New to IPFW and would like critique...
From: GLOCK! (glock_perfection_at_hotmail.com)
Date: 10/01/03
- Previous message: mike420_at_ziplip.com: "FreeBSD boots very slowly!!!"
- Next in thread: Lowell Gilbert: "Re: New to IPFW and would like critique..."
- Reply: Lowell Gilbert: "Re: New to IPFW and would like critique..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 01 Oct 2003 03:21:35 GMT
I decided to get rid of my Linksys cable router, so the other night I
replaced it with my FBSD box. It's a dual homed 5.1 system. The firewall
rules are my first attempt with some help from a FAQ. I'm looking for
feedback in regards to the rule setup and also information on how to
implement stateful rules. I think I could cut back a large amount of my
rules by using it. I tried last night but ran out of time...probably sleep
deprivation kicked in and "man ipfw" began to read like Alice in
Wonderland...so I ended up with a non functioning internet connection until
I reverted back to this set of rules.
fxp0 is my outside interface (receives address via DHCP)
fxp1 is my inside interface (statically addressed 192.168.1.1)
Thanks for the help and input.
GLOCK!
titanium# cat rc.firewall
# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
if [ -n "${1}" ]; then
firewall_type="${1}"
fi
# Firewall program
fwcmd="/sbin/ipfw"
# Outside interface network and netmask and ip
oif="fxp0"
onet=`ifconfig fxp0 |grep "inet " |awk '{print $6}'`
omask="255.255.240.0"
oip=`ifconfig fxp0 |grep "inet " |awk '{print $2}'`
# Inside interface network and netmask and ip
iif="fxp1"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.1"
# Endpoints
bb="xxx.xxx.xxx.xxx"
auth01="xxx.xxx.xxx.xxx"
auth02="xxx.xxx.xxx.xxx"
phantom="xxx.xxx.xxx.xxx"
# Flush previous rules
${fwcmd} -f flush
# Allow loopbacks, deny imposters
${fwcmd} add 101 pass all from any to any via lo0
${fwcmd} add 119 deny all from any to 127.0.0.0/8
# Stop spoofing
${fwcmd} add 209 deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add 219 deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets
${fwcmd} add 229 deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add 239 deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add 249 deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add 259 deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add 269 deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add 279 deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add 289 deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add 299 deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add 300 divert natd all from any to any via ${natd_interface}
# Allow established connections with minimal overhead
${fwcmd} add 301 pass tcp from any to any established
# Deny IP fragments
${fwcmd} add 399 deny all from any to any in frag
### TCP RULES
# HTTP - Uncomment to allow access to our web server
#${fwcmd} add 401 pass tcp from any to any 80 setup
# SMTP - Uncomment to allow access to sendmail for incoming e-mail
#${fwcmd} add 411 pass tcp from any to any 25 setup
# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
${fwcmd} add 421 pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add 429 deny log tcp from any to any 21 in via ${oif} setup
# SSH Login - Allow & Log all incoming
${fwcmd} add 431 pass log tcp from any to any 22 in via ${oif} setup
# RDP Login - Allow & Log all incoming
${fwcmd} add 441 pass log tcp from 216.150.131.207 to any 3389 in via ${oif}
# IDENT - Reset incoming connections
${fwcmd} add 459 reset tcp from any to any 113 in via ${oif} setup
# Reject & Log all setup of incoming connections from the outside
${fwcmd} add 469 deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add 471 pass tcp from any to any setup
# Reject & Log all setup of incoming connections from the outside
${fwcmd} add 499 deny log tcp from any to any in via ${oif}
### UDP RULES
# DNS - Allow queries out in the world
${fwcmd} add 501 pass udp from any to any 53 out via ${oif}
${fwcmd} add 502 pass udp from any 53 to any in via ${oif}
${fwcmd} add 503 pass udp from any to any 53 via ${iif}
${fwcmd} add 504 pass udp from any 53 to any via ${iif}
# DHCP - Allow request and reply from OptOnline
${fwcmd} add 511 pass log udp from any 68 to xxx.xxx.xxx.xxx out via ${oif}
${fwcmd} add 512 pass log udp from xxx.xxx.xxx.xxx to any 68 in via ${oif}
# SMB - Allow local traffic
${fwcmd} add 521 pass udp from any to any 137-139 via ${iif}
# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add 531 pass udp from any 514 to any 514 via ${iif}
# NTP - Allow queries out in the world
${fwcmd} add 541 pass udp from ${auth01} 123 to any 123 in via ${oif}
${fwcmd} add 542 pass udp from any to ${auth01} out via ${oif}
${fwcmd} add 543 pass udp from ${auth02} 123 to any 123 in via ${oif}
${fwcmd} add 544 pass udp from any to ${auth02} out via ${oif}
${fwcmd} add 545 pass udp from any 123 to any via ${iif}
${fwcmd} add 546 pass udp from any to any 123 via ${iif}
# TRACEROUTE - Allow outgoing
${fwcmd} add 551 pass udp from any to any 33434-33523 out via ${oif}
# Reject & Log all setup of incoming connection from the outside
${fwcmd} add 599 deny log udp from any to any in via ${oif}
### ICMP RULES
# Allow all ICMP packets on internal interface
${fwcmd} add 601 pass icmp from any to any via ${iif}
# Allow outgoing pings
${fwcmd} add 611 pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add 621 pass icmp from any to any icmptypes 0 in via ${oif}
# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad
Header
${fwcmd} add 621 pass icmp from any to any icmptypes 3,4,11,12 via ${oif}
# Deny the rest of them
${fwcmd} add 699 deny log icmp from any to any via ${oif}
### GRE RULE
# PPTP VPN support
#${fwcmd} add 700 pass gre from any to any
### MISCELLANEOUS REJECT RULES
# Reject broadcasts from outside interface
${fwcmd} add 60009 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}
# Reject&Log SMB connections on outside interface
${fwcmd} add 61009 deny log udp from any to any 137-139 via ${oif}
# Reject&Log all other connections from outside interface
${fwcmd} add 62009 deny log ip from any to any via ${oif}
${fwcmd} add 65309 deny log ip from any to any
# Everything else is denied by default, since the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is not set in the kernel
- Previous message: mike420_at_ziplip.com: "FreeBSD boots very slowly!!!"
- Next in thread: Lowell Gilbert: "Re: New to IPFW and would like critique..."
- Reply: Lowell Gilbert: "Re: New to IPFW and would like critique..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
