Some allow the use of only sockets. And then one is forced to be local. You cannot route sockets over the internet.
My point was that just because an application is listening on port n, that doesn't mean that a firewall is THE solution for securing port n. You may need to think not about securing port n, or port n+1, but telling the application to behave, which is done via .conf files. It's a bit like having a lock on your door, but also telling your kid/application to behave smartly and not let strangers in.

Hmm, not sure I follow. XDM, KDM, GDM all listen on port 177. This is for Xdmcp requests. Luckily it is disabled by default on all of them. (It is not controlled by xorg.conf but by xdm-config, kdmrc and gdm.conf respectively.)
Port 6000 is what a remote Xorg traditionally used. This is no longer enabled by default (i.e since 2007).
Port 5900 is what a remote GNOME or Sway running Wayland-style uses. This is also not enabled by default.
Sockets can be encapsulated in IP packets, which are routable.

Some allow the use of only sockets. And then one is forced to be local. You cannot route sockets over the internet.
Yep, this is important. The other day I found out that there is no way to turn off a number of Windows "share" related services listening on ports. When you toggle the "off" button what it actually does is add a firewall rule denying that port! How naff is that?

You may need to think not about securing port n, or port n+1, but telling the application to behave
sockstat -l

as demonstrated earlier in the thread really is satisfying to see a silent FreeBSD install. Only SSH is allowed for the majority of my machines.

Code:
jitte@bakemono:~ $ sockstat -46 | grep -v 127.0.0.1 | grep -v ::1

You can save the grep -v's by using sockstat -46L.

Security can be anything. Currently issues are spread over the forum?
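The "silent install" check from the sockstat posts above, as an added example that is not code from the thread: a POSIX sh/awk filter over a constructed sockstat -46l listing that drops loopback-bound sockets the way the grep -v chain did, and flags the ports 177, 6000 and 5900 discussed earlier. The sample listing and the function names exposed_sockets/exposed_count are assumptions, not real captures.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `sockstat -46l` output (not a real capture).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp6   *:22                  *:*
root     sshd       812   5  tcp4   *:22                  *:*
root     syslogd    540   7  udp6   ::1:514               *:*
root     syslogd    540   8  udp4   127.0.0.1:514         *:*
www      nginx      901   6  tcp4   192.168.1.10:80       *:*
alice    Xorg       1203  3  tcp4   *:6000                *:*
root     gdm        700   9  udp4   *:177                 *:*'

# Print the sockets reachable from off-host: skip the header row and any
# local address on 127.0.0.0/8 or ::1 (what `grep -v 127.0.0.1 | grep -v ::1`
# did by hand). Output: COMMAND PROTO LOCAL-ADDRESS [note].
exposed_sockets() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        addr = $6
        if (addr ~ /^127\./ || addr ~ /^::1:/) next
        # The port is whatever follows the last colon ("*:22", "::1:514", ...).
        n = split(addr, parts, ":"); port = parts[n]
        note = ""
        if (port == "177")  note = "  # XDMCP (xdm/kdm/gdm); off by default"
        if (port == "6000") note = "  # X11 TCP listener; off by default since 2007"
        if (port == "5900") note = "  # VNC-style remote desktop; off by default"
        printf "%s %s %s%s\n", $2, $5, addr, note
    }'
}

# Number of exposed sockets: 0 is the "silent install" the thread talks about.
exposed_count() {
    exposed_sockets "$1" | wc -l | tr -d ' '
}

exposed_sockets "$SAMPLE"
```

On a live host replace the constructed SAMPLE with "$(sockstat -46l)"; the loopback filter is the same as what sockstat -46L does natively.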
… Thanks to Twitter folks @dimonoid @allanjude @Kensan42 for contributing to this list! …
#!/bin/sh
cmd="/sbin/ipfw -q add" # Set rules command prefix
pif="tun0"              # Public (Internet-facing) interface
localpif="re0"          # LAN interface
/sbin/ipfw -q -f flush  # Flush out the list before we begin.
# No restrictions on Loopback Interface
$cmd 00100 allow ip from any to any via lo0
# Loopback addresses must not appear on any other interface
$cmd 00200 deny ip from any to 127.0.0.0/8
$cmd 00300 deny ip from 127.0.0.0/8 to any
$cmd 00400 deny ip from any to ::1
$cmd 00500 deny ip from ::1 to any
# IPv6 neighbour discovery / router discovery needed for link-local operation
$cmd 00600 allow ipv6-icmp from :: to ff02::/16
$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 00900 allow ipv6-icmp from any to any icmp6types 1
$cmd 01000 allow ipv6-icmp from any to any icmp6types 2,135,136
# The next rule allows the packet through if it matches an existing entry in the dynamic rules table
$cmd 02000 check-state
### INCOMING
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 03000 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 03010 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 03020 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 03030 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 03040 deny all from 0.0.0.0/8 to any in via $pif #"this network" (RFC 1122), never a valid source
$cmd 03050 deny all from 169.254.0.0/16 to any in via $pif #link-local / DHCP auto-config
$cmd 03060 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs (TEST-NET-1)
$cmd 03070 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 03080 deny all from 224.0.0.0/3 to any in via $pif #Class D multicast & Class E reserved
# Deny fragments
$cmd 03100 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 03200 deny tcp from any to any established in via $pif
# Allow incoming access from localnet
$cmd 04050 allow tcp from 192.168.1.0/24 to any in via $localpif setup keep-state
$cmd 04060 allow udp from 192.168.1.0/24 to any in via $localpif keep-state
### OUTGOING
# Allow access to outside
$cmd 04030 allow tcp from any to any out via $pif setup keep-state
$cmd 04040 allow udp from any to any out via $pif keep-state
$cmd 04045 allow icmp from any to any out via $pif keep-state
# Allow access to localnet (each rule numbered uniquely so it can be deleted on its own)
$cmd 04070 allow tcp from any to 192.168.1.0/24 out via $localpif setup keep-state
$cmd 04080 allow udp from any to 192.168.1.0/24 out via $localpif keep-state
$cmd 04090 allow icmp from any to 192.168.1.0/24 out via $localpif keep-state
# Everything else is dropped and logged
$cmd 05000 deny log all from any to any
/sbin/ipfw list