Login or Register to Ask a Question and Join Our Community


Cybersecurity

FreeBSD IPFW Rules clarification please...

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Special Forums Cybersecurity FreeBSD IPFW Rules clarification please...
# 1  
Old 04-28-2005
FreeBSD IPFW Rules clarification please...
Hello.

I hope you can help me please.
We are about to bring a few servers online which will be hosting different things...

For one server, it will be hosting a HTTPd, and just wanted to know whether these rules are correct that I have?

To ensure the right interfaces etc, here's a copy of my 'ifconfig' output:

Code:
$ ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet our.public.ip.here netmask 0xfffffff0 broadcast our.broadcast.i[
        inet6 xxxxx prefixlen 64 scopeid 0x1
        ether 00:02:b3:b8:cd:7b
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fwe0: flags=108802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether 02:0f:ea:1b:34:bf
        ch 1 dma -1
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether 00:0f:ea:a1:33:1b
        media: Ethernet autoselect (10baseT/UTP)
        status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
$

The interface our public Internet Ethernet card is on is: fxp0

The rules:

Code:
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference.  Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established

# Allow all localhost connections
$fwcmd add allow tcp from me to any out via lo0 setup keep-state
$fwcmd add deny  tcp from me to any out via lo0
$fwcmd add allow ip  from me to any out via lo0 keep-state

# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny  tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state
$fwcmd add allow all from 192.168.0.0/24 to any

# Everyone on the Internet is allowed to connect to the following
# services on the machine.  This example specifically allows connections
# to sshd and a webserver.
$fwcmd add allow tcp from any to any established
$fwcmd add allow tcp from any to me 80 setup

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any

# Enable ICMP: remove type 8 if you don't want your host to be pingable
$fwcmd add allow icmp from any to any icmptypes 0,3,11,12,13,14

# Deny all the rest.
$fwcmd add deny log ip from any to any

Many thanks!
# 2  
Old 08-13-2008
In the first part, you use statefull inspection:
$fwcmd add check-state
$fwcmd add deny tcp from any to any established

but then, in the last part:
$fwcmd add allow tcp from any to any established
$fwcmd add allow tcp from any to me 80 setup

I would make it:
$fwcmd add allow tcp from any to me 80 setup keep-state

and remove
$fwcmd add allow tcp from any to any established
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. OS X (Apple)

How to enable ipfw.log?

Under Mountain Lion, I want logs from ipfw sent to ipfw.log instead of dumped in system.log I've tried to figure out how OSX handles logs, but... after going back and forth between a syslog.conf which does little if anything, a newsyslog.conf that seems to only handle rotation, an asl.conf that... (3 Replies)
Discussion started by: jnojr
3 Replies

2. Shell Programming and Scripting

Help, SSH /ipfw block script

Hello, This is an SSH Block hammer script using ipfw, that I have modified for my own use. It is for a freenas 7.2 box which is FreeBSD based. The script works, but if there is more then one hammer attack per day, my issue is the script reads the first five instances of refused or invalid... (2 Replies)
Discussion started by: dpreviti
2 Replies

3. Cybersecurity

pass syntax iptables to ipfw

Hello, excuse my English. Please could tell me how I can pass this syntax for iptables to ipfw. iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name thor --rdest -j ACCEPT iptables -A INPUT -p tcp -m tcp --tcp-flag RST RST -m state --state ESTABLISHED -m recent... (0 Replies)
Discussion started by: dot357
0 Replies

4. UNIX for Advanced & Expert Users

ipfw and dhcp

Hello, I have a little problem with my server configuration. So: I have two PC's with DHCP enable and both of them have two NIC's. PC1 - le0 ADSL PC1 - le1 192.168.10.1 PC2 - le0 192.168.10.10 PC2 - le1 192.168.20.1 One NIC on PC1 is connected to ADSL, another one have IP address... (3 Replies)
Discussion started by: mrowcp
3 Replies

5. BSD

Using several pipes in ipfw (dummynet)

Hi! I've already posted this on the freebsd-questions mailing list, but I thought I could try it here too. I'm using FreeBSD 7.0 with IPFW DUMMYNET enabled. I've got a problem with creating a ruleset, which allows me to limit the overall bandwidth of a link and afterwards pass the packets... (0 Replies)
Discussion started by: xenator
0 Replies

6. Cybersecurity

ipfw - dynamic rules and multiple IP addresses with outgoing packets

Here's the problem: Some email-service providers (like Google) have more than one server and distribute the load such that, e.g. the incoming mail server imap.gmail.com is assigned to more than one IP-address. With stateful rules, the ipfw firewall correctly allows outgoing packages to one of... (1 Reply)
Discussion started by: steffen
1 Replies

7. UNIX for Dummies Questions & Answers

Need help with IPFW.. Please...

Hi folks, I am a Mac User, and have little knowledge on IPFW. I have a set up at home where my computer (with 2 ethernet cards and static IP adresses) serves Internet to my family's computers. I have already a script that will run automatically at login and called from Cron at certain... (2 Replies)
Discussion started by: fundidor
2 Replies

8. BSD

ipfw slow ssh and ftp connections

just as the title says. thanks. #General Rule Sets /sbin/ipfw add 0300 check-state /sbin/ipfw add 0301 deny tcp from any to any in established /sbin/ipfw add 0302 pass tcp from any to any out setup keep-state /sbin/ipfw add 0303 pass udp from any to any out #SSH FTP /sbin/ipfw add 0400... (11 Replies)
Discussion started by: dwildgoose
11 Replies

9. Cybersecurity

ipfw directives and order of precidence...

Is there a general rule I can apply when examining/editing ipfw entries? Also, does each new entry have to have a unique rule number? And, I think I can write a script to block code red infected machines (though I'm not sure it would do more than slim down my web server error message log),... (0 Replies)
Discussion started by: [MA]Flying_Meat
0 Replies

10. UNIX for Dummies Questions & Answers

fBSD nat ipfw

i am running nat on my freeBSD and web/ftp server. The rule allow ip from any to any must always be? or how? if i accept all packets to go on my ep0 which diverts all to my intranet it doesnt help, must the rule allow ip from any to any always be ? even if many rules are between divert rule and... (3 Replies)
Discussion started by: hachik
3 Replies
Login or Register to Ask a Question