Subject: Is my ipfilter list secure?
To: None <netbsd-users@netbsd.org>
From: Roger Fischer <roger@aileron.org>
List: netbsd-users
Date: 04/25/2002 23:48:45
I'm putting together a NetBSD box to replace my Linux gateway.

I'll be running two ethernet interfaces.
External IF is DHCP via roadrunner cable modem.
Internal IF is nat'ted to my single external IP.

On the gateway I intend to run
	HTTP server (externally visible)
	SMTP server (externally visible)
	SSHD server (externally visible from limited sites)
	BIND server (for internal net)
	NTP  server (for internal net / external client)

Internal network should have full access.

After spending two days reading the ipf-howto I've come up with the 
following rule set.
Does anybody see any major holes in it before I put this into service?

(A year ago when I put up my Linux box on the net I thought the 
ipchains script I wrote was secure, but somebody broke into it about 
5 days after I put it up.  I used a script to configure it the second 
time after a full reinstall.)

Thanks,
Roger


# file /etc/ipf.conf
# eth0 is the external interface
# $myip is my external ip address
# $ssh-allowed is the ip I allow to ssh into my machine


# Default policy Deny
     block in on eth0

# Anti-Spoofing
     block in log quick on eth0 from 192.168.0.0/16  to any
     block in log quick on eth0 from 172.16.0.0/12   to any
     block in log quick on eth0 from 10.0.0.0/8      to any
     block in log quick on eth0 from 127.0.0.0/8     to any
     block in log quick on eth0 from 0.0.0.0/8       to any
     block in log quick on eth0 from 169.254.0.0/16  to any  # Autoconfig systems
     block in log quick on eth0 from 192.0.2.0/24    to any  # Reserved example IP block
     block in log quick on eth0 from 204.152.64.0/23 to any  # Reserved by Sun
     block in log quick on eth0 from 224.0.0.0/3     to any  # Class D&E Multicast

# Let internal network have full access
     pass  out    quick on eth0 proto tcp/udp from 192.168.0.0/24 to any  keep state
     pass  out    quick on eth0 proto icmp    from 192.168.0.0/24 to any  keep state

# Uncomment to allow others to ping/trace us
#   pass  in     quick on eth0 proto icmp from any to $myip icmp-type 0  # ping
#   pass  in     quick on eth0 proto icmp from any to $myip icmp-type 11 # Traceroute

# Otherwise, block all icmp.
     block in log quick on eth0 proto icmp from any to any

# Finally, allow access to our SSH, SMTP and HTTP Servers
     pass  in     quick on eth0 proto tcp  from $ssh-allowed  to $myip port = 22  flags S  keep state
     pass  in     quick on eth0 proto tcp  from any           to $myip port = 25  flags S  keep state
     pass  in     quick on eth0 proto tcp  from any           to $myip port = 80  flags S  keep state
#   pass  in     quick on eth0 proto tcp  from any           to 0/32  port = 80  flags S  keep state
#   does 0/32 work in ipf or is that only for nat?

# Throw off casual snoopers.
     block return-rst in log    proto tcp  from any           to $myip port = 21
     block return-rst in log    proto tcp  from any           to $myip port = 22
     block return-rst in log    proto tcp  from any           to $myip port = 23
     block return-rst in log    proto tcp  from any           to $myip port = 53
     block return-rst in log    proto tcp  from any           to $myip port = 443
     block return-rst in log    proto tcp  from any           to $myip port = 445
     block return-rst in log    proto tcp  from any           to $myip port = 515
# Should I replace the 7 previous rules with this?
#   block return-rst in log    proto tcp  from any           to $myip port = any???

#   block return-icmp-as-dest(port-unr) in log quick on eth0 proto udp from any to $myip port = 111
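What the ruleset actually does to a packet depends on IPFilter's match order: the last matching rule wins, unless a matching rule is marked `quick`, which ends evaluation on the spot. The Python below is an added example, not part of Roger's post or of ipf; it replays a few constructed packets against a trimmed copy of his rules, with `$myip` and `$ssh-allowed` replaced by constructed placeholder addresses.

```python
"""Replay packets against a trimmed copy of the posted ipf.conf to show how
IPFilter decides: the LAST matching rule wins, unless a matching rule says
'quick'. Added example, not from the post; addresses below are constructed."""
import ipaddress
import re

MYIP, SSH_ALLOWED = "203.0.113.10", "198.51.100.5"  # constructed placeholder values
RULESET = """
block in on eth0
block in log quick on eth0 from 10.0.0.0/8 to any
pass out quick on eth0 proto tcp/udp from 192.168.0.0/24 to any keep state
block in log quick on eth0 proto icmp from any to any
pass in quick on eth0 proto tcp from $ssh-allowed to $myip port = 22 flags S keep state
pass in quick on eth0 proto tcp from any to $myip port = 80 flags S keep state
block return-rst in log proto tcp from any to $myip port = 22
""".replace("$myip", MYIP).replace("$ssh-allowed", SSH_ALLOWED)

RULE_RE = re.compile(  # just enough of the ipf grammar to read the rules above
    r"(?P<action>pass|block)(?: (?P<ret>return-rst))? (?P<dir>in|out)(?: log)?"
    r"(?: (?P<quick>quick))?(?: on (?P<iface>\S+))?(?: proto (?P<proto>\S+))?"
    r"(?: from (?P<src>\S+) to (?P<dst>\S+))?(?: port = (?P<port>\d+))?")

def parse_rules(text):
    return [RULE_RE.match(l).groupdict() for l in text.splitlines() if l.strip()]

def in_net(spec, addr):
    # 'any' (or no from/to clause) matches everything; otherwise CIDR or host.
    return spec in (None, "any") or (
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])  # no 'on' clause = every interface
            and (rule["proto"] is None or pkt["proto"] in rule["proto"].split("/"))
            and in_net(rule["src"], pkt["src"]) and in_net(rule["dst"], pkt["dst"])
            and rule["port"] in (None, str(pkt["port"])))

def verdict(rules, pkt):
    """(action, return_type) for one packet; ipf passes when nothing matches."""
    result = ("pass", None)
    for rule in rules:
        if matches(rule, pkt):
            result = (rule["action"], rule["ret"])
            if rule["quick"]:
                break
    return result

def packet(direction, proto, src, dst, port=None, iface="eth0"):
    return dict(dir=direction, iface=iface, proto=proto, src=src, dst=dst, port=port)
```

Running `verdict` over a SYN to port 22 from a host other than `$ssh-allowed` ends at the un-`quick` `return-rst` rule, while a UDP packet to port 53 only ever matches the default `block in on eth0` and is dropped silently.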