[wplug-bsd] exciting Saturday night: IPF
Tom Rhodes
trhodes at FreeBSD.org
Mon Aug 9 10:48:51 EDT 2004
On Sun, 8 Aug 2004 02:46:05 -0400 (EDT)
Brandon Kuczenski <brandon at 301south.net> wrote:
> I've been putting together my IPF rules and was wondering if someone here
> could look over them briefly. I'm *pretty* sure I understand how IPF is
> supposed to work, but I'm not *totally* sure.
>
> The intention here is to masquerade (or NAT, whatever) my internal
> network, allow incoming TCP SYN requests for certain services (ports 22,
> 80, 443) and allow TCP SYN requests for port 25 except those from problem
> domains that were swamping me with spam. Plus I want to allow replies to
> DNS lookups and NTPD synchronization. I think my comments are reasonably
> good.
>
> The files are available here:
> http://301south.net/stuff/ipf.rules # for filtering
> http://301south.net/stuff/ipnat.rules # for nat (obviously)
My IPF knowledge is meager as I don't use it; however:
> pass in quick on rl0 proto icmp from any to 209.195.172.207 icmp-type 11 group 20
> pass in quick on rl0 proto icmp from any to 209.195.172.207 icmp-type 3 group 20
> pass in quick on rl0 proto icmp from any to 209.195.172.207 icmp-type 0 group 20
Why are you not allowing type 8? It is considered a safe type IIRC.
>
> Thanks for any help; I'm particularly interested in the line where I block
> TCP SYN requests emanating from inside the network on port 25 (if someone
> has a windows machine and ends up with a spammy virus, for example). It's
> line 15 of ipf.rules.
You could also set up a 'black hole' using the blackhole(4)
sysctls. Read over the manual page.
--
Tom Rhodes
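As an added example (not part of Brandon's posted ruleset or Tom's reply), here is the quoted ICMP group with the echo-request type Tom asks about added. The interface rl0, the address 209.195.172.207 and group 20 are taken from the quoted rules; the `head 20` rule that opens the group is not shown on the page and is assumed to exist earlier in ipf.rules. The inline comments give the meaning of each ICMP type number.

```ipf
# Assumes an earlier rule of the form "... on rl0 all head 20" opens group 20.
# Type 11: time exceeded (traceroute replies, TTL expiry notices)
pass in quick on rl0 proto icmp from any to 209.195.172.207 icmp-type 11 group 20
# Type 3: destination unreachable (needed for path MTU discovery to work)
pass in quick on rl0 proto icmp from any to 209.195.172.207 icmp-type 3 group 20
# Type 0: echo reply (answers to pings sent from this host)
pass in quick on rl0 proto icmp from any to 209.195.172.207 icmp-type 0 group 20
# Type 8: echo request (lets others ping this host); the type Tom suggests adding
pass in quick on rl0 proto icmp from any to 209.195.172.207 icmp-type 8 group 20
```

For the blackhole(4) sysctls Tom mentions, the knobs documented in that manual page are net.inet.tcp.blackhole and net.inet.udp.blackhole; setting them (for example in /etc/sysctl.conf) makes the kernel drop TCP SYNs and UDP datagrams to closed ports silently instead of answering with a RST or an ICMP unreachable, which is separate from, and complements, the filter rules above.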