Firewall

Adolfo B. Ferreira bitchat at hotpop.com
Thu Jul 21 15:04:21 GMT 2005


Hi Folks,

I'm sending this e-mail to get suggestions about my firewall.
I read about firewalls in the FreeBSD Handbook and I got suggestions from my
friends, but I would like suggestions from here.


# DEVICE: lo0
add 100 allow ip from any to any via lo0
add 102 deny ip from any to 127.0.0.0/8
# loopback addresses must not show up as a source on any other interface either
add 103 deny ip from 127.0.0.0/8 to any

# LAN: IN (un-NAT inbound packets before any other inbound rule looks at them)
add 200 divert natd ip from any to any in via rl0

# LAN: DNS
# 301 admits every protocol from the resolver; "udp from 201.6.0.100 53" would be tighter
add 300 allow ip from 201.6.255.86 to 201.6.0.100 out via rl0
add 301 allow ip from 201.6.0.100 to 201.6.255.86 in via rl0
# replies to LAN clients, seen here after natd has restored the private destination.
# Masks corrected: 10.1.1.0/8 and 192.168.0.0/8 have host bits set, so the rules
# really matched 10.0.0.0/8 and 192.0.0.0/8 rather than the RFC 1918 blocks
add 302 allow udp from 201.6.0.100 to 10.0.0.0/8 in via rl0
add 303 allow udp from 201.6.0.100 to 192.168.0.0/16 in via rl0
add 304 allow udp from 201.6.0.102 to 10.0.0.0/8 in via rl0
# note: there is no rule for 201.6.0.102 replies to 192.168.0.0/16; either add one
# or put keep-state on 902/903 so the reply is matched by 500 instead

# CHECK STATE
add 500 check-state

# LAN: ROOT
add 800 allow tcp from me to any out via rl0 setup keep-state uid root

# LAN: OUT
# "setup" is a TCP flag test, so "tcp" says what "ip" already meant here.
# The dynamic rule created by keep-state inherits the skipto action, so the
# return traffic matched by 500 also lands on 2000.
add 900 skipto 2000 tcp from any to any out via rl0 setup keep-state
add 901 skipto 2000 icmp from any to any out via rl0 icmptypes 8
add 902 skipto 2000 udp from any to 201.6.0.100 out via rl0
add 903 skipto 2000 udp from any to 201.6.0.102 out via rl0

# NETCRAFT
# /32 matches only the single address 195.92.95.0; use /24 if the whole range is meant
add 1000 deny all from 195.92.95.0/32 to any in via rl0

# ICMP: RATE-LIMIT PING
# roughly one echo request in five is admitted; the other four fall through to 1900
# and are logged there, so expect noise in the log
add 1100 allow icmp from any to any in via rl0 icmptypes 0
add 1101 prob 0.2 allow icmp from any to 201.6.255.86 in via rl0 icmptypes 8
add 1102 allow icmp from 201.6.255.86 to any out via rl0 icmptypes 0

# LAN: RFC (RFC 1918 and other source addresses that must never arrive from the Internet)
add 1200 deny all from 192.168.0.0/16  to any in via rl0
# 10.0.0.0/8 is the third RFC 1918 block and was missing from the list
add 1210 deny all from 10.0.0.0/8      to any in via rl0
add 1220 deny all from 172.16.0.0/12   to any in via rl0
add 1240 deny all from 127.0.0.0/8     to any in via rl0
add 1250 deny all from 0.0.0.0/8       to any in via rl0
add 1260 deny all from 169.254.0.0/16  to any in via rl0
add 1270 deny all from 192.0.2.0/24    to any in via rl0
add 1280 deny all from 204.152.64.0/23 to any in via rl0
add 1290 deny all from 224.0.0.0/3     to any in via rl0

# INTERNET: FRAG
add 1300 deny all from any to any frag in via rl0

# INTERNET: STATE STABLE
# TCP segments with ACK or RST set that matched no dynamic rule at 500
add 1400 deny ip from any to any established in via rl0

# INTERNET: SERVICES IN
# pipes 30 and 60 are referenced but never configured; this file needs matching
# "ipfw pipe 30 config ..." and "ipfw pipe 60 config ..." lines.
# With net.inet.ip.fw.one_pass=1 (the default) a packet is accepted as soon as it
# leaves the pipe; with one_pass=0 it continues down the list and is dropped by 1900.
# Port 20 inbound is not needed for FTP: the server opens active data connections
# *from* port 20 (outbound), and passive mode needs the server's passive port range.
# "limit src-addr 2" caps every client address at two concurrent connections.
add 1600 pipe 30 tcp from any to 201.6.255.86 20,21 in via rl0 setup limit src-addr 2
add 1603 pipe 60 tcp from any to 201.6.255.86 80 in via rl0 setup limit src-addr 2

# DENY / LOG
add 1800 deny log all from any to any out via rl0
add 1900 deny log all from any to any in via rl0

# LAN: NAT
add 2000 divert natd ip from any to any out via rl0
add 2001 allow ip from any to any

# BLOCK EVERYTHING ELSE
# never reached: 2001 already accepts every packet that gets this far
add 2100 deny log all from any to any
Thanks all,


Adolfo Bravo Ferreira
Network Administrator / Security Analyst / Developer
Sophiex Serviços de Informática
Phone: 11 8135-6090
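The review the post asks for can be partly mechanised. The lint below is an added example, not code from the original post or from FreeBSD's ipfw; it parses a constructed ruleset modelled on the one above (the rule numbers and addresses are the post's, the sample text and all function names are this example's own) and reports three kinds of slip: prefixes with host bits set (ipfw matches the masked network, so 10.1.1.0/8 is effectively 10.0.0.0/8 and 192.168.0.0/8 is 192.0.0.0/8), "pipe N" actions with no corresponding pipe configuration, and rules shadowed by an unconditional any-to-any allow or deny.

```python
"""Static lint for an ipfw ruleset (example code, not part of FreeBSD or of the post).

Three checks that catch the slips visible in hand-written rulesets like the one
above: prefixes with host bits set, pipe actions without a pipe config, and
rules shadowed by an unconditional any-to-any allow/deny.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the ruleset in the post; the numbers and
# addresses are the post's, the file itself is this example's.
SAMPLE_RULES = """
add 100 allow ip from any to any via lo0
add 102 deny ip from any to 127.0.0.0/8
add 200 divert natd ip from any to any in via rl0
add 302 allow udp from 201.6.0.100 to 10.1.1.0/8 in via rl0
add 303 allow udp from 201.6.0.100 to 192.168.0.0/8 in via rl0
add 500 check-state
add 900 skipto 2000 ip from any to any out via rl0 setup keep-state
add 1000 deny all from 195.92.95.0/32 to any in via rl0
add 1600 pipe 30 tcp from any to 201.6.255.86 20,21 in via rl0 setup limit src-addr 2
add 1603 pipe 60 tcp from any to 201.6.255.86 80 in via rl0 setup limit src-addr 2
add 1900 deny log all from any to any in via rl0
add 2000 divert natd ip from any to any out via rl0
add 2001 allow ip from any to any
add 2100 deny log all from any to any
"""

RULE_RE = re.compile(r"^add\s+(\d+)\s+(\S.*)$")
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\b")


def parse_rules(text: str) -> List[Dict]:
    """One dict per 'add N action ...' line, sorted by rule number; comments and blanks skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            body = m.group(2)
            rules.append({"num": int(m.group(1)), "action": body.split()[0], "body": body})
    return sorted(rules, key=lambda r: r["num"])


def check_host_bits(rules: List[Dict]) -> List[Tuple[int, str, str]]:
    """(rule, written prefix, effective prefix) for every addr/len whose host bits
    are set: the rule matches the masked network, not what was typed."""
    findings = []
    for r in rules:
        for addr, plen in CIDR_RE.findall(r["body"]):
            net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            if str(net.network_address) != addr:
                findings.append((r["num"], f"{addr}/{plen}", str(net)))
    return findings


def check_single_host_masks(rules: List[Dict]) -> List[Tuple[int, str]]:
    """/32 on an address ending in .0 almost always meant a network, not one host."""
    return [(r["num"], f"{a}/32") for r in rules
            for a, p in CIDR_RE.findall(r["body"]) if p == "32" and a.endswith(".0")]


def check_pipes(rules: List[Dict], configured: Set[int]) -> List[int]:
    """Pipe numbers used by 'pipe N' actions that have no 'ipfw pipe N config' line."""
    used = {int(r["body"].split()[1]) for r in rules if r["action"] == "pipe"}
    return sorted(used - configured)


def check_unreachable(rules: List[Dict]) -> List[int]:
    """Rules numbered after an unconditional allow/deny from any to any (no
    interface, direction, protocol or option), which no packet can ever reach."""
    unreachable, shadowed = [], False
    for r in rules:
        if shadowed:
            unreachable.append(r["num"])
            continue
        t = r["body"].split()
        shadowed = (len(t) == 6 and t[0] in ("allow", "accept", "deny", "drop")
                    and t[1] in ("ip", "all") and t[2:] == ["from", "any", "to", "any"])
    return unreachable


def lint(text: str, configured_pipes: Set[int]) -> Dict[str, list]:
    """Run every check and return the findings keyed by check name."""
    rules = parse_rules(text)
    return {
        "host_bits": check_host_bits(rules),
        "suspicious_slash32": check_single_host_masks(rules),
        "unconfigured_pipes": check_pipes(rules, configured_pipes),
        "unreachable": check_unreachable(rules),
    }


if __name__ == "__main__":
    # The sample has no 'pipe config' lines at all, hence the empty set.
    for check, hits in lint(SAMPLE_RULES, set()).items():
        print(f"{check}: {hits}")
```

Run against the sample it flags rules 302 and 303 for host bits, 1000 for a /32 on a .0 address, pipes 30 and 60 as unconfigured, and 2100 as unreachable behind 2001. Pass the set of pipe numbers you actually configure as the second argument when linting a real file.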

