New IPFW Setup.

Giorgos Keramidas keramida at ceid.upatras.gr
Wed Dec 29 14:22:20 PST 2004


On 2004-12-29 07:02, Grant Peel <gpeel at thenetnow.com> wrote:
> I have recently activated ipfw on 5 of my production servers.
> All servers are Apache, Exim or Sendmail, MySQL, vm-pop3d, ProFTPD
> enabled. All servers have multiple domains and UNIX users, though, by
> default, we do not supply shell accounts.
>
> Here is the ruleset I currently use on all the servers. I would like
> nothing more than to tighten them up a bit, if possible, considering
> the environment they are used in (Internet).

Please don't mail freebsd-ipfw with questions about ipfw usage.

The freebsd-ipfw list is meant to be a discussion board for developers
of ipfw.  AFAIK, it should be limited to the technical details of
implementing IPFW, not usage questions.

> Please feel free to browse and send me any comments, critiques you may
> have on the ruleset below.
>
> 00010 allow ip from any to any via lo0
>       # LAN access ... Is behind a managed switch, VLAN setup.
> 00020 allow ip from any to any via fxp1
> 00030 check-state
>       # Allow me in via ssh ... I hope!
> 00040 allow tcp from N.N.N.N to me 22 keep-state setup
>       # An nfs mount
> 00050 allow ip from any to 192.168.0.6
> 00060 allow ip from 192.168.0.6 to any
> 00070 allow icmp from any to any icmptype 0,3,4,8,11,12
> 00100 allow ip from any to any keep-state out
> 00110 allow tcp from any to any 20,21 keep-state setup
> 00120 allow tcp from any to any 25,110 keep-state setup
> 00130 allow tcp from any to any 53 keep-state setup
> 00140 allow udp from any to any 53 keep-state
> 00150 allow tcp from any to any 80,110,443 keep-state setup
>       # Webmin and Usermin.
> 00160 allow tcp from any to any 10000,20000 keep-state setup
>       # ftp ports.
>       # Seems to negate a lot of the firewall ???
> 00170 allow tcp from any to any 1024-65534 in setup
> 65534 deny log ip from any to any
> 65535 deny ip from any to any
>
> Of special concern to me is line 170 ... added to allow ftp. Any ideas
> here?

1. Just don't.  This way any service loaded in a non-privileged port
will not be protected at all by your firewall.

2. Rules 50 and 60 are not really necessary if fxp1 is the interface of
the private network.

3. Rule 70 is also not a good idea:

	00070 allow icmp from any to any icmptype 0,3,4,8,11,12

There is no reason to block any sort of icmp packets when you can
rate-limit them all:

    # sysctl -a | grep icmplim
    net.inet.icmp.icmplim: 200
    net.inet.icmp.icmplim_output: 1

4. Rule 110 is wrong.  You don't need to enable connections TO port 20
for FTP to work.  To allow active FTP connections (as opposed to
'passive') you need something like this:

    allow tcp from any 20 to any 1024-65535 in setup keep-state
    allow tcp from any    to any 21         in setup keep-state

It is the _source_ port of active FTP connections that is 20, not the
destination.

<bofh>
Having said that, it's probably a bad idea to allow active FTP at all.
I usually disable FTP and teach everyone to use SCP instead :-)
</bofh>

5. Rules 120 and 150 have a duplicate check for port number 110.  One of
the two should go away.

6. You can simplify the ruleset a lot by joining rules that are almost
identical, differing only in the port numbers they allow to pass
through.  Rules 110, 120, 130, and 150 can be just one rule.  Rules for
outgoing connections and other stuff that doesn't need a lot of handling
(i.e. port number or port-range matching) should be moved upwards as
much as possible.

:           # Allow anything over the loopback interface.
: add    10 allow ip from any to any via lo0
:
:           # Allow anything over the internal LAN network.
: add    20 allow ip from any to any via fxp1
:
:           # Allow all incoming ICMP messages.
:           # They are rate limited by setting net.inet.icmp.icmplim
: add    21 allow icmp from any to any icmptype 0,3,4,8,11,12
:
:           # Enable stateful filtering for the rest of the ruleset.
: add    30 check-state
:
:           # Allow all outgoing TCP connections as soon as possible.
: add    40 allow tcp from any to any out setup keep-state
:
:           # Let DNS work, but block all other UDP stuff.
:           # (ipfw has no 'block' action; the action is 'deny'.)
: add    50 allow udp from any to any 53 out keep-state
: add    51 deny udp from any to any
:
:           # Allow incoming SSH from known host(s) only.
: add    60 allow tcp from N.N.N.N to me 22 keep-state setup
:
:           # Allow incoming FTP, SMTP, HTTP, POP, HTTPS and webmin
:           # from everyone.  (10000 and 20000 are the two Webmin/Usermin
:           # ports; a 10000-20000 range would open ten thousand ports.)
: add    70 allow tcp from any to any 21,25,80,110,443,10000,20000 in setup keep-state
:
:           # Default firewall policy: block everything else.
: add 65534 deny log ip from any to any

Having a smaller set of rules means less stuff to match against, which
will usually result in faster operation.  The reduction of the ruleset
size is about 70%, which may make a bit of difference, but you shouldn't
be able to notice it until you hit really high loads.

Allowing Webmin and FTP from everyone in the world is not a good idea,
but I didn't want to cut down functionality that you probably depend
upon right now.  Consider disabling these two some time in the future,
though.

- Giorgos
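As an added example (not part of the original mail or of ipfw itself), a small Python linter that reads the quoted ruleset and flags the three issues raised in the reply: the broad inbound port range of rule 170, the duplicate port 110 check in rules 120/150, and the destination-port-20 FTP rule. The `ports` and `lint` functions and the trimmed sample ruleset are my constructions.

```python
import re

# Constructed input: the poster's TCP/UDP rules from this thread (comments
# and non-TCP/UDP rules dropped; the linter ignores those anyway).
RULESET = """\
00040 allow tcp from N.N.N.N to me 22 keep-state setup
00110 allow tcp from any to any 20,21 keep-state setup
00120 allow tcp from any to any 25,110 keep-state setup
00130 allow tcp from any to any 53 keep-state setup
00140 allow udp from any to any 53 keep-state
00150 allow tcp from any to any 80,110,443 keep-state setup
00160 allow tcp from any to any 10000,20000 keep-state setup
00170 allow tcp from any to any 1024-65534 in setup
65534 deny log ip from any to any
"""
# Matches 'NNNNN allow tcp|udp from SRC [SPORTS] to DST [DPORTS] REST'.
RULE = re.compile(
    r"^(\d+)\s+allow\s+(tcp|udp)\s+from\s+(\S+)(?:\s+(\d[\d,-]*))?"
    r"\s+to\s+(\S+)(?:\s+(\d[\d,-]*))?(.*)$")

def ports(spec):
    """Expand an ipfw port list such as '20,21' or '1024-65534' into a set."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def lint(text):
    """Return (rule number, message) pairs for the issues raised in the reply."""
    findings, seen = [], {}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m or m.group(6) is None:
            continue
        num, proto, src, sport, _dst, dport, rest = m.groups()
        dports, bucket = ports(dport), seen.setdefault(proto, {})
        # Inbound allow of a large port range from anywhere leaves every
        # service on an unprivileged port unprotected (rule 170 above).
        if src == "any" and sport is None and len(dports) > 1000 and "out" not in rest.split():
            findings.append((num, "broad inbound allow: %d ports from any" % len(dports)))
        # Active FTP data connections come *from* port 20; destination 20 is wrong.
        if proto == "tcp" and 20 in dports:
            findings.append((num, "FTP data uses source port 20, not destination 20"))
        # A destination port already allowed by an earlier rule is a redundant check.
        for p in sorted(dports & set(bucket)):
            findings.append((num, "port %d already allowed by rule %s" % (p, bucket[p])))
        for p in dports:
            bucket.setdefault(p, num)
    return findings
```

Running `lint(RULESET)` reports rules 110, 150 and 170; the merged rule 70 from the reply produces no findings.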
