Subject: ipf.conf rulesets for outside firewall.
To: None <port-i386@netbsd.org>
From: Alicia da Conceicao <alicia@cyberstation.ca>
List: port-i386
Date: 01/06/2000 12:49:20
I realize that this isn't a specific NetBSD question, but I haven't had any
luck finding this info on the ipfilter website:

	http://coombs.anu.edu.au/ipfilter/

or elsewhere on the net.

Basically I have a NetBSD gateway computer, with two ethernet cards
(fxp0 & fxp1), acting as a firewall.  fxp0 is the ethernet device for
the internal non-routable 192.168.0.0/16 network, and fxp1 is for
the external network 1.2.3.4/32.  I am running IPF & IPNAT, included
with NetBSD, plus squid, which all works great.  Everyone on the
internal lan can surf the net, send/receive e-mail, etc.  However I
wish to strengthen the security of the firewall.  To that end, I have
put the following rulesets in my "/etc/ipf.conf" file:

	block in quick all with frag
	block in quick proto tcp all with short
	block in quick log all with ipopts

	block in quick on fxp1 from any to 192.168.0.0/16
	block in quick on fxp1 from any to 127.0.0.0/8

	block in quick on fxp1 from 192.168.0.0/16 to any
	block in quick on fxp1 from 172.16.0.0/12 to any
	block in quick on fxp1 from 10.0.0.0/8 to any
	block in quick on fxp1 from 127.0.0.0/8 to any

The first section ensures that bad (fragmented or short) packets, or
packets with options, are rejected.

The second section ensures that no packets coming from the outside, with
a destination for the internal lan, are allowed in.  (Packets from outside
for the internal lan must always be converted by ipnat.)

The third section ensures that my firewall cannot be used for IP spoofing
of non-routable IP numbers to the outside.  (This makes me a good net
citizen.)

What I need now is a fourth section of rules that blocks everything coming
into the external ethernet device (fxp1), except those services that I
allow through, in such a manner that those in the internal lan can still
make any connection they wish to the outside.  (For example, I may only
wish to allow people on the outside to access the ssh (22-tcp) port and
domain (53-udp) port, while allowing everyone inside the firewall to
access everything on the outside.  If someone on the outside tries to
access my squid proxy (3128-tcp) port on my firewall, ipf will block their
packets.)

Any ideas on what rulesets I need in ipf.conf to do this?

Thanks in advance.  Sincerely, Alicia.
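A complete /etc/ipf.conf that carries the three sections from the post and adds the fourth section it asks for, as an added example: this is not part of Alicia's message nor the ipfilter project's own documentation. It assumes the interfaces and addresses given in the post (fxp0 on the internal 192.168.0.0/16 network, fxp1 on the external 1.2.3.4/32 address) and the ipfilter 3.x rule syntax shipped with NetBSD of that era; the section comments are mine. The mechanism that makes "outside blocked, inside unrestricted" work is "keep state" on the outbound pass rules: every connection leaving fxp1 creates a state-table entry, and the state table is consulted before the rules, so replies are admitted inbound without any inbound rule naming them.

```conf
# /etc/ipf.conf -- added example, not from the original post.
# Assumes fxp0 = internal 192.168.0.0/16, fxp1 = external 1.2.3.4/32 (from the post).
# ipf reads rules top to bottom and the LAST match wins, unless a rule says
# "quick", in which case evaluation stops at that rule.  Every rule here is quick.

# Section 1: drop malformed packets (as in the post).
block in quick all with frag
block in quick proto tcp all with short
block in quick log all with ipopts

# Section 2: nothing from outside may carry an internal or loopback destination (as in the post).
block in quick on fxp1 from any to 192.168.0.0/16
block in quick on fxp1 from any to 127.0.0.0/8

# Section 3: anti-spoofing egress filter for non-routable sources (as in the post).
block in quick on fxp1 from 192.168.0.0/16 to any
block in quick on fxp1 from 172.16.0.0/12 to any
block in quick on fxp1 from 10.0.0.0/8 to any
block in quick on fxp1 from 127.0.0.0/8 to any

# Section 4 (added): loopback and the internal interface are trusted.
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on fxp0 all
pass out quick on fxp0 all

# Section 4 (added): the only services the outside may reach on the firewall.
# "flags S" accepts only the initial SYN of a TCP connection; "keep state"
# admits the rest of that connection without further rules.
pass in quick on fxp1 proto tcp from any to 1.2.3.4/32 port = 22 flags S keep state
pass in quick on fxp1 proto udp from any to 1.2.3.4/32 port = 53 keep state

# Section 4 (added): anything leaving through fxp1, including NAT-translated
# traffic from the lan, creates a state entry so its replies are let back in.
pass out quick on fxp1 proto tcp from any to any flags S keep state
pass out quick on fxp1 proto udp from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state

# Section 4 (added): default deny.  Everything else arriving on fxp1, for
# example a connection attempt to squid on 3128/tcp, is dropped and logged.
block in log quick on fxp1 all
```

Load it with `ipf -Fa -f /etc/ipf.conf` (flush the active rules, then read the file), and use `ipfstat -hio` to see per-rule hit counts and `ipfstat -s` for state-table statistics; a connection attempt from outside to port 3128 should show up as a hit on the final block rule and nowhere else. Because the outbound rules only create state for TCP, UDP and ICMP, any other protocol the lan needs to reach through the firewall (for example IPsec or GRE) would need its own pass rule.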