RFC: my firewall ruleset(s)

Eric F Crist ecrist at secure-computing.net
Sun Oct 23 09:27:25 PDT 2005


On Oct 23, 2005, at 11:12 AM, Chuck Swiger wrote:


> Eric F Crist wrote:
>
>
>> Hey all.  I'm relatively new to shell scripting and I'm looking
>> for some comments on my firewall script.
>> Comments on either the ipfw rules themselves or on my scripting
>> lack of ability would be appreciated.
>>
>>
>
> Ugh.  :-)  IPFW knows how to increment rule numbers all by itself;  
> you can get rid of the "rulenum1=`expr $rulenum1 + 50`" stuff.
>
>

I do this so that I have sufficient space between rules for my own  
sanity.  By default, IPFW numbers rules that increment by 1.  I have  
a need on occasion to add or remove a rule on the fly.  Perhaps there  
is a better way?


> The breakdown of sh functions like setup_loopback, setup_keepstate,  
> setup_ntp is fine if you want to play with shell scripts, but it  
> scatters your IPFW rules into different places.  I'd rather see  
> something that closely resembles what "ipfw list" gives you.
>
>

The reasoning behind this is so I have a single firewall script for  
all of my servers. At some point in the very near future, there will  
be a cron job on each server that pulls the current script from a  
central source.  Depending on the rc.conf entries on that server, the  
firewall script will be executed accordingly.  This allows me to edit  
one script and have it apply to multiple systems.  I'm calling the  
functions for basic components, rather than writing the whole thing  
out each time.


> You could chain several ports together into a list rather than  
> listing them all separately as individual rules, IPFW will end up  
> doing less work.
>

Is this a 'good' way to do things?  The server in this instance has  
really nothing else to do, save serving up a couple of websites with low  
traffic.


>
> You have anti-spoofing for the loopback, lo0 interface, but not for  
> your other interfaces.  You should add anti-spoofing rules, and  
> also block strict and loose source routing [1]:
>
>

Point taken.  I pulled those rules from the default script that ships  
with FreeBSD.  I did a brief google search on the strict and loose  
source routing.  Can you share more information?


> # Stop strict and loose source routing
> add deny log all from any to any ipoptions ssrr
> add deny log all from any to any ipoptions lsrr
>


> You should give some thought to ICMP filtering.  Consider something  
> like:
>
> add allow icmp from any to any icmptypes 0,3,4,8,11,12
>
>

This was simply forgotten.  Thanks!


> You should use the log command more when developing a ruleset, to  
> see what traffic you are blocking or permitting, until you've  
> gotten your rules and network finalized.
>
>

Is there a way to direct different rules to different facilities or  
log files?  This is the primary reason I have not enabled logging more.


> -- 
> -Chuck
>
> [1]: This is known to hackers as the "how to go through a firewall  
> as if it wasn't there" IP option if you don't block these.  :-)
>


Thanks for the great input!  I'll work further to develop my script.   
Part of my reason for getting so involved with the shell scripting on  
this ruleset is so that I have an actual project with a purpose in  
front of me to develop my scripting abilities.


_______________________________________________________
Eric F Crist                  "I am so smart, S.M.R.T!"
Secure Computing Networks              -Homer J Simpson




More information about the freebsd-questions mailing list