no keep-state and unpredictable ssh connections
Michael Sierchio
kudzu at tenebras.com
Sun Jul 27 08:40:54 PDT 2003
You may need to fiddle with the default values for these
net.inet.ip.fw.dyn_ack_lifetime
net.inet.ip.fw.dyn_syn_lifetime
net.inet.ip.fw.dyn_fin_lifetime
net.inet.ip.fw.dyn_rst_lifetime
net.inet.ip.fw.dyn_udp_lifetime
net.inet.ip.fw.dyn_short_lifetime
and you want
/sbin/sysctl net.inet.ip.fw.dyn_keepalive=1
Anyway, try it this way.
#!/bin/sh
fwcmd="/sbin/ipfw -q"
# $mynet is used below but was never set; put your own LAN prefix here (assumed value)
mynet="192.168.1.0/24"
$fwcmd -f flush
$fwcmd add allow ip from any to any via lo0
# match packets against the dynamic rules created by the keep-state rules below
$fwcmd add check-state
# loopback addresses must never appear on the wire
$fwcmd add deny ip from 127.0.0.0/8 to any
$fwcmd add deny ip from any to 127.0.0.0/8
# TCP traffic with no dynamic rule stops here; only connection setups get past
$fwcmd add deny tcp from any to any established
# antispoofing rules
$fwcmd add deny ip from 10.0.0.0/8 to any in recv xl0
$fwcmd add deny ip from 172.16.0.0/12 to any in recv xl0
$fwcmd add deny ip from 192.168.0.0/16 to any in recv xl0
$fwcmd add deny ip from me to any in recv xl0
# some ICMP types you mustn't block -- esp. 3 for PMTU, etc.
$fwcmd add allow icmp from any to any icmptype 0,3,11
# allow local net traffic
$fwcmd add allow ip from $mynet to $mynet
# from me to anywhere
$fwcmd add allow tcp from me to any setup keep-state
$fwcmd add allow udp from me to any keep-state
$fwcmd add allow icmp from me to any
# Separate rules for SSH and HTTP, etc.
# the count rules only log new connections; the allow rules create the dynamic state
$fwcmd add count log logamount 0 tcp from any to me ssh in recv xl0 setup
$fwcmd add allow tcp from any to me ssh in recv xl0 keep-state setup
$fwcmd add count log logamount 0 tcp from any to me http in recv xl0 setup
$fwcmd add allow tcp from any to me http in recv xl0 keep-state setup
$fwcmd add deny log logamount 0 ip from any to any
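The interaction the ruleset above depends on (check-state, keep-state, the dyn_*_lifetime sysctls and dyn_keepalive), as an added example that is not part of the original post and not ipfw's own code: a small Python model of ipfw's stateful evaluation using the post's rule order (check-state, deny established, allow ssh setup keep-state, deny all). It shows why an ssh rule without keep-state breaks the session at the first data segment, why a keep-state session still dies after idling past dyn_ack_lifetime, and why dyn_keepalive=1 keeps the dynamic rule alive. The client address, the 300 s lifetime, the 20 s keepalive window and the one-direction flow key are assumptions made for the model.

```python
"""Toy model of ipfw check-state / keep-state evaluation and dynamic-rule
lifetimes. Constructed example, not ipfw code. Only the client-to-server
direction is modelled; addresses, lifetimes and the keepalive window are
assumed values."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}) for a connection setup


@dataclass
class Rule:
    action: str                 # "allow", "deny" or "check-state"
    proto: str = "ip"
    dport: Optional[int] = None
    setup: bool = False         # ipfw 'setup': SYN set, ACK clear
    established: bool = False   # ipfw 'established': ACK or RST set
    keep_state: bool = False    # create a dynamic rule when this rule matches
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.setup and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
            return False
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


class Firewall:
    KEEPALIVE_WINDOW = 20  # assumed: probes go out in the last seconds of a dynamic rule's life

    def __init__(self, rules, ack_lifetime=300, keepalive=False):
        self.rules = rules
        self.ack_lifetime = ack_lifetime  # stands in for net.inet.ip.fw.dyn_ack_lifetime
        self.keepalive = keepalive        # stands in for net.inet.ip.fw.dyn_keepalive
        self.dyn = {}                     # flow key -> (expiry time, parent rule)
        self.now = 0

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.dst, pkt.dport)

    def evaluate(self, pkt: Packet):
        """Walk the static rules in order; return (verdict, name of deciding rule)."""
        key = self._key(pkt)
        for rule in self.rules:
            if rule.action == "check-state":
                entry = self.dyn.get(key)
                if entry and entry[0] > self.now:
                    # a live dynamic rule matches: refresh it, take the parent rule's action
                    self.dyn[key] = (self.now + self.ack_lifetime, entry[1])
                    return entry[1].action, "dynamic:" + entry[1].name
                continue
            if rule.matches(pkt):
                if rule.keep_state and rule.action == "allow":
                    self.dyn[key] = (self.now + self.ack_lifetime, rule)
                return rule.action, rule.name
        return "deny", "default"

    def idle(self, seconds: int):
        """Advance the clock with no traffic from the peers. With keepalive on, the
        firewall probes both ends before expiry and the (assumed) ACK replies refresh
        the dynamic rule; without it the rule simply times out."""
        for _ in range(seconds):
            self.now += 1
            if self.keepalive:
                for key, (expiry, parent) in list(self.dyn.items()):
                    if 0 < expiry - self.now <= self.KEEPALIVE_WINDOW:
                        self.dyn[key] = (self.now + self.ack_lifetime, parent)
            self.dyn = {k: v for k, v in self.dyn.items() if v[0] > self.now}


def ruleset(ssh_keep_state: bool):
    """The post's rule order reduced to the rules that decide the ssh case."""
    return [
        Rule("check-state", name="check-state"),
        Rule("deny", proto="tcp", established=True, name="deny established"),
        Rule("allow", proto="tcp", dport=22, setup=True,
             keep_state=ssh_keep_state, name="allow ssh setup"),
        Rule("deny", name="deny all"),
    ]


def ssh_session(ssh_keep_state: bool, keepalive: bool, idle_seconds: int):
    """Open an ssh session, send one data segment, idle, send another.
    Returns the verdicts for the first and the post-idle data segment."""
    fw = Firewall(ruleset(ssh_keep_state), ack_lifetime=300, keepalive=keepalive)
    syn = Packet("tcp", "203.0.113.5", "me", 22, frozenset({"SYN"}))   # constructed client
    data = Packet("tcp", "203.0.113.5", "me", 22, frozenset({"ACK", "PSH"}))
    assert fw.evaluate(syn) == ("allow", "allow ssh setup")
    first = fw.evaluate(data)
    fw.idle(idle_seconds)
    return first, fw.evaluate(data)


if __name__ == "__main__":
    print("no keep-state:            ", ssh_session(False, False, 0))
    print("keep-state, 600 s idle:   ", ssh_session(True, False, 600))
    print("keep-state + keepalive:   ", ssh_session(True, True, 600))
```

The first case is the symptom in the subject line: the handshake is let through by the setup rule, but the very next segment has ACK set, finds no dynamic rule, and is swallowed by `deny tcp from any to any established`. The second case is the same failure delayed by dyn_ack_lifetime, which is why an idle shell drops with no error until the next keystroke; the third is what dyn_keepalive=1 buys you.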
More information about the freebsd-ipfw
mailing list