My individual hosts have a set of firewall rules on each of them that
looks like this:


/sbin/ipfw add 00010 allow ip from any to any via lo0
/sbin/ipfw add 00020 deny ip from any to 127.0.0.0/8
 
/sbin/ipfw add 00100 count ip from any to any via em0 in
/sbin/ipfw add 00100 count ip from any to any via em0 out

/sbin/ipfw add 01000 allow tcp from any to any established

/sbin/ipfw add 01010 deny tcp from any to any tcpflags syn tcpoptions !mss
/sbin/ipfw add 01011 deny icmp from any to any icmptypes
4,5,9,10,12,13,14,15,16,17,18
/sbin/ipfw add 01012 deny tcp from any to any tcpflags syn,fin
/sbin/ipfw add 01013 deny tcp from any to any tcpflags fin,psh,rst,urg

/sbin/ipfw add 02001 allow udp from 10.10.10.10 to any 53
/sbin/ipfw add 02002 allow udp from any 53 to 10.10.10.10
/sbin/ipfw add 02003 allow tcp from any to 10.10.10.10 21,22,80,443 setup
/sbin/ipfw add 02009 deny ip from any to 10.10.10.10


Easy.  Some standard loopback lines, count traffic on the interface, allow
established, block out obvious offedners (xmas tree, syn/fin, etc.) and
then open up the ports I need and block everything else.  Easy.  It works
great.

Two questions:  is it appropriate to have line 01000 above all of my
bad-behavior lines ?  That is, by allowing all established, is it possible
that some of those bad tcp packetrs could be let in before they hit my
bad-behavior block of ipfw rules ?  Or are all of those bad behaviors
inconsistent with being an established tcp session ?

Second, are there any other bad-behavior blocks I should put into my list?

Thanks!


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to