Re: What's the point of not allowing all outgoing traffic by default?



linuxlover992000@xxxxxxxxx wrote:

> Am I missing something?

Outbound traffic is normally disallowed by default, and you have to set up an explicit rule that you want it. Then again you typically also want to filter some traffic.

something like:

#!/bin/sh
# Variables expected to be set before this runs:
#   IANA_PRIVATE      - RFC 1918 ranges (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16)
#   IANA_RESERVED     - other IANA reserved ranges you want dropped everywhere
#   TCP_BAD / UDP_BAD - port lists to refuse in both directions

# Anti-spoofing: my own address never leaves as a destination or arrives as a source
ipfw add 3 deny log ip from any to me out
ipfw add 3 deny log ip from me to any in
# Let broadcasts past the next check, then drop anything on eth0 not addressed to/from me
ipfw add 4 skipto 5 ip from 255.255.255.255 to any out via eth0
ipfw add 4 skipto 5 ip from any to 255.255.255.255 in via eth0
ipfw add 4 skipto 5 ip from 192.168.0.255 to any out via eth0
ipfw add 4 skipto 5 ip from any to 192.168.0.255 in via eth0
ipfw add 4 deny log ip from not me to any out via eth0
ipfw add 4 deny log ip from any to not me in via eth0
# Private address space has no business on the uplink
for I in $IANA_PRIVATE; do
    ipfw add 5 deny log ip from $I to any out via ppp0
    ipfw add 5 deny log ip from any to $I in via ppp0
done
# Reserved space is dropped on every interface
for I in $IANA_RESERVED; do
    ipfw add 6 deny log ip from $I to any
    ipfw add 6 deny log ip from any to $I
done
# Ports we never want open, in either direction, per protocol (TCP_BAD / UDP_BAD)
for P in tcp udp; do
    case $P in tcp) BAD=$TCP_BAD ;; udp) BAD=$UDP_BAD ;; esac
    for J in $BAD; do
        ipfw add 8 deny log $P from any to me $J in
        ipfw add 8 deny log $P from me $J to any out
    done
done
# No mail in or out of this host
ipfw add 9 deny log tcp from me to any smtp out
ipfw add 9 deny log tcp from any smtp to me in
# Stateful part: connections I open are remembered, their replies pass via
# check-state, and nobody gets to open a connection to me
ipfw add 12 check-state
ipfw add 12 allow tcp from me to any out setup keep-state
ipfw add 12 allow tcp from any to any established keep-state
ipfw add 12 allow tcp from any to any frag keep-state
ipfw add 13 deny tcp from any to me in setup
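As an added illustration (not part of the original post), here is a small Python model of the first-match walk ipfw does over rules like these: skipto jumps to the next existing rule number, check-state consults the dynamic table that keep-state fills, and anything unmatched falls to the default deny rule. The host and peer addresses, the ports and the reduced rule subset (rules 5-11 left out) are assumptions made for the example.

```python
from collections import namedtuple
ME = "203.0.113.5"                                # constructed: this host's address
BROADCAST = {"255.255.255.255", "192.168.0.255"}  # the rule-4 broadcast exceptions
# A packet: addresses, direction "in"/"out", ports, and the two TCP flags ipfw keys on.
Pkt = namedtuple("Pkt", "src dst direction sport dport syn ack", defaults=(0, 0, False, False))
def key(p, reverse=False):  # 4-tuple for the dynamic table; reverse = the reply direction
    return (p.dst, p.dport, p.src, p.sport) if reverse else (p.src, p.sport, p.dst, p.dport)
# (rule number, action, match) in walk order. Rules 5-11 of the post are left out, so
# "skipto 5" lands on the next existing number, rule 12, exactly as ipfw resolves it.
RULES = [
    (3, "deny", lambda p: p.dst == ME and p.direction == "out"),   # my address leaving as dst
    (3, "deny", lambda p: p.src == ME and p.direction == "in"),    # my address arriving as src
    (4, "skipto 5", lambda p: p.src in BROADCAST or p.dst in BROADCAST),
    (4, "deny", lambda p: p.direction == "out" and p.src != ME),   # "from not me to any out"
    (4, "deny", lambda p: p.direction == "in" and p.dst != ME),    # "from any to not me in"
    (12, "check-state", None),
    (12, "allow keep-state", lambda p: p.src == ME and p.direction == "out" and p.syn and not p.ack),
    (12, "allow keep-state", lambda p: p.ack),                     # "established": ACK set
    (13, "deny", lambda p: p.dst == ME and p.direction == "in" and p.syn and not p.ack),
]

def walk(rules, pkt, state):
    """First match wins; returns (rule number, verdict). Unmatched traffic hits default rule 65535."""
    i = 0
    while i < len(rules):
        num, action, cond = rules[i]
        if action == "check-state":                  # consult the dynamic table first
            if key(pkt) in state or key(pkt, True) in state:
                return (num, "allow")
        elif cond(pkt):
            if action.startswith("skipto"):          # jump to the first rule numbered >= target
                i = next((k for k, r in enumerate(rules) if r[0] >= int(action.split()[1])), len(rules))
                continue
            if action == "allow keep-state":         # remember the flow for later check-state
                state.add(key(pkt))
            return (num, action.split()[0])
        i += 1
    return (65535, "deny")

def scenario():
    # Constructed packets, walked in this order against one shared dynamic-state table.
    state, peer = set(), "198.51.100.7"
    return {
        "my SYN out": walk(RULES, Pkt(ME, peer, "out", 40000, 443, syn=True), state),
        "their SYN/ACK back": walk(RULES, Pkt(peer, ME, "in", 443, 40000, ack=True), state),
        "unsolicited SYN in": walk(RULES, Pkt(peer, ME, "in", 5555, 22, syn=True), state),
        "my address arriving from outside": walk(RULES, Pkt(ME, peer, "in"), state),
        "broadcast in": walk(RULES, Pkt("192.168.0.9", "192.168.0.255", "in"), state),
        "unsolicited ACK in": walk(RULES, Pkt(peer, ME, "in", 5555, 22, ack=True), state),
    }
```

The last scenario shows what the established clause does on its own: an ACK-flagged packet with no dynamic state is passed by rule 12's established line rather than by check-state, which is worth keeping in mind when you read the deny log.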