Date:      Fri, 23 May 2014 22:57:33 -0700
From:      Lucius Rizzo <Lucius.Rizzo@the.ie>
To:        David Noel <david.i.noel@gmail.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: What is your favourite/best firewall on FreeBSD and why?
Message-ID:  <20140524055733.GA69376@The.ie>
In-Reply-To: <CAHAXwYCi+qRmCfY1FKCXXvnxDQW-Xn113yv-dLTBaC04Th9r6Q@mail.gmail.com>
References:  <20140520070926.GA92183@The.ie> <CAHAXwYAZzFdqsEjA3xApZXaSZHaJR2R8XHds_aZDBcaRCGxNpQ@mail.gmail.com> <CAHAXwYCi+qRmCfY1FKCXXvnxDQW-Xn113yv-dLTBaC04Th9r6Q@mail.gmail.com>


* David Noel <david.i.noel@gmail.com> [2014-05-24 00:31]:
> On 5/23/14, David Noel <david.i.noel@gmail.com> wrote:
> > On 5/20/14, Lucius Rizzo <Lucius.Rizzo@the.ie> wrote:
> >> If you use any of the firewalls, and have interesting
> >> or even optimized rule sets, I would really like to see them :)
> >
> > I'll post them shortly.
> >
> 
> Let me know if I missed anything.

Thank you! This actually helps. I have a set of IPFilter rules that I
plunk on my FreeBSD servers running in the cloud. I use IPFilter with
sshguard-ipfilter. (See attached.)

Seems like consensus is that pf is perhaps the best choice moving forward.

-- 

|     _o    _ |_)o_ _  _
|_|_|(_||_|_> | \|/_/_(_) - Lucius.Tel
--------------------------------------
++ Your digestive system is your body's Fun House, whereby food goes on a long, ++
++ dark, scary ride, taking all kinds of unexpected twists and turns, being ++
++ attacked by vicious secretions along the way, and not knowing until the last ++
++ minute whether it will be turned into a useful body part or ejected into the ++
++ Dark Hole by Mister Sphincter.  We Americans live in a nation where the ++
++ medical-care system is second to none in the world, unless you count maybe ++
++ 25 or 30 little scuzzball countries like Scotland that we could vaporize in ++
++ seconds if we felt like it. ++
++  		-- Dave Barry, "Stay Fit & Healthy Until You're Dead" ++

Attachment: ipf.rules

# Defaults: everything may leave; inbound is passed unless a later rule says
# otherwise (IPFilter is last-match, except where a rule is marked quick).
pass out quick from any to any
pass in from any to any
# Drop ICMP redirects, short fragments and packets carrying IP options.
block in log quick on vtnet0 proto icmp from any to any icmp-type redir
block in log quick on vtnet0 proto tcp/udp all with short
block in log quick on vtnet0 from any to any with ipopts
# Anti-spoofing: private, loopback, unspecified and broadcast sources must
# not arrive on the external interface.
block in log quick on vtnet0 from 192.168.4.0/24 to any
block in log quick on vtnet0 from localhost to any
block in log quick on vtnet0 from 0.0.0.0/32 to any
block in log quick on vtnet0 from 255.255.255.255/32 to any
#
# UDP: blocked by default, with portmapper and NFS probes logged; DNS, talk
# and ntalk are the only inbound UDP services allowed.
block in on vtnet0 proto udp from any to any
block in log on vtnet0 proto udp from any to any port = sunrpc
block in log on vtnet0 proto udp from any to any port = 2049
pass in on vtnet0 proto udp from any to any port = domain
pass in on vtnet0 proto udp from any to any port = talk
pass in on vtnet0 proto udp from any to any port = ntalk
#
# TCP: new connections (SYN without ACK) are refused with a RST and logged;
# ident (auth) probes are refused without logging.
block return-rst in log on vtnet0 proto tcp from any to any flags S/SA
block return-rst in on vtnet0 proto tcp from any to any port = auth flags S/SA
# High ports strictly between 1024 and 5000, including FTP data connections
# (the second rule covers active-mode data arriving from a remote ftp-data port).
pass in on vtnet0 proto tcp from any to any port 1024 >< 5000
pass in on vtnet0 proto tcp from any port = ftp-data to any port 1024 >< 5000
# Public services; quick, so nothing after these rules is consulted for them.
pass in quick from any to any port = smtp
pass in quick from any to any port = www
pass in quick from any to any port = ssh
pass in quick from any to any port = 443

##sshguard-begin##
block in quick proto tcp from 61.19.247.185 to any
block in quick proto tcp from 220.177.198.62 to any
block in quick proto tcp from 211.234.100.203 to any
block in quick proto tcp from 112.220.198.102 to any
block in quick proto tcp from 61.174.49.104 to any
block in quick proto tcp from 112.206.228.98 to any
block in quick proto tcp from 220.177.198.51 to any
##sshguard-end##

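The attached rule set depends on IPFilter's evaluation order: the last matching rule decides, except that a matching `quick` rule ends the search. What follows is an added example, not part of the message or of IPFilter itself: a small Python model of that evaluation over a constructed subset of the rules above (the `flags`, `with`, `icmp-type` and hostname rules are left out, so TCP is more permissive in the model than in the real file; the packet fields and the 203.0.113.10 host address are assumptions). It answers questions like "which rule decides an inbound UDP/53 packet?" and shows that a block line in the sshguard section, placed after `pass in quick from any to any port = ssh`, is never reached for port 22.

```python
import ipaddress

# Constructed subset of the attached ipf.rules (flags/with/icmp-type rules left out).
RULES = """
pass in from any to any
block in on vtnet0 proto udp from any to any
pass in on vtnet0 proto udp from any to any port = domain
pass in on vtnet0 proto tcp from any to any port 1024 >< 5000
pass in quick from any to any port = ssh
block in quick proto tcp from 61.19.247.185 to any
"""
SERVICES = {"sunrpc": 111, "domain": 53, "ssh": 22, "smtp": 25, "www": 80}

def parse_endpoint(t, i):
    """'addr [port = N | port A >< B]' at token i; 'A >< B' means strictly between."""
    addr = None if t[i] == "any" else ipaddress.ip_network(t[i], strict=False)
    if i + 1 < len(t) and t[i + 1] == "port":
        if t[i + 2] == "=":
            return addr, (SERVICES.get(t[i + 3]) or int(t[i + 3]),) * 2
        return addr, (int(t[i + 2]) + 1, int(t[i + 4]) - 1)
    return addr, None

def parse_rule(line):
    t = line.split()
    rule = {"action": t[0], "dir": "in" if "in" in t else "out", "quick": "quick" in t,
            "iface": t[t.index("on") + 1] if "on" in t else None,
            "proto": t[t.index("proto") + 1].split("/") if "proto" in t else None}
    rule["src"], rule["sport"] = parse_endpoint(t, t.index("from") + 1)
    rule["dst"], rule["dport"] = parse_endpoint(t, t.index("to") + 1)
    return rule

def matches(rule, pkt):
    ok = rule["dir"] == pkt["dir"] and rule["iface"] in (None, pkt["iface"]) \
        and (rule["proto"] is None or pkt["proto"] in rule["proto"])
    for side in ("src", "dst"):  # each endpoint: address within network, port within range
        net, ports, port = rule[side], rule[side[0] + "port"], pkt[side[0] + "port"]
        ok = ok and (net is None or ipaddress.ip_address(pkt[side]) in net) \
            and (ports is None or ports[0] <= port <= ports[1])
    return ok

def decide(rules, pkt):
    """ipf order: last matching rule wins, a matching 'quick' rule ends the search, no match passes."""
    action = "pass"
    for rule in (r for r in rules if matches(r, pkt)):
        action = rule["action"]
        if rule["quick"]:
            break
    return action

RULESET = [parse_rule(line) for line in RULES.strip().splitlines()]
```

Since sshguard only rewrites the lines between its `##sshguard-begin##` and `##sshguard-end##` markers, those markers have to sit above the quick pass rules for its blocks to apply to the public services.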