# IPFW - Best or optimal ruleset? Please, advice !



## Unixworld (Dec 8, 2009)

Hello all,

I'm trying to "sum up" and gather all good defence mechanisms
for building up "the ultimate" IPFW. 
Today i have played around with the Mac OS X's IPFW, which should
actually be the same as in our FreeBSD (as for Snow Leopard).

The experiment is intended for a standalone desktop workstation,
which doesn't run any servers, but only essential web-surfing
and ftp/torrents downloading.Some more details :
- i get my ip from a DHCP server
- i connect to my ISP through PPPoE
- don't have a home LAN/routers etc., just traditional cable 

Here's what i have done till now, and saved it as a startup
script, so the system will load these rules instead of the defaults:


```
add 00090 check-state
add 00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add 00110 deny log ip from 127.0.0.0/8 to any in
add 00120 deny log ip from any to 127.0.0.0/8 in
add 00130 deny log ip from 224.0.0.0/3 to any in
add 00140 deny log tcp from any to 224.0.0.0/3 in
add 00150 deny ip from 224.0.0.0/4 to any in
add 00160 deny ip from 0.0.0.0/8 to any
add 00170 deny tcp from any 0 to any
add 00180 deny tcp from any to any dst-port 0 in
add 00190 deny udp from any 0 to any
add 00200 deny udp from any to any dst-port 0 in
add 00210 deny tcp from any to any dst-port 81 in via ppp0
add 00220 deny tcp from any to any dst-port 113 in via ppp0
add 00230 deny tcp from any to any dst-port 137 in via ppp0
add 00240 deny tcp from any to any dst-port 138 in via ppp0
add 00250 deny tcp from any to any dst-port 139 in via ppp0
add 00260 deny tcp from any to any tcpflags syn,fin
add 00270 deny tcp from any to any tcpflags syn,rst
add 00280 deny ip from any to any ipoptions rr
add 00290 deny ip from any to any ipoptions ts
add 00300 deny ip from any to any ipoptions lsrr
add 00310 deny ip from any to any ipoptions ssrr
add 00400 allow tcp from me to any established
add 00410 allow tcp from me to any setup keep-state
add 00420 allow udp from me to any keep-state
add 65531 deny tcp from any to any established in via ppp0
add 65532 deny udp from any to any in
add 65533 deny icmp from any to any
add 65534 deny log logamount 1000 ip from any to any
add 65535 allow ip from any to any
```

After restarting, i found out that i can browse the web at least,
after having made such a mess 
I'm not advanced in Unix and i try learning the more i can,
focused on IPFW momentarily 

Please, help identifying wrong config lines/weaknesses in this setup, and advice what would be better/optimal instead.
I also hope that this thread would also help other people in my
position and anybody else wishing to learn more and more.

Any help and hints will be greatly appreciated !


Greetings,
Unixworld


----------



## Unixworld (Dec 8, 2009)

No one wants to give a hand ?


----------



## mickey (Dec 8, 2009)

My advice would be, to switch to PF, as it is generally considered superior to ipfw. No offence, I have been using ipfw myself for years, but now I am a happy PF user.

If you decide to go with IPFW, you should change it's default to deny, so that rule 65535 denies everything, in case something gets through there.


----------



## Unixworld (Dec 8, 2009)

Hey, Mickey, and thanx for answering.

Well, ok, i think starting with PF now, when i do not have enough
IPFW skills would be far too much for me 

I (try) learn how all this works, i know IPFW is hard,
but won't quit that easily 

So, my ask was more in the way "tell me, if i have made a good
rules table, cause i'm not sure for holes", i wanted to ask people for assistance in finding mistakes/holes/dumb lines 
in the table.

I know for the last rule 65535, but it's system rule and cannot be modified. The example table was made for Mac OS X 10.6.

Could you please point out unnecessary/wrong stuff in my trial
table otherwise, just to know if i am on the right path ?

Thanx !


----------



## mickey (Dec 9, 2009)

It's been a while since I used ipfw, but lets see...

You could change the ordering of some rules. I would loosely order the rules from least-specific to most-specific. For example, put the rules that filter packets with various IP option flags set (rules 280-310) somewhere near the top.

You should rethink, whether you really want to filter all ICMP traffic (rule 65533).

As it seems you are not going to allow any inbound tcp connections anyway, so there should be no need to filter specific ports (rules 210-250). These should be denied by a catch-all rule at the end.


----------



## varda (Dec 10, 2009)

First of all you need to deside what purposes is set for all those rules. There is no need to make rules for the sake of rules. In fact you do need filter at all if you do not have some internal services (that can't limit binding or restrict access themselves) to which tou want prevent network access from outside. Or if you experienced malicious incoming traffic and needs to prevent it. But if you got traffic you got it, like DDOS attac. Is it very likely for your dynamic address? To all unlistened ports OS itself refuse connection. Advanced services/daemons like ssh, ftp can set basic limitations (throttle, connection number limiting...) by itself.


----------



## Unixworld (Dec 11, 2009)

Thanx for answering, Varda

Well, i got what you mean, but not that much (since i'm noob )
I played around with many rulesets, browsed the web for answers
and advices from experienced people.
I decided to stick with the shipped IPFW, using the "workstation"
set, a little bit modified :


```
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 check-state
00500 allow tcp from me to any established
00600 allow tcp from me to any setup keep-state
00700 allow udp from me to any keep-state
00800 allow icmp from me to any keep-state
00900 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
01000 allow udp from any 67 to me dst-port 68 in
01100 allow udp from any 67 to 255.255.255.255 dst-port 68 in
65000 count ip from any to any
65100 allow tcp from any to me dst-port 51000 in setup keep-state
65200 allow udp from any to me dst-port 51000 in keep-state
65300 deny { tcp or udp } from any to any dst-port 135-139,445 in
65400 deny { tcp or udp } from any to any dst-port 1026,1027 in
65500 deny { tcp or udp } from any to any dst-port 1433,1434 in
65500 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any dst-port 520 in
65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
65500 deny ip from any to any
65535 deny ip from any to any
```

Momentarily, only with a incoming port for Deluge...
Many recommended using OpenBSD's PF, though. But since i am not
that experienced that i wish and that not so many people helped
out clearing this situation, i'll stick with this setup for now...
======================================================================

P.S. Well, i don't know how this thread has been marked as "Solved".
I didn't do it myself, neither do i consider it being "solved".
Perhaps, because i have been "answering myself" throughout the whole thread,
and finally "told myself i found the way", the thread is considered as [Solved] ?!
Thanx for the dozens of suggestions,too.That helped me a lot finding the right
direction and banging my head against the wall the whole time.

Well, thanx a lot for this. I thought forums were the place for discussions
and helping each other.Apparently i was very wrong.Bye.


----------



## malexe (Dec 14, 2009)

> P.S. Well, i don't know how this thread has been marked as "Solved".
> I didn't do it myself, neither do i consider it being "solved".
> Perhaps, because i have been "answering myself" throughout the whole thread,
> and finally "told myself i found the way", the thread is considered as [Solved] ?!
> ...



All that for 8 characters added to your subject ? x(

What is wrong ? You got two person who answered your posts... What did you expect? Your problem solved in 30 min for a 0$/hour fee ?

As for your ipfw rules, it is a matter of taste, and only you can decide what you want open, and what you want closed. A firewall is nothing magical, only a list of rule your network will follow.


----------



## DutchDaemon (Dec 14, 2009)

'Solved' doesn't mean 'closed'. This thread can continue. To me, saying 





> i'll stick with this setup for now...


 means it's not an 'open acute problem', so it's marked solved. No need to get all defensive and sensitive about it. This the Unix world.


----------

