RFC: my firewall ruleset(s)

Chuck Swiger cswiger at mac.com
Sun Oct 23 09:12:24 PDT 2005


Eric F Crist wrote:
> Hey all.  I'm relatively new to shell scripting and I'm looking for  
> some comments on my firewall script.
> 
> Comments on either the ipfw rules themselves or on my scripting lack of 
> ability would be appreciated.

Ugh.  :-)  IPFW knows how to increment rule numbers all by itself; you can get 
rid of the "rulenum1=`expr $rulenum1 + 50`" stuff.

The breakdown of sh functions like setup_loopback, setup_keepstate, setup_ntp 
is fine if you want to play with shell scripts, but it scatters your IPFW rules 
into different places.  I'd rather see something that closely resembles what 
"ipfw list" gives you.

You could chain several ports together into a list rather than listing them all 
separately as individual rules; IPFW will end up doing less work.

You have anti-spoofing for the loopback (lo0) interface, but not for your other 
interfaces.  You should add anti-spoofing rules, and also block strict and 
loose source routing [1]:

# Stop strict and loose source routing
add deny log all from any to any ipoptions ssrr
add deny log all from any to any ipoptions lsrr

You should give some thought to ICMP filtering.  Consider something like:

add allow icmp from any to any icmptypes 0,3,4,8,11,12

You should use the log command more when developing a ruleset, to see what 
traffic you are blocking or permitting, until you've gotten your rules and 
network finalized.

-- 
-Chuck

[1]: This is known to hackers as the "how to go through a firewall as if it 
wasn't there" IP option if you don't block these.  :-)
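As an added illustration (not code from the thread or from Eric's script), here is a compact sh ruleset that applies the points raised above: no hand-incremented rule numbers, anti-spoofing on every interface, strict/loose source routing dropped, a single ICMP rule, and several TCP ports grouped into one rule. The interface names, the internal network and the port list are assumptions for the example.

```shell
#!/bin/sh
# Added example of a cleaner ipfw ruleset. Set FWCMD="ipfw -q" to load the
# rules for real; the default ("echo ipfw") only prints what would be run.
FWCMD="${FWCMD:-echo ipfw}"
EXT_IF="${EXT_IF:-em0}"                # assumed external interface
INT_IF="${INT_IF:-em1}"                # assumed internal interface
INT_NET="${INT_NET:-192.168.1.0/24}"   # assumed (constructed) internal network
TCP_SERVICES="22,25,80,443"            # assumed services, one rule for all of them

gen_rules() {
    # ipfw assigns increasing rule numbers itself, so no "expr $rulenum + 50".
    $FWCMD -f flush
    # loopback traffic, plus anti-spoofing for 127/8 on every other interface
    $FWCMD add allow all from any to any via lo0
    $FWCMD add deny log all from any to 127.0.0.0/8
    $FWCMD add deny log all from 127.0.0.0/8 to any
    # anti-spoofing for the real interfaces: internal addresses may only arrive
    # on the internal interface, and nothing else may arrive there
    $FWCMD add deny log all from "$INT_NET" to any in via "$EXT_IF"
    $FWCMD add deny log all from not "$INT_NET" to any in via "$INT_IF"
    # stop strict and loose source routing
    $FWCMD add deny log all from any to any ipoptions ssrr
    $FWCMD add deny log all from any to any ipoptions lsrr
    # dynamic rules for connections we started; established TCP for the rest
    $FWCMD add check-state
    $FWCMD add allow tcp from any to any established
    $FWCMD add allow all from me to any out keep-state
    # ICMP: echo reply, unreachable, source quench, echo, time exceeded, param problem
    $FWCMD add allow icmp from any to any icmptypes 0,3,4,8,11,12
    # one rule covering every offered TCP service instead of one rule per port
    $FWCMD add allow tcp from any to me "$TCP_SERVICES" in setup keep-state
    # log everything that falls through while the ruleset is still being tuned
    $FWCMD add deny log all from any to any
}

count_rules() {
    # number of "add" rules the generator emits, for checking the set
    gen_rules | grep -c ' add '
}

gen_rules
```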