The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.
 New Topic  |  Go to Top  |  Go to Topic  |  Search  |  Log In   Previous Message  |  Next Message 
 Nice article, but....
Author: My Name 
Date:   24-08-01 13:00

Very nice article, but the IPF rules (no offence intended, please) need fixing.

You have some rules that aren't needed at all ie, lo0 (unless you had default_deny in kernel) which IMHO in this case (seems you don't) wastes space, processing time, and searching through the rules. Especially for LPC communication.

You're ICMP rules, you have a couple in there that either you don't need (but you're ISP's router would) and/or, redirect_icmp, I wouldn't recommend allowing that in/out. Makes it a lot easier in redirect/hijacking your connection. Matter of back, I would block some of the others too and allow only a certain subset out, with 'keep state'.

You should also block certain things out... It's not possible or feasable to block out all, but 'certain' ports is a definate block out. I can't really get into that in here.

Other than those, the rules are great but again you can sure so well find tune it more with 'rule groups' in a much better way than you can with IPFW.

Personally, I recommend either a transparent ethernet bridge with OpenBSD + IPFilter (ipless, 99.9999% uncompromisable), and/or a FreeBSD/OpenBSD/NetBSD NAT Router in *behind* that.
FreeBSD alone as a NAT Router/Firewall is much easier to crack into, open the firewall, then gain 100% access to all ports so to speak.

If you guys want, I can write up a small how-to, but applies more to my setup with Cable/DSL & OpenBSD. Still, I have FreeBSD/NetBSD in there mind you but always behind the OpenBSD box in which is transparent to everyone with more than just Layer 3 filtering.


 Reply To This Message  |  Forum List  |  Flat View   Newer Topic  |  Older Topic 

 Topics Author  Date
 Nice article, but....   new
My Name 24-08-01 13:00 
 Re: Nice article, but....   new
Dan Langille 24-08-01 23:03 
 Re: Nice article, but....   new
My Name 28-08-01 13:44 

 Forum List  |  Need a Login? Register Here 
 User Login
 User Name:
 Remember my login:
 Forgot Your Password?
Enter your email address or user name below and a new password will be sent to the email address associated with your profile.
How to get the most out of the forum