Sanity-check for my (working) ipfw rules please...

Nick Withers nick at nickwithers.com
Tue Jul 11 03:16:36 UTC 2006


On Mon, 10 Jul 2006 18:38:51 -0400 (EDT)
Ensel Sharon <user at dhp.com> wrote:

> 
> My individual hosts have a set of firewall rules on each of them that
> looks like this:
> 
> 
> /sbin/ipfw add 00010 allow ip from any to any via lo0
> /sbin/ipfw add 00020 deny ip from any to 127.0.0.0/8
>  
> /sbin/ipfw add 00100 count ip from any to any via em0 in
> /sbin/ipfw add 00100 count ip from any to any via em0 out

Note the double-up of rule numbers here... Don't know if you
care, but thought I'd point it out.

> /sbin/ipfw add 01000 allow tcp from any to any established
> 
> /sbin/ipfw add 01010 deny tcp from any to any tcpflags syn tcpoptions !mss
> /sbin/ipfw add 01011 deny icmp from any to any icmptypes 4,5,9,10,12,13,14,15,16,17,18
> /sbin/ipfw add 01012 deny tcp from any to any tcpflags syn,fin
> /sbin/ipfw add 01013 deny tcp from any to any tcpflags fin,psh,rst,urg
> 
> /sbin/ipfw add 02001 allow udp from 10.10.10.10 to any 53
> /sbin/ipfw add 02002 allow udp from any 53 to 10.10.10.10
> /sbin/ipfw add 02003 allow tcp from any to 10.10.10.10 21,22,80,443 setup
> /sbin/ipfw add 02009 deny ip from any to 10.10.10.10
> 
> 
> Easy.  Some standard loopback lines, count traffic on the interface, allow
> established, block out obvious offenders (xmas tree, syn/fin, etc.) and
> then open up the ports I need and block everything else.  Easy.  It works
> great.
> 
> Two questions:  is it appropriate to have line 01000 above all of my
> bad-behavior lines ?  That is, by allowing all established, is it possible
> that some of those bad tcp packets could be let in before they hit my
> bad-behavior block of ipfw rules ?  Or are all of those bad behaviors
> inconsistent with being an established tcp session ?

As Chuck Swiger pointed out in an earlier reply, you're
probably better off moving the rule down below your naughty
packet checking.

> Second, are there any other bad-behavior blocks I should put into my list?

How about:

deny tcp from any to any tcpflags fin,urg,psh
deny tcp from any to any tcpflags syn,fin,rst,ack
deny tcp from any to any tcpflags '!syn,!fin,!ack'

(rorted from a posting at
http://support.daemonnews.org/viewtopic.php?p=846, I have to
admit that I haven't myself actually checked that these are
correct and therefore don't use them myself)

and

deny all from 10.0.0.0/8 to any in via <public interface>
deny all from 203.219.206.72/30 to any in via <internal interface>

deny all from any to 0.0.0.0/8 via <public interface>
deny all from any to 169.254.0.0/16 via <public interface>
deny all from any to 192.0.2.0/24 via <public interface>
deny all from any to 198.18.0.0/15 via <public interface>
deny all from any to 224.0.0.0/4 via <public interface>
deny all from any to 240.0.0.0/4 via <public interface>
deny all from any to 172.16.0.0/12 via <public interface>
deny all from any to 192.168.0.0/16 via <public interface>

deny all from 0.0.0.0/8 to any via <public interface>
deny all from 169.254.0.0/16 to any via <public interface>
deny all from 192.0.2.0/24 to any via <public interface>
deny all from 198.18.0.0/15 to any via <public interface>
deny all from 224.0.0.0/4 to any via <public interface>
deny all from 240.0.0.0/4 to any via <public interface>
deny all from 172.16.0.0/12 to any via <public interface>
deny all from 192.168.0.0/16 to any via <public interface>

> Thanks!
-- 
Nick Withers
email: nick at nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
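As an added example (mine, not either poster's script), the questioner's ruleset rebuilt as an sh script with the flag checks placed ahead of the established rule, the two count rules given distinct numbers, and a dry-run check of that ordering; it assumes em0 is the only interface and 10.10.10.10 is this host, so the reply's public-interface bogon filters are left out.

```shell
#!/bin/sh
# Added example (not from either poster): the questioner's host ruleset
# rebuilt so the flag checks run before "allow established", with the two
# count rules given distinct numbers, plus a dry-run order check.
# Assumed values: em0 is the only interface and 10.10.10.10 is this host.
FWCMD=${FWCMD:-/sbin/ipfw}
NIC=${NIC:-em0}
ME=${ME:-10.10.10.10}

rule() { "$FWCMD" add "$@"; }

load_rules() {
    rule 00010 allow ip from any to any via lo0
    rule 00020 deny ip from any to 127.0.0.0/8
    rule 00100 count ip from any to any via "$NIC" in
    rule 00101 count ip from any to any via "$NIC" out
    # Malformed flag combinations are dropped before anything is allowed,
    # so a packet cannot match "established" before it reaches these.
    rule 01010 deny tcp from any to any tcpflags syn tcpoptions !mss
    rule 01011 deny icmp from any to any icmptypes 4,5,9,10,12,13,14,15,16,17,18
    rule 01012 deny tcp from any to any tcpflags syn,fin
    rule 01013 deny tcp from any to any tcpflags fin,psh,rst,urg
    # Only now is traffic with ACK or RST set passed without further checks.
    rule 01100 allow tcp from any to any established
    rule 02001 allow udp from "$ME" to any 53
    rule 02002 allow udp from any 53 to "$ME"
    rule 02003 allow tcp from any to "$ME" 21,22,80,443 setup
    rule 02009 deny ip from any to "$ME"
}

# Dry-run sanity check: emit the rules with FWCMD=echo and confirm the
# "established" rule number is above every tcpflags deny. Returns 0 if so.
check_order() {
    ( FWCMD=echo; load_rules ) | awk '
        $3 == "deny" && /tcpflags/ { if ($2 + 0 > maxdeny) maxdeny = $2 + 0 }
        /established/              { est = $2 + 0 }
        END { if (est > maxdeny) exit 0; exit 1 }'
}

# Usage: sh rules.sh check   (dry run)   or   sh rules.sh apply
case "${1:-}" in
    check) check_order && echo "order ok" ;;
    apply) load_rules ;;
esac
```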


More information about the freebsd-questions mailing list