Hi all,
I'm somewhat a first-timer when it comes to IPFW. I have been using it for about a year, but been using a stock template I bashed together after a bit of research some time ago. Anyway, I'm trying to improve my FreeBSD and IPFW knowledge, and I'm working on my rulesets. I would appreciate a review of the following ruleset and suggest better ways of doing things, or things that are wrong, or more best practices.
Things I am not sure about are the "setup" and "keep-state" options, as well as the entire stateful inspection paragraph.
Thanks!
Mark
Code:
```sh
IPF="ipfw -q add"
ipfw -q -f flush
# ******** BUNCH of HOST AND NETWORK VARIABLES HERE ********
#loopback
$IPF 09 deny tcp from any to 127.0.0.1 113 in
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny log tcp from any to any frag
# Deny Statements
$IPF 41 deny log all from 172.16.0.0/12 to any in #RFC 1918
$IPF 42 deny log all from 10.0.0.0/8 to any in #RFC 1918
$IPF 43 deny log all from $******** to any in
$IPF 44 deny log all from $******** to any in
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established # Won't this and the rule below it be wrong?
# The example on FreeBSD page says
# to deny established, but I'm not sure if this means keep accepting already
# established (connection tracked) sessions, or whether it means accept packets
# that are ACKs whether they have a valid session in the connections table or not?
$IPF 70 allow log all from any to any out keep-state
# ICMP
$IPF 80 allow log icmp from $******** to ******** keep-state
$IPF 81 allow log icmp from $******** to any keep-state
$IPF 82 allow log icmp from $******** to ******** keep-state
$IPF 83 allow icmp from $******** to any keep-state
$IPF 84 deny log icmp from any to any
# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 100 allow log any from $******** to any in setup keep-state
$IPF 101 allow log any from $******** to any in setup keep-state
$IPF 102 allow log tcp from any to any 21 out setup keep-state #FTP for faster port downloads
$IPF 110 allow log tcp from $******** to any 22 in setup keep-state # SSH MANAGEMENT
$IPF 111 allow log tcp from $******** to any 22 in setup keep-state
$IPF 112 allow log tcp from $******** to any 22 in setup keep-state
$IPF 113 allow log tcp from $******** to any 22 in setup keep-state
$IPF 120 allow log tcp from any to any 22 out setup keep-state uid root limit src-addr 5
$IPF 130 allow log udp from any to any 53 out setup keep-state limit src-addr 5
$IPF 140 allow log tcp from any to any 53 out setup keep-state limit src-addr 5
$IPF 150 allow log tcp from any to any 80 out setup keep-state limit src-addr 30
$IPF 160 allow log tcp from any to any 443 out setup keep-state limit src-addr 30
# deny and log everything
$IPF 500 deny log all from any to any
```
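For reference, a minimal stateful IPFW skeleton showing how check-state, setup and keep-state fit together and why a blanket "allow established" rule is not needed once the state table is in use. This is an added example, not the ruleset above and not FreeBSD project code; the interface em0 and the 192.0.2.0/24 management network are assumptions, and setting IPF=echo prints the commands instead of loading them.

```shell
#!/bin/sh
# Added example of a stateful IPFW ruleset skeleton (not the poster's ruleset,
# not FreeBSD project code). Interface, networks and ports are assumptions.
# Set IPF=echo to print the rules instead of loading them into the kernel.
IPF="${IPF:-ipfw -q add}"
EXT_IF="${EXT_IF:-em0}"               # assumed external interface
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # assumed management network (doc range)

load_ruleset() {
    # Loopback first; nothing on a real interface should carry 127/8.
    $IPF 10 allow all from any to any via lo0
    $IPF 20 deny all from any to 127.0.0.0/8
    $IPF 30 deny all from 127.0.0.0/8 to any

    # check-state must sit before every keep-state/limit rule: a packet that
    # matches a dynamic (state table) entry is accepted here and never reaches
    # the rules below, so no blanket "allow tcp ... established" is required.
    $IPF 50 check-state

    # Outbound TCP: "setup" matches only the SYN that opens a session, and
    # keep-state records the flow so the replies are handled by check-state.
    $IPF 100 allow tcp from me to any 53,80,443 out via $EXT_IF setup keep-state
    # "setup" is TCP-only; UDP and ICMP are tracked with keep-state alone.
    $IPF 110 allow udp from me to any 53 out via $EXT_IF keep-state
    $IPF 120 allow icmp from me to any out via $EXT_IF icmptypes 8 keep-state

    # Inbound: only SSH from the management network, at most 5 sessions per
    # source address (limit creates the dynamic entry itself).
    $IPF 200 allow tcp from $MGMT_NET to me 22 in via $EXT_IF setup limit src-addr 5

    # Any TCP packet still here with ACK set claims to belong to a session the
    # state table does not know about, so it is dropped and logged.
    $IPF 300 deny log tcp from any to any established

    # Default deny, logged, so that nothing passes by accident.
    $IPF 500 deny log all from any to any
}

# Number of rules the skeleton emits; useful for a dry-run check with IPF=echo.
rule_count() { load_ruleset | grep -c .; }
```

Run `IPF=echo sh thisfile.sh` style dry runs first; only call load_ruleset with the default IPF after `ipfw -q -f flush` on a host where you have console access.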