From: nascar24 (nascar24@home.nl)
Date: Mon Jul 01 2002 - 20:05:16 CDT


    This is my current ruleset:

    # allow loopback traffic
    add 100 allow ip from any to any via lo0

    # protect loopback address
    add 200 deny log ip from 127.0.0.1 to any
    add 249 deny log ip from any to 127.0.0.1

    # block spoofs
    add 400 deny log ip from me to any in via ed0

    # enable NATD
    add 425 divert 8668 ip from any to any via ed0

    # check dynamic rules
    add 450 check-state

    # make dynamic entries for all outgoing traffic
    add 500 allow log tcp from me to any 1-65535 keep-state out
    add 550 allow log udp from me to any 1-65535 keep-state out

    # services we offer to the world
    add 600 allow log tcp from any to me 22,5067,5617,8472,10000 keep-state in

    # pass ICMP
    add 700 allow log icmp from me to any out
    add 750 allow log icmp from any to me in

    # pass everything on private LAN
    add 800 allow log all from 192.168.0.0/16 to any
    add 850 allow log all from any to 192.168.0.0/16

    # log rejects that have fallen through
    add 65000 deny log ip from any to any

    With this ruleset I can browse websites, FTP sites etc.

    But when I replace rules 500 and 550 with this:

    add 500 allow log tcp from me to any 21,80 keep-state out
    add 550 allow log udp from me to any 21,80 keep-state out

    I cannot access any websites nor FTP sites. But I guess I had just allowed
    it?

    Or is the 'out' the problem here?

    Marcel.

    On Monday 01 July 2002 06:45 pm, nascar24 wrote:
    > What I mean is that I want to grant access to the internet. But only to
    > ports I 'trust', like 80,21,22 etc. But when I make a rule like:
    >
    > add 550 allow ip from me to any 80,21,22
    >
    > I cannot access a website, that puzzles me.
    >

    There is a problem with the rule in the example: You allowed traffic to
    leave through those ports, but not to enter. We can fix this rule:

    add 550 allow tcp from me to any 80,21,22 keep-state

    I noticed you already had a rule 550 - you may want to give it a different
    number. IPFW (running 4.5R here) gives the following error when trying to
    load your rule:

    ipfw: only TCP and UDP protocols are valid with port specifications

    hence why I changed it from ip to tcp.

    GL

    --
    ----------
    Ramsey G. Brenner
    rgbrenner@myrealbox.com
    http://rgbrenner.cjb.net/
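To see why narrowing rules 500/550 to ports 21 and 80 breaks browsing while keep-state still lets replies back in, here is a small Python model of the ipfw behaviour discussed in this thread (an added example, not ipfw code and not written by either poster). It models rules 450, 500, 550, 600 and 65000 from Marcel's ruleset and, as a third variant, the quoted rule without keep-state that Ramsey corrects. It assumes the browser resolves the site name over UDP port 53 before connecting; the addresses and port numbers in FLOWS are constructed.

```python
from collections import namedtuple

# Teaching model of the ipfw features in the thread; 'dports' are destination ports (empty = any).
Pkt = namedtuple("Pkt", "proto src sport dst dport direction")
Rule = namedtuple("Rule", "num action proto src dst dports direction keep_state")
ME = "10.0.0.1"                   # constructed: the address ipfw calls 'me'
ANY_PORT = set(range(1, 65536))   # the '1-65535' list of rules 500/550

def matches(r, p):
    """Static match: proto ('ip' covers tcp and udp), 'me'/'any' endpoints, dport, in/out."""
    return ((r.proto in ("ip", p.proto)) and (r.src == "any" or p.src == ME)
            and (r.dst == "any" or p.dst == ME) and (not r.dports or p.dport in r.dports)
            and (not r.direction or r.direction == p.direction))

def run(rules, pkts):
    """Send each packet through the rules in number order; return (rule, verdict) per packet."""
    state, out = set(), []        # dynamic entries made by keep-state, stored in both directions
    for p in pkts:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        for r in sorted(rules):
            if r.action == "check-state":
                if key in state:                # reply to a remembered flow is accepted here
                    out.append((r.num, "allow")); break
                continue
            if matches(r, p):
                if r.keep_state: state.update({key, reverse})
                out.append((r.num, r.action)); break
    return out

def ruleset(tcp_out, udp_out, stateful=True):
    """Rules 450, 500, 550, 600 and 65000 from the post; outbound port lists are parameters."""
    return [Rule(450, "check-state", "ip", "any", "any", set(), "", False),
            Rule(500, "allow", "tcp", "me", "any", tcp_out, "out", stateful),
            Rule(550, "allow", "udp", "me", "any", udp_out, "out", stateful),
            Rule(600, "allow", "tcp", "any", "me", {22, 5067, 5617, 8472, 10000}, "in", True),
            Rule(65000, "deny", "ip", "any", "any", set(), "", False)]

ORIGINAL = ruleset(ANY_PORT, ANY_PORT)                        # the working ruleset
RESTRICTED = ruleset({21, 80}, {21, 80})                      # the replacement rules 500/550
NO_STATE = ruleset({80, 21, 22}, {80, 21, 22}, stateful=False)  # the quoted rule, no keep-state

# Constructed flows for one page load: DNS lookup (UDP/53), HTTP SYN, and the server's reply.
FLOWS = [Pkt("udp", ME, 40001, "192.0.2.53", 53, "out"),
         Pkt("tcp", ME, 40002, "203.0.113.5", 80, "out"),
         Pkt("tcp", "203.0.113.5", 80, ME, 40002, "in")]

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("restricted", RESTRICTED), ("no keep-state", NO_STATE)):
        print(name, run(rs, FLOWS))
```

With the narrowed rules the DNS query falls through to rule 65000, so the browser never gets as far as its port 80 connection; without keep-state the outbound SYN passes but the server's reply is denied, which is the problem Ramsey describes.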
    
