Re: IPFW almost works now -> stateful rules

From: Crist Clark (crist.clark@globalstar.com)
Date: 06/14/01


Date: Thu, 14 Jun 2001 10:35:42 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
To: Marcel Dijk <nascar24@home.nl>, Evren Yurtesen <yurtesen@ispro.net.tr>, "Antoine Beaupre (LMC)" <Antoine.Beaupre@ericsson.ca>, "Thomas T. Veldhouse" <veldy@veldy.net>, Jason DiCioccio <Jason.DiCioccio@Epylon.com>, freebsd-security@FreeBSD.ORG

Crist Clark wrote:

Oops. Correcting an oversight in the rules I posted. Sorry for the
self-follow-up.

[snip]

> Here is what I would do,
>
> # Pass loopback traffic
> add 100 allow ip from any to any via lo0
> # Protect loopback address
> add 200 deny ip from 127.0.0.0/8 to any
> add 300 deny ip from any to 127.0.0.0/8
> # Block spoofs
> add 400 deny ip from MY_IP to any in via ed0
> # Check dynamic rules
> add 400 check-state
> # Make dynamic entries for all outgoing traffic
> add 500 allow tcp from MY_IP to any keep-state out via ed0
> add 600 allow udp from MY_IP to any keep-state out via ed0
    # Services we offer to the world
    add 650 allow log tcp from any to MY_IP 22,5617,10000 keep-state in via ed0
> # Just pass ICMP
> add 700 allow icmp from MY_IP to any out via ed0
> # Allow ping replies and requests, and various error messages
> add 800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12
> # Pass everything on private LAN (do we have another interface?
> # Otherwise, these rules are dangerous)
> add 1000 allow ip from 192.168.0.0/16 to any
> add 1100 allow ip from any to 192.168.0.0/16
> # Log the rejects that have fallen through
> add 65000 deny log ip from any to any
> --
> Crist J. Clark Network Security Engineer
> crist.clark@globalstar.com Globalstar, L.P.
> (408) 933-4387 FAX: (408) 933-4926
>
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above. If
> the reader of this e-mail is not the intended recipient, or the employee
> or agent responsible to deliver it to the intended recipient, you are
> hereby notified that any review, dissemination, distribution or copying
> of this communication is strictly prohibited. If you have received this
> e-mail in error, please contact postmaster@globalstar.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


Relevant Pages

  • Re: ipfw
    ... > If I do ipfw -f flush I still have rule 65535 deny ip from any to any ... Having default deny is generally a Good Thing ... The information contained in this e-mail message is confidential, ... the reader of this e-mail is not the intended recipient, ...
    (FreeBSD-Security)
  • Re: ISOs
    ... Las Vegas, NV / Beverly Hills, CA / Philadelphia, PA / Washington, DC ... Confidentiality Notice: This e-mail message, including any attachments, is ... you are not the intended recipient, please contact the sender by reply ...
    (freebsd-questions)
  • RE: Where are the selected rows stored using fetchall_arrayref
    ... Peter Loo ... This E-mail message is for the sole use of the intended recipient ... unauthorized review, use, disclosure or distribution is prohibited. ... you are not the intended recipient, please contact the sender by reply ...
    (perl.dbi.users)
  • Re: Can I remove sendmail?
    ... This E-mail message and its attachments, if any are intended solely for the use of the addressee hereof. ... If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. ... we have the sendmail.service enabled by default even in the minimal installation. ... May I uninstall sendmail? ...
    (Fedora)
  • Re: AIX 5.3 disaster recovery fro AIX newbie
    ... fro AIX newbie ... errors or omissions in this e-mail message. ... not the intended recipient or the individual responsible for delivering ... e-mail do not reflect the views of Blue Cross Blue Shield of Florida, ...
    (AIX-L)