ipfw subnetting

[Michael Sierchio]

On Mon, May 21, 2012 at 8:30 AM, Paul Macdonald <paul at ifdnrg.com> wrote:

> A very open firewall test script is as follows:
>
> 00010 allow ip from any to any via lo0
> 00081 deny log ip from 180.0.0.0/8 to any
> 00100 check-state

You don't need the following
> 00101 allow tcp from any to any established

This may not do what you think - "out" does not necessarily mean out
your external interface.  Packets can go in and out (from the
perspective of the ruleset) more than once.  And you want only to
start a dynamic rule for legitimate TCP traffic, which means "tcpflags
syn,!ack" - See below

> 00102 allow ip from any to any out keep-state

and you probably want to be selective about which ICMP you allow
> 00103 allow icmp from any to any
> 65535 deny ip from any to any

It's also helpful (most of the time) to be explicit about the interface

Is this ruleset just protecting this host itself, or are you using it
as a firewall for an internal network?

ipfw add allow ip from any to any via lo0
ifpw add allow ip from $local_net to $local_net

ipfw add deny log ip from 180.0.0.0/8 to any in recv $ext_if

ipfw add check-state

ipfw add allow tcp from any to any out xmit $ext_if setup keep-state
ipfw add allow udp from any to any out xmit $ext_if keep-state
ipfw add allow icmp from any to any out xmit $ext_if keep-state

ipfw add allow icmp from any to any in recv $ext_if icmptypes 3,8,11

ipfw add deny ip from any to any