
List:       ipfilter
Subject:    Re: simple, yet secure?
From:       "Ralph M. Churchill" <churchillrm () home ! com>
Date:       2001-01-28 14:24:30

I have anti-spoofing and anti-"evil"-packets rules in my firewall. I
simply left them out for brevity. I'm glad I have them too... one of my
Windows machines was actually trying to send packets to an unroutable
IP... still haven't figured that one out yet. Even more importantly, it
makes a great diagnostic tool when you accidentally plug the wrong cable
into the wrong NIC ;)

RMC

----- Original Message -----
From: "David Kirkby" <drkirkby@ntlworld.com>
To: <ipfilter@coombs.anu.edu.au>
Sent: Sunday, January 28, 2001 4:03 AM
Subject: Re: simple, yet secure?


> "Ralph M. Churchill" wrote:
> >
> > In my constant pursuit of the Ultimate Personal Firewall, I think I've
> > come up with my final design. I like the idea of "default deny", but,
> > after all, I'm protecting my home network, not NASA. I've tried in the
> > past to block everything in both directions, only allowing specific
> > services to connect to specific addresses, etc. But I found it WAY too
> > restrictive. In the end, I like the simplicity of this ruleset: "block
> > everything coming in and allow all outgoing connections initiated by
> > me". This should work right? Any and all comments are, as always,
> > appreciated!
>
> Like you, I'm trying to protect a home network, not NASA, but there are
> a few things I would add that you seem to omit. These are I believe not
> restrictive. I'm not convinced I have the ultimate rule set (in fact I
> know I don't as active ftp still gives me a few hassles). However, I
> would add these rules, which I've picked up from somewhere and don't
> claim to be the originator of. I'm using a modem as the external
> interface on ipdptp0, so that should translate to your ep0 (sorry my
> mailer does not support search and replace when composing a message).
>
> # Anything with options gets thrown out, as these can be used to hack.
> block in log quick from any to any with ipopts
>
> # Get rid of all short TCP/IP fragments (too small for valid comparison)
> # as these can be used for hacking.
> block in log quick proto tcp from any to any with short
> block out log quick proto tcp from any to any with short
>
> # Block all the private routable addresses, as these should never
> # come down the modem.
> block in quick on ipdptp0 from 192.168.0.0/16 to any
> block in quick on ipdptp0 from 172.16.0.0/12 to any
> block in quick on ipdptp0 from 10.0.0.0/8 to any
>
> # Block any packet going out, that is intended for one of the
> # private address ranges.
> # There is no reason to send anything to such an IP address.
>
> block out quick on ipdptp0 from any to 192.168.0.0/16
> block out quick on ipdptp0 from any to 172.16.0.0/12
> block out quick on ipdptp0 from any to 10.0.0.0/8
>
> Anyway, there are my additions. Like Ralph, I'm open to comments.
>
> David Kirkby.
>
> > # Ralph M. Churchill's rule set.
> > # ep0 is external interface, IP w.x.y.z
> > # ne0 is internal interface, IP 192.168.1.1
> >
> > # default policy
> > block in  log from any to any
> > block out log from any to any
> >
> > # loopback interface
> > pass in  quick on lo0 from any to any
> > pass out quick on lo0 from any to any
> >
> > # allow traffic to flow freely within internal network
> > pass in  on ne0 from 192.168.1.0/24 to any
> > pass out on ne0 from any to 192.168.1.0/24
> >
> > # allow ssh connections, incoming
> > pass in  quick on ep0 proto tcp from any to w.x.y.z/32 port = 22 flags S
> > keep state keep frags
> >
> > # allow all outbound connections, initiated by me
> > pass out on ep0 proto tcp  from any to any flags S keep state keep frags
> > pass out on ep0 proto icmp from any to any keep state
> > pass out on ep0 proto udp  from any to any keep state
>
> --
> Dr. David Kirkby Ph.D,
> email: drkirkby@ntlwold.com (formerly davek@medphys.ucl.ac.uk)
> web page: http://www.david-kirkby.co.uk
> Amateur radio callsign: G8WRB
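The two rule sets in this thread interact through ipfilter's evaluation order: the last matching rule decides unless a matching rule says `quick`, and `keep state` lets replies back in without a matching `pass in` rule. The script below is an added example, not code from either poster; it models that simplified reading of ipf(5) in Python (ignoring `log`, `keep frags` and NAT), loads both rule sets with David's `ipdptp0` rewritten to `ep0` as he suggests, and runs a few constructed packets through them. The addresses 203.0.113.5 (standing in for w.x.y.z) and 198.51.100.7 are constructed test-network values.

```python
"""Toy ipfilter rule evaluator (assumption: simplified ipf(5) semantics).

Modelled: rules scanned top to bottom, LAST match decides, 'quick' stops
the scan immediately, and 'keep state' on a matching pass rule records the
flow so that packets of that flow in either direction pass without the
rules being consulted.  Unmatched packets pass, as in ipf.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str; direction: str
    quick: bool = False; iface: str | None = None; proto: str | None = None
    src: ipaddress.IPv4Network = ANY; dst: ipaddress.IPv4Network = ANY
    dport: int | None = None; syn_only: bool = False
    keep_state: bool = False; with_opt: str | None = None  # 'ipopts'/'short'

@dataclass
class Packet:
    direction: str; iface: str; proto: str; src: str; dst: str
    sport: int = 0; dport: int = 0
    syn: bool = False; ipopts: bool = False; short: bool = False

def _net(tok):
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    """Parse the subset of ipf syntax used in the thread into a Rule."""
    t = line.split(); r = Rule(action=t[0], direction=t[1]); i = 2
    while i < len(t):
        w = t[i]
        if w == "log": i += 1                      # logging not modelled
        elif w == "quick": r.quick = True; i += 1
        elif w == "on": r.iface = t[i + 1]; i += 2
        elif w == "proto": r.proto = t[i + 1]; i += 2
        elif w == "from": r.src = _net(t[i + 1]); i += 2
        elif w == "to": r.dst = _net(t[i + 1]); i += 2
        elif w == "port": r.dport = int(t[i + 2]); i += 3   # 'port = N'
        elif w == "flags": r.syn_only = t[i + 1] == "S"; i += 2
        elif w == "keep": r.keep_state |= t[i + 1] == "state"; i += 2
        elif w == "with": r.with_opt = t[i + 1]; i += 2
        else: raise ValueError(f"unsupported token {w!r}")
    return r

def matches(r, p):
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst
            and (r.dport is None or r.dport == p.dport)
            and (not r.syn_only or p.syn)
            and (r.with_opt != "ipopts" or p.ipopts)
            and (r.with_opt != "short" or p.short))

class Firewall:
    def __init__(self, ruleset):
        self.rules = [parse_rule(l) for l in ruleset.splitlines()
                      if l.strip() and not l.lstrip().startswith("#")]
        self.state = set()          # (proto, src, sport, dst, dport) flows

    def filter(self, p):
        """Return (verdict, reason) for one packet and update the state table."""
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        if flow in self.state or (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "pass", "state table"
        decided = None
        for n, r in enumerate(self.rules):
            if matches(r, p):
                decided = (n, r)
                if r.quick:
                    break                   # quick: stop at this rule
        if decided is None:
            return "pass", "no rule matched"
        n, r = decided
        if r.action == "pass" and r.keep_state:
            self.state.add(flow)
        return r.action, f"rule {n}" + (" quick" if r.quick else "")

RULESET = """
# David's quick blocks first: a spoofed SYN must not reach the quick ssh pass
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
block out log quick proto tcp from any to any with short
block in quick on ep0 from 192.168.0.0/16 to any
block in quick on ep0 from 172.16.0.0/12 to any
block in quick on ep0 from 10.0.0.0/8 to any
block out quick on ep0 from any to 192.168.0.0/16
block out quick on ep0 from any to 172.16.0.0/12
block out quick on ep0 from any to 10.0.0.0/8
# Ralph's rule set; 203.0.113.5 is a constructed stand-in for w.x.y.z
block in log from any to any
block out log from any to any
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any
pass in on ne0 from 192.168.1.0/24 to any
pass out on ne0 from any to 192.168.1.0/24
pass in quick on ep0 proto tcp from any to 203.0.113.5/32 port = 22 flags S keep state keep frags
pass out on ep0 proto tcp from any to any flags S keep state keep frags
pass out on ep0 proto icmp from any to any keep state
pass out on ep0 proto udp from any to any keep state
"""

def demo():
    """Run constructed packets through the combined rule set."""
    fw, ext, me = Firewall(RULESET), "198.51.100.7", "203.0.113.5"
    return {
        "ssh_in": fw.filter(Packet("in", "ep0", "tcp", ext, me, 40000, 22, syn=True))[0],
        "ssh_reply": fw.filter(Packet("out", "ep0", "tcp", me, ext, 22, 40000))[0],
        "http_in": fw.filter(Packet("in", "ep0", "tcp", ext, me, 40001, 80, syn=True))[0],
        "spoofed_ssh": fw.filter(Packet("in", "ep0", "tcp", "192.168.9.9", me, 40002, 22, syn=True))[0],
        "ipopts_in": fw.filter(Packet("in", "ep0", "tcp", ext, me, 40003, 22, syn=True, ipopts=True))[0],
        "dns_out": fw.filter(Packet("out", "ep0", "udp", me, ext, 5353, 53))[0],
        "dns_reply": fw.filter(Packet("in", "ep0", "udp", ext, me, 53, 5353))[0],
        "udp_unsolicited": fw.filter(Packet("in", "ep0", "udp", ext, me, 53, 5354))[0],
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The ordering comment in `RULESET` is the practical point: both the anti-spoofing blocks and Ralph's ssh rule use `quick`, so whichever comes first ends the scan. With the private-address blocks placed above the ssh rule, a SYN to port 22 arriving on ep0 with a 192.168.x.x source is dropped; placed below it, the same packet would be passed. The DNS pair shows why the "allow outgoing initiated by me" design needs `keep state`: the reply is admitted by the state table, while an unsolicited UDP packet to a port nobody asked from still hits the default `block in`.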