IPF, NAT or NIC

Steve Bertrand steve at ibctech.ca
Fri Sep 18 17:52:24 UTC 2009


Freeco wrote:
> Ok, thanks for the advice about the switch. You really helped me so much. Now I'll
> get with my ipf and nat rules.

I'm glad I could help. So many people here and on other lists have
helped me significantly over the years, so I try to give back whenever I
can/have time.

> What ports do you recommend to keep open and how to block gateway ping?

About the ports... that depends on what you are going to do. My theory
is, unless you are an Internet Provider, all ports should be closed by
default, and opened on an as-needed basis. Generally, there isn't
very much that will break if you block everything coming into the ISP
side of your gateway (so long as you are using the firewall as a
'stateful' firewall).

On the other hand, the "wide open and block certain things" approach
leads to accidentally leaving things like SSH on your gateway
accessible.

As for the ping:

I am generally dead against blocking any type of ICMP. I've spent
countless nights trying to troubleshoot wide-scale Internet reachability
problems because someone out there decided that blocking ICMP was the
same as blocking ping. This goes against my above 'deny everything', but
it's my only exception. Those who have ever had to deal with pmtud
issues when it's least expected know exactly what I mean.

Issues caused by careless filtering of ICMP can have the same effect on
a home user as they do on an ISP, but the home user will likely have a
much harder time figuring out what is wrong :)

For instance, most will do the following:

# ipfw add 100 deny icmp from any to any in

You just broke Path MTU Discovery, lost the ability to learn when a
remote port/host is unreachable, and our tests earlier would have failed
as well. If your firewall is clamped down, there is no really good reason
to block ping requests IMHO.

If you don't want others on the WAN side to be able to ping you, block
ICMP Type 8 messages inbound only. In IPFW, it would look like this:

# ipfw add 10 deny icmp from any to me in via $ext_if icmptypes 8
# ipfw add 15 allow icmp from any to any

...but my personal recommendation is to not do it. Even for the simple
fact that if you ever have to call your ISP for support, pinging is one
of the most basic and helpful utilities available.

Again, IMHO.

Cheers,

Steve
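The advice above in one piece, as an added example (not from Steve's post or any FreeBSD project script): a minimal stateful ipfw ruleset that denies everything inbound on the ISP-facing interface by default, allows replies to outbound traffic via state, blocks only ICMP echo-request (type 8) inbound, and passes all other ICMP so Path MTU Discovery and unreachable messages keep working. The interface names, the LAN network and the IPFW variable (set IPFW=echo to print the rules instead of loading them) are assumptions.

```shell
#!/bin/sh
# Added example: stateful ipfw ruleset following the post's advice.
# Assumed values; adjust to your gateway.
ext_if="${EXT_IF:-em0}"        # ISP-facing interface (assumption)
int_if="${INT_IF:-em1}"        # LAN-facing interface (assumption)
lan_net="${LAN_NET:-192.168.1.0/24}"   # constructed LAN network
IPFW="${IPFW:-ipfw -q}"        # set IPFW=echo for a dry run

build_rules() {
    # Print one ipfw rule per line, in evaluation order.
    cat <<EOF
add 100 check-state
add 200 allow ip from any to any via lo0
add 300 allow ip from any to any out via $ext_if keep-state
add 400 deny icmp from any to me in via $ext_if icmptypes 8
add 410 allow icmp from any to any
add 500 allow tcp from $lan_net to me 22 in via $int_if setup keep-state
add 510 allow ip from $lan_net to any in via $int_if keep-state
add 65000 deny log ip from any to any in via $ext_if
EOF
}

# Flush the current ruleset and install the rules above.
load_rules() {
    $IPFW -f flush
    build_rules | while IFS= read -r rule; do
        $IPFW $rule
    done
}

# Number of rules the ruleset contains (handy for a sanity check).
count_rules() {
    build_rules | wc -l | tr -d ' '
}
```

Rule 400 is the post's "block echo-request inbound only" rule; rule 410 immediately after it is what keeps PMTUD and unreachable notifications alive, and rule 65000 is the default deny the post argues for.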