firewalling help/audit

twig les twigles at yahoo.com
Fri Apr 25 10:48:07 PDT 2003


I'm no ipfw guru, but you seem to have a bunch of duplicate
rules in the 2nd 1918 and draft-manning-dsua-03 sections. 


--- Antoine Jacoutot <ajacoutot at lphp.org> wrote:
> Hi !
> 
> First of all, I am sorry if this is not the list for that, but I've been
> learning (a little bit...) a way to implement a FreeBSD firewall.
> So far I came up with a set of rules I would like to show you for commenting.
> I am sure there're a lot of errors and/or stupid rules (I am not sure the
> rules order is good for what I need) and I would be really pleased if one
> could have a look at it... otherwise, please ignore my mail (it is big !).
> Basically, I have a 192.168.0.0/24 network connected to a gateway that has a
> dynamic IP. I would like the network and the gateway itself to do whatever
> they want and in the meantime filter everything from the outside except for
> specified services (http, ftp...) and share the internet connection.
> I understand it is a very basic configuration but I would like to be sure not
> to make any mistake.
> 
> Thanks a lot in advance.
> 
> Antoine
> 
> Here is my ruleset:
> 
> #!/bin/sh
> # Firewall Command
> fwcmd="/sbin/ipfw"
> 
> # Flush out the list before we begin.
> ${fwcmd} -f flush
> 
> # Stop spoofing
> ${fwcmd} add deny all from 192.168.0.0:255.255.255.0 to any in via tun0
> ### ${fwcmd} add deny all from ${outside_net}:${outside_mask} to any in via vr0 ### Disabled --> dynamic @ip
> 
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from any to 10.0.0.0/8 via tun0
> ${fwcmd} add deny all from any to 172.16.0.0/12 via tun0
> ${fwcmd} add deny all from any to 192.168.0.0/16 via tun0
> ${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
> ${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
> ${fwcmd} add deny all from 192.168.0.0/16 to any via tun0
> 
> # Stop draft-manning-dsua-03.txt nets
> ${fwcmd} add deny all from any to 0.0.0.0/8 via tun0
> ${fwcmd} add deny all from any to 169.254.0.0/16 via tun0
> ${fwcmd} add deny all from any to 192.0.2.0/24 via tun0
> ${fwcmd} add deny all from any to 224.0.0.0/4 via tun0
> ${fwcmd} add deny all from any to 240.0.0.0/4 via tun0
> ${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
> ${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
> ${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
> ${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
> ${fwcmd} add deny all from 240.0.0.0/4 to any via tun0
> 
> # Setup Loopback
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
> 
> # Network Address Translation.
> ${fwcmd} add divert natd all from any to any via tun0
> 
> # Stop RFC1918 nets on the outside interface
> ${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
> ${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
> ${fwcmd} add deny all from 192.168.0.0/16 to any via tun0
> ${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
> ${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
> ${fwcmd} add deny all from 192.168.0.0/16 to any via tun0
> 
> # Stop draft-manning-dsua-03.txt nets
> ${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
> ${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
> ${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
> ${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
> ${fwcmd} add deny all from 240.0.0.0/4 to any via tun0
> ${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
> ${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
> ${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
> ${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
> ${fwcmd} add deny all from 240.0.0.0/4 to any via tun0
> 
> # Allow firewall outbound for everything
> ${fwcmd} add pass all from any to any via vr0
> 
> # Stateful rules & allow everything from our net
> ${fwcmd} add check-state
> ${fwcmd} add pass tcp from 192.168.0.0:255.255.255.0 to any setup keep-state
> ${fwcmd} add pass udp from 192.168.0.0:255.255.255.0 to any keep-state
> 
> # Deny suspicious packets
> $fwcmd add deny log tcp from any to any in tcpflags syn,fin
> 
> # Allow some icmp
> ${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11,12
> 
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
> 
> # Allow IP fragments to pass through ### --> should we deny this ?
> ${fwcmd} add pass all from any to any frag
> 
> # Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
> ${fwcmd} add pass tcp from any to me in via tun0 20,21,22,25,53,80,110 setup
> ${fwcmd} add pass udp from any to me in via tun0 53
> 
> # Reject & log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via tun0 setup
> 
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup
> 
> # Deny everything else
> ${fwcmd} add deny ip from any to any
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------
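The duplicate rules twig points out are easy to miss by eye in a long ipfw script. As an added example (not from either poster), this Python audit reads an excerpt of the quoted ruleset, normalizes each `${fwcmd} add` line, and reports every rule body that already appeared earlier; since ipfw evaluates rules in order, a later identical rule can never match a packet the earlier copy did not. Names (`find_duplicate_rules`, `normalize`, `RULESET`) are assumptions of this example.

```python
import re

# Constructed excerpt of the quoted ipfw ruleset, including the second
# RFC1918 section where the same deny rules are repeated.
RULESET = """\
#!/bin/sh
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add divert natd all from any to any via tun0
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
$fwcmd add deny log tcp from any to any in tcpflags syn,fin
${fwcmd} add deny ip from any to any
"""

# Matches "${fwcmd} add" or "$fwcmd add", with an optional rule number.
ADD_RE = re.compile(r'^\$\{?fwcmd\}?\s+add\s+(?:\d+\s+)?(.*)$')

def normalize(line):
    """Return the rule body of an 'ipfw add' line, or None for other lines.
    Whitespace is collapsed and the optional rule number dropped so that
    textually different but equivalent rules compare equal."""
    m = ADD_RE.match(line.strip())
    if not m:
        return None
    return " ".join(m.group(1).split())

def find_duplicate_rules(script):
    """Return (line_no, first_line_no, rule) for every 'add' whose body
    already appeared earlier in the script. Such a rule is dead weight
    (ipfw is first-match) and, for deny rules, a likely copy-paste slip."""
    seen = {}
    dups = []
    for n, raw in enumerate(script.splitlines(), 1):
        body = normalize(raw)
        if body is None:
            continue
        if body in seen:
            dups.append((n, seen[body], body))
        else:
            seen[body] = n
    return dups

if __name__ == "__main__":
    for n, first, rule in find_duplicate_rules(RULESET):
        print(f"line {n} duplicates line {first}: {rule}")
```

This only catches textual duplicates; a rule shadowed by an earlier broader one (for instance a /24 already covered by a /16 deny on the same interface) still needs a manual read of the rule order.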


