firewall rules

Antoine Jacoutot ajacoutot at lphp.org
Fri Apr 25 17:17:31 PDT 2003


Hi !

I've been learning (a little bit...) a way to implement a FreeBSD firewall.
So far, with help from the -security list, I came up with a set of rules I 
would like to show you for comment. 
I would be really pleased if someone could have a look at it to see if there are 
any obvious errors.
Basically, I have a 192.168.0.0/24 network connected to a gateway that has a 
dynamic IP. I would like the network and the gateway itself to do whatever 
they want and in the meantime filter everything from the outside except for 
specified services (http, ftp...) and also share the internet connection.
I understand it is a very basic configuration but I would like to be sure not 
to make any mistake.

Thanks a lot in advance.

Antoine

Here is my ruleset:

#!/bin/sh

# Firewall Command
fwcmd="/sbin/ipfw"

# Flush out the list before we begin.
${fwcmd} -f flush

# Network Address Translation
${fwcmd} add divert natd all from any to any via tun0

# Setup Loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Stop spoofing
${fwcmd} add deny all from 192.168.0.0/24 to any in via tun0
### The following rule is disabled since we have a dynamic @ip
#${fwcmd} add deny all from ${outside_net}:${outside_mask} to any in via vr0

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via tun0
${fwcmd} add deny all from any to 172.16.0.0/12 via tun0
${fwcmd} add deny all from any to 192.168.0.0/16 via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} add deny all from any to 0.0.0.0/8 via tun0
${fwcmd} add deny all from any to 169.254.0.0/16 via tun0
${fwcmd} add deny all from any to 192.0.2.0/24 via tun0
${fwcmd} add deny all from any to 224.0.0.0/4 via tun0
${fwcmd} add deny all from any to 240.0.0.0/4 via tun0

# From man 8 ipfw: allow only outbound TCP connections I've created
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any in established
${fwcmd} add allow tcp from any to any out setup keep-state

# Allow firewall and local network to do everything
${fwcmd} add pass all from me to any
${fwcmd} add pass all from 192.168.0.0/24 to any

# Deny & log suspicious packets (like nmap scans)
${fwcmd} add deny log tcp from any to any in tcpflags syn,fin

# Allow the following icmp: echo reply (0) destination unreachable (3)
# source quench (4) echo request (8) time-to-live exceeded (11)
# IP header bad (12)
${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11,12

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
# find a way to allow FTP inbound
# keep-state is needed here: without it, the client's ACK that completes the
# handshake is inbound "established" TCP and is dropped by the deny rule above
${fwcmd} add pass tcp from any to me 22,25,53,80,110 in via tun0 setup keep-state
${fwcmd} add pass udp from any to me 53 in via tun0

# Reject & log everything else
${fwcmd} add deny log ip from any to any

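To check the interaction between the "deny tcp ... in established" rule and the per-service "pass tcp ... setup" rule, here is a small evaluator for a subset of ipfw keywords (an added example, not from the post or from FreeBSD); it runs a simplified copy of the posted ruleset against the three packets of an inbound SSH handshake, with the gateway address 203.0.113.10 and client 198.51.100.7 being constructed values.

```python
# Added example (not from the post or FreeBSD): a toy evaluator for a subset of ipfw keywords,
# run over a simplified copy of the posted ruleset, to show why an inbound SSH connection
# stalls when the "pass tcp ... setup" rule has no keep-state of its own.
import ipaddress
ME = {"203.0.113.10"}  # constructed: the gateway's current tun0 address

def addr_ok(want, addr):  # ipfw address spec: any, me, or a CIDR prefix
    if want in ("any", "me"):
        return want == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(want)

def match(rule, pkt, state):  # check-state matches only a recorded flow (either direction)
    fwd = (pkt["proto"], pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
    if rule.get("check_state"):
        return fwd in state or (fwd[0], fwd[2], fwd[1], fwd[4], fwd[3]) in state
    ok = rule.get("proto", "ip") in ("ip", pkt["proto"])
    ok = ok and addr_ok(rule.get("src", "any"), pkt["src"]) and addr_ok(rule.get("dst", "any"), pkt["dst"])
    ok = ok and pkt["dport"] in rule.get("dports", {pkt["dport"]})
    ok = ok and rule.get("dir", pkt["dir"]) == pkt["dir"] and rule.get("via", pkt["iface"]) == pkt["iface"]
    f = pkt["flags"]
    if rule.get("setup"):        # setup: SYN set and ACK clear
        ok = ok and "syn" in f and "ack" not in f
    if rule.get("established"):  # established: ACK or RST set
        ok = ok and bool(f & {"ack", "rst"})
    return ok

def evaluate(rules, pkt, state):  # first match wins; keep-state records the flow
    for r in rules:
        if match(r, pkt, state):
            if r.get("keep_state"):
                state.add((pkt["proto"], pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"]))
            return "pass" if r.get("check_state") else r["action"]
    return "deny"  # ipfw's implicit final rule

def ruleset(inbound_keep_state):  # NAT, loopback, anti-spoof, ICMP and frag rules omitted
    return [
        {"check_state": True},
        {"action": "deny", "proto": "tcp", "dir": "in", "established": True},
        {"action": "pass", "proto": "tcp", "dir": "out", "setup": True, "keep_state": True},
        {"action": "pass", "src": "me"},
        {"action": "pass", "src": "192.168.0.0/24"},
        {"action": "pass", "proto": "tcp", "dst": "me", "dports": {22, 25, 53, 80, 110}, "dir": "in",
         "via": "tun0", "setup": True, "keep_state": inbound_keep_state}, {"action": "deny"}]

def ssh_handshake(inbound_keep_state):  # verdicts for SYN in, SYN/ACK out, ACK in
    state, peer, me = set(), "198.51.100.7", "203.0.113.10"  # constructed remote client
    def pkt(src, dst, sport, dport, d, flags):
        return dict(proto="tcp", src=src, dst=dst, sport=sport, dport=dport, dir=d, iface="tun0", flags=flags)
    pkts = [pkt(peer, me, 40000, 22, "in", {"syn"}), pkt(me, peer, 22, 40000, "out", {"syn", "ack"}),
            pkt(peer, me, 40000, 22, "in", {"ack"})]
    return [evaluate(ruleset(inbound_keep_state), p, state) for p in pkts]
```

Without keep-state on the service rule the verdicts are pass, pass, deny (the final ACK is dropped as inbound established TCP); with keep-state the dynamic rule created by the SYN lets the rest of the connection through check-state.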
