IPFW Intranet server: opinion on rules for ipfw

Hello, I would like the opinion (and, if possible, tips) of the staff most knowledgeable in ipfw about my rules below.

Bash:
#!/bin/sh
# IPFW: rules for an Intranet server
PATH='/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin'

# Running services
tcp_services='22,80,443'

# Trusted LAN
trusted_lan='192.168.64.0/24,192.168.128.0/24'

# Flushing rules
ipfw -q -f flush

# Loopback
ipfw -q add allow via lo0
ipfw -q add deny { dst-ip 127.0.0.0/8 or src-ip 127.0.0.0/8 }

# Broadcast/multicast undesirable
ipfw -q add deny ip from any to 255.255.255.255
ipfw -q add deny ip from any to 224.0.0.0/24 in

# Blocking suspicious packets
ipfw -q add deny all from any to me in frag
ipfw -q add deny all from any to me not verrevpath in
ipfw -q add deny tcp from any to me tcpflags fin,urg,psh in
ipfw -q add deny tcp from any to me tcpflags !fin,!syn,!ack,!urg,!psh,!rst in
ipfw -q add deny tcp from any to me tcpflags syn,fin,rst,ack in
ipfw -q add deny tcp from any to me tcpflags fin,!syn,!rst,!ack in
ipfw -q add deny tcp from any to me tcpflags syn,fin,!rst,!ack in
ipfw -q add deny tcp from any to me tcpflags urg,!syn,!fin,!rst,!ack in
ipfw -q add deny tcp from any to me tcpoptions !mss tcpflags syn,!ack in

# Packet reassembly
ipfw -q add reass all from any to me in

# Stateful firewall
ipfw -q add check-state

# Allow access only to trusted networks
ipfw -q add allow tcp from $trusted_lan to me dst-port $tcp_services in setup keep-state

# Ping
ipfw -q add allow icmp from any to me in

# Outgoing packets
ipfw -q add allow tcp from me to any out setup keep-state
ipfw -q add allow { udp or icmp } from me to any out keep-state

* Sorry for bad English
 
Decide whether you want to block the fragments or try to reassemble them.
Don't block tcpflags; you need them. IPFW is a stateful firewall, and any connection that doesn't have a state in the dynamic state table will reach your default rule 65535, which by default is deny. So there's no need to explicitly block TCP packets based on their flags.
 
You could just use the pre-configured workstation firewall with
Code:
# /etc/rc.conf: enable ipfw and select the pre-configured workstation rule set
firewall_enable="YES"
firewall_type="workstation"
# Ports this host publishes, and the networks allowed to reach them
firewall_myservices="22/tcp 80/tcp 443/tcp"
firewall_allowservices="192.168.64.0/24 192.168.128.0/24"
Look in /etc/rc.firewall. If it does not fit your needs 100%, copy and paste the workstation section, rename it (e.g. "srvhost" -> /etc/rc.srvhost) and adjust. For example, the workstation rules allow DHCP (as a client), which you might not want to allow.
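The two replies above make two points that fit together: a stateful ipfw rule set does not need the per-flag tcpflags rules (second reply), and the published services and allowed networks can be driven by the rc.conf-style firewall_myservices / firewall_allowservices variables (third reply). The script below is an added example that does both; it is not the poster's script and not FreeBSD's own /etc/rc.firewall. The function name gen_rules, the variable frag_policy and the dry-run default fwcmd="echo ipfw" are assumptions made for this example; the fragment choice the second reply asks for (deny or reass) is made explicit rather than applying both as the original script does. Run it as-is to print the rules, or with fwcmd="ipfw -q" on the host to load them.

```shell
#!/bin/sh
# Added example: a minimal stateful ipfw rule set generated from rc.conf-style
# variables. Not the poster's script and not /etc/rc.firewall.
# gen_rules, frag_policy and the "echo ipfw" dry-run default are assumptions
# made for this example.

# Same format as the rc.conf variables in the reply: port/proto, and networks
firewall_myservices="${firewall_myservices:-22/tcp 80/tcp 443/tcp}"
firewall_allowservices="${firewall_allowservices:-192.168.64.0/24 192.168.128.0/24}"

# Fragment handling: "reass" (reassemble) or "deny" (drop). Pick one: a deny
# on "frag" placed before reass would never let reass see a fragment.
frag_policy="${frag_policy:-reass}"

# Dry run by default: print the commands. Use fwcmd="ipfw -q" to load them.
fwcmd="${fwcmd:-echo ipfw}"

# gen_rules [frag_policy]: emit the whole rule set through ${fwcmd}
gen_rules() {
    policy="${1:-${frag_policy}}"

    ${fwcmd} -f flush

    # Loopback traffic first; anything else claiming 127/8 is bogus
    ${fwcmd} add allow ip from any to any via lo0
    ${fwcmd} add deny ip from any to 127.0.0.0/8
    ${fwcmd} add deny ip from 127.0.0.0/8 to any

    # Fragments: exactly one policy
    case "${policy}" in
        reass) ${fwcmd} add reass ip from any to any in ;;
        deny)  ${fwcmd} add deny ip from any to any in frag ;;
        *)     echo "gen_rules: unknown frag_policy '${policy}'" >&2; return 1 ;;
    esac

    # Drop inbound packets whose source would not route back out the same interface
    ${fwcmd} add deny ip from any to any not verrevpath in

    # Packets of connections already in the dynamic table pass here. Everything
    # without state falls through to the final deny, so no per-flag rules are needed.
    ${fwcmd} add check-state

    # Published services, reachable only from the allowed networks.
    # "setup keep-state" matches the SYN and creates the dynamic entry.
    for svc in ${firewall_myservices}; do
        case "${svc}" in
            */*) port="${svc%/*}"; proto="${svc#*/}" ;;
            *)   port="${svc}";    proto="tcp" ;;
        esac
        for net in ${firewall_allowservices}; do
            case "${proto}" in
                tcp) ${fwcmd} add allow tcp from "${net}" to me "${port}" in setup keep-state ;;
                udp) ${fwcmd} add allow udp from "${net}" to me "${port}" in keep-state ;;
                *)   echo "gen_rules: unsupported protocol in '${svc}'" >&2; return 1 ;;
            esac
        done
    done

    # Connections the host itself opens
    ${fwcmd} add allow tcp from me to any out setup keep-state
    ${fwcmd} add allow udp from me to any out keep-state
    ${fwcmd} add allow icmp from me to any out keep-state

    # Echo requests in; the echo replies match the outbound icmp rule above
    ${fwcmd} add allow icmp from any to me in icmptypes 8

    # Explicit logged deny in front of the implicit rule 65535
    # (log lines only appear with net.inet.ip.fw.verbose=1)
    ${fwcmd} add deny log ip from any to any
}

# Print (or, with fwcmd="ipfw -q", load) the rule set
gen_rules
```

Running `frag_policy=deny sh gen_rules.sh` swaps the reass rule for the fragment deny, and any service entry without a protocol suffix is treated as TCP, which mirrors the older "22 80 443" form of firewall_myservices.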
 