Here is a very short ipfw ruleset I have on a firewall device:
Code:
5 allow tcp from any to any established
10 allow icmp from any to any icmptypes 0,3,8,11
20 allow udp from any to any dst-port 33433-33499 in via xl1
30 allow tcp from any to any dst-port 40 in via xl1
65535 deny ip from any to any

That's it. I want interior machines (connected via xl1) to be able to ping, to be able to traceroute out to the world, and to be able to connect over TCP 40.
And nothing else.
It's extremely important that no other network traffic can be generated on the interior net and pass to the other side of this firewall.
Is this watertight? I think it is... but I want a second opinion.
Thanks.
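To see what the ruleset in the post actually lets through from xl1, here is an added example (not from the original post) that simulates ipfw's first-match evaluation for just the match options those five rules use, over a few constructed packets. It assumes ipfw's `established` keyword matches any TCP packet with the ACK or RST bit set and keeps no connection state, and that `in via xl1` matches packets arriving on interface xl1; the helper names (`Rule`, `Packet`, `first_match`, `evaluate`) and the sample packets are mine, not anything from the poster's firewall.

```python
"""Simplified first-match simulator for the ipfw ruleset quoted above.

Added example, not part of the original post. It models only the match
criteria those five rules use (proto, dst-port, icmptypes, 'established',
'in via <iface>'); real ipfw has many more options.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str                          # "allow" or "deny"
    proto: str                           # "ip", "tcp", "udp" or "icmp"
    dst_ports: Optional[range] = None    # dst-port range, None = any
    icmptypes: Optional[set] = None      # icmptypes list, None = any
    established: bool = False            # ipfw 'established': TCP with ACK or RST set
    direction: Optional[str] = None      # "in" / "out", None = either
    iface: Optional[str] = None          # 'via <iface>', None = any interface


@dataclass
class Packet:
    proto: str
    direction: str                       # "in" or "out" relative to the firewall host
    iface: str                           # interface the packet is crossing
    dport: int = 0
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmptype: int = -1
    payload_len: int = 0                 # never consulted: ipfw does not inspect payload


def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if every criterion the rule specifies holds for the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.dst_ports is not None and pkt.dport not in rule.dst_ports:
        return False
    if rule.icmptypes is not None and pkt.icmptype not in rule.icmptypes:
        return False
    # 'established' is a flag check, not a state check: ACK or RST is enough.
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def first_match(pkt: Packet, rules) -> tuple:
    """ipfw semantics: lowest-numbered matching rule decides the verdict."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    raise RuntimeError("no matching rule; ipfw always has the implicit 65535")


# The five rules from the post, transcribed into the model above.
RULESET = [
    Rule(5, "allow", "tcp", established=True),
    Rule(10, "allow", "icmp", icmptypes={0, 3, 8, 11}),
    Rule(20, "allow", "udp", dst_ports=range(33433, 33500), direction="in", iface="xl1"),
    Rule(30, "allow", "tcp", dst_ports=range(40, 41), direction="in", iface="xl1"),
    Rule(65535, "deny", "ip"),
]


def interior(**kw) -> Packet:
    """Constructed packet entering the firewall from the interior net (in via xl1)."""
    return Packet(direction="in", iface="xl1", **kw)


# Constructed sample traffic; "xl0" is an assumed name for the outside interface.
SAMPLES = {
    "tcp syn to port 40":          interior(proto="tcp", dport=40, flags={"SYN"}),
    "tcp syn to port 80":          interior(proto="tcp", dport=80, flags={"SYN"}),
    "tcp ack-only to port 80":     interior(proto="tcp", dport=80, flags={"ACK"}),
    "icmp echo, 1400B payload":    interior(proto="icmp", icmptype=8, payload_len=1400),
    "udp dns query":               interior(proto="udp", dport=53),
    "udp traceroute probe":        interior(proto="udp", dport=33434),
    "udp probe from outside":      Packet(proto="udp", direction="in", iface="xl0", dport=33434),
    "tcp ack from outside to 22":  Packet(proto="tcp", direction="in", iface="xl0", dport=22, flags={"ACK"}),
}


def evaluate(samples=SAMPLES, rules=RULESET) -> dict:
    """Map each sample name to the (rule number, action) that decides it."""
    return {name: first_match(pkt, rules) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (num, action) in evaluate().items():
        print(f"{name:30s} -> rule {num:5d} {action}")
```

Running it shows the two cases worth a second look. An ACK-only segment to any port, in either direction, is allowed by rule 5 before the `in via xl1` rules are ever consulted, because `established` tests the ACK/RST bits rather than a tracked connection, so an interior host can push data out (and an outside host can reach inside) with nothing but the ACK flag set. Echo requests and replies of any size pass rule 10, so ICMP can carry arbitrary payload. The ipfw way to close the first hole is a `check-state` rule plus `keep-state` on rules 20 and 30 (with `setup` on rule 30 so only the SYN is matched) in place of the blanket `established` rule; the second is a policy decision about how much ICMP to permit.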