IPFW Recommendations for my rules

Can someone with experience with ipfw have a look to these rules?

I want to have incoming + outgoing:

FTP (passive + active)
SSH
MySQL
DNS
WWW (http + https)
MAIL (smtps + submission)

Only incoming:

MAIL (pop3, imap, pop3s, imaps)
SNMP

Only outgoing:

MAIL (smtp for some specific users to avoid direct telnet connections to port 25 from other users)


Code:
#!/bin/sh

# Flush all rules before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add "
cmd2="ipfw -q "

pif=`ifconfig -l | awk '{ print $1 }'`

# Allow loopback and deny loopback spoofing
$cmd 00010 allow ip from any to any via lo0
$cmd 00020 deny ip from any to 127.0.0.0/8
$cmd 00030 deny ip from 127.0.0.0/8 to any

# Checks stateful rules
$cmd 00050 check-state
$cmd 00060 deny tcp from any to any established

# SSHGUARD
$cmd 01000 reset ip from 'table(22)' to any

# NTP
$cmd 01005 allow udp from any to any dst-port 123 out via $pif keep-state

# ICMP
$cmd 01010 allow icmp from any to any out via $pif keep-state
$cmd 01011 allow icmp from any to any in via $pif

# FTP
# Client side: control channel out, active-mode data connections arriving from
# the server's port 20, and passive-mode data connections to ephemeral ports.
$cmd 10001 allow tcp from me to any dst-port 21 out via $pif setup keep-state
$cmd 10002 allow tcp from any 20 to me in via $pif setup keep-state
$cmd 10003 allow tcp from me to any dst-port 49152-65535 out via $pif keep-state
# Server side: control channel in, data connections out from 20/21, and the
# passive-mode port range the FTP daemon is configured to use.
$cmd 10004 allow tcp from any to me dst-port 21 in via $pif setup keep-state
$cmd 10005 allow tcp from me 20,21 to any out via $pif keep-state
$cmd 10006 allow tcp from any to me dst-port 50000-51000 in via $pif setup keep-state

# SSH
$cmd 10010 allow tcp from any to me dst-port 22 in via $pif setup keep-state
$cmd 10011 allow tcp from me to any dst-port 22 out via $pif setup keep-state

# DNS
$cmd 10021 allow tcp from any to me dst-port 53 in via $pif setup keep-state
$cmd 10022 allow udp from any to me dst-port 53 in via $pif keep-state
$cmd 10023 allow tcp from me to any dst-port 53 out via $pif setup keep-state
$cmd 10024 allow udp from me to any dst-port 53 out via $pif keep-state

# SNMP
$cmd 10026 allow udp from any to me dst-port 161 in via $pif keep-state

# EPP
$cmd 10027 allow tcp from me to any dst-port 700 out via $pif setup keep-state

# WWW
$cmd 10030 allow tcp from me to any dst-port 80 out via $pif setup keep-state
$cmd 10031 allow tcp from me to any dst-port 443 out via $pif setup keep-state
$cmd 10032 allow tcp from any to me dst-port 80 in via $pif setup keep-state
$cmd 10033 allow tcp from any to me dst-port 443 in via $pif setup keep-state

# MAIL
$cmd 10039 allow tcp from any to me dst-port 25 in via $pif setup keep-state
$cmd 10040 allow tcp from me to any dst-port 25 uid root out via $pif setup keep-state
$cmd 10041 allow tcp from me to any dst-port 25 uid postfix out via $pif setup keep-state
$cmd 10042 allow tcp from me to any dst-port 25 uid filter out via $pif setup keep-state
$cmd 10044 allow tcp from any to me dst-port 465 in via $pif setup keep-state
$cmd 10045 allow tcp from me to any dst-port 465 out via $pif setup keep-state
$cmd 10046 allow tcp from any to me dst-port 587 in via $pif setup keep-state
$cmd 10047 allow tcp from me to any dst-port 587 out via $pif setup keep-state
$cmd 10048 allow tcp from any to me dst-port 110 in via $pif setup keep-state
$cmd 10049 allow tcp from any to me dst-port 995 in via $pif setup keep-state
$cmd 10050 allow tcp from any to me dst-port 143 in via $pif setup keep-state
$cmd 10051 allow tcp from any to me dst-port 993 in via $pif setup keep-state

# MYSQL
$cmd 10100 allow tcp from me to any dst-port 3306 out via $pif setup keep-state
$cmd 10101 allow tcp from any to me dst-port 3306 in via $pif setup keep-state

# WHOIS OUTGOING
$cmd 10200 allow tcp from me to any dst-port 43 out via $pif setup keep-state

# Deny everything else, and log it
$cmd 56599 deny log all from any to any
 
You can test the rules by using the list command: ipfw -de list. You can reset the counters first before testing, then monitor the packet counts as you test each rule: ipfw zero.
 
You only need to allow incoming DNS if you're hosting a DNS zone. It's not needed for basic resolving.

Code:
$cmd 10021 allow tcp from any to me dst-port 53 in via $pif setup keep-state
$cmd 10022 allow udp from any to me dst-port 53 in via $pif keep-state
If you're not hosting DNS domains yourself you can remove these.

And you're going to want to limit access to SNMP:
Code:
# SNMP
$cmd 10026 allow udp from any to me dst-port 161 in via $pif keep-state
It's UDP so it's easily spoofed. And if you don't configure it properly it can easily be abused as an amplifier for a DDoS attack. So it's best to limit access and only allow the monitoring host.
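A worked version of that advice, as an added example rather than code from the thread: the SNMP rule restricted to an ipfw table of monitoring hosts, with a dry-run mode so the generated commands can be inspected before loading. The interface name em0, the monitor address 192.0.2.10 and table number 10 are assumptions, not values from the post.

```shell
#!/bin/sh
# Hardened SNMP rule set: only listed monitoring hosts may reach udp/161.
# Assumed values (not from the original post): table 10, interface em0,
# monitoring host 192.0.2.10.

# Set IPFW_DRY_RUN=1 to print the ipfw commands instead of loading them.
ipfw_cmd() {
    if [ "${IPFW_DRY_RUN:-0}" = "1" ]; then
        echo "ipfw -q $*"
    else
        ipfw -q "$@"
    fi
}

# snmp_rules <interface> <monitor-ip>...
# Replaces the original "allow udp from any to me dst-port 161" rule.
snmp_rules() {
    pif=$1; shift
    # Table 10 holds the hosts allowed to poll SNMP; flush it first so
    # re-running the script is idempotent.
    ipfw_cmd table 10 flush
    for host in "$@"; do
        ipfw_cmd table 10 add "$host"
    done
    # Weak original rule, kept here only for reference (not loaded):
    #   allow udp from any to me dst-port 161 in via $pif keep-state
    # Hardened: accept only sources in the table, then explicitly deny and
    # log everything else aimed at 161 so scans and spoofed probes are visible.
    ipfw_cmd add 10026 allow udp from 'table(10)' to me dst-port 161 in via "$pif" keep-state
    ipfw_cmd add 10027 deny log udp from any to me dst-port 161 in via "$pif"
}
```

Run `IPFW_DRY_RUN=1 snmp_rules em0 192.0.2.10` to see the commands; without the variable they are loaded with ipfw directly.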
 