Can I make this simple ipfw ruleset more restrictive ?

John Case case at SDF.ORG
Mon Sep 8 16:08:07 UTC 2014

I have a very simple firewall - it sits on the network border and it 
*blocks everything*, and the only traffic that is allowed is for internal 
clients to make outbound port 40 connections.

Also internal clients can ping and traceroute.

But that's it - no other connections in or out are allowed.  I havet he 
following ruleset that is working perfectly:

ipfw add 10 allow tcp from any to any established

ipfw add 20 allow icmp from any to any icmptypes 0,3,8,11
ipfw add 21 allow udp from any to any 33433-33499 in via fxp1

ipfw add 30 allow tcp from any to any 40 in via fxp1

(fxp1 is the *internal* interface, and so I allow the port 40 connections 
and the udp for traceroute only for requests that come in from the 
internal net)

Is there anything I have screwed up here ?  Any connections that can come 
in or out that I am trying to avoid ?

Is there any way to lock this down any further ?

Thanks very much.

More information about the freebsd-questions mailing list