Date:      Sat, 14 Feb 2004 20:31:45 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Eric F Crist <ecrist@adtechintegrated.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW ruleset not working... advice?  WAS Re: Running processes...
Message-ID:  <20040214203144.GA3904@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <200402141315.13710.ecrist@adtechintegrated.com>
References:  <MIEPLLIBMLEEABPDBIEGIEBFFLAA.Barbish3@adelphia.net> <200402141247.13325.ecrist@adtechintegrated.com> <20040214185845.GA66227@falcon.midgard.homeip.net> <200402141315.13710.ecrist@adtechintegrated.com>


On Sat, Feb 14, 2004 at 01:15:07PM -0600, Eric F Crist wrote:

> Hey, thanks!  I changed all the rules so they read:
> 
> allow ip from any to me <port>
> 
> and added the rule:
> 
> allow ip from me to any at rule 50
> 
> All seems to work now!  Does anyone have any suggestions on how to make this
> system even tighter?  Thanks.

Yes.  Use the stateful rules feature.  Instead of opening up outgoing
packets to everywhere, the keep-state rules dynamically open up a
point to point connection that remains open while traffic is flowing
between the two systems, and times out after traffic stops or the
connection is closed.

A very minimal partial ruleset to allow incoming SSH, HTTP, HTTPS,
SMTP and outgoing DNS lookups would look like:

    00100 check-state
    00200 deny log tcp from any to any established
    00300 allow tcp from any to me 22,25,80,443 keep-state in recv fxp0
    00400 allow udp from me to any 53 keep-state out xmit fxp0
    00500 deny log ip from any to any

[The 'in recv fxp0' and 'out xmit fxp0' stuff is optional: all it does
is filter packets according to what interface they are traversing and
in what direction.  Remember to substitute the correct device name for
your network interface.]

Although at first sight, this would appear to block all tcp traffic
except for the first 'SYN' packet, and not permit any incoming UDP
traffic at all, the 'keep-state' flag in rules 00300 and 00400
generates dynamic rules that permit packets to flow in response to the
packet that triggered them.  Those rules are effectively inserted into
the ruleset at the 'check-state' line (or at the first occurring
'limit' or 'keep-state' line).  Use 'ipfw -d list' to show all active
dynamic rules.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK


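A toy model of how the stateful ruleset in the message above behaves, added here as an example; it is not ipfw code and not from the original thread. It assumes simplified semantics (`established` means any TCP segment that is not a bare SYN, `check-state` matches either direction of a flow recorded by `keep-state`, interface qualifiers are ignored) and uses constructed addresses for `me` and the peers.

```python
from collections import namedtuple

# Simplified model of ipfw stateful matching (assumed semantics, not ipfw):
# 'established' = any TCP segment that is not a bare SYN, and check-state
# matches a packet in either direction of a flow recorded by keep-state.
Pkt = namedtuple("Pkt", "proto src sport dst dport syn_only")
ME = "192.0.2.10"        # constructed address standing in for 'me'
dynamic = set()          # dynamic rules keyed by (proto, src, sport, dst, dport)

def _flow(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def _reverse(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)

def evaluate(p):
    """Return (rule number, action) of the first rule that matches p."""
    if _flow(p) in dynamic or _reverse(p) in dynamic:   # 00100 check-state
        return (100, "allow")
    if p.proto == "tcp" and not p.syn_only:              # 00200 deny established
        return (200, "deny")
    if p.proto == "tcp" and p.dst == ME and p.dport in (22, 25, 80, 443):
        dynamic.add(_flow(p))                            # 00300 ... keep-state
        return (300, "allow")
    if p.proto == "udp" and p.src == ME and p.dport == 53:
        dynamic.add(_flow(p))                            # 00400 ... keep-state
        return (400, "allow")
    return (500, "deny")                                 # 00500 deny all

def demo():
    """Run the packets the message discusses; returns the verdict list."""
    dynamic.clear()
    peer, ns = "198.51.100.7", "192.0.2.53"              # constructed hosts
    return [
        # non-SYN segment with no state: killed by rule 200
        evaluate(Pkt("tcp", peer, 40000, ME, 22, False)),
        # SYN to SSH: rule 300 allows it and records the flow
        evaluate(Pkt("tcp", peer, 40001, ME, 22, True)),
        # our SYN/ACK back: matched by the dynamic rule at check-state
        evaluate(Pkt("tcp", ME, 22, peer, 40001, False)),
        # outgoing DNS query creates state, so the reply is admitted...
        evaluate(Pkt("udp", ME, 53001, ns, 53, False)),
        evaluate(Pkt("udp", ns, 53, ME, 53001, False)),
        # ...but a UDP "reply" nobody asked for falls through to rule 500
        evaluate(Pkt("udp", ns, 53, ME, 53002, False)),
    ]
```

Running `demo()` shows why the `deny established` rule must sit after `check-state`: the SYN/ACK and the DNS reply are only admitted because their flows were recorded first.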


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040214203144.GA3904>