firewalling help/audit
Antoine Jacoutot
ajacoutot at lphp.org
Fri Apr 25 17:15:12 PDT 2003
> Okay, good. I suspect that the machines on the inside network will
> have trouble using UDP to the outside world, but you probably won't
> care.
Hi, thanks a lot to Lowell and Simon, who helped me a lot in cleaning up and
reconfiguring my firewall rulesets.
After some work, I came up with the following, much shorter ruleset; I think
this should work OK now.
I know that pop3 is not a secure protocol, but it is my first ruleset under
FreeBSD and I would like to achieve this before securing the services
themselves.
I will post this to -questions too, as someone recommended to me.
Once again, thanks a lot.
Antoine
#!/bin/sh
# Firewall Command
fwcmd="/sbin/ipfw"
# Flush out the list before we begin.
${fwcmd} -f flush
# Network Address Translation
${fwcmd} add divert natd all from any to any via tun0
# Setup Loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
# Stop spoofing
${fwcmd} add deny all from 192.168.0.0/24 to any in via tun0
### The following rule is disabled since we have a dynamic @ip
#${fwcmd} add deny all from ${outside_net}:${outside_mask} to any in via vr0
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via tun0
${fwcmd} add deny all from any to 172.16.0.0/12 via tun0
${fwcmd} add deny all from any to 192.168.0.0/16 via tun0
# Stop draft-manning-dsua-03.txt nets
${fwcmd} add deny all from any to 0.0.0.0/8 via tun0
${fwcmd} add deny all from any to 169.254.0.0/16 via tun0
${fwcmd} add deny all from any to 192.0.2.0/24 via tun0
${fwcmd} add deny all from any to 224.0.0.0/4 via tun0
${fwcmd} add deny all from any to 240.0.0.0/4 via tun0
# From man 8 ipfw: allow only outbound TCP connections I've created
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any in established
${fwcmd} add allow tcp from any to any out setup keep-state
# Allow firewall and local network to do everything
${fwcmd} add pass all from me to any
${fwcmd} add pass all from 192.168.0.0/24 to any
# Deny & log suspicious packets (like nmap scans)
${fwcmd} add deny log tcp from any to any in tcpflags syn,fin
# Allow the following icmp: echo reply (0) destination unreachable (3)
# source quench (4) echo request (8) time-to-live exceeded (11)
# IP header bad (12)
${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11,12
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
# find a way to allow FTP inbound
# keep-state is needed here: without a dynamic rule, the client's ACK (and every
# later packet of the connection) arrives as an inbound "established" packet and
# is dropped by the "deny tcp from any to any in established" rule above.
${fwcmd} add pass tcp from any to me 22,25,53,80,110 in via tun0 setup keep-state
${fwcmd} add pass udp from any to me 53 in via tun0
# Reject & log everything else
${fwcmd} add deny log ip from any to any
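An added example, not part of Antoine's post and not ipfw's own code: a small Python model of ipfw's first-match evaluation with check-state/keep-state, loaded with the stateful rules of the ruleset above, to show why inbound connections to the listed services need keep-state and why UDP replies to the LAN are dropped (the UDP caveat from the quoted reply). The addresses are constructed, and "via tun0" and natd are simplifying assumptions not modelled.

```python
import ipaddress
ME = "203.0.113.5"  # constructed: the firewall's own tun0 address (the 'me' keyword)
def addr_ok(spec, addr):  # ipfw address spec: any / me / CIDR
    if spec in ("any", "me"):
        return spec == "any" or addr == ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
def rule_matches(r, p):  # static match only; dynamic state is handled in evaluate()
    flags = p["flags"]
    return (r["proto"] in ("all", p["proto"])
            and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and (not r.get("dports") or p["dport"] in r["dports"])
            and (not r.get("dir") or r["dir"] == p["dir"])
            and (r.get("tcp") != "setup" or flags == {"syn"})       # setup: SYN without ACK
            and (r.get("tcp") != "established" or "ack" in flags))  # established: ACK set
def evaluate(rules, p, state):  # first match wins; state holds dynamic 5-tuples
    fwd = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
    rev = (fwd[0], fwd[3], fwd[4], fwd[1], fwd[2])
    for r in rules:
        if r["action"] == "check-state":
            if fwd in state or rev in state:  # a dynamic rule matches both directions
                return "pass"
        elif rule_matches(r, p):
            if r.get("keep_state"):
                state.add(fwd)
            return r["action"]
    return "deny"  # ipfw's implicit final deny
def trace(rules, packets):  # evaluate a packet sequence against one shared state table
    state = set()
    return [evaluate(rules, p, state) for p in packets]
def R(action, proto, src, dst, **kw):
    return dict(action=action, proto=proto, src=src, dst=dst, **kw)
def P(proto, src, sport, dst, dport, direction, *flags):  # constructed packet
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, dir=direction, flags=set(flags))

# Stateful part of the posted ruleset, in order (anti-spoof/ICMP/frag rules and NAT omitted).
RULES = [
    R("check-state", "all", "any", "any"),
    R("deny", "tcp", "any", "any", dir="in", tcp="established"),
    R("pass", "tcp", "any", "any", dir="out", tcp="setup", keep_state=True),
    R("pass", "all", "me", "any"),
    R("pass", "all", "192.168.0.0/24", "any"),
    R("pass", "tcp", "any", "me", dports={22, 25, 53, 80, 110}, dir="in", tcp="setup"),
    R("pass", "udp", "any", "me", dports={53}, dir="in"),
    R("deny", "all", "any", "any"),
]
def ssh_handshake(rules, client="198.51.100.9"):  # constructed inbound SSH connection
    return trace(rules, [P("tcp", client, 40000, ME, 22, "in", "syn"),
                         P("tcp", ME, 22, client, 40000, "out", "syn", "ack"),
                         P("tcp", client, 40000, ME, 22, "in", "ack")])
```

With the rules as posted, ssh_handshake(RULES) passes the SYN and the SYN-ACK but denies the client's ACK; giving the services rule keep_state=True makes all three packets pass.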