Re: IPFW almost works now -> stateful rules

From: Crist Clark (crist.clark@globalstar.com)
Date: 06/14/01


Date: Thu, 14 Jun 2001 10:35:42 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
To: Marcel Dijk <nascar24@home.nl>, Evren Yurtesen <yurtesen@ispro.net.tr>, "Antoine Beaupre (LMC)" <Antoine.Beaupre@ericsson.ca>, "Thomas T. Veldhouse" <veldy@veldy.net>, Jason DiCioccio <Jason.DiCioccio@Epylon.com>, freebsd-security@FreeBSD.ORG

Crist Clark wrote:

Oops. Correcting an oversight in the rules I posted. Sorry for the
self-follow-up.

[snip]

> Here is what I would do,
>
> # Pass loopback traffic
> add 100 allow ip from any to any via lo0
> # Protect loopback address
> add 200 deny ip from 127.0.0.0/8 to any
> add 300 deny ip from any to 127.0.0.0/8
> # Block spoofs
> add 400 deny ip from MY_IP to any in via ed0
> # Check dynamic rules
> add 400 check-state
> # Make dynamic entries for all outgoing traffic
> add 500 allow tcp from MY_IP to any keep-state out via ed0
> add 600 allow udp from MY_IP to any keep-state out via ed0
    # Services we offer to the world
    add 650 allow log tcp from any to MY_IP 22,5617,10000 keep-state in via ed0
> # Just pass ICMP
> add 700 allow icmp from MY_IP to any out via ed0
> # Allow ping replies and requests, and various error messages
> add 800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12
> # Pass everything on private LAN (do we have another interface?
> # Otherwise, these rules are dangerous)
> add 1000 allow ip from 192.168.0.0/16 to any
> add 1100 allow ip from any to 192.168.0.0/16
> # Log the rejects that have fallen through
> add 65000 deny log ip from any to any
> --
> Crist J. Clark Network Security Engineer
> crist.clark@globalstar.com Globalstar, L.P.
> (408) 933-4387 FAX: (408) 933-4926
>
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above. If
> the reader of this e-mail is not the intended recipient, or the employee
> or agent responsible to deliver it to the intended recipient, you are
> hereby notified that any review, dissemination, distribution or copying
> of this communication is strictly prohibited. If you have received this
> e-mail in error, please contact postmaster@globalstar.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message