Sanity-check for my (working) ipfw rules please...

Nick Withers nick at nickwithers.com
Tue Jul 11 03:42:43 UTC 2006


On Tue, 11 Jul 2006 13:16:21 +1000
Nick Withers <nick at nickwithers.com> wrote:

> On Mon, 10 Jul 2006 18:38:51 -0400 (EDT)
> Ensel Sharon <user at dhp.com> wrote:
> 
> > 
> > My individual hosts have a set of firewall rules on each of them that
> > looks like this:

(snip)

> > Second, are there any other bad-behavior blocks I should put into my list?
> 
> How about:
> 
> deny tcp from any to any tcpflags fin,urg,psh
> deny tcp from any to any tcpflags syn,fin,rst,ack
> deny tcp from any to any tcpflags '!syn,!fin,!ack'
> 
> (rorted from a posting at
> http://support.daemonnews.org/viewtopic.php?p=846, I have to
> admit that I haven't myself actually checked that these are
> correct and therefore don't use them myself)
> 
> and
> 
> deny all from 10.0.0.0/8 to any in via <public interface>
> deny all from 203.219.206.72/30 to any in via <internal interface>

Sorry - 203.219.206.72/30 is the network address for my public
interface.

> deny all from any to 0.0.0.0/8 via <public interface>
> deny all from any to 169.254.0.0/16 via <public interface>
> deny all from any to 192.0.2.0/24 via <public interface>
> deny all from any to 198.18.0.0/15 via <public interface>
> deny all from any to 224.0.0.0/4 via <public interface>
> deny all from any to 240.0.0.0/4 via <public interface>
> deny all from any to 172.16.0.0/12 via <public interface>
> deny all from any to 192.168.0.0/16 via <public interface>
> 
> deny all from 0.0.0.0/8 to any via <public interface>
> deny all from 169.254.0.0/16 to any via <public interface>
> deny all from 192.0.2.0/24 to any via <public interface>
> deny all from 198.18.0.0/15 to any via <public interface>
> deny all from 224.0.0.0/4 to any via <public interface>
> deny all from 240.0.0.0/4 to any via <public interface>
> deny all from 172.16.0.0/12 to any via <public interface>
> deny all from 192.168.0.0/16 to any via <public interface>

...and these actually probably aren't all that appropriate for
your situation (i.e., internal client rules, rather than
Internet <-> LAN router)

> > Thanks!

Hope this is at least vaguely useful, and sorry for any
misleading / inappropriate information!
-- 
Nick Withers
email: nick at nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
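The rule set quoted above, modelled offline as an added example (not code from the thread or from the ipfw project): it builds the same deny lines and evaluates constructed packets against the same logic, so you can see which rule catches a spoofed source, a bogon destination or an impossible TCP flag combination before loading anything into a live firewall. The interface names em0/em1 are placeholders; the public /30 and the 10/8 LAN come from the thread; 172.16.0.0 is given its RFC 1918 /12 mask, which the quoted rule leaves out (ipfw reads a bare address as a single /32 host).

```python
"""Offline model of the ipfw anti-spoofing, bogon and tcpflags rules.

Added example, not from the original thread. It never calls ipfw; it
produces the rule text and checks constructed packets against the same
match logic so each rule's effect can be verified without a live box.
"""
import ipaddress

# Placeholders: real interface names depend on the host
PUBLIC_IF = "em0"       # hypothetical public interface
INTERNAL_IF = "em1"     # hypothetical internal interface
PUBLIC_NET = ipaddress.ip_network("203.219.206.72/30")   # from the thread
LAN_NET = ipaddress.ip_network("10.0.0.0/8")             # from the thread

# Networks that should never appear on the public interface in either
# direction. 172.16.0.0 carries the RFC 1918 /12 mask here.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4", "172.16.0.0/12", "192.168.0.0/16",
)]

# tcpflags specs as ipfw writes them: a bare flag must be set, a
# '!'-prefixed flag must be clear, and unlisted flags are don't-care.
BAD_TCPFLAGS = ["fin,urg,psh", "syn,fin,rst,ack", "!syn,!fin,!ack"]


def generate_rules(start=1000, step=10):
    """Return the numbered ipfw 'add' lines as a list of strings."""
    rules = [f"deny tcp from any to any tcpflags {spec}" for spec in BAD_TCPFLAGS]
    rules.append(f"deny all from {LAN_NET} to any in via {PUBLIC_IF}")
    rules.append(f"deny all from {PUBLIC_NET} to any in via {INTERNAL_IF}")
    rules += [f"deny all from any to {net} via {PUBLIC_IF}" for net in BOGON_NETS]
    rules += [f"deny all from {net} to any via {PUBLIC_IF}" for net in BOGON_NETS]
    return [f"add {start + i * step} {r}" for i, r in enumerate(rules)]


def _flags_match(spec, flags):
    """True if the set of flags satisfies an ipfw tcpflags spec."""
    flags = set(flags)
    for tok in spec.split(","):
        if tok.startswith("!"):
            if tok[1:] in flags:
                return False
        elif tok not in flags:
            return False
    return True


def deny_reason(src, dst, iface, direction, proto="tcp", flags=()):
    """Return the first rule that would deny this packet, or None.

    iface is the interface the packet crosses; direction is 'in' or 'out'.
    Rules are evaluated in the order the thread lists them.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto == "tcp":
        for spec in BAD_TCPFLAGS:
            if _flags_match(spec, flags):
                return f"tcpflags {spec}"
    if direction == "in" and iface == PUBLIC_IF and src in LAN_NET:
        return f"spoofed {LAN_NET} source on {PUBLIC_IF}"
    if direction == "in" and iface == INTERNAL_IF and src in PUBLIC_NET:
        return f"spoofed {PUBLIC_NET} source on {INTERNAL_IF}"
    if iface == PUBLIC_IF:
        for net in BOGON_NETS:
            if dst in net:
                return f"bogon destination {net}"
        for net in BOGON_NETS:
            if src in net:
                return f"bogon source {net}"
    return None


if __name__ == "__main__":
    for line in generate_rules():
        print(line)
    # Constructed sample packets: (src, dst, iface, direction, proto, flags)
    samples = [
        ("10.1.2.3", "203.219.206.74", PUBLIC_IF, "in", "tcp", ("syn",)),
        ("198.51.100.9", "172.16.5.5", PUBLIC_IF, "in", "udp", ()),
        ("198.51.100.9", "203.219.206.74", PUBLIC_IF, "in", "tcp", ("fin", "urg", "psh")),
        ("198.51.100.9", "203.219.206.74", PUBLIC_IF, "in", "tcp", ("syn",)),
    ]
    for pkt in samples:
        print(pkt[:2], "->", deny_reason(*pkt))
```

Running it prints the 21 generated rules and then one line per sample packet; the last sample (an ordinary SYN from a routable address to the public /30) is the only one that passes. Note that the null-scan spec `!syn,!fin,!ack` also matches a TCP segment with no flags at all, which is the intended behaviour of that rule.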