The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.
[ HOME | TOPICS | INDEX | WEB RESOURCES | BOOKS | CONTRIBUTE | SEARCH | FEEDBACK | FAQ | FORUMS ]

 New Topic  |  Go to Top  |  Go to Topic  |  Search  |  Log In   Newer Topic  |  Older Topic 
 Nice article, but....
Author: My Name 
Date:   24-08-01 13:00

Very nice article, but the IPF rules (no offence intended, please) need fixing.

You have some rules that aren't needed at all ie, lo0 (unless you had default_deny in kernel) which IMHO in this case (seems you don't) wastes space, processing time, and searching through the rules. Especially for LPC communication.

You're ICMP rules, you have a couple in there that either you don't need (but you're ISP's router would) and/or, redirect_icmp, I wouldn't recommend allowing that in/out. Makes it a lot easier in redirect/hijacking your connection. Matter of back, I would block some of the others too and allow only a certain subset out, with 'keep state'.

You should also block certain things out... It's not possible or feasable to block out all, but 'certain' ports is a definate block out. I can't really get into that in here.

Other than those, the rules are great but again you can sure so well find tune it more with 'rule groups' in a much better way than you can with IPFW.

Personally, I recommend either a transparent ethernet bridge with OpenBSD + IPFilter (ipless, 99.9999% uncompromisable), and/or a FreeBSD/OpenBSD/NetBSD NAT Router in *behind* that.
FreeBSD alone as a NAT Router/Firewall is much easier to crack into, open the firewall, then gain 100% access to all ports so to speak.

If you guys want, I can write up a small how-to, but applies more to my setup with Cable/DSL & OpenBSD. Still, I have FreeBSD/NetBSD in there mind you but always behind the OpenBSD box in which is transparent to everyone with more than just Layer 3 filtering.

Regard!

Reply To This Message
 
 Re: Nice article, but....
Author: Dan Langille 
Date:   24-08-01 23:03

Sure. Write something up. There's a pointer to the html template on the home page. I can give you FTP access to a development box if you want to test the php.

Reply To This Message
 
 Re: Nice article, but....
Author: My Name 
Date:   28-08-01 13:44

Damn, look at all my typo's...

I'll look for that template, but the only problem is finding the time to write something up, and that it might apply more so to OpenBSD than FreeBSD but might strike up some new ideas for people.

I know in FreeBSD you can't do transparent bridging with IPF, but AFAIK (never done it myself yet) you can with IPFW somehow.
The OpenBSD has modified things so that IPF filters 'bridged' packets/frames and a lot more!

Being transparent, no IP address(es), and preferably just console or serial access only would be just as secure as the OpenBSD box in a sense or two doing the same thing.

As of OpenBSD 2.9-current and above, IPF is no longer included in the default install, although it still is and will be available to install/setup after market - just hopefully stays like that.

OpenBSD is now working on a work-alike backwards compatible & native OpenBSD version called 'PF'. That so far doesn't support the bridging yet and might not even be as secure as IPF seeing as it's still new.

Regards!

-- *BSD, it's not about 'money' --

Microsoft: Where do you want to go today?
Linux: Where do you want to go tomorrow?
FreeBSD: Hey, you guys coming or what!?
OpenBSD: Hey, you guys left some holes out there!
NetBSD: What's this!? A CPU not running our OS!?

Reply To This Message
 Forum List  |  Threaded View   Newer Topic  |  Older Topic 


 Forum List  |  Need a Login? Register Here 
 User Login
 User Name:
 Password:
 Remember my login:
   
 Forgot Your Password?
Enter your email address or user name below and a new password will be sent to the email address associated with your profile.
How to get the most out of the forum

phorum.org