Date:      Mon, 18 Dec 2006 04:29:06 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: ipfw rules
Message-ID:  <20061218022906.GC2552@kobe.laptop>
In-Reply-To: <20061216170123.GA962@jurjenm.stack.nl>
References:  <20061216170123.GA962@jurjenm.stack.nl>

On 2006-12-16 18:01, Jurjen Middendorp <jurjenm@stack.nl> wrote:
> I posted this to the freebsd-security list, but I believe that is not
> the right list for this question (sorry! this is my first message to
> the freebsd mailing-lists). I hope this is the right list! :) anyway:
> 
> I tried making a firewall for my laptop, but I'm not sure if I forgot
> anything. And things can always be done better :)

> #to stack (student computer thing... e-mail, irc, ssh stuff)
> $cmd 020 allow all from me to 131.155.140.141/16 via $oif $ks
> 
> #allow ssh
> $cmd 021 allow all from me to any 22 out via $oif setup $ks
> 
> #internet sites:
> $cmd 032 allow tcp from me to any 80 out via $oif setup $ks
> #https
> $cmd 033 allow tcp from me to any 443 out via $oif setup $ks
> #gopher
> $cmd 034 allow tcp from me to any 70 out via $oif setup $ks
> 
> #other e-mail
> #pop
> $cmd 040 allow tcp from me to any 110 out via $oif setup $ks
> #imap
> $cmd 041 allow tcp from me to any 143 out via $oif setup $ks
> 
> #allow dns queries
> $cmd 050 allow udp from me to any 53 out via $oif $ks
> #allow ntp (?) queries
> $cmd 051 allow udp from me to any 123 out via $oif $ks
> 
> #i can send icmp myself
> $cmd 060 allow icmp from me to any out via $oif $ks
> #but others can't
> $cmd 061 deny icmp from any to me
> 
> #
> #root can do anything
> $cmd 070 allow tcp from me to any out via $oif setup $ks uid root
> 
> #log other outgoing packets
> $cmd 071 deny log all from any to any out via $oif
> 
> ####
> #  Incoming
> 
> #The default is that all other connections will be blocked anyway, but 
> # the more stuff i put in here, the less stuff will get logged
> 
> #deny incoming to private networks
> $cmd 100 deny all from 192.168.0.0/16 to any in via $oif   #RFC 1918
> $cmd 101 deny all from 172.16.0.0/12 to any in via $oif    #RFC 1918
> $cmd 105 deny all from 169.254.0.0/16 to any in via $oif   #DHCP auto
> $cmd 106 deny all from 192.0.2.0/24 to any in via $oif     #reserved
> $cmd 108 deny all from 224.0.0.0/3 to any in via $oif      #D & E class
>                                                            # multicast
> #block smb stuff
> $cmd 120 deny tcp from any to me 137 in via $oif
> $cmd 121 deny tcp from any to me 138 in via $oif
> $cmd 122 deny tcp from any to me 139 in via $oif
> 
> #log ACK packets that didn't match the dynamic ruleset
> $cmd 130 deny log all from any to any established in via $oif
> 
> #Now log some stuff in case I did something wrong
> $cmd 999 deny log all from any to me

It's a fairly complex ruleset, but it seems mostly ok.  There are
a few things I'd change, mostly resulting from my own personal
preferences:

  * I don't like hard-coding rule numbers in IPFW rulesets.

  * I like using 127.0.0.1/32 instead of any for loopback interfaces.

  * In general, I prefer much simpler rulesets.

  * I try to avoid a lot of variables/macros, like your $ks, since they
    don't really keep things a lot shorter, and when they do they try to
    abstract away too much of ipfw's syntax.

  * I don't aggressively filter out ICMP packets.  They are useful for a
    lot of things, they are rate-limited by the kernel, and it is
    usually silly to block them without a fair amount of knowledge and a
    very good reason.

  * I don't deny packets for 'private' networks, like 192.168.0.0/26
    because the networks I use with my laptop *ARE* private a lot of the
    time.  Having the firewall block too much and cause me problems is
    rarely a good way of spending my time.

I would probably start with something like:

:   flush="ipfw -q flush"
:   add="ipfw -q add"
:
:   oif="ath0"
:
:   $flush
:   $add allow all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
:   $add deny  all from 127.0.0.1/32 to any
:   $add deny  all from any          to 127.0.0.1/32
:
:   $add allow icmp from any to any
:
:   $add check-state
:
:   # Allow all outgoing connections.
:   $add allow all from any to any out via $oif setup keep-state
:
:   # Allow *some* incoming connections (only SSH right now).
:   $add allow all from any to any 22 in via $oif setup keep-state
:
:   # Block everything else.
:   $add deny log all from any to any

That's pretty minimal, and you can build on top of it :-)

If you are using DHCP to get an address for your laptop, you may have to
also allow incoming packets from "any" to "255.255.255.255", destined
for UDP port 68, which would make your ruleset:

:   flush="ipfw -q flush"
:   add="ipfw -q add"
:
:   oif="ath0"
:
:   $flush
:   $add allow all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
:   $add deny  all from 127.0.0.1/32 to any
:   $add deny  all from any          to 127.0.0.1/32
:
:   $add allow icmp from any to any
:
:   $add check-state
:
:   # Allow all outgoing connections.
:   $add allow all from any to any out via $oif setup keep-state
:
:   # Allow *some* incoming stuff (only DHCP and SSH right now).
:   $add allow udp from any to 255.255.255.255 68 in via $oif
:   $add allow all from any to any 22 in via $oif setup keep-state
:
:   # Block everything else.
:   $add deny log all from any to any
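To make the behaviour of the minimal ruleset above concrete, here is an added example that is not part of the thread: a small first-match simulator, written for this page rather than taken from ipfw or from the reply's author. It parses the reply's rules as written (interface ath0 as in the reply; the laptop, gateway and web-server addresses are constructed sample values), then pushes a handful of constructed packets through both the minimal ruleset and the variant with the DHCP rule. It models the three things the ruleset relies on: first match wins, `setup` is shorthand for `tcpflags syn,!ack` and therefore only matches TCP SYNs, and `keep-state` plus `check-state` let the reply packets of an outgoing connection back in. Running it shows why the DHCP rule is needed for a DHCP-configured laptop, and also that a UDP DNS query does not match the `setup keep-state` outgoing rule, which is worth checking before building on the minimal set.

```python
"""Constructed first-match simulator for the reply's minimal ipfw ruleset
(not ipfw itself): first match wins, 'setup' matches only TCP SYN-without-ACK,
'keep-state' records a flow, 'check-state' accepts packets of recorded flows."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses: laptop, gateway/DHCP server, a remote web host.
LAPTOP, GATEWAY, WEB = "10.0.0.5", "10.0.0.1", "198.51.100.10"

# The reply's minimal ruleset, without the 'ipfw -q add' prefix.
MINIMAL = """
allow all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
deny  all from 127.0.0.1/32 to any
deny  all from any          to 127.0.0.1/32
allow icmp from any to any
check-state
allow all from any to any out via ath0 setup keep-state
allow all from any to any 22 in via ath0 setup keep-state
deny log all from any to any
"""
# The same ruleset with the DHCP rule the reply adds for DHCP-configured laptops.
WITH_DHCP = MINIMAL.replace("allow all from any to any 22 in",
    "allow udp from any to 255.255.255.255 68 in via ath0\nallow all from any to any 22 in")

@dataclass
class Packet:
    proto: str; src: str; dst: str           # "tcp"/"udp"/"icmp", IPv4 addresses
    sport: int = 0; dport: int = 0
    direction: str = "in"; iface: str = "ath0"
    syn: bool = False; ack: bool = False

def parse_rule(line):
    """Parse the subset of ipfw rule syntax used in the reply into a dict."""
    t = line.split()
    if t[0] == "check-state":
        return {"action": "check-state"}
    i = 2 if t[1] == "log" else 1                    # 'log' does not affect matching
    assert t[i + 1] == "from" and t[i + 3] == "to", line
    r = {"action": t[0], "proto": t[i], "src": t[i + 2], "dst": t[i + 4],
         "dport": None, "dir": None, "iface": None, "setup": False, "keep": False}
    opts = iter(t[i + 5:])
    for o in opts:
        if o.isdigit():          r["dport"] = int(o)  # a port after 'to dst' is the dst port
        elif o in ("in", "out"): r["dir"] = o
        elif o == "via":         r["iface"] = next(opts)
        elif o == "setup":       r["setup"] = True
        elif o == "keep-state":  r["keep"] = True
        else: raise ValueError(f"unsupported token {o!r} in {line!r}")
    return r

def in_net(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def rule_matches(r, p):
    if r["proto"] != "all" and r["proto"] != p.proto: return False
    if not (in_net(r["src"], p.src) and in_net(r["dst"], p.dst)): return False
    if r["dport"] is not None and r["dport"] != p.dport: return False
    if r["dir"] and r["dir"] != p.direction: return False
    if r["iface"] and r["iface"] != p.iface: return False
    # 'setup' is shorthand for 'tcpflags syn,!ack', so it can only match TCP.
    if r["setup"] and not (p.proto == "tcp" and p.syn and not p.ack): return False
    return True

class Firewall:
    def __init__(self, ruleset_text):
        self.rules = [parse_rule(l) for l in ruleset_text.strip().splitlines()]
        self.state = set()           # dynamic entries, stored in both directions

    def evaluate(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for r in self.rules:
            if r["action"] == "check-state":
                if fwd in self.state:
                    return "allow"
                continue
            if rule_matches(r, p):
                if r["keep"]:
                    self.state.update((fwd, rev))
                return r["action"]
        return "deny"                # not reached here: the ruleset ends in 'deny all'

def scenarios(ruleset_text):
    """Run constructed sample packets through a ruleset; returns {name: verdict}."""
    fw = Firewall(ruleset_text)
    cases = [
        ("http_out_syn",   Packet("tcp", LAPTOP, WEB, 40000, 80, "out", syn=True)),
        ("http_reply_in",  Packet("tcp", WEB, LAPTOP, 80, 40000, "in", syn=True, ack=True)),
        ("unsolicited_80", Packet("tcp", WEB, LAPTOP, 50000, 80, "in", syn=True)),
        ("ssh_in_syn",     Packet("tcp", WEB, LAPTOP, 50001, 22, "in", syn=True)),
        ("dhcp_offer_in",  Packet("udp", GATEWAY, "255.255.255.255", 67, 68, "in")),
        ("dns_out_query",  Packet("udp", LAPTOP, GATEWAY, 51000, 53, "out")),
        ("icmp_in",        Packet("icmp", WEB, LAPTOP)),
    ]
    return {name: fw.evaluate(pkt) for name, pkt in cases}
```

`scenarios(MINIMAL)` lets the outgoing HTTP SYN and its SYN/ACK reply through (the first via the `setup keep-state` rule, the second via `check-state`), allows the inbound SSH SYN and ICMP, and denies the unsolicited SYN to port 80, the DHCP offer and the outgoing UDP DNS query; `scenarios(WITH_DHCP)` differs only in allowing the DHCP offer. The order of the cases matters, since the reply packet can only match `check-state` after the outgoing SYN has created the dynamic entry.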



