[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Traceroute, ping and ipf

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Traceroute, ping and ipf
From: Steve Smith <steve_(_dot_)_smith_(_at_)_isay_(_dot_)_com_(_dot_)_au>
Date: Thu, 20 Apr 2000 13:11:45 +1000 (EST)

Hi,

Newbie question on ipf setup.

I've setup the ipf on our firewall/nat box based on the suggestions in
the OpenBSD FAQ, and allowed out ICMP packets with state to allow
pinging of remote sites (/etc/ipf.rules attached).  However I want to
add two more cases :

	1) Allow remote hosts t ping our firewall
	2) Allow traceroutes from behind our firewall

I suspect both of these could open up the potential for DOS attacks if
not done correctly.  What is the safest method of allowing this?

Cheers,
Steve


#############################
# begin ruleset
#############################

# Free up loopback port
pass out quick on lo0
pass in quick on lo0

# Block sub-header fragments hack
block in quick proto tcp all with short

# Drop source routed packets
block in quick on fxp0 all with opt lsrr
block in quick on fxp0 all with opt ssrr

# Protect against remote spoofing
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any

# Block accidental passing of internal traffic
block out quick on fxp0 from any to 127.0.0.1/8
block out quick on fxp0 from any to 192.168.0.0/16
block out quick on fxp0 from any to 172.16.0.0/12
block out quick on fxp0 from any to 10.0.0.0/8

# Allow SSH from anywhere.
pass in quick on fxp0 proto tcp from any to any port = 22

# SMTP
pass in quick on fxp0 proto tcp from any to any port = 25

# BIND.  Note: Can use both tcp and udp.
pass in quick on fxp0 proto tcp/udp from any to any port = 53

# HTTPD
pass in quick on fxp0 proto tcp from any to any port = 80

# Lock the rest down: default deny
block in quick on fxp0 from any to any

# We allow all outgoing traffic.  We allow returns by keeping a log of
# connection states:
pass out on fxp0 proto tcp/udp from any to any keep state
pass out on fxp0 proto icmp from any to any keep state

##############################
# end ruleset
##############################

Prev by Date: Re: CPU Question preference (AMD, Intel)
Next by Date: auth for routers
Previous by thread: physical memory address
Next by thread: auth for routers
Index(es):
- Date
- Thread

Visit your host, monkey.org