My individual hosts have a set of firewall rules on each of them that looks like this:
/sbin/ipfw add 00010 allow ip from any to any via lo0 /sbin/ipfw add 00020 deny ip from any to 127.0.0.0/8 /sbin/ipfw add 00100 count ip from any to any via em0 in /sbin/ipfw add 00100 count ip from any to any via em0 out /sbin/ipfw add 01000 allow tcp from any to any established /sbin/ipfw add 01010 deny tcp from any to any tcpflags syn tcpoptions !mss /sbin/ipfw add 01011 deny icmp from any to any icmptypes 4,5,9,10,12,13,14,15,16,17,18 /sbin/ipfw add 01012 deny tcp from any to any tcpflags syn,fin /sbin/ipfw add 01013 deny tcp from any to any tcpflags fin,psh,rst,urg /sbin/ipfw add 02001 allow udp from 10.10.10.10 to any 53 /sbin/ipfw add 02002 allow udp from any 53 to 10.10.10.10 /sbin/ipfw add 02003 allow tcp from any to 10.10.10.10 21,22,80,443 setup /sbin/ipfw add 02009 deny ip from any to 10.10.10.10 Easy. Some standard loopback lines, count traffic on the interface, allow established, block out obvious offedners (xmas tree, syn/fin, etc.) and then open up the ports I need and block everything else. Easy. It works great. Two questions: is it appropriate to have line 01000 above all of my bad-behavior lines ? That is, by allowing all established, is it possible that some of those bad tcp packetrs could be let in before they hit my bad-behavior block of ipfw rules ? Or are all of those bad behaviors inconsistent with being an established tcp session ? Second, are there any other bad-behavior blocks I should put into my list? Thanks! _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"