ipfw with ppp -alias setup


Date: Fri, 3 Jul 1998 20:11:59 -0700 (PDT)
From: "Jan B. Koum" <jkb@best.com.>
To: Louie <louie@sunra.csci.unt.edu.>
Subject: Re: ipfw with ppp -alias setup
Cc: freebsd-security@FreeBSD.ORG

On Fri, 3 Jul 1998, Louie wrote:

>I'm using userland ppp with packet aliasing to give a private
>address IP network (192.168.1.x on ed0) Internet access through a
>dialup ISP that assigns dynamic IP addresses.  This works.  I'm
>also using ipfw for packet filtering.  This also works but since
>I don't claim to be a security expert I'm not sure if I've set this
>up properly.  I'm using ipfw instead of ppp's packet filtering
>because I prefer ipfw's log output.  (Maybe not a good reason.)
>My intentions are to block just about everything from the Internet.
>(Call me paranoid.)  I've also tried to define an ipfw rule list
>using just interface names since the IP addresses my ISP assigns
>can vary over multiple class C networks.  I also don't want to have
>to rerun ipfw every time I make a new connection with my ISP.
>
>Enough background.  My question is, will this rule list work or
>have I just proved I don't know what I'm doing?
>
># ipfw list
>01000 allow ip from any to any via lo0
>01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
>01110 deny log ip from 192.168.0.0/16 to any in recv tun0
                            ^^^^^^

        Aren't you using 192.168.1.0/16 as you mentioned above?

>01210 deny log ip from 172.16.0.0/12 to any in recv tun0
>01310 deny log ip from 10.0.0.0/8 to any in recv tun0
>01410 allow tcp from any to any in recv tun0 established
>01510 deny log tcp from any to any in recv tun0 setup
>01610 allow tcp from any to any out xmit tun0
>01710 allow tcp from any to any via ed0
>01810 allow udp from any 53 to any
>01910 allow udp from any to any 53
>02010 allow icmp from any to any icmptype 0
>02110 allow icmp from any to any icmptype 3
>02210 allow icmp from any to any icmptype 8
>02310 allow icmp from any to any icmptype 11
>65535 deny ip from any to any

        I'd also do:
ipfw add 65534 deny log ip from any to any

        This way, if you see something not working, you will have a
log to debug. For example, your ftp will not work -- you'll have to use
passive ftp. Else you're going to see the server trying to connect to your port
40000+ (if I remember correctly) from its port 20. If you don't want to
use passive ftp, then


ipfw add 1509 allow tcp from any 20 to any 40000-40100 in recv tun0
         ^^^^

        Notice how it should be before 1510. Also, you have to add the
incoming port and not just "... from any 20 to any" since if I am root, I
can claim to be from port 20. :)
        AFAICT the rules look ok. Really paranoid people might just take
out icmp (think Phrack issue 51 article 6). But yeah, everything looks
fine. Add the "deny log" rule before the last one if you want.
        I am sure if I missed something people here will correct me.

-- Yan

Jan Koum                  jkb@best.com |  "Turn up the lights; I don't want
www.FreeBSD.org --  The Power to Serve |   to go home in the dark."
---------------------------------------+-----------------------------------
ICMP: What happens when you hack into a military network and they catch you.


>
>Thanks for your time,
>Louie <louie@sunra.csci.unt.edu.>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe security" in the body of the message
>


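Added example, not part of the mail above nor of FreeBSD's ipfw: a small Python first-match evaluator for the subset of ipfw syntax used in Louie's list, to show why Jan's FTP data rule has to sit before 1510 and what the 65534 "deny log" catch-all ends up logging. The trimmed rule subset, the constructed packet (203.0.113.9 as the dialup address, 198.51.100.7 as the FTP server) and the simplified recv/xmit/established/setup semantics are assumptions made for the example.

```python
import ipaddress, re
# Constructed subset of Louie's rule list, plus Jan's suggested 65534 catch-all.
RULES = """\
01110 deny log ip from 192.168.0.0/16 to any in recv tun0
01410 allow tcp from any to any in recv tun0 established
01510 deny log tcp from any to any in recv tun0 setup
01610 allow tcp from any to any out xmit tun0
65534 deny log ip from any to any"""
JAN_FTP_RULE = "01509 allow tcp from any 20 to any 40000-40100 in recv tun0"
# Constructed packet: Jan's active-FTP data SYN from the server's port 20 to the dialup host.
FTP_DATA_SYN = dict(proto="tcp", src="198.51.100.7", sport=20, dst="203.0.113.9",
                    dport=40000, dir="in", iface="tun0", syn=True, ack=False)
# Grammar handled: NUM action [log] proto from SRC [PORT] to DST [PORT] options...
RULE_RE = re.compile(r"(?P<num>\d+) (?P<action>allow|deny)(?P<log> log)? (?P<proto>\w+) from "
    r"(?P<src>\S+)(?: (?P<sport>[\d-]+))? to (?P<dst>\S+)(?: (?P<dport>[\d-]+))?(?P<opts>.*)")
OPTS = ("in", "out", "recv", "xmit", "established", "setup")

def parse(line):
    r = RULE_RE.fullmatch(line).groupdict()
    r["num"], r["log"] = int(r["num"]), bool(r["log"])
    w = r.pop("opts").split()               # recv/xmit take an interface argument
    r["opts"] = {w[j]: w[j + 1] if w[j] in ("recv", "xmit") else True
                 for j in range(len(w)) if w[j] in OPTS}
    return r

def port_ok(spec, port):                    # spec is None, "20" or "40000-40100"
    lo, _, hi = (spec or "0-65535").partition("-")
    return int(lo) <= port <= int(hi or lo)

def matches(r, p):
    # Simplified: recv/xmit imply direction; 'established' = ACK set, 'setup' = SYN without ACK.
    o = r["opts"]
    return all([
        r["proto"] in ("ip", p["proto"]),
        all(s == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(s, strict=False)
            for s, a in ((r["src"], p["src"]), (r["dst"], p["dst"]))),
        port_ok(r["sport"], p["sport"]) and port_ok(r["dport"], p["dport"]),
        all(p["dir"] == d for d in ("in", "out") if d in o),
        all(p["iface"] == o[k] and p["dir"] == d
            for k, d in (("recv", "in"), ("xmit", "out")) if k in o),
        "established" not in o or p["ack"],
        "setup" not in o or (p["syn"] and not p["ack"]),
    ])

def verdict(rules_text, pkt):
    # First matching rule in number order wins; ipfw's implicit 65535 deny otherwise.
    for r in sorted(map(parse, rules_text.splitlines()), key=lambda r: r["num"]):
        if matches(r, pkt):
            return r["num"], r["action"], r["log"]
    return 65535, "deny", False
```

`verdict(RULES, FTP_DATA_SYN)` hits 1510 (deny, logged); appending `JAN_FTP_RULE` makes 1509 match first, while the same rule numbered 1511 never gets a chance.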

