Cool! Thanks for the reply + suggestions! I haven't had any trouble with my firewall blocking too much yet (also didn't connect to the internet much yet :), but I'll think about just allowing all out... On the other hand, I like the idea of only letting out what I need (which isn't very much) and denying all else.

I don't use the file shares on the network, so I figured if I got a packet from one of those addresses it would be a mistake, so I let them drop. Anyway, I'll try to build some rules based on the suggestions you made, and then I can try them both and decide which one gives me the least trouble :)

greetings, jurjen.

On Mon, Dec 18, 2006 at 04:29:06AM +0200, Giorgos Keramidas wrote:
> On 2006-12-16 18:01, Jurjen Middendorp <[EMAIL PROTECTED]> wrote:
>> I tried making a firewall for my laptop.. but I'm not sure if I forgot
>> anything. And things can always be done better :)
>
>> #to stack (student computer thing... e-mail, irc, ssh stuff)
>> $cmd 020 allow all from me to 131.155.140.141/16 via $oif $ks
>>
>> #allow ssh
>> $cmd 021 allow all from me to any 22 out via $oif setup $ks
>>
>> #internet sites:
>> $cmd 032 allow tcp from me to any 80 out via $oif setup $ks
>> #https
>> $cmd 033 allow tcp from me to any 443 out via $oif setup $ks
>> #gopher
>> $cmd 034 allow tcp from me to any 70 out via $oif setup $ks
>>
>> #other e-mail
>> #pop
>> $cmd 040 allow tcp from me to any 110 out via $oif setup $ks
>> #imap
>> $cmd 041 allow tcp from me to any 143 out via $oif setup $ks
>>
>> #allow dns queries
>> $cmd 050 allow udp from me to any 53 out via $oif $ks
>> #allow ntp (?) queries
>> $cmd 051 allow udp from me to any 123 out via $oif $ks
>>
>> #i can send icmp myself
>> $cmd 060 allow icmp from me to any out via $oif $ks
>> #but others can't
>> $cmd 061 deny icmp from any to me
>>
>> #
>> #root can do anything
>> $cmd 070 allow tcp from me to any out via $oif setup $ks uid root
>>
>> #log other outgoing packets
>> $cmd 071 deny log all from any to any out via $oif
>>
>> ####
>> # Incoming
>>
>> #The default is that all other connections will be blocked anyway, but
>> # the more stuff i put in here, the less stuff will get logged
>>
>> #deny incoming to private networks
>> $cmd 100 deny all from 192.168.0.0/16 to any in via $oif #RFC 1918
>> $cmd 101 deny all from 172.16.0.0/16 to any in via $oif #RFC 1918
>> $cmd 105 deny all from 169.254.0.0/16 to any in via $oif #DHCP auto
>> $cmd 106 deny all from 192.0.2.0/24 to any in via $oif #reserved
>> $cmd 108 deny all from 192.168.0.0/16 to any in via $oif #D & E class
>>
>> # multicast
>> #block smb stuff
>> $cmd 120 deny tcp from any to me 137 in via $oif
>> $cmd 121 deny tcp from any to me 138 in via $oif
>> $cmd 122 deny tcp from any to me 139 in via $oif
>>
>> #log ACK packets that didn't match the dynamic ruleset
>> $cmd 130 deny log all from any to any established in via $oif
>>
>> #Now log some stuff in case i did something wrong
>> $cmd 999 deny log any to me

Rule 999 had a syntax error and now it reads "...log all from..."; that works a bit better :)

> It's a fairly complex ruleset, but it seems mostly ok. There are a few
> things I'd change, mostly resulting from my own personal preferences:
>
>  * I don't like hard-coding rule numbers in IPFW rulesets.
>
>  * I like using 127.0.0.1/32 instead of any for loopback interfaces.
>
>  * In general, I prefer much simpler rulesets.
>
>  * I try to avoid a lot of variables/macros, like your $ks, since they
>    don't really keep things a lot shorter, and when they do they try to
>    abstract away too much of ipfw's syntax.
>
>  * I don't aggressively filter out ICMP packets. They are useful for a
>    lot of things, they are rate-limited by the kernel, and it is
>    usually silly to block them without a fair amount of knowledge and a
>    very good reason.
>
>  * I don't deny packets for 'private' networks, like 192.168.0.0/26,
>    because the networks I use with my laptop *ARE* private a lot of the
>    time. Having the firewall block too much and cause me problems is
>    rarely a good way of spending my time.
>
> I would probably start with something like:
>
>   <<<recommendation for ipfw ruleset>>>
>
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
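An added example, not from either mail in the thread: a small Python lint for rule lines written in the `$cmd NNN ... #comment` form used above. It flags a rule whose comment claims RFC 1918 but whose source block is not one of the three RFC 1918 prefixes, a rule whose body duplicates an earlier one (so the later rule can never match), and a rule missing the `from ... to ...` clause that ipfw requires (the rule 999 error noted above). The sample rule text is constructed from the quoted "Incoming" block.

```python
import ipaddress

# The three RFC 1918 private blocks (from the RFC, not from the mail).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: rule lines copied from the quoted "Incoming" block.
SAMPLE_RULES = """\
$cmd 100 deny all from 192.168.0.0/16 to any in via $oif #RFC 1918
$cmd 101 deny all from 172.16.0.0/16 to any in via $oif #RFC 1918
$cmd 105 deny all from 169.254.0.0/16 to any in via $oif #DHCP auto
$cmd 108 deny all from 192.168.0.0/16 to any in via $oif #D & E class
$cmd 999 deny log any to me
"""


def parse_rule(line):
    """Return (number, body, comment) for a "$cmd NNN ..." line, else None."""
    body, _, comment = line.strip().partition("#")
    words = body.split()
    if len(words) < 2 or words[0] != "$cmd" or not words[1].isdigit():
        return None
    return int(words[1]), " ".join(words[2:]), comment.strip()


def lint(text):
    """Return [(rule_number, message), ...] in the order the rules appear."""
    findings, seen = [], {}
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        num, body, comment = parsed
        words = body.split()
        # Every ipfw rule body needs "from <src> to <dst>" (rule 999 lacks it).
        if "from" not in words or "to" not in words:
            findings.append((num, "syntax: missing 'from ... to ...' clause"))
            continue
        # An identical later body is shadowed by the earlier rule.
        if body in seen:
            findings.append((num, f"duplicate of rule {seen[body]}; never matches"))
        else:
            seen[body] = num
        # A comment claiming RFC 1918 must name one of the three RFC 1918 blocks.
        src = words[words.index("from") + 1]
        if "1918" in comment and "/" in src:
            net = ipaddress.ip_network(src, strict=False)
            if net not in RFC1918:
                findings.append((num, f"{net} is not an RFC 1918 block"))
    return findings
```

Run `lint(SAMPLE_RULES)` to see the three findings; feed it your own script text before loading the rules with ipfw.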
