Re: Sanity-check for my (working) ipfw rules please...
On Tue, 11 Jul 2006 13:16:21 +1000 Nick Withers <[EMAIL PROTECTED]> wrote:

> On Mon, 10 Jul 2006 18:38:51 -0400 (EDT)
> Ensel Sharon <[EMAIL PROTECTED]> wrote:
>
> > My individual hosts have a set of firewall rules on each of them that
> > looks like this:
(snip)
> > Second, are there any other bad-behavior blocks I should put into my list?
>
> How about:
>
> deny tcp from any to any tcpflags fin,urg,psh
> deny tcp from any to any tcpflags syn,fin,rst,ack
> deny tcp from any to any tcpflags '!syn,!fin,!ack'
>
> (rorted from a posting at
> http://support.daemonnews.org/viewtopic.php?p=846, I have to
> admit that I haven't myself actually checked that these are
> correct and therefore don't use them myself)
>
> and
>
> deny all from 10.0.0.0/8 to any in via
> deny all from 203.219.206.72/30 to any in via

Sorry - 203.219.206.72/30 is the network address for my public interface.

> deny all from any to 0.0.0.0/8 via
> deny all from any to 169.254.0.0/16 via
> deny all from any to 192.0.2.0/24 via
> deny all from any to 198.18.0.0/15 via
> deny all from any to 224.0.0.0/4 via
> deny all from any to 240.0.0.0/4 via
> deny all from any to 172.16.0.0 via
> deny all from any to 192.168.0.0/16 via
>
> deny all from 0.0.0.0/8 to any via
> deny all from 169.254.0.0/16 to any via
> deny all from 192.0.2.0/24 to any via
> deny all from 198.18.0.0/15 to any via
> deny all from 224.0.0.0/4 to any via
> deny all from 240.0.0.0/4 to any via
> deny all from 172.16.0.0 to any via
> deny all from 192.168.0.0/16 to any via

...and these actually probably aren't all that appropriate for your situation (i.e., internal client rules, rather than Internet <-> LAN router)

> > Thanks!

Hope this is at least vaguely useful, and sorry for any misleading / inappropriate information!
--
Nick Withers
email: [EMAIL PROTECTED]
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Sanity-check for my (working) ipfw rules please...
On Mon, 10 Jul 2006 18:38:51 -0400 (EDT) Ensel Sharon <[EMAIL PROTECTED]> wrote:

> My individual hosts have a set of firewall rules on each of them that
> looks like this:
>
> /sbin/ipfw add 00010 allow ip from any to any via lo0
> /sbin/ipfw add 00020 deny ip from any to 127.0.0.0/8
>
> /sbin/ipfw add 00100 count ip from any to any via em0 in
> /sbin/ipfw add 00100 count ip from any to any via em0 out

Note the double-up of rule numbers here... Don't know if you care, but thought I'd point it out.

> /sbin/ipfw add 01000 allow tcp from any to any established
>
> /sbin/ipfw add 01010 deny tcp from any to any tcpflags syn tcpoptions !mss
> /sbin/ipfw add 01011 deny icmp from any to any icmptypes 4,5,9,10,12,13,14,15,16,17,18
> /sbin/ipfw add 01012 deny tcp from any to any tcpflags syn,fin
> /sbin/ipfw add 01013 deny tcp from any to any tcpflags fin,psh,rst,urg
>
> /sbin/ipfw add 02001 allow udp from 10.10.10.10 to any 53
> /sbin/ipfw add 02002 allow udp from any 53 to 10.10.10.10
> /sbin/ipfw add 02003 allow tcp from any to 10.10.10.10 21,22,80,443 setup
> /sbin/ipfw add 02009 deny ip from any to 10.10.10.10
>
> Easy. Some standard loopback lines, count traffic on the interface, allow
> established, block out obvious offenders (xmas tree, syn/fin, etc.) and
> then open up the ports I need and block everything else. Easy. It works
> great.
>
> Two questions: is it appropriate to have line 01000 above all of my
> bad-behavior lines ? That is, by allowing all established, is it possible
> that some of those bad tcp packets could be let in before they hit my
> bad-behavior block of ipfw rules ? Or are all of those bad behaviors
> inconsistent with being an established tcp session ?

As Chuck Swiger pointed out in an earlier reply, you're probably better off moving the rule down below your naughty packet checking.

> Second, are there any other bad-behavior blocks I should put into my list?

How about:

deny tcp from any to any tcpflags fin,urg,psh
deny tcp from any to any tcpflags syn,fin,rst,ack
deny tcp from any to any tcpflags '!syn,!fin,!ack'

(rorted from a posting at http://support.daemonnews.org/viewtopic.php?p=846, I have to admit that I haven't myself actually checked that these are correct and therefore don't use them myself)

and

deny all from 10.0.0.0/8 to any in via
deny all from 203.219.206.72/30 to any in via

deny all from any to 0.0.0.0/8 via
deny all from any to 169.254.0.0/16 via
deny all from any to 192.0.2.0/24 via
deny all from any to 198.18.0.0/15 via
deny all from any to 224.0.0.0/4 via
deny all from any to 240.0.0.0/4 via
deny all from any to 172.16.0.0 via
deny all from any to 192.168.0.0/16 via

deny all from 0.0.0.0/8 to any via
deny all from 169.254.0.0/16 to any via
deny all from 192.0.2.0/24 to any via
deny all from 198.18.0.0/15 to any via
deny all from 224.0.0.0/4 to any via
deny all from 240.0.0.0/4 to any via
deny all from 172.16.0.0 to any via
deny all from 192.168.0.0/16 to any via

> Thanks!

--
Nick Withers
email: [EMAIL PROTECTED]
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
Re: Sanity-check for my (working) ipfw rules please...
Ensel Sharon wrote:
[ ... ]
> Two questions: is it appropriate to have line 01000 above all of my
> bad-behavior lines ?

"established" means "ACK and not SYN", basically. Your "bad behavior" rules wouldn't really match anything which matches established, but it's probably better to block known-bad stuff earlier on.

However, it's not the same thing as stateful tracking, which you might want to consider using depending on what you're doing...

--
-Chuck
Sanity-check for my (working) ipfw rules please...
My individual hosts have a set of firewall rules on each of them that looks like this:

/sbin/ipfw add 00010 allow ip from any to any via lo0
/sbin/ipfw add 00020 deny ip from any to 127.0.0.0/8

/sbin/ipfw add 00100 count ip from any to any via em0 in
/sbin/ipfw add 00100 count ip from any to any via em0 out

/sbin/ipfw add 01000 allow tcp from any to any established

/sbin/ipfw add 01010 deny tcp from any to any tcpflags syn tcpoptions !mss
/sbin/ipfw add 01011 deny icmp from any to any icmptypes 4,5,9,10,12,13,14,15,16,17,18
/sbin/ipfw add 01012 deny tcp from any to any tcpflags syn,fin
/sbin/ipfw add 01013 deny tcp from any to any tcpflags fin,psh,rst,urg

/sbin/ipfw add 02001 allow udp from 10.10.10.10 to any 53
/sbin/ipfw add 02002 allow udp from any 53 to 10.10.10.10
/sbin/ipfw add 02003 allow tcp from any to 10.10.10.10 21,22,80,443 setup
/sbin/ipfw add 02009 deny ip from any to 10.10.10.10

Easy. Some standard loopback lines, count traffic on the interface, allow established, block out obvious offenders (xmas tree, syn/fin, etc.) and then open up the ports I need and block everything else. Easy. It works great.

Two questions: is it appropriate to have line 01000 above all of my bad-behavior lines ? That is, by allowing all established, is it possible that some of those bad tcp packets could be let in before they hit my bad-behavior block of ipfw rules ? Or are all of those bad behaviors inconsistent with being an established tcp session ?

Second, are there any other bad-behavior blocks I should put into my list?

Thanks!
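To make the ordering question in the post above concrete, here is an added example (not written by anyone in the thread) that models ipfw's first-match evaluation for the TCP rules in the ruleset and runs a few constructed flag combinations through it with rule 01000 above and then below the tcpflags checks. The matching semantics are my reading of ipfw(8) and are an assumption of this example; addresses, ports and tcpoptions are left out, so rule 01010 is not modelled.

```python
# Modelled semantics (assumption, from my reading of ipfw(8)):
#  - rules are tried in ascending number order and the first match wins;
#  - "established" matches TCP packets with the RST or ACK bit set;
#  - "tcpflags a,b,!c" checks only the listed flags, unlisted flags are ignored;
#  - "setup" matches SYN set and ACK clear.
from dataclasses import dataclass

@dataclass
class Rule:
    num: int
    action: str                         # "allow" or "deny"
    established: bool = False
    setup: bool = False
    tcpflags: frozenset = frozenset()   # e.g. {"syn", "fin"} or {"!ack"}

def matches(rule, flags):
    """flags: set of TCP flag names set on the packet, e.g. {"syn", "fin", "ack"}."""
    if rule.established and not (flags & {"rst", "ack"}):
        return False
    if rule.setup and not ("syn" in flags and "ack" not in flags):
        return False
    for spec in rule.tcpflags:
        want_clear = spec.startswith("!")
        name = spec.lstrip("!")
        if (name in flags) == want_clear:   # required flag missing, or forbidden flag present
            return False
    return True

def first_match(rules, flags):
    """Return (rule number, action) of the first matching rule; 65535 deny is ipfw's default."""
    for r in sorted(rules, key=lambda r: r.num):
        if matches(r, flags):
            return r.num, r.action
    return 65535, "deny"

# TCP-only subset of the posted ruleset (rule 01010 omitted, see above).
FLAG_CHECKS = [Rule(1012, "deny", tcpflags=frozenset({"syn", "fin"})),
               Rule(1013, "deny", tcpflags=frozenset({"fin", "psh", "rst", "urg"}))]
TAIL = [Rule(2003, "allow", setup=True), Rule(2009, "deny")]

def as_posted():        # rule 01000 "allow ... established" above the bad-behaviour checks
    return [Rule(1000, "allow", established=True), *FLAG_CHECKS, *TAIL]

def reordered():        # the same allow moved below the checks, as the replies suggest
    return [*FLAG_CHECKS, Rule(1020, "allow", established=True), *TAIL]

if __name__ == "__main__":
    # Constructed packets: a normal SYN, a normal ACK, SYN+FIN, and SYN+FIN with ACK also set.
    for pkt in ({"syn"}, {"ack"}, {"syn", "fin"}, {"syn", "fin", "ack"}):
        print(sorted(pkt), first_match(as_posted(), pkt), first_match(reordered(), pkt))
```

Under these semantics a SYN+FIN packet that also carries ACK is passed by rule 01000 in the posted order and only reaches rule 01012 once the allow is moved below the checks.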