Firewall Wizards mailing list archives
Firewall rules review
From: "Matt Simonsen" <matt () careercast com>
Date: Wed, 20 Jun 2001 16:25:41 -0700
I will probably take this box down in the interest of its security (in case my rules suck...) but here is its firewall script that some of you may do me the favor of reviewing.

PS- these rules were more or less taken from one web page and modified for my needs, I don't want anybody feeling like I am trying to take credit for them...

The goal: basically no traffic from the outside in, but all traffic from the inside out unhindered. Total security (to the extent that it can exist). Please give me any or all comments on this.

Also, using this rule set, any ideas on how a Pentium 200 w/64m RAM would handle the load if it were using all the T1 capacity? How about a PIII 800, 1 gig RAM, on a 25Mbps connection at capacity?

Thanks!
Matt

The script:

#--------------------------------------------------------------------------
# xl0 - external interface
# rl0 - internal interface
#--------------------------------------------------------------------------
# packets which are too short to be real except echo replies on lo0
pass in log quick on lo0 proto icmp from 127.0.0.1/8 to 127.0.0.1/8 with short
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
#--------------------------------------------------------------------------
# loopback untouched
pass in log quick on lo0 all
pass out log quick on lo0 all
#--------------------------------------------------------------------------
# Group setup:
# 100 = incoming external (xl0)
# 150 = outgoing external (xl0)
# 200 = incoming internal (rl0)
# 250 = outgoing internal (rl0)
block in log body on xl0 all head 100
block out log body on xl0 all head 150
block in log on rl0 all head 200
block out log on rl0 all head 250
#--------------------------------------------------------------------------
# incoming traffic on external - group 100
# 1) prevent localhost spoofing
block in log quick from 127.0.0.1/32 to any group 100
block in log quick from any to 127.0.0.1/8 group 100
#--------------------------------------------------------------------------
# 2) packets that should never exist on xl0
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
block in log quick from 172.16.0.0/16 to any group 100
block in log quick from any to 172.16.0.0/16 group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from any to 192.168.0.0/16 group 100
# 3) policy
pass in log quick proto tcp from 64.47.230.224/255.255.255.224 to 64.47.230.240 port = 22 keep state group 100
# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100
#--------------------------------------------------------------------------
# outgoing xl0 traffic - group 150
pass out quick proto tcp/udp from 64.47.230.240 to any keep state group 150
pass out quick proto tcp/udp from 192.168.1.0/24 to any keep state group 150
pass out quick proto icmp from 64.47.230.240 to any keep state keep frags group 150
pass out quick proto icmp from 192.168.1.0/24 to any keep state keep frags group 150
#--------------------------------------------------------------------------
# incoming traffic on rl0 - group 200
#--------------------------------------------------------------------------
# 1) prevent localhost spoofing
block in log quick from 127.0.0.0/8 to any group 200
pass in log quick from any to any group 200
#--------------------------------------------------------------------------
# outgoing traffic on rl0 - group 250
#--------------------------------------------------------------------------
block out log quick from 127.0.0.0/8 to any group 250
block out quick from any to 127.0.0.0/8 group 250
pass out log quick from any to any group 250
#--------------------------------------------------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
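A reviewer of a ruleset like the one above usually wants two mechanical checks done before reading for policy: that every `group N` reference has a matching `head N`, and that the "packets that should never exist on xl0" block actually covers the full RFC 1918 ranges (the posted rules use 172.16.0.0/16 where the private range is 172.16.0.0/12). The following is an added example, not code from the post or from IPFilter; it is a small static linter for ipf-style rules that embeds an excerpt of the posted ruleset as constructed input and reports uncovered address space, using only Python's standard library.

```python
"""Static checks for an IPFilter (ipf) ruleset: group/head consistency and
RFC 1918 source-blocking coverage on the external inbound group."""
import ipaddress
import re

# RFC 1918 ranges an external-interface bogon filter is expected to cover.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed input: an excerpt of the ruleset posted above (groups and the
# group-100 bogon/policy rules), kept verbatim so the checks run offline.
RULESET = """\
block in log body on xl0 all head 100
block out log body on xl0 all head 150
block in log on rl0 all head 200
block out log on rl0 all head 250
# 2) packets that should never exist on xl0
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
block in log quick from 172.16.0.0/16 to any group 100
block in log quick from any to 172.16.0.0/16 group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from any to 192.168.0.0/16 group 100
# 3) policy
pass in log quick proto tcp from 64.47.230.224/255.255.255.224 to 64.47.230.240 port = 22 keep state group 100
block return-icmp(net-unr) in proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100
pass out quick proto tcp/udp from 192.168.1.0/24 to any keep state group 150
pass in log quick from any to any group 200
"""

# action, optional return-* modifier, direction, then the rest of the rule.
RULE_RE = re.compile(r"^(?P<action>pass|block)(?:\s+return-\S+)?\s+(?P<dir>in|out)\b(?P<rest>.*)$")


def _net(token):
    """'any' -> None; host, CIDR or dotted-mask notation -> IPv4Network."""
    if token == "any":
        return None
    return ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    """Parse the subset of ipf syntax used in the posted script into dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line}")
        rest = m.group("rest")
        addr = re.search(r"\bfrom\s+(\S+)\s+to\s+(\S+)", rest)
        head = re.search(r"\bhead\s+(\d+)", rest)
        group = re.search(r"\bgroup\s+(\d+)", rest)
        rules.append({
            "action": m.group("action"),
            "dir": m.group("dir"),
            "quick": " quick " in f" {rest} ",
            "src": _net(addr.group(1)) if addr else None,   # None means "any"
            "dst": _net(addr.group(2)) if addr else None,
            "head": int(head.group(1)) if head else None,
            "group": int(group.group(1)) if group else None,
        })
    return rules


def check_group_refs(rules):
    """Group numbers referenced by rules but never declared with 'head N'."""
    heads = {r["head"] for r in rules if r["head"] is not None}
    return sorted({r["group"] for r in rules if r["group"] is not None} - heads)


def rfc1918_gaps(rules, group=100):
    """For each RFC 1918 range, the sub-ranges NOT blocked as a source
    ('block in ... from X to any group N') on the given inbound group."""
    blocked = [r["src"] for r in rules
               if r["action"] == "block" and r["dir"] == "in" and r["group"] == group
               and r["src"] is not None and r["dst"] is None]
    gaps = {}
    for net in RFC1918:
        remaining = [net]
        for b in blocked:
            nxt = []
            for piece in remaining:
                if piece.subnet_of(b):
                    continue                          # fully covered by this rule
                if b.subnet_of(piece):
                    nxt.extend(piece.address_exclude(b))  # carve out the covered part
                else:
                    nxt.append(piece)                 # disjoint CIDR blocks
            remaining = nxt
        gaps[str(net)] = sorted(str(p) for p in remaining)
    return gaps


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    print("groups without a head:", check_group_refs(rules))
    for net, uncovered in rfc1918_gaps(rules).items():
        print(f"{net}: {'fully blocked' if not uncovered else 'NOT blocked: ' + ', '.join(uncovered)}")
```

Run against the excerpt, the group check comes back clean while the coverage check reports that 172.17.0.0/16, 172.18.0.0/15, 172.20.0.0/14 and 172.24.0.0/13 are not blocked as inbound sources on xl0; the same approach extends to any list of ranges a site wants guaranteed-blocked on its outside interface.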