#http...
# incoming tcp packets destined for port 80 on this machine (the firewall 24.1.1.1)
# will be sent to port 80 on the internal web server (192.168.1.5)
redirect_port tcp 192.168.1.5:80    24.1.1.1:80

#dialpad.com services...
# incoming tcp and udp packets on specified ports will be allowed thru
redirect_port tcp 192.168.1.99:51210 24.1.1.1:51210
redirect_port udp 192.168.1.99:51200 24.1.1.1:51200
redirect_port udp 192.168.1.99:51201 24.1.1.1:51201

# Log denied incoming packets via syslog (see also log_facility)
log_denied

# Only alter outgoing packets with an unregistered source address.
# According to rfc 1918, unregistered source addresses are
# 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
unregistered_only


Thanks in advance,
--Bill
billmc@internetaddress.com
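As an added illustration (not part of Bill's post, and not ipfw or FreeBSD code), here is a small Python model of ipfw's first-match evaluation loaded with a transcription of the ruleset above. It plays constructed packets through the rules twice: once with the final `deny ip from any to any` commented out, as posted, and once with it enabled. That comparison shows why the commented-out line matters: without it, anything the earlier rules did not explicitly deny (an ICMP type outside the 0,3,8,11 list, for instance) falls through to the divert rule and the closing `allow ip from any to any`, so the ICMP allow-list has no effect. It also shows that the `skipto 10000 udp from any to any` rule admits inbound UDP to any port in both variants, which is the looseness the post points at, and that the stateless `established` rule accepts any packet carrying ACK or RST whether or not a connection exists, which is what the keep-state rules mentioned in the post are meant to fix. The interface names and 24.1.1.1 come from the post; the remote address 203.0.113.9 and the packets are constructed.

```python
"""Model of ipfw first-match evaluation for the ruleset posted above.
Added example code: not ipfw, not FreeBSD's rc scripts, and nothing the
poster ran.  Only the keywords that ruleset uses are modelled."""
import ipaddress

PUBLIC_IF, PRIVATE_IF = "ep0", "xl0"        # interface names from the post
FW = "24.1.1.1"                              # public address from the post
LAN = ipaddress.ip_network("192.168.0.0/16")
OUTSIDE = "203.0.113.9"                      # constructed remote address


def rule(action, **match):
    return {"action": action, **match}


def posted_rules(final_deny=False):
    """Transcription of the posted ipfw.rules.  final_deny=True uncomments
    the '#add deny ip from any to any' line that precedes the divert."""
    rules = [
        rule("allow", src="127.0.0.1", dst="127.0.0.1"),
        rule("allow", src=LAN, dst=LAN, via=PRIVATE_IF),
        rule("skipto", target=10000, src=LAN, dst_not=LAN, in_recv=PRIVATE_IF),
        rule("deny", src=ipaddress.ip_network("24.0.94.0/24")),
        rule("skipto", target=10000, proto="icmp", icmptype={0, 3, 8, 11}),
        rule("skipto", target=10000, proto="tcp", dst=FW, dport=80, setup=True),
        rule("deny", proto="tcp", dst=FW, setup=True, in_recv=PUBLIC_IF),
        rule("deny", frag=True, in_recv=PUBLIC_IF),
        rule("deny", ipopt="ssrr", in_recv=PUBLIC_IF),
        rule("deny", ipopt="lsrr", in_recv=PUBLIC_IF),
        rule("skipto", target=10000, proto="tcp", dst=FW, established=True),
        rule("skipto", target=10000, proto="udp"),
    ]
    if final_deny:
        rules.append(rule("deny"))
    rules += [rule("divert", num=10000), rule("allow")]
    nxt = 100            # ipfw numbers un-numbered 'add' lines in steps of 100
    for r in rules:
        r.setdefault("num", nxt)
        nxt = r["num"] + 100
    return rules


def addr_match(value, spec):
    if isinstance(spec, ipaddress.IPv4Network):
        return ipaddress.ip_address(value) in spec
    return value == spec


def matches(r, p):
    """Every option present on the rule must hold for packet p."""
    flags = p.get("flags", set())
    return all([
        "proto" not in r or r["proto"] == p["proto"],
        "src" not in r or addr_match(p["src"], r["src"]),
        "dst" not in r or addr_match(p["dst"], r["dst"]),
        "dst_not" not in r or not addr_match(p["dst"], r["dst_not"]),
        "dport" not in r or p.get("dport") == r["dport"],
        not r.get("setup") or ("SYN" in flags and "ACK" not in flags),
        not r.get("established") or bool(flags & {"ACK", "RST"}),
        "icmptype" not in r or p.get("icmptype") in r["icmptype"],
        not r.get("frag") or p.get("frag", False),
        "ipopt" not in r or p.get("ipopt") == r["ipopt"],
        "in_recv" not in r or (p["direction"] == "in" and p["iface"] == r["in_recv"]),
        "via" not in r or p["iface"] == r["via"],
    ])


def evaluate(rules, p):
    """Return (verdict, passed_through_natd, number of the deciding rule).
    Falling off the end is the kernel's implicit rule 65535, which denies
    unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT."""
    natted, i = False, 0
    while i < len(rules):
        r = rules[i]
        if matches(r, p):
            if r["action"] in ("allow", "deny"):
                return r["action"], natted, r["num"]
            if r["action"] == "skipto":   # resume at first rule numbered >= target
                i = next(k for k, x in enumerate(rules) if x["num"] >= r["target"])
                continue
            natted = True                 # divert: natd rewrites, re-injects after this rule
        i += 1
    return "deny", natted, 65535


def inbound(proto, dport=None, **extra):
    """Constructed packet arriving on the public interface from outside."""
    return {"proto": proto, "src": OUTSIDE, "dst": FW, "dport": dport,
            "iface": PUBLIC_IF, "direction": "in", **extra}


SCENARIOS = {
    "web syn":      inbound("tcp", 80, flags={"SYN"}),
    "ssh syn":      inbound("tcp", 22, flags={"SYN"}),
    "udp to 161":   inbound("udp", 161),
    "icmp type 13": inbound("icmp", icmptype=13),
    "bare ack 22":  inbound("tcp", 22, flags={"ACK"}),
}

if __name__ == "__main__":
    for deny in (False, True):
        print("--- final deny", "enabled" if deny else "commented out, as posted")
        for name, pkt in SCENARIOS.items():
            print(f"  {name:13s} -> {evaluate(posted_rules(deny), pkt)}")
```

Running it prints, for each variant, the verdict, whether the packet went through natd, and the rule that decided: the ICMP type 13 packet changes from an allow by rule 10100 to a deny by the re-enabled rule 1300, while the UDP and bare-ACK packets are allowed by rule 10100 either way. The model deliberately stops at the keywords in the post; real ipfw has many more options, and natd's port redirections are not modelled beyond the fact that the packet passed through the divert.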