Hello all,
I'm trying to "sum up" and gather all good defence mechanisms
for building up "the ultimate" IPFW.
Today I have played around with Mac OS X's IPFW, which should
actually be the same as in our FreeBSD (as for Snow Leopard).
The experiment is intended for a standalone desktop workstation,
which doesn't run any servers, but only essential web-surfing
and ftp/torrent downloading. Some more details:
- I get my IP from a DHCP server
- I connect to my ISP through PPPoE
- I don't have a home LAN/routers etc., just a traditional cable
Here's what I have done till now, and saved it as a startup
script, so the system will load these rules instead of the defaults:
Code:
# Loaded as an ipfw rule file; ipfw skips lines starting with "#" when reading it.
# Let replies to the keep-state rules below match the dynamic table first.
add 00090 check-state
# Loopback traffic stays on lo0; loopback addresses arriving from the network are bogus.
add 00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add 00110 deny log ip from 127.0.0.0/8 to any in
add 00120 deny log ip from any to 127.0.0.0/8 in
# Inbound multicast/class E; 224.0.0.0/3 is 224.0.0.0-255.255.255.255, so rule 150 is a subset of rule 130.
add 00130 deny log ip from 224.0.0.0/3 to any in
add 00140 deny log tcp from any to 224.0.0.0/3 in
add 00150 deny ip from 224.0.0.0/4 to any in
# 0.0.0.0/8 source addresses, and port 0 on either end.
add 00160 deny ip from 0.0.0.0/8 to any
add 00170 deny tcp from any 0 to any
add 00180 deny tcp from any to any dst-port 0 in
add 00190 deny udp from any 0 to any
add 00200 deny udp from any to any dst-port 0 in
# Inbound on the PPPoE link: port 81, ident (113) and NetBIOS (137-139).
add 00210 deny tcp from any to any dst-port 81 in via ppp0
add 00220 deny tcp from any to any dst-port 113 in via ppp0
add 00230 deny tcp from any to any dst-port 137 in via ppp0
add 00240 deny tcp from any to any dst-port 138 in via ppp0
add 00250 deny tcp from any to any dst-port 139 in via ppp0
# Invalid TCP flag combinations.
add 00260 deny tcp from any to any tcpflags syn,fin
add 00270 deny tcp from any to any tcpflags syn,rst
# IP options: record route, timestamp, loose and strict source routing.
add 00280 deny ip from any to any ipoptions rr
add 00290 deny ip from any to any ipoptions ts
add 00300 deny ip from any to any ipoptions lsrr
add 00310 deny ip from any to any ipoptions ssrr
# Traffic this host initiates; keep-state creates the dynamic rules that check-state matches.
add 00400 allow tcp from me to any established
add 00410 allow tcp from me to any setup keep-state
add 00420 allow udp from me to any keep-state
# Everything left over is denied; the last one logs (up to 1000 entries).
add 65531 deny tcp from any to any established in via ppp0
add 65532 deny udp from any to any in
add 65533 deny icmp from any to any
add 65534 deny log logamount 1000 ip from any to any
# 65535 is the number of ipfw's built-in default rule.
add 65535 allow ip from any to any
After restarting, I found out that I can browse the web at least,
after having made such a mess.
I'm not advanced in Unix and I try to learn as much as I can,
focused on IPFW for the moment.
Please help identifying wrong config lines/weaknesses in this setup, and advise what would be better/optimal instead.
I also hope that this thread will help other people in my
position and anybody else wishing to learn more and more.
Any help and hints will be greatly appreciated!
Greetings,
Unixworld
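As an added example (not part of the post above, and not an ipfw tool), here is a small Python linter for a ruleset like the one posted. It parses each "add" line, sorts by rule number the way ipfw evaluates them, checks that check-state precedes every keep-state rule, checks that an explicit catch-all deny sits below ipfw's default rule 65535, and flags rules that can never match because an earlier rule already catches all their traffic. Only the rule syntax that actually appears in the post is handled (an assumption on my part, not ipfw's full grammar), and the embedded input is a subset of the posted rules, copied verbatim.

```python
import ipaddress
import re
# Subset of the rules from the post, copied verbatim, used as the linter's input
# (the whole file can be pasted in unchanged).
RULESET = """
add 00090 check-state
add 00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add 00130 deny log ip from 224.0.0.0/3 to any in
add 00150 deny ip from 224.0.0.0/4 to any in
add 00400 allow tcp from me to any established
add 00410 allow tcp from me to any setup keep-state
add 65531 deny tcp from any to any established in via ppp0
add 65534 deny log logamount 1000 ip from any to any
add 65535 allow ip from any to any
"""
RULE_RE = re.compile(r"^add\s+(\d+)\s+(check-state|allow|deny)\s*(.*)$")
BODY_RE = re.compile(r"^(\S+)\s+from\s+(\S+)(?:\s+(\d[\d,-]*))?\s+to\s+(\S+)(?:\s+(\d[\d,-]*))?(.*)$")
VALUE_OPTS = {"via", "src-port", "dst-port", "tcpflags", "ipoptions"}  # options taking one argument
FLAG_OPTS = {"in", "out", "established", "setup", "keep-state"}       # options taking none
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_addr(token):
    # "any" becomes 0.0.0.0/0, "me" stays symbolic, anything else is a host or network
    if token in ("any", "me"):
        return ANY if token == "any" else "me"
    return ipaddress.ip_network(token, strict=False)

def parse_rule(line):
    # Parse one "add NNNNN action body" line; only the syntax used in the post is handled
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised rule: " + line)
    rule = {"num": int(m.group(1)), "action": m.group(2), "opts": {}}
    tokens = m.group(3).split()
    if tokens[:1] == ["log"]:  # logging does not change what a rule matches
        tokens = tokens[3:] if tokens[1:2] == ["logamount"] else tokens[1:]
    if rule["action"] == "check-state":
        return rule
    bm = BODY_RE.match(" ".join(tokens))
    if not bm:
        raise ValueError("unrecognised body: " + line)
    proto, src, sport, dst, dport, rest = bm.groups()
    rule.update(proto=proto, src=parse_addr(src), dst=parse_addr(dst))
    rule["opts"].update({k: v for k, v in (("src-port", sport), ("dst-port", dport)) if v})
    toks = rest.split()
    while toks:
        t = toks.pop(0)
        if t in VALUE_OPTS:
            rule["opts"][t] = toks.pop(0)
        elif t in FLAG_OPTS:
            rule["opts"][t] = True
        else:
            raise ValueError("unsupported option %r in: %s" % (t, line))
    return rule

def parse_ruleset(text):
    # ipfw evaluates rules in rule-number order, whatever order the file lists them in
    lines = [s for s in map(str.strip, text.splitlines()) if s and not s.startswith("#")]
    return sorted((parse_rule(s) for s in lines), key=lambda r: r["num"])

def addr_covers(a, b):
    # True when address spec a matches every address that spec b matches
    if a == ANY or "me" in (a, b):
        return a == ANY or a == b
    return b.subnet_of(a)

def covers(a, b):
    # True when rule a matches a superset of the packets rule b matches
    if ("proto" not in a or "proto" not in b or a["proto"] not in ("ip", b["proto"])
            or not (addr_covers(a["src"], b["src"]) and addr_covers(a["dst"], b["dst"]))):
        return False  # check-state carries no packet pattern; "ip" covers every protocol
    # every qualifier on a must be on b with the same value; extra qualifiers on b only narrow b
    return all(b["opts"].get(k) == v for k, v in a["opts"].items())

def shadowed_rules(rules):
    # (rule that can never match, earlier rule that already catches its traffic) pairs
    found = []
    for i, b in enumerate(rules):
        for a in rules[:i]:
            if covers(a, b):
                found.append((b["num"], a["num"]))
                break
    return found

def state_order_ok(rules):
    # check-state must precede every keep-state rule, or replies are not tried against the dynamic table first
    cs = [r["num"] for r in rules if r["action"] == "check-state"]
    ks = [r["num"] for r in rules if r["opts"].get("keep-state")]
    return not ks or (bool(cs) and min(cs) < min(ks))

def has_explicit_default_deny(rules):
    # is the highest rule below ipfw's built-in default rule 65535 an unqualified "deny ip from any to any"?
    last = [r for r in rules if r["num"] < 65535][-1]
    return (last["action"] == "deny" and last.get("proto") == "ip"
            and last["src"] == ANY and last["dst"] == ANY and not last["opts"])

if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    print(state_order_ok(rules), has_explicit_default_deny(rules), shadowed_rules(rules))
```

On the posted subset this reports two shadowed rules: 150 (224.0.0.0/4 inbound) is already caught by 130 (224.0.0.0/3 inbound), and 65535 is already caught by the unqualified deny at 65534. The shadow test is deliberately conservative: a rule is only reported when an earlier rule has the same or a broader protocol, source, destination and every one of its qualifiers, so it never claims a rule is dead when it might still fire.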