Can I make this simple ipfw ruleset any more restrictive ?
John-Mark Gurney
jmg at funkthat.com
Tue Sep 9 23:50:44 UTC 2014
John Case wrote this message on Tue, Sep 09, 2014 at 23:37 +0000:
>
> I have a very simple firewall - it *blocks everything*, and the only
> traffic that is allowed is for internal clients to make outbound
> connections to tcp port 40.
>
> Also, internal clients can ping/traceroute.
>
> But that's it - no other connections in or out are allowed. I have this
> ruleset and it is working perfectly:
>
> ipfw add 10 allow tcp from any to any established
> ipfw add 20 allow icmp from any to any icmptypes 0,3,8,11
> ipfw add 30 allow udp from any to any 33433-33499 in via fxp1
> ipfw add 40 allow tcp from any to any 40 in via fxp1
>
> (fxp1 is the internal interface, and so I allow the port 40 connections
> and the udp for traceroute only for requests that come in from the
> internal network)
>
> Is there anything I have screwed up here ? Any unintentional traffic that
> I am letting through ?
>
> Is there any way to lock this down further, and make it even more strict ?
You could lock down the UDP ports to a single one and remember to use
-e with traceroute:

     -e      Firewall evasion mode.  Use fixed destination ports for UDP and
             TCP probes.  The destination port does NOT increment with each
             packet sent.
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
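To make the reply's suggestion concrete, here is an added example (not code from the thread, not part of ipfw or FreeBSD) that models the quoted ruleset as a first-match evaluator and compares it with the tightened variant that restricts the traceroute UDP range to a single fixed port. It is a simplified simulation of ipfw semantics covering only the options the ruleset uses (protocol, destination port, icmptypes, "in via <iface>", and "established", which per ipfw(8) matches TCP packets with the ACK or RST bit set), with a default deny. The fixed port 33434, the external interface name fxp0, and the sample packets are assumptions constructed for the example.

```python
# Added example: a tiny first-match model of the ipfw ruleset from the thread,
# used to compare the original rules with the tightened variant (one fixed
# UDP port for "traceroute -e"). This is a simulation, not ipfw itself, and
# only models the options the ruleset uses. Default policy is deny.

from dataclasses import dataclass, field


@dataclass
class Rule:
    number: int
    proto: str                                   # "tcp", "udp", "icmp" or "ip" (any)
    dst_ports: set = field(default_factory=set)  # empty = any destination port
    icmptypes: set = field(default_factory=set)  # empty = any ICMP type
    direction: str = None                        # "in", "out" or None for both
    via: str = None                              # interface name or None for any
    established: bool = False                    # TCP with ACK or RST set (ipfw(8))


@dataclass
class Packet:
    proto: str
    dst_port: int = 0
    icmptype: int = -1
    direction: str = "in"
    iface: str = "fxp0"                          # assumed external interface name
    tcp_flags: set = field(default_factory=set)  # e.g. {"SYN"} or {"ACK"}


def matches(rule, pkt):
    """Return True when every option on the rule matches the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_ports and pkt.dst_port not in rule.dst_ports:
        return False
    if rule.icmptypes and pkt.icmptype not in rule.icmptypes:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.via and rule.via != pkt.iface:
        return False
    if rule.established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(ruleset, pkt):
    """First matching allow rule wins; no match falls through to the default deny."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if matches(rule, pkt):
            return "allow", rule.number
    return "deny", 65535


# Constructed from the ruleset quoted in the thread (fxp1 = internal interface).
ORIGINAL = [
    Rule(10, "tcp", established=True),
    Rule(20, "icmp", icmptypes={0, 3, 8, 11}),
    Rule(30, "udp", dst_ports=set(range(33433, 33500)), direction="in", via="fxp1"),
    Rule(40, "tcp", dst_ports={40}, direction="in", via="fxp1"),
]

# The tightened variant from the reply: a single fixed UDP port for traceroute -e.
# 33434 (traceroute's usual starting port) is an assumption made for this example.
TIGHTENED = [
    Rule(10, "tcp", established=True),
    Rule(20, "icmp", icmptypes={0, 3, 8, 11}),
    Rule(30, "udp", dst_ports={33434}, direction="in", via="fxp1"),
    Rule(40, "tcp", dst_ports={40}, direction="in", via="fxp1"),
]

if __name__ == "__main__":
    # Constructed sample: a UDP probe to a port inside the old range but not the fixed one.
    probe = Packet("udp", dst_port=33450, direction="in", iface="fxp1")
    print("original :", evaluate(ORIGINAL, probe))
    print("tightened:", evaluate(TIGHTENED, probe))
```

Running it shows the same internal UDP probe to port 33450 allowed by rule 30 under the original ruleset and denied under the tightened one, while a probe to the single fixed port and the port-40 TCP connections still pass; that is the whole effect of the change, and anything else the evaluator allows or denies is unchanged between the two.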
More information about the freebsd-net mailing list