From: "Robin Ericsson"
Delivered-To: freebsd-questions@freebsd.org
Date: Sat, 5 Apr 2003 21:49:53 +0200
Subject: input on ipfw rules

Hi,

I would like to get some input on these rules I'm currently using. I come from a Linux/Cisco background, so I want to know how bad these are :) Mostly my questions are about the keep-state stuff. I guess 00235 can go, as I think that one allows all traffic from that specific IP if already connected elsewhere? It is compiled with IP_FIREWALL only, so there is also a 65535 deny ip from any to any.
# regular stuff
ipfw add 00100 allow ip from any to any via lo0

# normal traffic
ipfw add 00220 deny log ip from me to any in
ipfw add 00225 deny log tcp from any to any in tcpflags fin,syn
ipfw add 00230 check-state
ipfw add 00235 allow tcp from any to any in established
ipfw add 00240 allow tcp from any to any frag
ipfw add 00245 allow ip from any to any keep-state out

# icmp
ipfw add 00300 allow icmp from any to any icmptype 3
ipfw add 00301 allow icmp from any to any icmptype 4
ipfw add 00302 allow icmp from any to any icmptype 11

# ident
ipfw add 00600 allow tcp from any to any 113 keep-state setup

# ssh
ipfw add 00700 allow tcp from any to me 22 keep-state

# webhosting services
ipfw add 00800 allow tcp from any to me 80 keep-state
ipfw add 00810 allow tcp from any to me 21 keep-state
ipfw add 00820 allow tcp from any to me 40000-45000 keep-state

# dns
ipfw add 00900 allow udp from me to any 53 keep-state
ipfw add 00910 allow udp from any to me 53

# mail services
ipfw add 01000 allow tcp from any to me 143 keep-state
ipfw add 01010 allow tcp from any to me 110 keep-state
ipfw add 01020 allow tcp from any to me 25 keep-state

best regards
Robin
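To see how ipfw's first-match evaluation treats the question about rule 00235, here is an added example (not from the mail and not ipfw's own code): a small Python simulator over a hand-copied subset of the rule set above. It assumes a constructed local address 192.0.2.10 for "me" and a constructed peer 198.51.100.7, leaves keep-state/check-state bookkeeping out, and models only the ipfw(8) meaning of `established` (RST or ACK bit set, no state table consulted), so it shows which inbound TCP packets 00235 admits on the strength of the flags alone.

```python
# Added example (not ipfw itself): first-match simulator for the subset of ipfw
# syntax used above; keep-state/check-state bookkeeping is deliberately omitted.
import re
LOCAL_ADDRS = {"192.0.2.10"}   # constructed: what "me" resolves to
PEER = "198.51.100.7"          # constructed remote host
# From the mail's rule set, minus what is not modelled here
# (lo0, tcpflags, frag, setup, icmp, udp, the check-state hook).
RULES_TEXT = """
00220 deny log ip from me to any in
00235 allow tcp from any to any in established
00700 allow tcp from any to me 22 keep-state
65535 deny ip from any to any
"""

def parse_rule(line):
    t = line.split()
    i = 3 if t[2] == "log" else 2            # "log" does not affect matching
    r = {"num": int(t[0]), "action": t[1], "proto": t[i],
         "src": t[i + 2], "dst": t[i + 4], "ports": None}
    i += 5
    if i < len(t) and re.fullmatch(r"\d+(-\d+)?", t[i]):
        lo, _, hi = t[i].partition("-")
        r["ports"], i = (int(lo), int(hi or lo)), i + 1
    r["opts"] = set(t[i:])                   # in / out / established / keep-state
    return r

RULES = [parse_rule(l) for l in RULES_TEXT.split("\n") if l.strip()]

def addr_ok(spec, addr):
    return spec in ("any", addr) or (spec == "me" and addr in LOCAL_ADDRS)

def rule_matches(r, pkt):
    if r["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (addr_ok(r["src"], pkt["src"]) and addr_ok(r["dst"], pkt["dst"])):
        return False
    if r["ports"] and not r["ports"][0] <= pkt["dport"] <= r["ports"][1]:
        return False
    if ("in" in r["opts"] or "out" in r["opts"]) and pkt["dir"] not in r["opts"]:
        return False
    # ipfw(8): "established" = RST or ACK set; no state table is consulted.
    return "established" not in r["opts"] or bool(pkt["flags"] & {"ack", "rst"})

def decide(pkt):
    # (rule number, action) of the first matching rule, as ipfw evaluates them
    return next((r["num"], r["action"]) for r in RULES if rule_matches(r, pkt))

def inbound(dport, flags):
    # constructed TCP packet from PEER to this host, e.g. inbound(22, ["syn"])
    return {"proto": "tcp", "src": PEER, "dst": "192.0.2.10",
            "dport": dport, "dir": "in", "flags": set(flags)}
```

Running `decide(inbound(22, ["syn"]))` lands on 00700 and `decide(inbound(3306, ["syn"]))` falls through to 65535, while `decide(inbound(3306, ["ack"]))` is accepted by 00235 although no rule opens that port; a dynamic rule created by keep-state and consulted at 00230 would only have covered the first case.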