Create a set of stronger firewall rules (Network)
After testing port scanners on OS X 10.2.6 using the built-in firewall (IPFW), and then trying Brickhouse, I did some further investigation into the details of IPFW.

I hope that my rules below, which enable the stateful behavior of the firewall, are more secure than the default or Brickhouse default rules. You can, of course, use Brickhouse to implement these rules:
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
check-state
allow ip from any to 255.255.255.255
allow udp from any 67-68 to any 67-68
allow icmp from any to any in icmptype 3
allow ip from any to any keep-state out
deny ip from any to any
[robg adds: To add these rules using ipfw in the Terminal, you'd use ipfw add allow ip...etc -- see man ipfw for more information. Note that I have not tested these settings. Comments on their validity, anyone?]

18 comments
Fantastic job!
Authored by: Anonymous on Sep 03, '03 06:22:22PM

Winddog, excellent work. I recently discovered Mike Rose's weblog, which also has a very detailed and secure ipfw configuration using stateful packet inspection. You can find it here:

http://michaelrose.org/marathon/archives/000311.html

You can enter any set of rules in Brickhouse, under Expert Configuration; that's where I've entered mine. The only server I run is SSH; I've also opened holes for BitTorrent. Towards the end of the script, I've made rules to allow my web server, rendezvous, and itunes streaming through my firewall-- however, since I generally would like those things closed, they're commented out with #s. My firewall script (adapted from the link listed above) is as follows:


#################################################
# Allow anything already in the state table
#################################################
add 1000 check-state


#################################################
# Allow loopback
#################################################
add 1010 allow ip from any to any via lo0


#################################################
# Deny non-lo0 packets purporting to be from 127/8
#################################################
add 1020 drop ip from 127.0.0.0/8 to any
add 1021 drop ip from any to 127.0.0.0/8


#################################################
# Drop established tcp packets that failed the check-state test above
#################################################
add 1030 drop tcp from any to any established


#################################################
## Allow outbound TCP connections I've created
#################################################
add 1040 allow tcp from any to any out setup keep-state


#################################################
## Reset incoming identd lookups
#################################################
add 1050 reset tcp from any to any 113


#################################################
## Deny source routed packets
#################################################
add 1060 unreach host ip from any to any ipoptions ssrr,lsrr


#################################################
## Allow broadcast traffic
## Note that this is iffy, and should probably be disabled?
#################################################
add 1070 allow ip from any to 255.255.255.255


#################################################
## Allow DHCP
#################################################
add 1080 allow udp from any 67-68 to any 67-68


#################################################
# ICMP traffic
# 1090: Allow path-mtu and source quench
# 1091: Allow me to run traceroute
# 1092-3: Allow me to ping out and receive response
#################################################
add 1090 allow icmp from any to any icmptypes 3,4
add 1091 allow icmp from any to any icmptypes 11 in
add 1092 allow icmp from any to any icmptypes 8 out
add 1093 allow icmp from any to any icmptypes 0 in


#################################################
## Allow network time (NTP)
#################################################
add 1100 allow udp from any to any ntp out keep-state


#################################################
## Allow DNS
#################################################
add 1110 allow udp from any to any 53 out keep-state


#################################################
## SSH server
#################################################
add 1120 allow tcp from any to any 22 keep-state


#################################################
## Snapperhead
#################################################
add 1130 allow tcp from any to any 8080 keep-state


#################################################
## BitTorrent
#################################################
add 1140 allow tcp from any to any 6881-6999 keep-state


#################################################
## HTTP server
#################################################
##add 1150 allow tcp from any to any 80 keep-state
#################################################
##
##
#################################################
## Rendezvous
#################################################
## add 1160 allow tcp from any to any 5298 keep-state
#################################################
##
##
#################################################
## iTunes streaming
#################################################
## add 1170 allow tcp from any to any 3689 keep-state
#################################################


#################################################
## Blanket policy
#################################################
add 1180 drop ip from any to any

Fantastic job!
Authored by: ppatoray on Sep 04, '03 05:21:29AM

I've recently been tinkering with redoing my firewall settings, also following the information found in Mike's Marathon Blog. Here is what I have done:

Created /Library/StartupItems/IPFW

For simplicity, I've elected to store all related files in this one place. I have an IPFW executable and StartupParameters.plist, similar to Mike's setup, but have moved ipfw.rules here, and created a short applescript so I could restart with a quick double click while I am testing new things. My StartFirewall.app contains one line:

do shell script "/Library/StartupItems/IPFW/IPFW start" with administrator privileges


My ipfw.rules contain the following:
#!/bin/sh

# Firewall Configuration
# usage: ipfw -q /etc/ipfw.rules
############################################################
#/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

# Clear The Rulebase
flush

# Allow Loopback
add 1000 allow ip from any to any via lo*

# (Housecleaning - Referenced from
# http://forums.macosxhints.com/showthread.php?s=&threadid=9821)
add 1001 deny ip from 127.0.0.0/8 to any
add 1002 deny ip from any to 127.0.0.0/8
add 1003 deny ip from 224.0.0.0/3 to any
add 1004 deny tcp from any to 224.0.0.0/3

# Check Dynamic Rules Table
add 1005 check-state

# Allow packets from existing connections
add 1006 allow tcp from any to any established
add 1007 allow all from any to any frag

# Allow Essential ICMP Traffic
add 1008 allow icmp from any to any icmptype 3,4,11,12

#################################################
## Rules for the en0 interface
#################################################
## Allow DHCP/BOOTP
add 2000 allow udp from any 67-68 to any 67-68 via en0

## Allow Broadcast (for DHCP)
add 2001 allow udp from any to 255.255.255.255 67-68 via en0

## Deny Source Routed Packets
add 2002 unreach host log ip from any to any ipopt ssrr,lsrr via en0

## Allow Network Time (NTP)
add 2003 allow udp from any 123 to any 1024-65535,123 via en0

## Allow All ICMP Packets
#add 2004 allow icmp from any to any via en0

## Allow FTP-Data port
add 2005 allow tcp from any 20-21 to any 1024-65535 in via en0

## Allow DNS
add 2006 allow udp from any 1024-65535 to any 53 keep-state out via en0
add 2006 allow udp from any 53 to any 1024-65535 keep-state in via en0

## World Wide Web
add 2007 allow tcp from any to any 80 setup keep-state in via en0

## File Transfer (FTP)
add 2008 allow tcp from any to any 20-21 setup keep-state in via en0

## Mail (SMTP, IMAP)
add 2008 allow tcp from any to any 25,110,143,993 setup keep-state in via en0

## Snapperhead (2000)
add 2009 allow tcp from any to any 2000 setup keep-state in via en0

## MP3 Sushi (8010,8888)
add 2010 allow tcp from any to any 8010,8888 setup keep-state in via en0

## No Office PID check
add 2020 deny udp from any 2222 to any
add 2021 deny udp from any to any 2222

#################################################
## * * * Default Filter Policies * * *
#################################################
## Allow All Outgoing Services
add 52009 allow all from any to any keep-state out via en0

## Deny All Incoming Services
add 52010 deny log all from any to any in via en0

## Drop All
add 52030 drop log all from any to any


Here are my results from 'sudo ipfw show' after approx 5 days:
01000 938344 1470339716 allow ip from any to any via lo*
01001 0 0 deny ip from 127.0.0.0/8 to any in
01002 0 0 deny ip from any to 127.0.0.0/8 in
01003 0 0 deny ip from 224.0.0.0/3 to any in
01004 0 0 deny tcp from any to 224.0.0.0/3 in
01005 0 0 check-state
01006 118407 65609457 allow tcp from any to any established
01007 0 0 allow ip from any to any frag
01008 11 616 allow icmp from any to any icmptype 3,4,11,12
02000 113519 41271494 allow udp from any 67-68 to any 67-68 via en0
02001 0 0 allow udp from any to 255.255.255.255 67-68 via en0
02002 0 0 unreach host log ip from any to any via en0 ipopt ssrr,lsrr
02003 138 10488 allow udp from any 123 to any 1024-65535,123 via en0
02005 16 960 allow tcp from any 20-21 to any 1024-65535 in recv en0
02006 3597 514338 allow udp from any 1024-65535 to any 53 keep-state out xmit en0
02006 1 63 allow udp from any 53 to any 1024-65535 keep-state in recv en0
02007 5247 2144426 allow tcp from any to any 80 keep-state in recv en0 setup
02008 109 6807 allow tcp from any to any 20-21 keep-state in recv en0 setup
02008 109 53611 allow tcp from any to any 25,110,143,993 keep-state in recv en0 setup
02009 0 0 allow tcp from any to any 2000 keep-state in recv en0 setup
02010 6340 4636648 allow tcp from any to any 8010,8888 keep-state in recv en0 setup
02020 0 0 deny udp from any 2222 to any
02021 4009 488570 deny udp from any to any 2222
52009 3597099 3260485784 allow ip from any to any keep-state out xmit en0
52010 10660 1067668 deny log ip from any to any in recv en0
52030 0 0 deny log ip from any to any
65535 434 58397 allow ip from any to any

I do have some questions about some of my settings, namely icmptype settings, and in looking at rule 52010 vs 52030, I'm not sure exactly what the difference is, or which I would want, but in looking at the statistics, rule 52030 is rewritten to deny, and 52010 is taking precedence anyway.

Can anyone see any glaring holes or changes that should be made? From looking at swannman's rules, I see some differences that I am going to add, and I do have a question: Rule 1050, Reset incoming identd lookups. My default rules seem to deny this, as I see this come through from time to time, and it is from a remote linux server we use for hosting websites. It comes through when I send an email, but even though it is denied, I am able to send the message just fine.

I plan on putting a page together with sample files available as soon as I get the chance, hell I could have probably done it in the time I typed into this tiny little box! No offence!

Thanks in advance for any input or ideas.

Patrick

Fantastic job!
Authored by: Anonymous on Sep 04, '03 02:43:16PM

Patrick,

You're definitely on the right track! Rule 52010 can be removed, since it's the same as (but weaker than) rule 52030. However, rules like 2005 allow me to connect to *any* port on your machine (higher than 1024, anyways) if I launch my attack from ports 20 or 21, locally; it was smart of you to restrict me to only the higher, non-privileged ports, but I'm still not sure that you should be allowing this. If you check "Use Passive FTP Mode" in your Network preference pane, that rule can be done away with. The DNS and NTP rules have the same sort of issue; in my ruleset, I told ipfw to allow me to make outgoing DNS requests, and remember who I made them to (the keep-state flag)... that way if I make a DNS request, it knows to allow a response from my DNS server without my creating a rule for it. (Not sure if that's the clearest explanation I can come up with... basically, "keep-state" on an outgoing rule means that the firewall should allow responses to my requests; I don't have to explicitly allow both ends of the conversation to go through my firewall, only the outgoing end.)

In terms of ICMP, do a "man icmp" in Terminal and look for the line where it explains which icmp numbers are associated with which protocol. Generally you want to allow at least echo request out and echo reply in, so that you can ping machines on the network.. by default you should be blocking echo reply from leaving your computer, making you invisible to pings. (See my icmp rules for a good example of this.. since I didn't say that echo reply could go out, it can't.) I'd delete rule 2004 in your config, since that overrides the more secure rule 1008.

Now on to my rule 1050 to reset incoming identd lookups! Without that rule, your SMTP server will attempt to connect to your identd port (113)... your firewall will eat the connection packet, and the SMTP server will just sit there waiting for a reply. Then it'll try again, and wait longer... and again, until it finally times out and allows you to send email. My rule tells the firewall to send a "reset" packet back to anyone who tries to connect on that port-- instead of getting no response and waiting to time out, the SMTP server will get a "that port's not open" reply from my machine. Tends to speed things up quite a bit!

Best of luck,
Matt

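The keep-state/check-state behaviour and the identd reset that Matt describes above, modelled as an added example (this is not code from the thread or from ipfw itself): a simplified first-match evaluator with a dynamic state table, run over constructed sample packets. The Packet/Rule/Firewall classes, the 192.0.2.x and 198.51.100.x addresses and the rule subset are assumptions made for the demonstration.

```python
"""Simplified model of ipfw's first-match evaluation with keep-state and
check-state.  Added example, not code from the original thread or from ipfw.
It replays Matt's explanation: an outbound DNS query matched by a keep-state
rule creates a dynamic entry, so the server's reply is accepted by check-state
without any inbound rule, while the identd rule answers with a reset instead
of silently dropping.  Rule syntax is a hand-built subset; addresses are
constructed samples from the documentation ranges."""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str       # "in" or "out"
    setup: bool = False  # True for a TCP SYN that opens a connection


@dataclass
class Rule:
    number: int
    action: str                      # allow | deny | reset | check-state
    proto: str = "ip"                # "ip" matches any protocol
    sport: Optional[Set[int]] = None  # None means any port
    dport: Optional[Set[int]] = None
    direction: Optional[str] = None
    setup: bool = False              # rule only matches connection setup
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and (self.sport is None or pkt.sport in self.sport)
                and (self.dport is None or pkt.dport in self.dport)
                and (self.direction is None or self.direction == pkt.direction)
                and (not self.setup or pkt.setup))


class Firewall:
    def __init__(self, rules):
        # ipfw walks rules in ascending number order; the first match wins
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = set()  # flow keys, stored in both directions

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            # check-state, and every keep-state rule, consult the dynamic table
            # first; a hit applies the parent rule's action (allow in this model)
            if rule.action == "check-state" or rule.keep_state:
                if self._key(pkt) in self.dynamic:
                    return "allow"
                if rule.action == "check-state":
                    continue
            if not rule.matches(pkt):
                continue
            if rule.keep_state and rule.action == "allow":
                # remember the flow so the reply is accepted by check-state later
                self.dynamic.add(self._key(pkt))
                self.dynamic.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return rule.action
        return "allow"  # rule 65535, the compiled-in default


def matts_ruleset():
    """Subset of the stateful ruleset posted above (drop and deny are aliases)."""
    return [
        Rule(1000, "check-state"),
        Rule(1040, "allow", "tcp", direction="out", setup=True, keep_state=True),
        Rule(1050, "reset", "tcp", dport={113}),
        Rule(1110, "allow", "udp", dport={53}, direction="out", keep_state=True),
        Rule(1120, "allow", "tcp", dport={22}, keep_state=True),
        Rule(1180, "deny"),
    ]


def replay() -> dict:
    """Run constructed sample packets through the ruleset; returns the verdicts."""
    fw = Firewall(matts_ruleset())
    me, dns, peer = "192.0.2.10", "192.0.2.53", "198.51.100.7"  # constructed
    return {
        "dns_query_out": fw.evaluate(Packet("udp", me, 51000, dns, 53, "out")),
        "dns_reply_in": fw.evaluate(Packet("udp", dns, 53, me, 51000, "in")),
        # same server, but a port we never queried from: no dynamic entry exists
        "dns_unsolicited_in": fw.evaluate(Packet("udp", dns, 53, me, 51001, "in")),
        "identd_in": fw.evaluate(Packet("tcp", peer, 40000, me, 113, "in", True)),
        "ssh_in": fw.evaluate(Packet("tcp", peer, 40001, me, 22, "in", True)),
        "web_syn_out": fw.evaluate(Packet("tcp", me, 52000, peer, 80, "out", True)),
        "web_data_in": fw.evaluate(Packet("tcp", peer, 80, me, 52000, "in")),
        "other_in": fw.evaluate(Packet("tcp", peer, 40002, me, 8080, "in", True)),
    }


if __name__ == "__main__":
    for name, verdict in replay().items():
        print(f"{name:20s} {verdict}")
```
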
Here is what I have now.
Authored by: ppatoray on Sep 04, '03 03:22:33PM

Matt,

Thanks for the help!

I believe that I took rule 2005 directly from Apple's original firewall setup that I had set up through sys. prefs. Allowing ftp access via the ftp checkbox seemed to add both this rule, as well as my rule 2008. I tried taking it out, but it seemed to slow down our web host when I tried connecting. I'll play around with turning it off and try passive mode and see if it makes a difference.

So if I understand you correctly, the drop command is better to use than the deny command (52010 vs 52030)?

Thanks for catching 2004, and the explanation on ICMP.

Here's my new configuration, incorporating the new changes. Let me know what you think. I'm going to try it out and see if I see any problems over the next few days:

Thanks again!

Patrick

#!/bin/sh

# Firewall Configuration
############################################################
#/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

# Clear The Rulebase
flush

# Allow Loopback
add 1000 allow ip from any to any via lo*

# Some General Housecleaning
add 1001 deny ip from 127.0.0.0/8 to any
add 1002 deny ip from any to 127.0.0.0/8
add 1003 deny ip from 224.0.0.0/3 to any
add 1004 deny tcp from any to 224.0.0.0/3

# Check Dynamic Rules Table
add 1005 check-state

# Allow packets from existing connections
add 1006 allow tcp from any to any established
add 1007 allow all from any to any frag

# Allow Essential ICMP Traffic
#add 1008 allow icmp from any to any icmptype 3,4,11,12

## ICMP traffic
## Allow path-mtu and source quench
add 1090 allow icmp from any to any icmptypes 3,4

## Allow me to run traceroute
add 1091 allow icmp from any to any icmptypes 11 in

## Allow me to ping out and receive response
add 1092 allow icmp from any to any icmptypes 8 out
add 1093 allow icmp from any to any icmptypes 0 in


#################################################
## Rules for the en0 interface
#################################################
## Allow DHCP/BOOTP
add 2000 allow udp from any 67-68 to any 67-68 via en0

## Allow Broadcast (for DHCP)
add 2001 allow udp from any to 255.255.255.255 67-68 via en0

## Deny Source Routed Packets
add 2002 unreach host log ip from any to any ipopt ssrr,lsrr via en0

## Allow Network Time (NTP)
add 2003 allow udp from any 123 to any 1024-65535,123 via en0

## Reset incoming identd lookups
add 2004 reset tcp from any to any 113

## Allow FTP-Data port
##add 2005 allow tcp from any 20-21 to any 1024-65535 in via en0

## Allow DNS
##add 2006 allow udp from any 1024-65535 to any 53 keep-state out via en0
##add 2006 allow udp from any 53 to any 1024-65535 keep-state in via en0
add 2006 allow udp from any to any 53 out keep-state

## World Wide Web
add 2007 allow tcp from any to any 80 setup keep-state in via en0

## File Transfer (FTP)
add 2008 allow tcp from any to any 20-21 setup keep-state in via en0

## Mail (SMTP, IMAP)
add 2008 allow tcp from any to any 25,110,143,993 setup keep-state in via en0

## Snapperhead (2000)
## add 2009 allow tcp from any to any 2000 setup keep-state in via en0

## MP3 Sushi (8010,8888)
## add 2010 allow tcp from any to any 8010,8888 setup keep-state in via en0

## Rendezvous
## add 1160 allow tcp from any to any 5298 keep-state

## iTunes streaming
## add 1170 allow tcp from any to any 3689 keep-state

## No Office PID check
add 2020 deny udp from any 2222 to any
add 2021 deny udp from any to any 2222

## Shut my PC up!
add 2022 deny UDP from any to any 137,138

#################################################
## * * * Default Filter Policies * * *
#################################################
## Allow All Outgoing Services
add 52009 allow all from any to any keep-state out

## Deny All Incoming Services
add 52010 drop log all from any to any

Here is what I have now.
Authored by: Another osX User on Sep 04, '03 05:28:45PM

Drop does not send a reply to the remote host attempting the connection. Deny sends a ICMP 'unreachable' packet back to the remote host.

Drop is preferred to Deny, because with Drop the remote host doesn't know you exist. Deny tells the remote host that there is a machine at the IP that it is trying to connect to (yours), and may cause the remote host to try other means of connecting (or worse, a DOS attack).

Drop vs. Deny
Authored by: Anonymous on Sep 04, '03 05:50:35PM

Actually, when I do an "ipfw show" in Terminal, all my "drop"s are converted to "deny"s... drop and deny seem to be synonyms for the same thing. The man page for ipfw confirms that they're "aliases" on one another, so feel free to use whichever you find more pleasing to the eye!

Just a few more questions
Authored by: ppatoray on Sep 04, '03 05:55:43PM

Thanks, You guys are a wealth of information.

I had changed it from 'deny' to 'drop' a couple of hours ago, when I last posted. Since then, this is what my 'sudo ipfw show' shows me:

01000 8136 1130846 allow ip from any to any via lo*
01001 0 0 deny ip from 127.0.0.0/8 to any
01002 0 0 deny ip from any to 127.0.0.0/8
01003 0 0 deny ip from 224.0.0.0/3 to any
01004 0 0 deny tcp from any to 224.0.0.0/3
01005 0 0 check-state
01006 33 7920 allow tcp from any to any established
01007 0 0 allow ip from any to any frag
01090 0 0 allow icmp from any to any icmptype 3,4
01091 0 0 allow icmp from any to any in icmptype 11
01092 0 0 allow icmp from any to any out icmptype 8
01093 0 0 allow icmp from any to any in icmptype 0
02000 371 126658 allow udp from any 67-68 to any 67-68 via en0
02001 0 0 allow udp from any to 255.255.255.255 67-68 via en0
02002 0 0 unreach host log ip from any to any via en0 ipopt ssrr,lsrr
02003 0 0 allow udp from any 123 to any 1024-65535,123 via en0
02004 1 60 reset tcp from any to any 113
02006 100 15002 allow udp from any to any 53 keep-state out
02007 46 28840 allow tcp from any to any 80 keep-state in recv en0 setup
02008 9 552 allow tcp from any to any 20-21 keep-state in recv en0 setup
02008 0 0 allow tcp from any to any 25,110,143,993 keep-state in recv en0 setup
02020 0 0 deny udp from any 2222 to any
02021 70 8540 deny udp from any to any 2222
02022 210 19651 deny udp from any to any 137,138
52009 21909 11309907 allow ip from any to any keep-state out
52010 13 3444 deny log ip from any to any
65535 744 99863 allow ip from any to any

The way I read this, it looks like my 52010 rule, which is in my ipfw.rules as 'drop', is being rewritten as deny. Any ideas as to why?

Also, I dont understand exactly what rule 65535 is for. I don't have it in my rules, so I am assuming that it is some sort of default. I had done a search on google for this rule at one point and came across some text referring to rebuilding the kernel on a unix box to change this rule from allow to deny.

I would expect for the count for rule 65535 to be zero, instead of showing logged traffic? Shouldn't rule 52010 deny this traffic before rule 65535 kicks in?

Just a few more questions
Authored by: yellow on Sep 04, '03 06:25:04PM

It is indeed a default rule built into ipfw. Don't worry about it.

Just a few more questions
Authored by: Anonymous on Sep 04, '03 06:35:36PM

Patrick,

Read my post a few minutes ago about drop vs deny.. they're the same thing. Whichever one you write, they come out as "deny".. the man page for ipfw says so, too.

Rule 65535 is compiled into the kernel by default... think about it this way, if you don't configure your firewall, it's still enabled and running-- so rule 65535 means that every packet will pass through unless you say otherwise.

Rule 65535 has a non-zero count because packets go through your system (especially on the loopback interface) before you load your firewall rules.. if you want to zero it out, go to Terminal and type "ipfw zero 65535".

Hope that helps!

Best of luck,
Matt

Just a few more questions
Authored by: bluehz on Sep 06, '03 12:53:14AM

I tried this ruleset and it cut off access to the other Macs via AppleShare on my LAN. Watching the log I could see it was the last two rules. I had to disable these two rules to get access again.

#################################################
## * * * Default Filter Policies * * *
#################################################
## Allow All Outgoing Services
#add 52009 allow all from any to any keep-state out

## Deny All Incoming Services
#add 52010 drop log all from any to any

Disabled those and my AppleShare worked again. That's not right, is it? Also followed the directions for setting up a StartupItem but it never starts up.

Just a few more questions
Authored by: bluehz on Sep 06, '03 10:08:47AM

Few more questions:

* I like to use LittleSnitch to notify me of outgoing connections and create rules - will using this IPFW method affect LittleSnitch?

* I would like to send the firewall log info to a separate firewall.log so I followed instructions listed here and added this to my syslog.conf

authpriv,remoteauth,ftp.none;kern.debug /var/log/firewall.log

but it doesn't seem to be logging any info to firewall.log. How can I set this up to log to a separate firewall.log?

* how do I fix the AppleShare problem, noted above?

Just a few more questions
Authored by: ppatoray on Sep 08, '03 08:31:06AM

Instead of removing the blanket rules, you should figure out what port your network needs to be allowed on and then add a rule allowing that port access. I don't use appleshare, so my rules probably don't allow for the traffic.

Rule 52010 vs 52030
Authored by: Anonymous on Sep 04, '03 05:54:07PM

Patrick,

Actually, the reason "drop log all from any to any" was a stronger rule is because your other rule only denied incoming packets.. this one denies everything in *and* out, unless otherwise specified. Always best to lock both sides down!

Looks great + happy to help,
Matt

Create a set of stronger firewall rules
Authored by: winddog on Sep 07, '03 01:09:52PM

After reading all the responses I have modified my firewall rules to this:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00800 allow udp from any 67-68 to any 67-68
00900 check-state
01000 allow ip from any to any keep-state out
01100 deny ip from any to any

My understanding is that rule 01000 keeps the state of all ip except udp; and only works for icmp that returns on the same port like ping. This should help keep things simple.

What is the point of the following rules: Do we need them?
add 0001 deny ip from any to any ipoptions ssrr,lsrr
add 0002 allow ip from any to 255.255.255.255
add 0003 deny ip from 224.0.0.0/3 to any
add 0004 deny tcp from any to 224.0.0.0/3
add 0005 allow tcp from any to any established
add 0006 allow all from any to any frag

Create a set of stronger firewall rules
Authored by: TigerKR on Sep 08, '03 10:27:47AM

Here's the firewall.conf:

#IPFW Ruleset 09/08/2003


#################################################
## Flush all rules
#################################################
flush

#################################################
## Allow loopback
#################################################
add allow ip from any to any via lo*

#################################################
## Divert traffic to natd for IP sharing
#################################################
add divert natd ip from any to any via en0

#################################################
## Deny not local IP ranges in
## Deny not local IP range out
#################################################
#add deny ip from any to not *local IP range* in recv en0
add deny ip from not *local IP range* to any out xmit en0

#################################################
## Deny spoofing IP ranges in
## Deny spoofing IP range out
#################################################
add deny ip from 192.168.0.0/16 to any in recv en0
add deny ip from 172.16.0.0/12 to any in recv en0
add deny ip from 10.0.0.0/8 to any in recv en0
add deny ip from 127.0.0.0/8 to any in recv en0
add deny ip from 0.0.0.0/8 to any in recv en0
add deny ip from 169.254.0.0/16 to any in recv en0
add deny ip from 192.0.2.0/24 to any in recv en0
add deny ip from 204.152.64.0/23 to any in recv en0
add deny ip from 224.0.0.0/3 to any in recv en0
add deny ip from any to 192.168.0.0/16 out xmit en0
add deny ip from any to 172.16.0.0/12 out xmit en0
add deny ip from any to 10.0.0.0/8 out xmit en0
add deny ip from any to 127.0.0.0/8 out xmit en0
add deny ip from any to 0.0.0.0/8 out xmit en0
add deny ip from any to 169.254.0.0/16 out xmit en0
add deny ip from any to 192.0.2.0/24 out xmit en0
add deny ip from any to 204.152.64.0/23 out xmit en0
add deny ip from any to 224.0.0.0/3 out xmit en0

#################################################
## Allow DHCP
#################################################
add allow udp from *ISP DHCP server* 67 to any 68 in recv en0
#add allow udp from any 67 to 255.255.255.255 68 in recv en0

#################################################
## Allow DNS
#################################################
#add allow udp from *ISP DNS server* 53 to any in recv en0
#add allow udp from *ISP DNS server* 53 to any in recv en0
add allow tcp from any to any 53 in recv en0
add allow tcp from any 53 to any out xmit en0
add allow udp from any to any 53 in recv en0
add allow udp from any 53 to any out xmit en0

#################################################
## Reset AUTH traffic
#################################################
add reset tcp from any to any 113 in recv en0

#################################################
## Allow SSH
#################################################
add allow tcp from any to any 22 in recv en0
add allow tcp from any 22 to any out xmit en0

#################################################
## Allow FTP
#################################################
add allow tcp from any to any 20-21 in recv en0
add allow tcp from any 20-21 to any out xmit en0

#################################################
## Allow ARD
#################################################
add allow udp from any to any 3283 in recv en0
add allow udp from any 3283 to any out xmit en0

#################################################
## Allow AIM
#################################################
add allow udp from any to any 5190 in recv en0
add allow udp from any 5190 to any out xmit en0

#################################################
## Allow icmp (destination unreachable, source quench,
## time exceeded, parameter problem)
## Deny other icmp
## Deny source routed packets
#################################################
add allow icmp from any to any via en0 icmptype 0,3,4,8,11,12
add deny icmp from any to any via en0
add unreach host ip from any to any via en0 ipopt ssrr,lsrr

#################################################
## Allow udp fragments
#################################################
add allow udp from any to any via en0 frag

#################################################
## Allow anything from the state table
## Deny established not from the state table
#################################################
add check-state
#add deny log tcp from any to any in recv en0 established

#################################################
## Allow outbound packets and add to state table
#################################################
add allow tcp from any to any out xmit en0 setup keep-state
add allow ip from any to any out xmit en0 keep-state

#################################################
## Allow local traffic
#################################################
add allow ip from any to any via en1

#################################################
## Deny everything else
#################################################
#add deny log ip from any to any

en0 = WAN NIC
en1 = LAN NIC
lo* = Loopback

*local IP range* *ISP DHCP server* *ISP DNS server* are all actual IP addresses in the real file.

Ok, but when I do an 'ipfw show' the check-state rule isn't getting any use. Also, I had to comment out 'add deny log tcp from any to any in recv en0 established' and 'add deny log ip from any to any' in order to get anything to work from a LAN client.

How come check-state isn't being used? Both keep-state rules are being used...

Your help is most appreciated, thank you in advance.

Create a set of stronger firewall rules
Authored by: WAW401 on Sep 08, '03 05:01:16PM

One thing to note, every packet is examined against these rules (at least until a matching rule is found). So the longer the ruleset, the more processing involved.

Create a set of stronger firewall rules
Authored by: TigerKR on Sep 09, '03 11:20:22PM

I figured out why the

add deny log tcp from any to any in recv en0 established

wasn't working. I needed to keep-state traffic on en1 as well as en0.

Also, I've tweaked the list order so that the more common rules are hit sooner (the sooner a rule is hit, the less CPU goes into the process) without compromising security. I still have kinks to work out and improvements to make.

You can view the updated firewall.conf file here:

http://www.tigerkr.com/ars/firewall09_09.conf

we have a winner
Authored by: TigerKR on Sep 11, '03 04:32:34AM

This firewall.conf is a winner. It's been error tested and optimized for security, speed, and measured accessibility. I recommend that you also install Little Snitch on your LAN clients (that way, you're able to block attacks from outside, and within).

firewall.conf

I found that I was running out of dynamic rules, so I also had to alter the Firewall startup item created by brickhouse (which is located at /Library/StartupItems/Firewall/Firewall ) so that more dynamic rules could be accommodated. It now looks like this:

#!/bin/sh
# Firewall Boot Script
# Generated by BrickHouse
# Altered by TigerKR


#===========================================================
# Enable IP Sharing
#===========================================================
# Enable IP Forwarding in the kernel
/usr/sbin/sysctl -w net.inet.ip.forwarding=1

# Start the natd server
/usr/sbin/natd -f /etc/natd.conf

# Add additional gateway IP addresses and routes
/sbin/ifconfig en1 inet 192.168.0.1 netmask 255.255.255.0 alias up
/sbin/route add -host 192.168.0.1 -interface 127.0.0.1


#===========================================================
# Enable IP Firewall Logging
#===========================================================
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

# Put a limit on each rule's logging
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=500


#===========================================================
# Double the number of possible dynamic rules
#===========================================================
/usr/sbin/sysctl -w net.inet.ip.fw.dyn_buckets=512
/usr/sbin/sysctl -w net.inet.ip.fw.dyn_max=2000


#===========================================================
# Process Firewall Rules File
#===========================================================
/sbin/ipfw -q /etc/firewall.conf


I hope that this is helpful for someone. It took a long time for me to find out what everything was and what it did. And then there was the error checking and optimizing ;)
