Date:      Thu, 15 Mar 2001 12:40:49 +0800
From:      "Ramoncito P. Puyat" <nitronarc@iname.com>
To:        freebsd-ipfw@freebsd.org
Subject:   help with ipfw
Message-ID:  <5.0.2.1.2.20010315124042.009f4850@pop.info.com.ph>

greetings!

We have a small company using a cable connection for our internet. 
Recently, due to some nuisance hacking, we installed a FreeBSD box with 
ipfw/natd. Everything went fine until two of our employees complained that 
we were not able to use the pc-to-phone facility of MSN Messenger and the 
ftp facility of ICQ. When we needed to call, we had to bring the firewall 
to open mode and only closed it up again after the phone call. My security logs 
point to many probe/scan attempts from the outside, especially in the 
137-139 port range. We tried to set up the rules as suggested by MSN 
and ICQ, but to no avail. Could someone help me out with this? I want to allow 
the use of MSN and ICQ without necessarily removing my protection. Below 
is a copy of my ipfw rules.

TIA

Ramon

----- ipfw.rules -----

# Pull in the rc.conf variables.  FreeBSD's defaults file is expected to
# define source_rc_confs, which in turn reads the local rc.conf files; when
# the defaults file is absent, fall back to reading /etc/rc.conf directly.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

# A first argument, when given, overrides the firewall_type from rc.conf.
# NOTE(review): nothing further down in this file reads firewall_type, so
# the override only matters if the file is sourced by a caller that does.
[ -z "${1}" ] || firewall_type="${1}"

# Flush previous rules (-f: do not ask for confirmation).  Every rule is
# removed here and rebuilt below, so on a kernel that defaults to deny the
# box is unreachable -- including over ssh -- until the matching allow
# rules further down have been added again.
/sbin/ipfw -f flush

# Allow loopbacks, deny imposters.  These two carry explicit rule numbers
# (100, 200); the `add' calls below without a number are placed after the
# last existing rule, so the order in this file is the evaluation order.
/sbin/ipfw add 100 pass all from any to any via lo0
/sbin/ipfw add 200 deny all from any to 127.0.0.0/8

# Stop spoofing: inside addresses may not arrive on the outside interface
# (ed0), and only inside addresses may arrive on the inside interface (rl0).
/sbin/ipfw add deny all from 192.168.0.0/16 to any in via ed0
/sbin/ipfw add deny all from not 192.168.0.0/16 to any in via rl0

# Stop RFC1918 nets on the outside interface
for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
	/sbin/ipfw add deny all from any to ${net} via ed0
done

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface.  Destination rules are added first, then the
# source rules, so the resulting rule order is unchanged.
dsua_nets="0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
# word splitting of ${dsua_nets} is intentional (list of prefixes)
for net in ${dsua_nets}; do
	/sbin/ipfw add deny all from any to ${net} via ed0
done
for net in ${dsua_nets}; do
	/sbin/ipfw add deny all from ${net} to any via ed0
done

# Stop Scour: source rules first, then destination rules
scour_nets="209.249.159.0/24 216.52.208.0/24"
for net in ${scour_nets}; do
	/sbin/ipfw add deny all from ${net} to any via ed0
done
for net in ${scour_nets}; do
	/sbin/ipfw add deny all from any to ${net} via ed0
done

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
# Every packet crossing ed0 is handed to natd(8) on divert port 8668;
# the translated packet re-enters the ruleset at the rule after this one.
/sbin/ipfw add divert 8668 ip from any to any via ed0

# Allow established connections with minimal overhead.
# `established' is a stateless check: it matches any TCP segment with the
# ACK or RST flag set, whether or not a connection was ever opened through
# this firewall.  It is what lets the replies to the `setup' rules below
# through, and it is also why a TCP rule matching only on a *source* port
# (e.g. `from any <port> to any') adds nothing for legitimate traffic.
/sbin/ipfw add allow tcp from any to any established

# Allow IP fragments to pass through.  Non-first fragments carry no port
# numbers, so the port-based rules below cannot match them; this accepts
# them and leaves reassembly to the receiving host.
/sbin/ipfw add allow all from any to any frag


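### TCP RULES

# DNS - Allow queries out in the world.  Only the connection setup to the
# two resolvers needs a rule: every later segment in either direction has
# ACK set and is accepted by the `established' rule above.
# The former `from <resolver> 53 to any' reply rules are dropped on
# purpose: without `in'/`setup' qualifiers they accepted any TCP segment,
# SYNs included, whose source port was 53 -- to any port on this host --
# ahead of the deny-incoming-setup rule further down.
/sbin/ipfw add allow tcp from any to 203.172.11.21 53 setup
/sbin/ipfw add allow tcp from any to 203.172.11.25 53 setup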

# Public services: HTTP (80) and HTTPS (443) for the web server, POP3 (110)
# for mail pickup, SMTP (25) for incoming e-mail to sendmail.  Each rule
# accepts connection setup to the port; there is no `via'/direction
# qualifier, so setup is accepted from either side of the firewall.
# NOTE(review): from the outside these connections land on the firewall
# host itself unless natd(8) redirects the port to an inside server.
for svc_port in 80 443 110 25; do
	/sbin/ipfw add allow tcp from any to any ${svc_port} setup
done

# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections.
# The first rule is the classic active-FTP hole: any outside host may open
# a connection to any unprivileged port here as long as its source port is
# 20, and the rule is evaluated before the deny-incoming-setup rule below.
# Passive-mode clients would not need it (their data connections are
# outgoing and covered by the general `allow ... setup' rule).
/sbin/ipfw add allow tcp from any 20 to any 1024-65535 setup
/sbin/ipfw add deny log tcp from any to any 21 in via ed0 setup

# SSH Login - Allow & Log all incoming
/sbin/ipfw add allow log tcp from any to any 22 in via ed0 setup

# IDENT - Reset incoming connections: answer with a TCP RST rather than
# dropping silently, so servers that probe port 113 typically give up at once
/sbin/ipfw add reset tcp from any to any 113 in via ed0 setup

# NFS - deny and log.  The general incoming-setup deny below would catch
# these as well; this line only makes the hits identifiable in the log.
# For incoming packets `in recv ed0' is the same test as `in via ed0'.
/sbin/ipfw add deny log tcp from any to any 2049 in recv ed0

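# ICQ - The client opens the session to port 5190; the server's replies
# carry ACK and are accepted by the `established' rule above, so no rule
# matching on *source* port 5190 is needed.  The former
# `from any 5190 to any via ed0' rule accepted any TCP segment, SYNs
# included, whose source port happened to be 5190, ahead of the
# deny-incoming-setup rule below.
/sbin/ipfw add allow tcp from any to any 5190 via ed0 setup

# MSN Messenger - connection setup towards the service ports, in either
# direction across the outside interface.  The `from any 6901 to any' and
# `from any 6891-6900 to any' source-port rules are dropped for the same
# reason as ICQ's; `setup' is added so only connection attempts match here
# (later segments are covered by `established').
# NOTE(review): an inside client only receives the incoming sessions if
# natd(8) is run with a -redirect_port mapping for these ports; without
# one the packets are delivered to the firewall host itself, which may be
# why the clients still fail even with the ports opened.
/sbin/ipfw add allow tcp from any to any 6901 via ed0 setup
/sbin/ipfw add allow tcp from any to any 7801-7825 via ed0 setup
/sbin/ipfw add allow tcp from any to any 6891-6900 via ed0 setup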

# X Servers - deny and log incoming connections to the X display ports.
# The general deny below would catch them too; this line only makes the
# hits identifiable in the log.
/sbin/ipfw add deny log tcp from any to any 6000-6010 in recv ed0

# Reject&Log all setup of incoming connections from the outside.
# This is the rule that makes the box a firewall: any TCP connection
# attempt arriving on ed0 that was not explicitly allowed above is dropped
# and logged here.  Any rule placed above it that lacks an `in' or `setup'
# qualifier is evaluated first and so bypasses it.
/sbin/ipfw add deny log tcp from any to any in via ed0 setup

# Allow setup of any other TCP connection: whatever reaches this rule is
# either outgoing or on the inside interface.
/sbin/ipfw add allow tcp from any to any setup


### UDP RULES

# DNS - Allow queries out in the world.  There is no UDP equivalent of the
# TCP `established' rule in this ruleset, so the replies from the two
# resolvers need rules of their own (second loop).  Note that those reply
# rules accept any datagram from the resolvers' port 53 to any port here.
for resolver in 203.172.11.21 203.172.11.25; do
	/sbin/ipfw add allow udp from any to ${resolver} 53
done
for resolver in 203.172.11.21 203.172.11.25; do
	/sbin/ipfw add allow udp from ${resolver} 53 to any
done

# SMB - Allow local traffic: NetBIOS name/datagram/session ports on the
# inside interface only (the outside interface gets the deny+log rule
# numbered 64000 below)
/sbin/ipfw add allow udp from any to any 137-139 via rl0

# SYSLOG - Allow machines on inside net to log to us.  Because of `log',
# ipfw itself also records every matching datagram.
/sbin/ipfw add allow log udp from any to any 514 via rl0

# NTP - Allow queries out in the world: port 123 to port 123 on the
# outside interface, and either direction on the inside one.
/sbin/ipfw add allow udp from any 123 to any 123 via ed0
/sbin/ipfw add allow udp from any 123 to any via rl0
/sbin/ipfw add allow udp from any to any 123 via rl0

# MSN Messenger - voice/video ports, both directions across the outside
# interface.  The first three rules match on the destination port, the
# last three on the source port (the reply direction: UDP has no
# `established' equivalent here, so replies need their own rules).
# Being source-port matches with no destination constraint, the last
# three also accept any datagram from outside whose source port is 6801,
# 6901 or 2001-2120, whatever port it is aimed at.
# NOTE(review): if this ipfw supports `keep-state', a stateful rule for
# the outgoing side would replace the three source-port rules and close
# that gap -- confirm against ipfw(8) on this release.  As with the TCP
# rules, an inside client only sees the incoming side if natd(8)
# redirects these ports to it.
/sbin/ipfw add allow udp from any to any 6801 via ed0
/sbin/ipfw add allow udp from any to any 6901 via ed0
/sbin/ipfw add allow udp from any to any 2001-2120 via ed0
/sbin/ipfw add allow udp from any 6801 to any via ed0
/sbin/ipfw add allow udp from any 6901 to any via ed0
/sbin/ipfw add allow udp from any 2001-2120 to any via ed0

# NFS - deny and log.  The catch-all deny numbered 65000 below would
# catch these too; this line only makes the hits identifiable in the log.
/sbin/ipfw add deny log udp from any to any 2049 in recv ed0

# TRACEROUTE - Allow outgoing probes; the ICMP errors they elicit are
# let back in by the ICMP rules below (types 3 and 11).
/sbin/ipfw add allow udp from any to any 33434-33523 out via ed0


### ICMP RULES

# ICMP packets
# Allow all ICMP packets on internal interface
/sbin/ipfw add allow icmp from any to any via rl0

# Allow outgoing pings: echo request (type 8) out, echo reply (type 0) in.
# The reply rule is stateless, so any echo reply arriving on ed0 is
# accepted whether or not a request was sent.
/sbin/ipfw add allow icmp from any to any icmptypes 8 out via ed0
/sbin/ipfw add allow icmp from any to any icmptypes 0 in via ed0

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
# (types 3, 4, 11, 12).  Type 3 is what path-MTU discovery and the
# traceroute rule above depend on; do not tighten this one casually.
/sbin/ipfw add allow icmp from any to any icmptypes 3,4,11,12 via ed0

# Deny the rest of them -- silently, unlike the logged TCP/UDP catch-alls
/sbin/ipfw add deny icmp from any to any


### MISCELLANEOUS REJECT RULES
# These carry explicit high numbers so they sort after every auto-numbered
# rule above and before the kernel's default rule (65535).

# Reject broadcasts from outside interface: the address:mask form matches
# any destination whose last octet is 255.
/sbin/ipfw add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ed0

# Reject&Log SMB connections on outside interface.  The 137-139 probes
# that show up in the security log are most likely hits on this rule,
# i.e. traffic that is being dropped as intended.
/sbin/ipfw add 64000 deny log udp from any to any 137-139 via ed0

# Reject&Log all other connections from outside interface
/sbin/ipfw add 65000 deny log ip from any to any via ed0

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file. 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message



