RFC: my firewall ruleset(s)
Eric F Crist
ecrist at secure-computing.net
Sun Oct 23 09:27:25 PDT 2005
On Oct 23, 2005, at 11:12 AM, Chuck Swiger wrote:
> Eric F Crist wrote:
>
>
>> Hey all. I'm relatively new to shell scripting and I'm looking
>> for some comments on my firewall script.
>> Comments on either the ipfw rules themselves or on my scripting
>> lack of ability would be appreciated.
>>
>>
>
> Ugh. :-) IPFW knows how to increment rule numbers all by itself;
> you can get rid of the "rulenum1=`expr $rulenum1 + 50`" stuff.
>
>
I do this so that I have sufficient space between rules for my own
sanity. By default, IPFW numbers rules that increment by 1. I have
a need on occasion to add or remove a rule on the fly. Perhaps there
is a better way?
> The breakdown of sh functions like setup_loopback, setup_keepstate,
> setup_ntp is fine if you want to play with shell scripts, but it
> scatters your IPFW rules into different places. I'd rather see
> something that closely resembles what "ipfw list" gives you.
>
>
The reasoning behind this is so I have a single firewall script for
all of my servers. At some point in the very near future, there will
be a cron job on each server the pulls the current script from a
central source. Depending on the rc.conf entries on that server, the
firewall script will be executed accordingly. This allows me to edit
one script and have it apply to multiple systems. I'm calling the
functions for basic components, rather than writing the whole thing
out each time.
> You could chain several ports together into a list rather than
> listing them all seperately as individual rules, IPFW will end up
> doing less work.
>
Is this a 'good' way to do things? The server in this instance has
really nothing else to do, save serving up a couple website with low
traffic.
>
> You have anti-spoofing for the lookback, lo0 interface, but not for
> your other interfaces. You should add anti-spoofing rules, and
> also block strict and loose source routing [1]:
>
>
Point taken. I pulled those rules from the default script that ships
with FreeBSD. I did a brief google search on the strict and loose
source routing. Can you share more information?
> # Stop strict and loose source routing
> add deny log all from any to any ipoptions ssrr
> add deny log all from any to any ipoptions lsrr
>
> You should give some thought to ICMP filtering. Consider something
> like:
>
> add allow icmp from any to any icmptypes 0,3,4,8,11,12
>
>
This was simply forgotten. Thanks!
> You should use the log command more when developing a ruleset, to
> see what traffic you are blocking or permitting, until you've
> gotten your rules and network finalized.
>
>
Is there a way to direct different rules to different facilities or
log files? This is the primary reason I have not enabled logging more.
> --
> -Chuck
>
> [1]: This is known to hackers as the "how to go through a firewall
> as if it wasn't there" IP option if you don't block these. :-)
>
Thanks for the great input! I'll work further to develop my script.
Part of my reason for getting so involved with the shell scripting on
this ruleset is so that I have an actual project with a purpose in
front of me to develop my scripting abilities.
_______________________________________________________
Eric F Crist "I am so smart, S.M.R.T!"
Secure Computing Networks -Homer J Simpson
More information about the freebsd-questions
mailing list