ipfw subnetting
Michael Sierchio
kudzu at tenebras.com
Mon May 21 15:44:33 UTC 2012
On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald <paul at ifdnrg.com> wrote:
> A very open firewall test script is as follows:
>
> 00010 allow ip from any to any via lo0
> 00081 deny log ip from 180.0.0.0/8 to any
> 00100 check-state
You don't need the following
> 00101 allow tcp from any to any established
This may not do what you think - "out" does not necessarily mean out
your external interface. Packets can go in and out (from the
perspective of the ruleset) more than once. And you want only to
start a dynamic rule for legitimate TCP traffic, which means "tcpflags
syn,!ack" - See below
> 00102 allow ip from any to any out keep-state
and you probably want to be selective about which ICMP you allow
> 00103 allow icmp from any to any
> 65535 deny ip from any to any
It's also helpful (most of the time) to be explicit about the interface
Is this ruleset just protecting this host itself, or are you using it
as a firewall for an internal network?
ipfw add allow ip from any to any via lo0
ifpw add allow ip from $local_net to $local_net
ipfw add deny log ip from 180.0.0.0/8 to any in recv $ext_if
ipfw add check-state
ipfw add allow tcp from any to any out xmit $ext_if setup keep-state
ipfw add allow udp from any to any out xmit $ext_if keep-state
ipfw add allow icmp from any to any out xmit $ext_if keep-state
ipfw add allow icmp from any to any in recv $ext_if icmptypes 3,8,11
ipfw add deny ip from any to any
More information about the freebsd-questions
mailing list