
anyone want to look at my firewall rules? (ipfw - FreeBSD)

groovin

Senior member
I just wrote up a ruleset for ipfw on a machine that will be running as a gateway, DHCP (isc-dhcp3), and IPsec/VPN (Racoon/Kame). The only traffic I want to allow through is SSH and IPsec. All traffic from the inside should be allowed out (stateful). I haven't written a firewall ruleset for a while... last one I did was with pf on OpenBSD about a year ago and some ipchains way before that.

I scanned using grc.com and nmap (-sS, -sN, -O...etc) and only port 22 shows as open. nmap -O only detects the OS when I don't block port 22.

Please look over this and tell me if you see any flaws or any ways I can improve them. Also, I didn't log anything... are there some things that I should log? Even if you're not an ipfw person, rules are rules... any comments are appreciated!

thanks!

btw... the rules work just fine... I just wanted to know if I missed some glaring holes...
-----------

#!/bin/sh
fwcmd="/sbin/ipfw"

# Flush previous rules first, then set the loopback rules (flushing after
# adding them would discard rules 100-300 again)
${fwcmd} -f flush
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Info for the external interface
oif="em0"
onet="x.x.x.x"
omask="255.255.255.x"
oip="x.x.x.x"

# Info for the internal interface
iif="xl0"
inet="192.168.6.0"
imask="255.255.255.0"
iip="192.168.6.83"

natd_interface="em0"

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

######## Rules Section #########

# Allow TCP through if setup succeeded
#${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow anything from the internal network
${fwcmd} add allow all from ${inet} to any setup

# Permit incoming SSH connections
${fwcmd} add pass tcp from any to ${oip} 22 setup

# IPsec/VPN
${fwcmd} add allow esp from any to any
${fwcmd} add allow udp from any 500 to any

# ICMP for ping, dest unreachable, etc
${fwcmd} add allow icmp from any to any icmptype 0,3,4,8,11

# Dynamic rules, stateful
${fwcmd} add check-state
#${fwcmd} add deny tcp from any to any established
${fwcmd} add allow all from ${inet}/24 to any keep-state
${fwcmd} add allow all from ${oip} to any keep-state

# Everything else is denied by default
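Added example, not part of the original post and not FreeBSD's ipfw: a small Python first-match evaluator for the subset of ipfw syntax the post uses (first match wins, check-state/keep-state dynamic rules, and a toy natd triggered by the divert rule), so sample packets can be walked through the ruleset offline to see which rule decides each one. Interface names em0/xl0 and the 192.168.6.0/24 network come from the post; 203.0.113.10 is a constructed stand-in for the x.x.x.x public address and 198.51.100.7 a constructed remote host. It is an approximation: natd here preserves source ports and keeps no timeouts, the loopback, fragment, ESP and ICMP lines are left out, and ipfw's own semantics govern on a real box.

```python
"""Added example (not ipfw): offline first-match evaluator for the ipfw(8) syntax
subset used above, with keep-state/check-state and a minimal natd-style rewrite."""
import ipaddress

OIF, IIF = "em0", "xl0"
OIP = ipaddress.ip_address("203.0.113.10")      # constructed stand-in for x.x.x.x
INET = ipaddress.ip_network("192.168.6.0/24")

# The post's rules with variables expanded (loopback, frag, ESP, IKE, ICMP lines left out).
RULESET = f"""
add deny all from 192.168.6.0:255.255.255.0 to any in via {OIF}
add divert natd all from any to any via {OIF}
add deny all from 192.168.0.0/16 to any via {OIF}
add allow all from 192.168.6.0 to any setup
add pass tcp from any to {OIP} 22 setup
add check-state
add allow all from 192.168.6.0/24 to any keep-state
add allow all from {OIP} to any keep-state
"""

def addr(tok):  # 'any' -> None; a.b.c.d, a.b.c.d/len or a.b.c.d:mask -> network
    return None if tok == "any" else ipaddress.ip_network(tok.replace(":", "/"), strict=False)

def parse_rule(line):
    t = line.split()[1:]                       # drop "add" (rules here are unnumbered)
    r = dict(action=t[0], proto=None, src=None, sport=None, dst=None, dport=None, dir=None, iface=None, opts=set())
    if r["action"] == "check-state":
        return r
    i = 2 if r["action"] == "divert" else 1    # divert also names a port ("natd")
    r["proto"], i = t[i], i + 1
    for side in ("src", "dst"):                # "from A [port]" then "to B [port]"
        r[side], i = addr(t[i + 1]), i + 2
        if i < len(t) and t[i].isdigit():
            r[side[0] + "port"], i = int(t[i]), i + 1
    while i < len(t):                          # trailing options
        if t[i] in ("in", "out"):
            r["dir"] = t[i]
        elif t[i] == "via":
            i, r["iface"] = i + 1, t[i + 1]
        else:
            r["opts"].add(t[i])                # setup, keep-state
        i += 1
    return r

def matches(r, p):  # static match of packet dict p against parsed rule r
    ok = r["proto"] in ("all", "ip", p["proto"])
    ok = ok and all(r[k] is None or p[k] in r[k] for k in ("src", "dst"))
    ok = ok and all(r[k] is None or p.get(k) == r[k] for k in ("sport", "dport", "dir", "iface"))
    return ok and ("setup" not in r["opts"] or (p["proto"] == "tcp" and p["syn_only"]))

def flow_key(p):  # direction-agnostic, so replies hit the same dynamic entry
    return p["proto"], frozenset({(p["src"], p.get("sport")), (p["dst"], p.get("dport"))})

class Firewall:
    def __init__(self, text):
        self.rules = [(l, parse_rule(l)) for l in text.strip().splitlines()]
        self.dyn, self.nat = set(), {}         # keep-state entries; NAT mappings

    def natd(self, p):  # masquerade inside sources leaving OIF; un-NAT replies to OIP
        if p["dir"] == "out" and p["src"] in INET:
            self.nat[(p["dst"], p.get("dport"), p.get("sport"))] = p["src"]
            p["src"] = OIP
        elif p["dir"] == "in" and p["dst"] == OIP:
            p["dst"] = self.nat.get((p["src"], p.get("sport"), p.get("dport")), OIP)

    def evaluate(self, p):
        """One interface pass; the divert rewrites p in place, as natd does. Returns (verdict, rule)."""
        for text, r in self.rules:
            if r["action"] == "check-state":
                if flow_key(p) in self.dyn:    # every keep-state rule here allows
                    return "allow", text
            elif matches(r, p):
                if r["action"] == "divert":
                    self.natd(p)               # natd re-injects at the next rule
                    continue
                if "keep-state" in r["opts"]:
                    self.dyn.add(flow_key(p))
                return ("allow" if r["action"] in ("allow", "pass") else "deny"), text
        return "deny", "65535 deny ip from any to any (default rule)"

def walk(fw, pkt, passes):  # one evaluate() per interface pass, stop at first deny
    pkt, verdicts = dict(pkt), []
    for iface, direction in passes:
        pkt.update(iface=iface, dir=direction)
        verdicts.append(fw.evaluate(pkt)[0])
        if verdicts[-1] == "deny":
            break
    return verdicts

def demo():  # constructed packets; returns name -> verdict per interface pass
    fw = Firewall(RULESET)
    inside, remote = map(ipaddress.ip_address, ("192.168.6.5", "198.51.100.7"))
    syn = dict(proto="tcp", syn_only=True, src=inside, sport=40000, dst=remote, dport=80)
    ack = dict(proto="tcp", syn_only=False, src=remote, sport=80, dst=OIP, dport=40000)
    return {"outbound_syn": walk(fw, syn, [(IIF, "in"), (OIF, "out")]),  # NATed on em0
            "reply": walk(fw, ack, [(OIF, "in"), (IIF, "out")]),         # un-NATed, state hit
            "unsolicited_80": walk(fw, {**syn, "src": remote, "dst": OIP}, [(OIF, "in")]),
            "ssh": walk(fw, {**syn, "src": remote, "dst": OIP, "dport": 22}, [(OIF, "in")]),
            "spoof": walk(fw, syn, [(OIF, "in")])}                       # inside src on em0
```

Calling demo() walks a client's SYN in on xl0 and out on em0, the SYN-ACK back through both interfaces, an unsolicited SYN to port 80, one to port 22, and a packet with an inside source arriving on em0. Two things the walk makes visible in this model: the `setup` rule written with the bare network address parses as a /32 (only 192.168.6.0 itself), so a client's SYN entering on xl0 is actually admitted by the later `keep-state` rule, and that dynamic entry, keyed on the inside address, is what the de-NATed reply hits at `check-state` after the divert; and the divert has to sit ahead of the RFC1918 deny, because an outbound packet still carries its 192.168.6.x source until natd rewrites it.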
 