firewalling help/audit

Antoine Jacoutot ajacoutot at lphp.org
Fri Apr 25 07:09:20 PDT 2003


Hi !

First of all, I am sorry if this is not the list for that, but I've been 
learning (a little bit...) a way to implement a FreeBSD firewall.
So far I came up with a set of rules I would like to show you for commenting. 
I am sure there are a lot of errors and/or stupid rules (I am not sure the 
rules order is good for what I need) and I would be really pleased if one 
could have a look at it... otherwise, please ignore my mail (it is big!).
Basically, I have a 192.168.0.0/24 network connected to a gateway that has a 
dynamic IP. I would like the network and the gateway itself to do whatever 
they want and in the meantime filter everything from the outside except for 
specified services (http, ftp...) and share the internet connection.
I understand it is a very basic configuration but I would like to be sure not 
to make any mistake.

Thanks a lot in advance.

Antoine

Here is my ruleset:

#!/bin/sh
# Firewall Command
fwcmd="/sbin/ipfw"

# Flush out the list before we begin.
${fwcmd} -f flush

# Stop spoofing: our own LAN addresses must never arrive on the outside interface
${fwcmd} add deny all from 192.168.0.0:255.255.255.0 to any in via tun0
### ${fwcmd} add deny all from ${outside_net}:${outside_mask} to any in via vr0
### Disabled --> dynamic @ip

# Stop RFC1918 nets on the outside interface (destination side).
# Only the destination is checked before the natd divert: an outgoing LAN
# packet still carries its 192.168.0.x source here, so a "from 192.168.0.0/16"
# deny placed before the divert would block all NAT traffic.  The source-side
# checks are placed after the divert rule below.
${fwcmd} add deny all from any to 10.0.0.0/8 via tun0
${fwcmd} add deny all from any to 172.16.0.0/12 via tun0
${fwcmd} add deny all from any to 192.168.0.0/16 via tun0

# Stop draft-manning-dsua-03.txt nets (destination side)
${fwcmd} add deny all from any to 0.0.0.0/8 via tun0
${fwcmd} add deny all from any to 169.254.0.0/16 via tun0
${fwcmd} add deny all from any to 192.0.2.0/24 via tun0
${fwcmd} add deny all from any to 224.0.0.0/4 via tun0
${fwcmd} add deny all from any to 240.0.0.0/4 via tun0

# Setup Loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Network Address Translation.  natd(8) hands the packet back at the next
# rule, so every rule below this one sees translated addresses.
${fwcmd} add divert natd all from any to any via tun0

# Stop RFC1918 nets on the outside interface (source side, after natd)
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
${fwcmd} add deny all from 192.168.0.0/16 to any via tun0

# Stop draft-manning-dsua-03.txt nets (source side, after natd)
${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
${fwcmd} add deny all from 240.0.0.0/4 to any via tun0

# Allow firewall outbound for everything
${fwcmd} add pass all from any to any via vr0

# Stateful rules & allow everything from our net
${fwcmd} add check-state
${fwcmd} add pass tcp from 192.168.0.0:255.255.255.0 to any setup keep-state
${fwcmd} add pass udp from 192.168.0.0:255.255.255.0 to any keep-state

# Deny (and log) packets with the impossible SYN+FIN flag combination
${fwcmd} add deny log tcp from any to any in tcpflags syn,fin

# Allow some icmp
${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11,12

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through ### --> should we deny this ?
${fwcmd} add pass all from any to any frag

# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
# (ipfw expects the port list directly after the address, before in/via/setup)
${fwcmd} add pass tcp from any to me 20,21,22,25,53,80,110 in via tun0 setup
${fwcmd} add pass udp from any to me 53 in via tun0

# Reject & log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via tun0 setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Deny everything else
${fwcmd} add deny ip from any to any
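Added example, not part of Antoine's post nor of FreeBSD's rc.firewall: a small Python first-match simulator for the ipfw keyword subset this script uses (proto, src/dst with a port list, in/out, via, setup, divert natd). It exists to check rule ordering offline before loading anything on the gateway. The public address 203.0.113.10, the LAN host 192.168.0.5 and the three rulesets are constructed; natd is modelled only as "rewrite the source of an outbound packet to the public address, then continue at the next rule", which is enough to show why a "from 192.168.0.0/16" deny must sit after the divert, and that the port list has to follow the address for the "to me" service rules.

```python
"""First-match simulator for a subset of ipfw(8) syntax (illustration only)."""
import ipaddress

GATEWAY_PUBLIC = "203.0.113.10"   # constructed stand-in for the dynamic tun0 address
LAN_HOST = "192.168.0.5"          # constructed LAN client


def _addr(tok):
    return tok if tok in ("any", "me") else ipaddress.ip_network(tok, strict=False)


def parse_rule(text):
    """action [log] [natd] proto from src [ports] to dst [ports] [in|out] [via IF] [setup]"""
    t = text.split()
    r = {"text": text, "dir": None, "via": None, "setup": False,
         "sports": set(), "dports": set(), "action": t.pop(0)}
    if t[0] == "log":
        t.pop(0)                      # logging does not change the match
    if r["action"] == "divert":
        t.pop(0)                      # the divert port name (natd)
    r["proto"] = t.pop(0)
    if t.pop(0) != "from":
        raise ValueError(text)
    r["src"] = _addr(t.pop(0))
    if t[0] != "to":                  # port list follows the address
        r["sports"] = {int(p) for p in t.pop(0).split(",")}
    t.pop(0)                          # "to"
    r["dst"] = _addr(t.pop(0))
    if t and t[0] not in ("in", "out", "via", "setup"):
        r["dports"] = {int(p) for p in t.pop(0).split(",")}
    while t:
        k = t.pop(0)
        if k in ("in", "out"):
            r["dir"] = k
        elif k == "via":
            r["via"] = t.pop(0)
        elif k == "setup":
            r["setup"] = True
        else:
            raise ValueError("unsupported keyword %r in %r" % (k, text))
    return r


def _addr_match(m, ip):
    if m == "any":
        return True
    if m == "me":
        return ip == GATEWAY_PUBLIC
    return ipaddress.ip_address(ip) in m


def matches(r, pkt):
    return (r["proto"] in ("all", "ip", pkt["proto"])
            and (r["dir"] is None or r["dir"] == pkt["dir"])
            and (r["via"] is None or r["via"] == pkt["iface"])
            and _addr_match(r["src"], pkt["src"])
            and _addr_match(r["dst"], pkt["dst"])
            and (not r["sports"] or pkt.get("sport") in r["sports"])
            and (not r["dports"] or pkt.get("dport") in r["dports"])
            and (not r["setup"] or pkt.get("syn_only", False)))


def evaluate(rules, pkt):
    """Walk the rules in order; return (action, rule text, went through natd)."""
    pkt = dict(pkt)
    natted = False
    for r in rules:
        if not matches(r, pkt):
            continue
        if r["action"] == "divert":
            if pkt["dir"] == "out":   # outbound: source becomes the public address
                pkt["src"] = GATEWAY_PUBLIC
            natted = True             # natd hands the packet back at the next rule
            continue
        return r["action"], r["text"], natted
    return "deny", "<implicit default deny>", natted


def ruleset(*lines):
    return [parse_rule(x) for x in lines]


# Constructed: source-address deny placed ahead of the divert.
SRC_DENY_BEFORE_NAT = ruleset(
    "deny all from any to 192.168.0.0/16 via tun0",
    "deny all from 192.168.0.0/16 to any via tun0",
    "divert natd all from any to any via tun0",
    "pass tcp from any to any setup")
# Constructed: destination checks before natd, source checks after it.
SRC_DENY_AFTER_NAT = ruleset(
    "deny all from any to 192.168.0.0/16 via tun0",
    "divert natd all from any to any via tun0",
    "deny all from 192.168.0.0/16 to any via tun0",
    "pass tcp from any to any setup")
# Constructed: port list directly after "me", then in/via/setup.
INBOUND_SERVICES = ruleset(
    "pass tcp from any to me 20,21,22,25,53,80,110 in via tun0 setup",
    "deny log tcp from any to any in via tun0 setup")

LAN_SYN_OUT = {"proto": "tcp", "src": LAN_HOST, "sport": 40000, "dst": "198.51.100.7",
               "dport": 80, "dir": "out", "iface": "tun0", "syn_only": True}


def inbound_syn(dport):
    return {"proto": "tcp", "src": "198.51.100.7", "sport": 51000, "dst": GATEWAY_PUBLIC,
            "dport": dport, "dir": "in", "iface": "tun0", "syn_only": True}


if __name__ == "__main__":
    print(evaluate(SRC_DENY_BEFORE_NAT, LAN_SYN_OUT))   # denied before natd
    print(evaluate(SRC_DENY_AFTER_NAT, LAN_SYN_OUT))    # translated, then passed
    print(evaluate(INBOUND_SERVICES, inbound_syn(80)))  # pass
    print(evaluate(INBOUND_SERVICES, inbound_syn(3389)))  # deny log
```

The first two results are the point of the exercise: the same LAN SYN is dropped by the source-side deny when it precedes the divert, and is translated and passed when the deny follows it. To audit a real ruleset, feed `ipfw list` output (numbers stripped) through parse_rule and try the packets the gateway is expected to forward.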


More information about the freebsd-security mailing list