Re: good IPF firewall ruleset
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: good IPF firewall ruleset
- From: martin <martin_(_at_)_chaossolutions_(_dot_)_org>
- Date: Thu, 20 Sep 2001 10:19:04 -0400
At 08:48 AM 9/20/2001 -0500, Joshua b. Jore wrote:
I couldn't pass this up. While I use a script to manage my IPF ruleset (I
have stuff to alter it on the fly) here's what I'm using to block all the
obviously wrong stuff. All the IP/port ranges are from an IPF howto which
has a list of places traffic shouldn't ever come from. If it does then the
packet is wrong somehow and doesn't have any business being passed. Also,
that first part only allows correct looking traffic to exit so I don't
cause problems for other people on the internet.
Of course, if anyone else has suggestions
# allow only correct outbound traffic
block out quick from !x.x.x.x/32 to any
<SNIP> good outbound
# Inbound network traffic
# block fragmented packets
block in quick proto tcp all with short
# block source routed traffic
block in log quick all with opt lsrr
block in log quick all with opt ssrr
# no spoofing non-routable addresses
block in quick from 0.0.0.0/7 to any
Your last rule is a total block in. This means your overall rule
format is block unless otherwise allowed.
(This is as opposed to the other rule construction type where everything is
allowed unless you explicitly block it).
Basically, ALL the above block in rules are irrelevant as the final rule
will stop them.
There are no pass in rules to be a problem. Be careful though.
If you add a pass in quick rule then some of those block in will be required.
pass in quick with a port reference 80 would allow short and other stuff
in. i.e. you would have to use those relevant block in's FIRST.
Complicated, isn't it?
So to repeat...
You have to decide whether you are going to be permissive or not and get
into the mindset that's required for that ruleset.
a) are you allowing everything unless explicitly denied
b) or denying everything unless explicitly allowed
Two totally different types of rulesets and a lot of people mix them together.
# Block everything else
block return-rst in log quick proto tcp all
block in log quick all
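As an added illustration of the ordering point above (this is not code from the thread or from IPF itself): a small Python model of IPF's "last match wins, unless a matching rule says quick" evaluation, run over the posted block rules plus an assumed "pass in quick proto tcp from any to any port = 80" service rule. The packets are constructed, and the model ignores addresses and only parses the rule keywords the thread uses.

```python
from dataclasses import dataclass

@dataclass
class Packet:            # constructed test packet, not a real capture
    proto: str           # "tcp", "udp", ...
    dport: int           # destination port
    short: bool = False  # IPF "short": fragment too small to hold a full header
    opts: tuple = ()     # IP options present, e.g. ("lsrr",)

def parse_rule(line):
    # Subset of IPF syntax used in the thread; addresses ("from ... to ...") are ignored.
    t = line.split()
    rule = {"action": t[0], "quick": "quick" in t, "proto": None,
            "short": False, "opt": None, "port": None}
    for i, tok in enumerate(t):
        if tok == "proto":
            rule["proto"] = t[i + 1]
        elif tok == "with" and t[i + 1] == "short":
            rule["short"] = True
        elif tok == "with" and t[i + 1] == "opt":
            rule["opt"] = t[i + 2]
        elif tok == "port" and t[i + 1] == "=":
            rule["port"] = int(t[i + 2])
    return rule

def matches(rule, pkt):
    return ((rule["proto"] is None or rule["proto"] == pkt.proto)
            and (not rule["short"] or pkt.short)
            and (rule["opt"] is None or rule["opt"] in pkt.opts)
            and (rule["port"] is None or rule["port"] == pkt.dport))

def verdict(ruleset, pkt):
    # IPF: the last matching rule wins, except a matching "quick" rule ends the search.
    result = "pass"      # IPF's default when nothing matches at all
    for line in ruleset:
        rule = parse_rule(line)
        if matches(rule, pkt):
            result = rule["action"]
            if rule["quick"]:
                break
    return result

SANITY = ["block in quick proto tcp all with short", "block in log quick all with opt lsrr"]
CATCH_ALL = ["block in log quick all"]
WEB = ["pass in quick proto tcp from any to any port = 80"]  # hypothetical service rule

DEFAULT_DENY = SANITY + CATCH_ALL       # as posted: the sanity blocks never decide anything
PASS_FIRST = WEB + SANITY + CATCH_ALL   # pass above the sanity blocks: short fragments to 80 get in
BLOCK_FIRST = SANITY + WEB + CATCH_ALL  # the ordering Martin describes: relevant block in rules FIRST
```

Calling verdict(PASS_FIRST, Packet("tcp", 80, short=True)) returns "pass", while the same packet against BLOCK_FIRST returns "block", which is exactly the difference the reply is warning about.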