[geeks] ipf fun

Mike Meredith hmv at meredithm.fsnet.co.uk
Tue Jun 4 15:23:55 CDT 2002


On Tuesday 04 June 2002 20:56, Bill Bradford wrote:
> I also know exactly what is running on the box - why block ports that
> nothing is running on ?

Because you'll never be taken seriously in the firewall world with
'default allow'. This of course could be a good thing :)

If someone hits you with a 0-day exploit on a port that is open to the
world, you'll find yourself running a root shell on some strange port
number. With a rule set like mine, you'll still be protected to some
extent; whereas you'll find yourself running some IRC bot.

My ipf.rules file (which hasn't been updated for *far* too long and may
not run enough services to keep some happy) :-

# Loopback rules first

pass out quick on lo0
pass in quick on lo0

# Rules from mkfilter blocking "unusual" traffic

block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short

# Block traffic coming in on hme0 from private networks

block in log quick on hme0 from 192.168.0.0/16 to any
block in log quick on hme0 from 172.16.0.0/12 to any
block in log quick on hme0 from 10.0.0.0/8 to any
block in log quick on hme0 from 127.0.0.0/8 to any
#
block in log on hme0
#  Default is to block service

#
# services which we run
pass in quick proto icmp from 148.197.0.0/16 to any
#  Ping and the like. Note should block a bit more here.
pass in quick proto tcp from 148.197.0.0/16 to any port = 22
# SSH
pass out quick on hme0 proto tcp from any to any keep state
pass out quick on hme0 proto udp from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state
pass out quick on hme0 from any to any
#  Hopefully that should allow me to send any traffic, and receive
#  replies.

--
peace, love, and chocolate chip cookies
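To make the default-deny argument above concrete, here is a small evaluator for the subset of ipf rule syntax used in the posted ipf.rules. It is an added example, not code from the post or from IP Filter itself; the rule list and the packets checked against it are constructed, and the evaluator models only the ipf matching semantics that matter here (last matching rule wins, `quick` stops evaluation, a packet matching no rule passes).

```python
"""Mini ipf rule evaluator (added example, not from the original post): ipf applies
the LAST matching rule unless one says 'quick', and a packet matching no rule passes,
which is why the plain 'block in log on hme0' line is the default-deny backstop."""
import ipaddress
import re

# Constructed subset of the ipf.rules posted above (keywords and order unchanged).
RULES = """
pass in quick on lo0
block in log quick from any to any with ipopts
block in log quick on hme0 from 10.0.0.0/8 to any
block in log on hme0
pass in quick proto icmp from 148.197.0.0/16 to any
pass in quick proto tcp from 148.197.0.0/16 to any port = 22
"""

def after(toks, kw):
    """Return the token following keyword kw, or None if kw is absent."""
    return toks[toks.index(kw) + 1] if kw in toks else None

def parse_rule(line):
    """Turn one ipf rule line into a dict of match criteria (None means 'any')."""
    toks = line.split()
    src = after(toks, "from")
    m = re.search(r"port = (\d+)", line)
    return {"action": toks[0], "dir": toks[1], "quick": "quick" in toks,
            "iface": after(toks, "on"), "proto": after(toks, "proto"),
            "src": None if src in (None, "any") else ipaddress.ip_network(src),
            "port": int(m.group(1)) if m else None, "with": after(toks, "with")}

def matches(r, pkt):
    """True if every criterion the rule specifies agrees with the packet."""
    return (r["dir"] == pkt["dir"]
            and (r["iface"] is None or r["iface"] == pkt["iface"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"])
            and (r["port"] is None or r["port"] == pkt.get("dport"))
            and (r["with"] is None or r["with"] in pkt.get("flags", ())))

def decide(pkt, rules=None):
    """Return 'pass' or 'block' for a packet using ipf's rule-walk semantics."""
    if rules is None:
        rules = [parse_rule(l) for l in RULES.strip().splitlines()]
    verdict = "pass"  # ipf passes a packet that matches no rule at all
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]  # later matches override earlier ones...
            if r["quick"]:
                break              # ...unless the matching rule is 'quick'
    return verdict
```

Dropping the `block in log on hme0` line from `RULES` lets an inbound connection to an unlisted port pass, which is the "root shell on some strange port" case the post describes; with it present, that packet is blocked while SSH from 148.197.0.0/16 still passes.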