ipfw rules

Jurjen Middendorp jurjenm at stack.nl
Wed Dec 20 05:41:54 PST 2006 

Cool! thanks for the reply + suggestions!

I haven't had any trouble with my firewall blocking too much yet
(also didn't connect to the internet much yet :), but i'll think
about just allowing all out... on the other hand i like the idea
of just letting through out that i need (which isn't very much) and
denying all else.

I don't use the file shares on the network, so i figured if i got
a packet from one of those addresses it would be a mistake so i let
them drop.

Anyway, i'll try to build some rules based on the suggestions you
made and then i can try them both and then decide which one gives
me the least trouble :)

greetings,
   jurjen.

On Mon, Dec 18, 2006 at 04:29:06AM +0200, Giorgos Keramidas wrote:
>On 2006-12-16 18:01, Jurjen Middendorp <jurjenm at stack.nl> wrote:
>> I tried making a firewall for my laptop..but i'm not sure if i forgot
>> anything. And things can always be done better :)
>
>> #to stack (student computer thing... e-mail, irc, ssh stuff)
>> $cmd 020 allow all from me to 131.155.140.141/16 via $oif $ks
>> 
>> #allow ssh
>> $cmd 021 allow all from me to any 22 out via $oif setup $ks
>> 
>> #internet sites:
>> $cmd 032 allow tcp from me to any 80 out via $oif setup $ks
>> #https
>> $cmd 033 allow tcp from me to any 443 out via $oif setup $ks
>> #gopher
>> $cmd 034 allow tcp from me to any 70 out via $oif setup $ks
>> 
>> #other e-mail
>> #pop
>> $cmd 040 allow tcp from me to any 110 out via $oif setup $ks
>> #imap
>> $cmd 041 allow tcp from me to any 143 out via $oif setup $ks
>> 
>> #allow dns queries
>> $cmd 050 allow udp from me to any 53 out via $oif $ks
>> #allow ntp (?) queries
>> $cmd 051 allow udp from me to any 123 out via $oif $ks
>> 
>> #i can send icmp myself
>> $cmd 060 allow icmp from me to any out via $oif $ks
>> #but others can't
>> $cmd 061 deny icmp from any to me
>> 
>> #
>> #root can do anything
>> $cmd 070 allow tcp from me to any out via $oif setup $ks uid root
>> 
>> #log other outgoing packets
>> $cmd 071 deny log all from any to any out via $oif
>> 
>> ####
>> #  Incoming
>> 
>> #The default is that all other connections will be blocked anyway, but 
>> # the more stuff i put in here, the less stuff will get logged
>> 
>> #deny incoming to private networks
>> $cmd 100 deny all from 192.168.0.0/16 to any in via $oif	   #RFC 1918
>> $cmd 101 deny all from 172.16.0.0/16 to any in via $oif		#RFC 1918
>> $cmd 105 deny all from 169.254.0.0/16 to any in via $oif	   #DHCP auto
>> $cmd 106 deny all from 192.0.2.0/24 to any in via $oif		#reserved
>> $cmd 108 deny all from 192.168.0.0/16 to any in via $oif	   #D & E class
>> 								                                    # multicast
>> #block smb stuff
>> $cmd 120 deny tcp from any to me 137 in via $oif
>> $cmd 121 deny tcp from any to me 138 in via $oif
>> $cmd 122 deny tcp from any to me 139 in via $oif
>> 
>> #log ACK packets that did'nt match the dynamic ruleset
>> $cmd 130 deny log all from any to any established in via $oif
>> 
>> #Now log some stuff in case i did something wrong
>> $cmd 999 deny log any to me
rule 999 had a syntax error and now it reads "...log all from..." that works a
bit better :)
>
>It's a fairly complex ruleset, but it seems mostly ok.  There are
>a few things I'd change, mostly resulting from my own personal
>preferences:
>
>  * I don't like hard-coding rule numbers in IPFW rulesets.
>
>  * I like using 127.0.0.1/32 instead of any for loopback interfaces.
>
>  * In general, I prefer much simpler rulesets.
>
>  * I try to avoid a lot of variables/macros, like your $ks, since they
>    don't really keep things a lot shorter, and when they do they try to
>    abstract away too much of ipfw's syntax.
>
>  * I don't aggressively filter out ICMP packets.  They are useful for a
>    lot of things, they are rate-limited by the kernel, and it is
>    usually silly to block them without a fair amount of knowledge and a
>    very good reason.
>
>  * I don't deny packets for 'private' networks,like 192.168.0.0/26
>    because the networks I use with my laptop *ARE* private a lot of the
>    time.  Having the firewall block too much and cause me problems is
>    rarely a good way of spending my time.
>
>I would probably start with something like:
>
>  <<<recommendation for ipfw ruleset>>>
>
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list