Some allow the use of only sockets. And then one is forced to be local. You cannot route sockets over the internet.
> My point was that just because an application is listening on port n, that doesn't mean that a firewall is THE solution for securing port n. You may need to think not about securing port n, or port n+1, but telling the application to behave, which is done via .conf files. It's a bit like having a lock on your door, but also telling your kid/application to behave smartly and not let strangers in.

Hmm, not sure I follow. XDM, KDM, GDM all listen on port 177. This is for XDMCP requests. Luckily it is disabled by default on all of them. (It is not controlled by xorg.conf but by xdm-config, kdmrc and gdm.conf respectively.)
Port 6000 is what a remote Xorg traditionally used. This is no longer enabled by default (i.e. since 2007).
Port 5900 is what a remote GNOME or Sway running Wayland-style uses. This is also not enabled by default.
> Some allow the use of only sockets. And then one is forced to be local. You cannot route sockets over the internet.

Sockets can be encapsulated in IP packets, which are routable.

> You may need to think not about securing port n, or port n+1, but telling the application to behave

Yep, this is important. The other day I found out that there is no way to turn off a number of Windows "share" related services listening on ports. When you toggle the "off" button what it actually does is add a firewall rule denying that port! How naff is that?
sockstat -l, as demonstrated earlier in the thread: it really is satisfying to see a silent FreeBSD install. Only SSH is allowed for the majority of my machines.

> Code:
> jitte@bakemono:~ $ sockstat -46 | grep -v 127.0.0.1 | grep -v ::1

You can save the grep -vs by using sockstat -46L.

Security can be anything. Currently issues are spread over the forum?
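The two sockstat posts above amount to a check worth scripting: list the listeners that are reachable from off-box and compare them against what the host is supposed to expose (in the post above, only SSH). The script below is an added example, not code posted by anyone in this thread. It runs over a constructed sockstat-style listing embedded in the script (labelled as such); on a real FreeBSD host you would pipe `sockstat -46L` into the function instead. The "proto/port" allow-list format is my own convention, not a sockstat feature.

```shell
#!/bin/sh
# Added example: audit sockstat(1) output against an allow-list of expected
# listeners. Not from the thread; the allow-list format "proto/port" is my own
# convention. On a real FreeBSD host you would run:
#     sockstat -46L | audit_listeners "tcp/22"
# -L already drops loopback-bound sockets, but the filter below repeats that
# check so plain `sockstat -46l` output is handled the same way.

# Constructed sample in the layout of `sockstat -46l` (not captured from a real host).
SAMPLE='USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   4   tcp6   *:22                  *:*
root     sshd       712   5   tcp4   *:22                  *:*
root     sendmail   751   3   tcp4   127.0.0.1:25          *:*
root     sendmail   751   4   tcp6   ::1:25                *:*
root     syslogd    623   7   udp6   *:514                 *:*
root     syslogd    623   8   udp4   *:514                 *:*
www      nginx      901   6   tcp4   *:80                  *:*'

# audit_listeners "tcp/22 udp/53" < sockstat-output
# Prints one "UNEXPECTED" line per listening socket that is neither bound to a
# loopback address nor on the allow-list; prints nothing for a clean host.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    NR == 1 { next }                 # column header
    $7 != "*:*" { next }             # connected socket, not a listener
    {
        laddr = $6
        port = laddr; sub(/.*:/, "", port)              # text after the last colon
        host = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (host ~ /^127\./ || host == "::1") next      # loopback-only, unreachable remotely
        proto = substr($5, 1, 3)                        # tcp4/tcp6 -> tcp, udp4/udp6 -> udp
        key = proto "/" port
        if (!(key in ok))
            printf "UNEXPECTED %-10s user=%-6s %s %s\n", $2, $1, $5, laddr
    }'
}

# Stand-alone run over the constructed sample: only SSH is expected, so the
# syslogd (udp/514) and nginx (tcp/80) listeners are reported.
printf '%s\n' "$SAMPLE" | audit_listeners "tcp/22"
```

The loopback test is on the bound address, not the process, so a daemon that listens on both 127.0.0.1 and * is reported for the wildcard socket only. Wildcard (`*`) and explicit non-loopback binds are treated the same, since both are reachable from the network; tighten the allow-list per host rather than per daemon name, because names are trivially changed by anyone who gets a process running.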
… Thanks to Twitter folks @dimonoid @allanjude @Kensan42 for contributing to this list! …
#!/bin/sh
# Stateful ipfw(8) ruleset for a single-homed host: everything out, nothing
# unsolicited in. Run as a firewall script (e.g. firewall_script in rc.conf);
# the trailing `ipfw list` echoes the rules actually loaded.
cmd="/sbin/ipfw -q add"   # Set rules command prefix
pif="em0"                 # Public interface
/sbin/ipfw -q -f flush    # Flush out the list before we begin.

# No restrictions on Loopback Interface
$cmd 01000 allow ip from any to any via lo0

### ICMP
$cmd 01110 allow icmp from any to any
$cmd 01120 allow ipv6-icmp from any to any
# The original rule here was "allow ipv6 from any to any". It matches every
# IPv6 packet, so the ::1 anti-spoofing and ICMPv6 rules below would never be
# reached and inbound IPv6 would be wide open. Left disabled on purpose.
#$cmd 01121 allow ipv6 from any to any

# The next rule allows the packet through if it matches an existing entry in the dynamic rules table
$cmd 02000 check-state

### OUTGOING
# Allow access to outside; the keep-state entries let the replies back in
$cmd 03010 allow tcp from any to any out via $pif setup keep-state
$cmd 03020 allow udp from any to any out via $pif keep-state

### INCOMING
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 04010 deny all from 192.168.0.0/16 to any in via $pif  # RFC 1918 private IP
$cmd 04020 deny all from 172.16.0.0/12 to any in via $pif   # RFC 1918 private IP
$cmd 04030 deny all from 10.0.0.0/8 to any in via $pif      # RFC 1918 private IP
$cmd 04040 deny all from 127.0.0.0/8 to any in via $pif     # loopback
$cmd 04050 deny all from 0.0.0.0/8 to any in via $pif       # "this network" (RFC 1122), never a valid source on the wire
$cmd 04060 deny all from 169.254.0.0/16 to any in via $pif  # link-local / DHCP auto-config
$cmd 04070 deny all from 192.0.2.0/24 to any in via $pif    # reserved for docs
$cmd 04080 deny all from 204.152.64.0/23 to any in via $pif # Sun cluster interconnect
$cmd 04090 deny all from 224.0.0.0/3 to any in via $pif     # Class D & E multicast
# The IPv6 loopback address must never appear on the public interface
$cmd 05010 deny ip from any to ::1 in via $pif
$cmd 05020 deny ip from ::1 to any in via $pif

# ICMPv6 required for neighbour discovery and path MTU discovery. Already
# covered by 01120; kept so they still apply if that rule is tightened.
$cmd 06010 allow ipv6-icmp from :: to ff02::/16
$cmd 06020 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 06030 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 06040 allow ipv6-icmp from any to any icmp6types 1,2,135,136

# Deny fragments
$cmd 07010 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 07020 deny tcp from any to any established in via $pif

# Allow incoming access from localnet (uncomment and give the rules numbers if needed)
#$cmd X allow tcp from 192.168.1.0/24 to any in via $pif setup keep-state
#$cmd X allow udp from 192.168.1.0/24 to any in via $pif keep-state

# Everything else is rejected and logged. 08020 is a silent fall-through that
# is only reached if 08010 is removed.
$cmd 08010 reject log all from any to any
$cmd 08020 deny log all from any to any

/sbin/ipfw list
> Avahi, mDNSresponder, Bonjour, etc. use multicast. Multicast is certainly routable.

Unless I'm mistaken, only *some* multicast address allocations are routable, others are locally scoped and filtered by most commercial routers, which makes these less useful for spoofing attacks than private address ranges. It's a little tricky to untangle it.

> It would be good to have a place to discuss things like the following presentation:
> Escaping Containment: A Security Analysis of FreeBSD Jails

Most people would start a new thread in the appropriate Forums section. Since your topic involves jails, I think that Emulation and Virtualization is a good section of the Forums to start a thread like that.