

Create a set of stronger firewall rules
Authored by: winddog on Sep 07, '03 01:09:52PM

After reading all the responses I have modified my firewall rules to this:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00800 allow udp from any 67-68 to any 67-68
00900 check-state
01000 allow ip from any to any keep-state out
01100 deny ip from any to any

My understanding is that rule 01000 keeps the state of all IP except UDP, and only works for ICMP that returns on the same port, like ping. This should help keep things simple.

What is the point of the following rules? Do we need them?
add 0001 deny ip from any to any ipoptions ssrr,lsrr
add 0002 allow ip from any to 255.255.255.255
add 0003 deny ip from 224.0.0.0/3 to any
add 0004 deny tcp from any to 224.0.0.0/3
add 0005 allow tcp from any to any established
add 0006 allow all from any to any frag



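As an added illustration of how ipfw walks the first rule set in the post (first match wins, and the dynamic entry created by 01000 keep-state is what 00900 check-state consults), here is a small Python simulator of those rules; it is not ipfw and not code from the post, and the packets it feeds through are constructed test data using documentation addresses.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def _in_loopback(addr):
    return ipaddress.ip_address(addr) in LOOPBACK

def _flow_keys(p):
    # Both orientations of the 5-tuple, so a reply matches the stored entry.
    fwd = (p["proto"], p["src"], p.get("sport"), p["dst"], p.get("dport"))
    rev = (p["proto"], p["dst"], p.get("dport"), p["src"], p.get("sport"))
    return fwd, rev

def evaluate(p, state):
    """Walk the posted rule set in number order and return (rule, action)
    for the first match. `state` is the set of dynamic (keep-state) flows."""
    if p["iface"] == "lo0":                       # 00100 allow ip ... via lo0
        return 100, "allow"
    if _in_loopback(p["dst"]):                    # 00200 deny ... to 127.0.0.0/8
        return 200, "deny"
    if _in_loopback(p["src"]):                    # 00300 deny 127.0.0.0/8 to any
        return 300, "deny"
    if (p["proto"] == "udp" and p.get("sport") in (67, 68)
            and p.get("dport") in (67, 68)):      # 00800 allow udp 67-68 (DHCP)
        return 800, "allow"
    fwd, rev = _flow_keys(p)
    if fwd in state or rev in state:              # 00900 check-state
        return 1000, "allow"   # the dynamic entry belongs to its parent rule 01000
    if p["dir"] == "out":                         # 01000 allow ... keep-state out
        state.add(fwd)
        return 1000, "allow"
    return 1100, "deny"                           # 01100 deny ip from any to any

def demo():
    """Constructed packets (RFC 5737 documentation addresses) run through the rules."""
    state = set()
    lan, www = "192.0.2.10", "198.51.100.7"
    pkt = lambda **kw: dict({"iface": "en0", "dir": "in"}, **kw)
    return [
        evaluate(pkt(iface="lo0", dir="out", proto="icmp", src="127.0.0.1", dst="127.0.0.1"), state),
        evaluate(pkt(proto="tcp", src="127.0.0.5", sport=4444, dst=lan, dport=22), state),  # spoofed
        evaluate(pkt(dir="out", proto="udp", src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67), state),
        evaluate(pkt(dir="out", proto="tcp", src=lan, sport=51000, dst=www, dport=80), state),
        evaluate(pkt(proto="tcp", src=www, sport=80, dst=lan, dport=51000), state),  # reply to above
        evaluate(pkt(proto="tcp", src=www, sport=4444, dst=lan, dport=22), state),   # unsolicited
    ]
```

Running `demo()` shows the loopback packet hitting 00100, the spoofed 127.0.0.5 packet stopping at 00300, DHCP passing 00800 before any state is consulted, the outbound connection and its reply both credited to 01000, and the unsolicited inbound SYN falling through to 01100.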