Author: My Name
Date: 24-08-01 13:00
Very nice article, but the IPF rules (no offence intended, please) need fixing.
You have some rules that aren't needed at all ie, lo0 (unless you had default_deny in kernel) which IMHO in this case (seems you don't) wastes space, processing time, and searching through the rules. Especially for LPC communication.
You're ICMP rules, you have a couple in there that either you don't need (but you're ISP's router would) and/or, redirect_icmp, I wouldn't recommend allowing that in/out. Makes it a lot easier in redirect/hijacking your connection. Matter of back, I would block some of the others too and allow only a certain subset out, with 'keep state'.
You should also block certain things out... It's not possible or feasable to block out all, but 'certain' ports is a definate block out. I can't really get into that in here.
Other than those, the rules are great but again you can sure so well find tune it more with 'rule groups' in a much better way than you can with IPFW.
Personally, I recommend either a transparent ethernet bridge with OpenBSD + IPFilter (ipless, 99.9999% uncompromisable), and/or a FreeBSD/OpenBSD/NetBSD NAT Router in *behind* that.
FreeBSD alone as a NAT Router/Firewall is much easier to crack into, open the firewall, then gain 100% access to all ports so to speak.
If you guys want, I can write up a small how-to, but applies more to my setup with Cable/DSL & OpenBSD. Still, I have FreeBSD/NetBSD in there mind you but always behind the OpenBSD box in which is transparent to everyone with more than just Layer 3 filtering.