Date: Thu, 15 Mar 2001 12:40:49 +0800
From: "Ramoncito P. Puyat" <nitronarc@iname.com>
To: freebsd-ipfw@freebsd.org
Subject: help with ipfw
Message-ID: <5.0.2.1.2.20010315124042.009f4850@pop.info.com.ph>
Greetings! We have a small company using a cable connection for our internet. Recently, due to some nuisance hacking, we installed a FreeBSD box with ipfw/natd. Everything went fine until two of our employees complained that we were not able to use the pc-to-phone facility of MSN Messenger and the ftp facility of ICQ. When we needed to call, we had to bring the firewall to open-mode and only closed it up after the phone call. My security logs point to many probe/scan attempts from the outside, especially in the 137-139 port range.

We tried to make the rules as per the suggestion of MSN and ICQ but to no avail. Could someone help me out on this? I want to allow the use of MSN and ICQ without necessarily removing my protection. Below is a copy of my ipfw rules.

TIA
Ramon

----- ipfw.rules -----

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

# Flush previous rules
/sbin/ipfw -f flush

# Allow loopbacks, deny imposters
/sbin/ipfw add 100 pass all from any to any via lo0
/sbin/ipfw add 200 deny all from any to 127.0.0.0/8

# Stop spoofing
/sbin/ipfw add deny all from 192.168.0.0/16 to any in via ed0
/sbin/ipfw add deny all from not 192.168.0.0/16 to any in via rl0

# Stop RFC1918 nets on the outside interface
/sbin/ipfw add deny all from any to 10.0.0.0/8 via ed0
/sbin/ipfw add deny all from any to 172.16.0.0/12 via ed0
/sbin/ipfw add deny all from any to 192.168.0.0/16 via ed0

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
/sbin/ipfw add deny all from any to 0.0.0.0/8 via ed0
/sbin/ipfw add deny all from any to 169.254.0.0/16 via ed0
/sbin/ipfw add deny all from any to 192.0.2.0/24 via ed0
/sbin/ipfw add deny all from any to 224.0.0.0/4 via ed0
/sbin/ipfw add deny all from any to 240.0.0.0/4 via ed0
/sbin/ipfw add deny all from 0.0.0.0/8 to any via ed0
/sbin/ipfw add deny all from 169.254.0.0/16 to any via ed0
/sbin/ipfw add deny all from 192.0.2.0/24 to any via ed0
/sbin/ipfw add deny all from 224.0.0.0/4 to any via ed0
/sbin/ipfw add deny all from 240.0.0.0/4 to any via ed0

# Stop Scour
/sbin/ipfw add deny all from 209.249.159.0/24 to any via ed0
/sbin/ipfw add deny all from 216.52.208.0/24 to any via ed0
/sbin/ipfw add deny all from any to 209.249.159.0/24 via ed0
/sbin/ipfw add deny all from any to 216.52.208.0/24 via ed0

# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
/sbin/ipfw add divert 8668 ip from any to any via ed0

# Allow established connections with minimal overhead
/sbin/ipfw add allow tcp from any to any established

# Allow IP fragments to pass through
/sbin/ipfw add allow all from any to any frag

### TCP RULES

# DNS - Allow queries out in the world
/sbin/ipfw add allow tcp from any to 203.172.11.21 53
/sbin/ipfw add allow tcp from any to 203.172.11.25 53
/sbin/ipfw add allow tcp from 203.172.11.21 53 to any
/sbin/ipfw add allow tcp from 203.172.11.25 53 to any

# HTTP - Allow access to our web server
/sbin/ipfw add allow tcp from any to any 80 setup

# HTTPS - Allow access to our secure server
/sbin/ipfw add allow tcp from any to any 443 setup

# POP - Allow access to our POP3 server
/sbin/ipfw add allow tcp from any to any 110 setup

# SMTP - Allow access to sendmail for incoming e-mail
/sbin/ipfw add allow tcp from any to any 25 setup

# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
/sbin/ipfw add allow tcp from any 20 to any 1024-65535 setup
/sbin/ipfw add deny log tcp from any to any 21 in via ed0 setup

# SSH Login - Allow & Log all incoming
/sbin/ipfw add allow log tcp from any to any 22 in via ed0 setup

# IDENT - Reset incoming connections
/sbin/ipfw add reset tcp from any to any 113 in via ed0 setup

# NFS
/sbin/ipfw add deny log tcp from any to any 2049 in recv ed0

# ICQ
/sbin/ipfw add allow tcp from any 5190 to any via ed0
/sbin/ipfw add allow tcp from any to any 5190 via ed0

# MSN Messenger
/sbin/ipfw add allow tcp from any 6901 to any via ed0
/sbin/ipfw add allow tcp from any to any 6901 via ed0
/sbin/ipfw add allow tcp from any to any 7801-7825 via ed0
/sbin/ipfw add allow tcp from any 6891-6900 to any via ed0
/sbin/ipfw add allow tcp from any to any 6891-6900 via ed0

# X Servers
/sbin/ipfw add deny log tcp from any to any 6000-6010 in recv ed0

# Reject&Log all setup of incoming connections from the outside
/sbin/ipfw add deny log tcp from any to any in via ed0 setup

# Allow setup of any other TCP connection
/sbin/ipfw add allow tcp from any to any setup

### UDP RULES

# DNS - Allow queries out in the world
/sbin/ipfw add allow udp from any to 203.172.11.21 53
/sbin/ipfw add allow udp from any to 203.172.11.25 53
/sbin/ipfw add allow udp from 203.172.11.21 53 to any
/sbin/ipfw add allow udp from 203.172.11.25 53 to any

# SMB - Allow local traffic
/sbin/ipfw add allow udp from any to any 137-139 via rl0

# SYSLOG - Allow machines on inside net to log to us.
/sbin/ipfw add allow log udp from any to any 514 via rl0

# NTP - Allow queries out in the world
/sbin/ipfw add allow udp from any 123 to any 123 via ed0
/sbin/ipfw add allow udp from any 123 to any via rl0
/sbin/ipfw add allow udp from any to any 123 via rl0

# MSN Messenger
/sbin/ipfw add allow udp from any to any 6801 via ed0
/sbin/ipfw add allow udp from any to any 6901 via ed0
/sbin/ipfw add allow udp from any to any 2001-2120 via ed0
/sbin/ipfw add allow udp from any 6801 to any via ed0
/sbin/ipfw add allow udp from any 6901 to any via ed0
/sbin/ipfw add allow udp from any 2001-2120 to any via ed0

# NFS
/sbin/ipfw add deny log udp from any to any 2049 in recv ed0

# TRACEROUTE - Allow outgoing
/sbin/ipfw add allow udp from any to any 33434-33523 out via ed0

### ICMP RULES

# ICMP packets
# Allow all ICMP packets on internal interface
/sbin/ipfw add allow icmp from any to any via rl0

# Allow outgoing pings
/sbin/ipfw add allow icmp from any to any icmptypes 8 out via ed0
/sbin/ipfw add allow icmp from any to any icmptypes 0 in via ed0

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
/sbin/ipfw add allow icmp from any to any icmptypes 3,4,11,12 via ed0

# Deny the rest of them
/sbin/ipfw add deny icmp from any to any

### MISCELLANEOUS REJECT RULES

# Reject broadcasts from outside interface
/sbin/ipfw add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ed0

# Reject&Log SMB connections on outside interface
/sbin/ipfw add 64000 deny log udp from any to any 137-139 via ed0

# Reject&Log all other connections from outside interface
/sbin/ipfw add 65000 deny log ip from any to any via ed0

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.0.2.1.2.20010315124042.009f4850>
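Added here as an illustration, not part of the original message or of ipfw itself: a small Python first-match simulator over a constructed subset of the posted rules, assuming every address is `any` and skipping the natd divert rule. It shows why an inbound NetBIOS probe lands on rule 64000 in the logs, and that the MSN line written without `in` or `setup` accepts an unsolicited inbound SYN on ed0 ahead of the catch-all deny.

```python
import re

# Constructed subset of the posted ruleset, in page order; ipfw stops at the first match.
# The natd divert rule is omitted (the translated packet continues from the next rule).
RULES = [
    "allow tcp from any to any established",
    "deny log tcp from any to any 21 in via ed0 setup",
    "allow tcp from any to any 6901 via ed0",
    "deny log tcp from any to any in via ed0 setup",
    "allow tcp from any to any setup",
    "allow udp from any to any 137-139 via rl0",
    "64000 deny log udp from any to any 137-139 via ed0",
    "65000 deny log ip from any to any via ed0",
]

def _ports(t):
    """Pop an optional port or lo-hi range that follows an address token."""
    if t and re.fullmatch(r"\d+(-\d+)?", t[0]):
        lo, _, hi = t.pop(0).partition("-")
        return int(lo), int(hi or lo)

def parse(rule):  # [num] action [log] proto from any [port] to any [port] [in|out] [via IF] [setup] [established]
    t = rule.split()
    r = {"text": rule, "dir": None, "via": None, "setup": False, "est": False}
    if t[0].isdigit(): t.pop(0)        # rule number; RULES order already reflects it
    r["action"] = t.pop(0)
    if t[0] == "log": t.pop(0)         # logging does not change the verdict
    r["proto"] = t.pop(0)
    del t[:2]; r["sport"] = _ports(t)  # "from any" [port]
    del t[:2]; r["dport"] = _ports(t)  # "to any" [port]
    while t:
        k = t.pop(0)
        if k in ("in", "out"): r["dir"] = k
        elif k == "via": r["via"] = t.pop(0)
        else: r["setup" if k == "setup" else "est"] = True
    return r

def matches(r, p):
    """p: dict with proto, sport, dport, dir ("in"/"out"), iface and a TCP flag set such as {"syn"}."""
    ok = r["proto"] in ("all", "ip", p["proto"])
    ok &= all(not r[k] or r[k][0] <= p[k] <= r[k][1] for k in ("sport", "dport"))
    ok &= r["dir"] in (None, p["dir"]) and r["via"] in (None, p["iface"])
    ok &= not r["setup"] or p["flags"] == {"syn"}                       # setup: SYN without ACK
    return ok and (not r["est"] or bool(p["flags"] & {"ack", "rst"}))  # established: ACK or RST

def first_match(p, rules=RULES):
    """(action, rule text) of the first matching rule, else the kernel default deny."""
    hits = [r for r in map(parse, rules) if matches(r, p)]
    return (hits[0]["action"], hits[0]["text"]) if hits else ("deny", "default")
```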