Firewall Wizards mailing list archives

Firewall rules review


From: "Matt Simonsen" <matt () careercast com>
Date: Wed, 20 Jun 2001 16:25:41 -0700

I will probably take this box down in the interest of its security (in case
my rules suck...) but here is its firewall script that some of you may do
me the favor of reviewing. PS- these rules were more or less taken from one
web page and modified for my needs, I don't want anybody feeling like I am
trying to take credit for them...

The goal: basically no traffic from the outside in, but all traffic from the
inside out unhindered. Total security (to the extent that it can exist).
Please give me any or all comments on this.

Also, using this rule set, any ideas on how a Pentium 200 w/64m RAM would
handle the load if it were using all the T1 capacity? How about a PIII 800,
1 gig RAM, on a 25Mbps connection at capacity?

Thanks!

Matt



The script:


#--------------------------------------------------------------------------
# xl0 - external interface
# rl0 - internal interface
#--------------------------------------------------------------------------
# packets which are too short to be real, except echo replies on lo0
pass in log quick on lo0 proto icmp from 127.0.0.1/8 to 127.0.0.1/8 with short
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
#--------------------------------------------------------------------------
# loopback untouched
pass in log quick on lo0 all
pass out log quick on lo0 all
#--------------------------------------------------------------------------
# Group setup:
# 100 = incoming external (xl0)
# 150 = outgoing external (xl0)
# 200 = incoming internal (rl0)
# 250 = outgoing internal (rl0)
block in log body on xl0 all head 100
block out log body on xl0 all head 150
block in log on rl0 all head 200
block out log on rl0 all head 250
#--------------------------------------------------------------------------
# incoming traffic on external - group 100
# 1) prevent localhost spoofing
block in log quick from 127.0.0.1/32 to any group 100
block in log quick from any to 127.0.0.1/8 group 100
#--------------------------------------------------------------------------
# 2) packets that should never exist on xl0
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
# RFC 1918 reserves 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), not just /16
block in log quick from 172.16.0.0/12 to any group 100
block in log quick from any to 172.16.0.0/12 group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from any to 192.168.0.0/16 group 100
# 3) policy
pass in log quick proto tcp from 64.47.230.224/255.255.255.224 to 64.47.230.240 port = 22 keep state group 100

# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100
#--------------------------------------------------------------------------
# outgoing xl0 traffic - group 150
pass out quick proto tcp/udp from 64.47.230.240 to any keep state group 150
pass out quick proto tcp/udp from 192.168.1.0/24 to any keep state group 150
pass out quick proto icmp from 64.47.230.240 to any keep state keep frags group 150
pass out quick proto icmp from 192.168.1.0/24 to any keep state keep frags group 150
#--------------------------------------------------------------------------
# incoming traffic on rl0 - group 200
#--------------------------------------------------------------------------
# 1) prevent localhost spoofing
block in log quick from 127.0.0.0/8 to any group 200
pass in log quick from any to any group 200
#--------------------------------------------------------------------------
# outgoing traffic on rl0 - group 250
#--------------------------------------------------------------------------
block out log quick from 127.0.0.0/8 to any group 250
block out quick from any to 127.0.0.0/8 group 250
pass out log quick from any to any group 250
#--------------------------------------------------------------------------
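ipf evaluates a group first-matching-"quick"-rule-wins, otherwise last-match-wins, so a reviewer checking the policy above has to trace each packet through the group. The simulator below is an added example, not part of Matt's post: it re-types the group-100 (incoming on xl0) rules as a constructed string, takes the 172.16 range as RFC 1918's /12, models the head rule "block in log body on xl0 all head 100" as the default verdict, and reports which rule decides a given packet.

```python
import ipaddress

# Constructed copy of the posted group-100 rules (incoming on xl0), with the
# 172.16 range as RFC 1918's /12; the head rule "block in ... head 100" is the default.
GROUP_100 = """
block in log quick from 127.0.0.1/32 to any
block in log quick from any to 127.0.0.1/8
block in log quick from 10.0.0.0/8 to any
block in log quick from any to 10.0.0.0/8
block in log quick from 172.16.0.0/12 to any
block in log quick from any to 172.16.0.0/12
block in log quick from 192.168.0.0/16 to any
block in log quick from any to 192.168.0.0/16
pass in log quick proto tcp from 64.47.230.224/255.255.255.224 to 64.47.230.240 port = 22 keep state
block return-icmp(net-unr) in proto udp from any to any
block return-rst in log proto tcp from any to any
"""

def parse_rule(line):
    """Parse the ipf subset used above (not a full ipf grammar) into a dict."""
    toks = line.split()
    rule = dict(action=toks[0], quick="quick" in toks, proto=None, src=None, dst=None, dport=None)
    if toks[1].startswith("return-"):  # block that actively rejects (rst / icmp)
        rule["action"] = f"block {toks[1]}"
    for i, tok in enumerate(toks):
        if tok == "proto":
            rule["proto"] = toks[i + 1]
        elif tok in ("from", "to"):  # "any" becomes 0.0.0.0/0 and matches everything
            net = toks[i + 1]
            rule["src" if tok == "from" else "dst"] = ipaddress.ip_network(
                "0.0.0.0/0" if net == "any" else net, strict=False)
        elif tok == "port":  # only the "port = N" form is handled
            rule["dport"] = int(toks[i + 2])
    return rule

RULES = [parse_rule(line) for line in GROUP_100.strip().splitlines()]

def evaluate(rules, src, dst, proto, dport=None):
    # ipf: first matching "quick" rule decides, else the last match; hit 0 = group head
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict, hit = "block", 0
    for n, r in enumerate(rules, 1):
        if r["proto"] not in (None, proto) or r["dport"] not in (None, dport):
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        verdict, hit = r["action"], n
        if r["quick"]:
            break
    return verdict, hit
```

Running it shows that only TCP/22 from the /27 to 64.47.230.240 reaches the pass rule; every other TCP packet falls through to the non-quick return-rst rule, UDP to the return-icmp rule, and ICMP to the head rule's plain block.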




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards