Subject: Re: IPF Configuration
To: Richard Ibbotson <richard@sheflug.co.uk>
From: Rasputin <rasputin@idoru.mine.nu>
List: netbsd-help
Date: 10/23/2003 10:27:50

* Richard Ibbotson <richard@sheflug.co.uk> [1057 21:57]:
> Hi
>
> Will this do?
> <snip 80-odd lines>
> -----------------------------------
>
> # assumes that ippp0 is frontend
>
> # POLICY
> block in log all
>
> # lo0: LOOPBACK POLICY completely open
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> # state rules - last one is ping
> pass out on ippp0 proto tcp/udp from any to any keep state
> pass out on ippp0 proto icmp from any to any
> pass out on ippp0 proto icmp from any to any icmp-type 8 keep state
>
> # servers
>
> # ssh
> pass in on ippp0 proto tcp from any to any port = ssh flags S keep state keep frags

> Probably :)  It's a lot simpler and more elegant than my own weak
> effort.  Bit worried about allowing SSH in but I suppose that it has
> to happen.

Not unless you run an ssh server, no. 'keep state' handles
keeping track of your outbound stuff.

> So, this will allow ftp, web pages, ssh and e-mail ?  Could it be
> improved in any way ?  Such as blocking any connection to X-windows.
> I would suppose that the default policy at the top would be the answer
> to that.  Something like allowing a service such as SSH but filtering
> it so that any strange requests are blocked.  I think you would
> probably use PAM for that kind of thing anyway.

[ NB: you only need to read on if you run a server; if not remove the ssh
line ]

The 'flags S' only allows SYN packets i.e. starting connections - other than
that you can change the

pass in on ippp0 proto tcp from any to any port = ssh .........

to

pass in on ippp0 proto tcp from 1.2.3.4/32 to any port = ssh .........

to only allow certain IPs in - for completeness stick

---------------------------------

# drop RFC1918 source IPs
# (OK to block 10/8 etc now, since valid LAN traffic already passed)
block in log quick from 192.168.0.0/16 to any
block in log quick from 172.16.0.0/12 to any
block in log quick from 127.0.0.0/8 to any
block in log quick from 0.0.0.0/8 to any
block in log quick from 10.0.0.0/8 to any

---------------------------------

in between the lo0 and state rules to keep reserved IPs out too.

> How about sending over the rest of it off the list and I'll have a=20
> quiet think about it for a day or two :)

There isn't any more of it :) I said it was simple ...
--
Bacchus, n.:
	A convenient deity invented by the ancients as an excuse for
getting drunk.
		-- Ambrose Bierce, "The Devil's Dictionary"
Rasputin :: Jack of All Trades - Master of Nuns
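The pieces discussed in this thread, assembled into one ruleset in the order Rasputin recommends (loopback rules, then the reserved-source blocks, then the state rules, then the ssh rule narrowed to a single source host). This is an added example, not either poster's file; ippp0 is the external interface as in the thread, and 1.2.3.4/32 is the thread's placeholder for the one admin host allowed to reach sshd.

```conf
# Added example: the thread's pieces assembled into one /etc/ipf.conf.
# Not the posters' own file. ippp0 is the external interface, as in the
# thread; 1.2.3.4/32 stands in for the one host allowed to reach sshd.

# POLICY: ipf uses last-match semantics, so this default is overridden
# by any later "pass" rule that matches; "quick" rules short-circuit that.
block in log all

# lo0: LOOPBACK POLICY completely open
pass in quick on lo0 all
pass out quick on lo0 all

# drop RFC1918 / reserved source IPs
# (placed after the lo0 rules so loopback traffic has already passed;
#  "quick" stops evaluation so no later pass rule can let these through)
block in log quick from 192.168.0.0/16 to any
block in log quick from 172.16.0.0/12 to any
block in log quick from 127.0.0.0/8 to any
block in log quick from 0.0.0.0/8 to any
block in log quick from 10.0.0.0/8 to any

# state rules - last one is ping
pass out on ippp0 proto tcp/udp from any to any keep state
pass out on ippp0 proto icmp from any to any
pass out on ippp0 proto icmp from any to any icmp-type 8 keep state

# servers
#
# ssh: only needed if sshd actually runs on this box; otherwise delete it.
# Weak form from the original config (any source may open a connection):
#   pass in on ippp0 proto tcp from any to any port = ssh flags S keep state keep frags
# Narrowed form: only the admin host may send the opening SYN ("flags S"),
# and "keep state" lets the rest of that connection through.
pass in on ippp0 proto tcp from 1.2.3.4/32 to any port = ssh flags S keep state keep frags
```

The ordering only works because ipf evaluates a packet against every rule and the last match wins unless a matching rule says "quick": the reserved-source blocks must therefore carry "quick" and sit after the lo0 passes, while the ssh pass can stay a plain (non-quick) rule that overrides the "block in log all" default for that one flow.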