Firewall Wizards mailing list archives
Re: Feedback on IPFW (Ripper Roo)
From: Roger Marquis <marquis () roble com>
Date: Tue, 8 Jan 2002 10:31:27 -0800 (PST)
"Ripper Roo" wrote:
I am currently evaluating FreeBSD(4.4)/IPFW and would like to receive feedback from experienced users, so good news and bad news are very welcome.
We've installed ipfw on several FreeBSD servers and firewalls over the past 2 years. It works as advertised. Can't comment on its stateful filtering, divert, pipe, bridging, or IPv6 features but for straight IP (v4) packet filtering it's very nice. I would recommend carefully evaluating the default /etc/rc.firewall however. We typically roll our own from something like this:

#!/bin/sh -
# run by /etc/rc.local
# host-based packet filter, not for gateway systems
###############################################################
IPFW=/sbin/ipfw
ETH=...
OURIPS=...
BLACKHOLELIST=/usr/local/etc/blackhole_ips

if [ ! -x $IPFW ]; then
  echo "ERROR: $IPFW not found"
  exit 1
elif [ ! -s $BLACKHOLELIST ]; then
  echo "ERROR: $BLACKHOLELIST not found"
  exit 1
fi
###############################################################
## reset counters
$IPFW -q flush
###############################################################
## block ip-options (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options)
#$IPFW add 80 deny log ip from any to any ipoptions ssrr,lsrr,ts,rr

## allow only certain icmp types
$IPFW add 90 allow icmp from any to any icmptypes 0,3,4,8,11
$IPFW add 91 deny log icmp from any to any

## allow localhost-localhost:
$IPFW add 100 allow all from any to any via lo0
$IPFW add 101 deny ip from any to 127.0.0.0/8
$IPFW add 102 deny ip from 127.0.0.0/8 to any

## spoof/smurf
$IPFW add 110 deny log ip from $OURIPS to any recv $ETH
$IPFW add 115 allow ip from $OURIPS to any out xmit $ETH
$IPFW add 116 deny log ip from any to any out xmit $ETH

# allow all from remote
#$IPFW add 117 allow ip from ... to any via any

## rpc, ident, netbios
$IPFW add 120 deny tcp from any to any 111,113,135-139
$IPFW add 130 deny udp from any to any 135-139

## ospf
$IPFW add 140 deny ospf from any to any

## honeypot (...-...)
$IPFW add 160 deny log ip from any to ...

## rfc1918
$IPFW add 151 deny ip from 10.0.0.0/8 to any
$IPFW add 151 deny ip from 169.254.0.0/16 to any
$IPFW add 151 deny ip from 172.16.0.0/12 to any
$IPFW add 151 deny ip from 192.0.2.0/24 to any
$IPFW add 151 deny ip from 192.168.0.0/16 to any
$IPFW add 151 deny ip from 128.0.0.0/16 to any
###############################################################
if [ -s $BLACKHOLELIST ]; then
  #### read the database of blackholed IPs (one per line, '#' comments skipped)
  for ip in `grep -v '^#' $BLACKHOLELIST | sort -u` ; do
    if [ "`echo $ip | grep -v '^[1-9]'`" != "" ]; then
      echo "ERROR: $ip is not a valid IP address"
    else
      $IPFW add 210 deny ip from $ip to any
    fi
  done
else
  echo "ERROR: $BLACKHOLELIST not found"
fi
###############################################################
## kernel default = "allow anything else"
###############################################################

The only real drawback to ipfw, and ipfilter, pf, ... IMHO, is the syntax. I'd prefer to use something more similar to Cisco's IOS command set than the idiosyncratic syntax of freeware packet filters.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
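An added example, not part of Roger's post and not FreeBSD's own rc.firewall: a POSIX sh generator for the blackhole section of a script like the one above. The posted loop accepts any list entry whose first character is 1-9; the function below checks each entry as a dotted quad with an optional /prefix and rejects everything else, and it prints the rules as text instead of calling ipfw, so the result can be reviewed before it is loaded. The rule number 210, the function names and the sample list contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): generate the ipfw blackhole
# rules from a list file, validating each entry as an IPv4 address or CIDR.
# Output is one rule per line in the form ipfw(8) reads from a file, so it
# can be reviewed first and then loaded with:  ipfw -q /path/to/rules

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix
# (a.b.c.d or a.b.c.d/n, n in 0..32, no leading zeros), 1 otherwise.
is_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no "/" present: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ ${#prefix} -le 2 ] || return 1
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1                 # exactly four octets
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print "add N deny ip from X to any" for every valid entry in the list file
# (blank lines and '#' comments ignored, duplicates collapsed); report invalid
# entries on stderr and return 1 if there were any, 0 otherwise.
gen_blackhole_rules() {
    listfile=$1
    rulenum=${2:-210}                         # constructed rule number
    bad=0
    for ip in $(sed 's/#.*//; s/[[:space:]]//g' "$listfile" | grep -v '^$' | LC_ALL=C sort -u); do
        if is_ipv4_cidr "$ip"; then
            printf 'add %s deny ip from %s to any\n' "$rulenum" "$ip"
        else
            printf 'ERROR: %s is not a valid IPv4 address\n' "$ip" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed sample list for the demonstration (not real blocklist data).
write_sample_list() {
    cat > "$1" <<'EOF'
# addresses seen probing the host (constructed example data)
192.0.2.10
198.51.100.0/24
203.0.113.7
203.0.113.7        # duplicate, collapsed by sort -u
1foo               # starts with a digit but is not an address
256.1.1.1
10.0.0.1/33
EOF
}

# Usage: sh blackhole_rules.sh /usr/local/etc/blackhole_ips > rules.txt
if [ $# -gt 0 ]; then
    gen_blackhole_rules "$1"
fi
```

Because the output is plain rule text, the script can be run from cron or by hand, the result diffed against the previous rules file, and only then handed to ipfw; a non-zero exit status flags a list that needs cleaning before it is loaded.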
Current thread:
- Re: Feedback on IPFW (Ripper Roo) Roger Marquis (Jan 09)
- <Possible follow-ups>
- RE: Re: Feedback on IPFW (Ripper Roo) Hammerle, Tye F (Jan 09)