
Traceroute, ping and ipf



Hi,

Newbie question on ipf setup.

I've setup the ipf on our firewall/nat box based on the suggestions in
the OpenBSD FAQ, and allowed out ICMP packets with state to allow
pinging of remote sites (/etc/ipf.rules attached).  However I want to
add two more cases :

	1) Allow remote hosts to ping our firewall
	2) Allow traceroutes from behind our firewall

I suspect both of these could open up the potential for DoS attacks if
not done correctly.  What is the safest method of allowing this?

Cheers,
Steve


#############################
# begin ruleset
#############################

# Free up loopback port
pass out quick on lo0
pass in quick on lo0

# Block sub-header fragments hack
block in quick proto tcp all with short

# Drop source routed packets
block in quick on fxp0 all with opt lsrr
block in quick on fxp0 all with opt ssrr

# Protect against remote spoofing
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any

# Block accidental passing of internal traffic
# (loopback net is 127.0.0.0/8, not 127.0.0.1/8)
block out quick on fxp0 from any to 127.0.0.0/8
block out quick on fxp0 from any to 192.168.0.0/16
block out quick on fxp0 from any to 172.16.0.0/12
block out quick on fxp0 from any to 10.0.0.0/8

# Allow SSH from anywhere.  No "flags S keep state" here, so every TCP
# segment to port 22 is passed, not only connection setups; the replies
# go out under the blanket pass out rules at the end.
pass in quick on fxp0 proto tcp from any to any port = 22

# SMTP
pass in quick on fxp0 proto tcp from any to any port = 25

# BIND.  Note: Can use both tcp and udp.
pass in quick on fxp0 proto tcp/udp from any to any port = 53

# HTTPD
pass in quick on fxp0 proto tcp from any to any port = 80

# Lock the rest down: default deny
block in quick on fxp0 from any to any

# We allow all outgoing traffic.  We allow returns by keeping a log of
# connection states:
pass out on fxp0 proto tcp/udp from any to any keep state
pass out on fxp0 proto icmp from any to any keep state

##############################
# end ruleset
##############################
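As an added example, not part of Steve's message or of the OpenBSD FAQ ruleset he started from, here is one way to write the two extra cases in ipf syntax. It assumes fxp0 is the external interface as in the posted ruleset and that 203.0.113.1 is the firewall's external address; that address and the inside network are assumptions, since the posted ruleset does not name them. These rules have to sit before the `block in quick on fxp0 from any to any` line, because that rule is `quick` and ends matching.

```ipf
# Added example fragment (not from the original post).
# Assumptions: fxp0 = external interface, 203.0.113.1 = its address.
# Insert before "block in quick on fxp0 from any to any".

# 1) Let remote hosts ping the firewall itself.
#    Only echo-request (ICMP type 8) is admitted, and only to the
#    firewall's own address, not "to any" (which would also let probes
#    reach NATed inside hosts).  The echo reply goes out under the
#    existing "pass out on fxp0 proto icmp ... keep state" rule.
pass in quick on fxp0 proto icmp from any to 203.0.113.1/32 icmp-type echo

# 2) Let hosts behind the firewall traceroute out.
#    Unix traceroute sends UDP probes (ports 33434 and up) with an
#    increasing TTL.  The outbound UDP is already covered by
#    "pass out on fxp0 proto tcp/udp from any to any keep state".
#    What comes back is not UDP but ICMP: time-exceeded (type 11) from
#    each hop and port-unreachable (type 3) from the final destination.
#    Those are ICMP errors, not echo replies, so they do not match the
#    icmp keep state entry and must be passed explicitly.  ipf does
#    inbound NAT before filtering, so "to any" is what the filter sees.
pass in quick on fxp0 proto icmp from any to any icmp-type timex
pass in quick on fxp0 proto icmp from any to any icmp-type unreach

# All other ICMP (redirects, mask/timestamp requests, ...) still falls
# through to the default deny.
```

On the DoS worry: ipf itself has no rate limiting, so the only thing these rules control is which ICMP types and which destination are reachable at all. Restricting echo-request to the firewall's own address keeps outsiders from using ping to map the inside network through the NAT. The `unreach` rule admits every unreachable code, including the "fragmentation needed" code that path MTU discovery relies on, so narrowing it further tends to break more than it protects; keep it `to any` only because inbound NAT has already rewritten the destination by the time the filter sees the packet.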