IPFW ruleset not working... advice? WAS Re: Running processes...

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Feb 14 12:32:00 PST 2004

On Sat, Feb 14, 2004 at 01:15:07PM -0600, Eric F Crist wrote:

> Hey, thanks!  I changed all the rules so they read:
> allow ip from any to me <port>
> and added the rule:
> allow ip from me to any at rule 50
> All seems to work now!  Does anyone have any suggestions on how to make this 
> system even tighter?  Thanks.

Yes.  Use the stateful rules feature.  Instead of opening up outgoing
packets to everywhere, the keep-state rules dynamically open up a
point to point connection that remains open while traffic is flowing
beteeen the two systems, and times out after traffic stops or the
connection is closed.

A very minimal partial ruleset to allow incoming SSH, HTTP, HTTPS,
SMTP and outgoing DNS lookups would look like:

    00100 check-state
    00200 deny log tcp from any to any established
    00300 allow tcp from any to me 22,25,80,443 keep-state in recv fxp0
    00400 allow udp from me to any 53 out xmit fxp0
    00500 deny log ip from any to any

[The 'in recv fxp0' and 'out xmit fxp0' stuff is optional: all it does
is filter packets according to what interface they are traversing and
in what direction.  Remember to substitute the correct device name for
your network interface.]

Although at first sight, this would appear to block all tcp traffic
except for the first 'SYN' packet, and not permit any incoming UDP
traffic at all, the 'keep-state' flag in rules 00300 and 00400
generates dynamic rules that permit packets to flow in response to the
packet that triggered them.  Those rules are effectively inserted into
the ruleset at the 'check-state' line (or at the first occuring
'limit' or 'keep-state' line).  Use 'ipfw -d list' to show all active
dynamic rules.



Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040214/4030d7f2/attachment.bin

More information about the freebsd-questions mailing list