Firewall Wizards mailing list archives

Re: Feedback on IPFW (Ripper Roo)


From: Roger Marquis <marquis () roble com>
Date: Tue, 8 Jan 2002 10:31:27 -0800 (PST)

"Ripper Roo" wrote:
I am currently evaluating FreeBSD(4.4)/IPFW and would like to receive
feedback from experienced users, so good news and bad news are very
welcome.

We've installed ipfw on several FreeBSD servers and firewalls over
the past 2 years.  It works as advertised.  Can't comment on its
stateful filtering, divert, pipe, bridging, or IPv6 features but
for straight IP (v4) packet filtering it's very nice.  I would
recommend carefully evaluating the default /etc/rc.firewall however.
We typically roll our own from something like this:

  #!/bin/sh -
  # run by /etc/rc.local
  # host-based packet filter, not for gateway systems
  ###############################################################
  IPFW=/sbin/ipfw
  ETH=...
  OURIPS=...
  BLACKHOLELIST=/usr/local/etc/blackhole_ips
  if [ ! -x "$IPFW" ]; then
        echo "ERROR: $IPFW not found"
        exit 1
  elif [ ! -s "$BLACKHOLELIST" ]; then
        echo "ERROR: $BLACKHOLELIST not found or empty"
        exit 1
  fi
  ###############################################################
  ## flush all existing rules (their counters go with them;
  ## "ipfw zero" would reset counters alone)
  $IPFW -q flush
  ###############################################################
  ## block ip-options (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options)
  #$IPFW add 80 deny log ip from any to any ipoptions ssrr,lsrr,ts,rr
  ## allow only certain icmp types
  ## (0 echo reply, 3 unreachable, 4 source quench, 8 echo request, 11 time exceeded)
  $IPFW add 90 allow icmp from any to any icmptypes 0,3,4,8,11
  $IPFW add 91 deny log icmp from any to any
  ## allow localhost-localhost:
  $IPFW add 100 allow all from any to any via lo0
  $IPFW add 101 deny ip from any to 127.0.0.0/8
  $IPFW add 102 deny ip from 127.0.0.0/8 to any
  ## spoof/smurf: our own addresses must never arrive from the wire,
  ## and nothing but our own addresses may leave on it
  $IPFW add 110 deny log ip from $OURIPS to any recv $ETH
  $IPFW add 115 allow ip from $OURIPS to any out xmit $ETH
  $IPFW add 116 deny log ip from any to any out xmit $ETH
  # allow all from remote
  #$IPFW add 117 allow ip from ... to any via any
  ## rpc, ident, netbios
  $IPFW add 120 deny tcp from any to any 111,113,135-139
  $IPFW add 130 deny udp from any to any 135-139
  ## ospf
  $IPFW add 140 deny ospf from any to any
  ## honeypot (...-...)
  $IPFW add 160 deny log ip from any to ...
  ## rfc1918 private space, plus link-local, TEST-NET and other reserved blocks
  ## (ipfw orders by rule number, so several rules may share number 151)
  $IPFW add 151 deny ip from 10.0.0.0/8 to any
  $IPFW add 151 deny ip from 169.254.0.0/16 to any
  $IPFW add 151 deny ip from 172.16.0.0/12 to any
  $IPFW add 151 deny ip from 192.0.2.0/24 to any
  $IPFW add 151 deny ip from 192.168.0.0/16 to any
  $IPFW add 151 deny ip from 128.0.0.0/16 to any
  ###############################################################
  if [ -s "$BLACKHOLELIST" ]; then
        #### read the database of blackholed IPs
        ## NB: the test below only checks that an entry starts with a
        ## digit 1-9; it does not validate a complete dotted quad
        for ip in `grep -v '^#' "$BLACKHOLELIST" | sort -u` ; do
              if [ -n "$(echo "$ip" | grep -v '^[1-9]')" ]; then
                    echo "ERROR: $ip is not a valid IP address"
              else
                    $IPFW add 210 deny ip from $ip to any
              fi
        done
  else
        echo "ERROR: $BLACKHOLELIST not found"
  fi
  ###############################################################
  ## kernel default = "allow anything else"
  ## (only for kernels built with IPFIREWALL_DEFAULT_TO_ACCEPT; otherwise
  ## the implicit rule 65535 denies whatever the rules above did not allow)
  ###############################################################

The only real drawback to ipfw, and ipfilter, pf, ... IMHO, is the
syntax.  I'd prefer to use something more similar to Cisco's IOS
command set than the idiosyncratic syntax of freeware packet filters.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
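The blackhole-list loop in the script above only checks that an entry starts with a digit 1-9, so an entry such as 10.0.0.300 is passed straight to ipfw. The following is an added example, not part of Roger Marquis's post: a stricter loader that validates each entry as an IPv4 address or CIDR block before building the rule, and prints the ipfw command lines instead of executing them so the output can be reviewed offline. The IPFW path, rule number 210, the function names and the sample list are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): stricter blackhole-list loader.
# Assumptions: IPFW path, rule number 210 and the function names are this
# example's choices; list format is one address or CIDR per line, '#' comments.

IPFW=/sbin/ipfw

# is_ipv4_cidr ADDR[/PREFIX] -> exit 0 if ADDR is a dotted quad with octets
# 0-255 and PREFIX (when present) is 0-32; exit 1 otherwise.
is_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in
        */*) pfx=${1#*/} ;;
        *)   pfx=32 ;;
    esac
    case $pfx in
        ''|*[!0-9]*) return 1 ;;          # prefix must be digits only
    esac
    [ "$pfx" -le 32 ] || return 1
    case $addr in
        *[!0-9.]*|.*|*.|*..*) return 1 ;; # only digits and single dots
    esac
    oldifs=$IFS; IFS=.
    set -- $addr                          # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# blackhole_rules FILE -> print one ipfw rule per valid entry, report invalid
# entries on stderr, and return the number of invalid entries (0 = clean).
blackhole_rules() {
    bad=0
    for ip in $(grep -v '^#' "$1" | sed 's/#.*//' | sort -u); do
        if is_ipv4_cidr "$ip"; then
            echo "$IPFW add 210 deny ip from $ip to any"
        else
            echo "ERROR: '$ip' is not a valid IPv4 address or CIDR block" >&2
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample list (not a real blackhole file): two good entries, two bad.
SAMPLE=$(mktemp "${TMPDIR:-/tmp}/blackhole.XXXXXX") || exit 1
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample blackhole_ips
203.0.113.7          # single host
198.51.100.0/24      # whole block
10.0.0.300           # octet out of range, would pass the ^[1-9] test
1;reboot             # garbage that also starts with a digit
EOF

blackhole_rules "$SAMPLE" || echo "$? invalid entries skipped" >&2
```

Run it as-is and it prints the two rules for 203.0.113.7 and 198.51.100.0/24 and rejects the other two entries; to load the result, pipe the output into sh once it looks right rather than having the loop call ipfw directly.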