# Assistance with IPFW Rules



## vijayrajah (Jul 7, 2014)

Hello,

I'm a FreeBSD Newbie.. I have a VPS, from a hosting provider. I'm using IPFW as my firewall system... I have the following firewall rules.. I want to know if the rules are ok, of if there are any loopholes in it.

everything seems to be working.. Just wanted to get a second opinion on this.


```
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="xn0"     # interface name of NIC attached to Internet

# No restrictions on Loopback Interface
$cmd 00010 allow all from any to any via lo0

$cmd 00101 check-state #to check dynamic rules table

##Enable all outbound connections
$cmd 00101 allow all from any to any out keep-state

###############INBOUND RULES#############3

#Enable ssh to port 1234
$cmd 00501 allow tcp from any to any 1234 via $pif keep-state

#Allow Dhcp
$cmd 0502 allow udp from any 67 to 255.255.255.255 68 in

#Allow xxxxx-host (x.x.x.x) to access all port
$cmd 00501 allow all from x.x.x.x to any via $pif keep-state

###IPv6 RULES
##Allow all outbound
$cmd 00601 allow ip6 from any to any out keep-state

##Allow inbound icmp6
$cmd 00602 allow ipv6-icmp from any to any keep-state

##Allow ssh to port 1234
$cmd 00603 allow ip6 from any to any 1234 in via $pif keep-state

##Deny All other ports
$cmd 00999 deny all from any to any
```

-Thanks in Advance
Vijay

PS: I'm a Linux system admin (with 10+ yrs exp)... I'm just new to FreeBSD...


EDIT: the system has a single NIC(xn0) connected to internet with a public IPv4 & IPv6 addresses .


----------



## obsigna (Jul 7, 2014)

A few comments:

The rule numbers 101 and 501 have been assigned doubly.
Common practice for stateful firewall rules is to check for setup in TCP packets, so I would divide your second 101 rule into the two following rules 200 and 201:

```
$cmd 200 allow tcp from any to any out setup keep-state
$cmd 201 allow all from any to any out keep-state
```

There is no need to keep-state for incoming packets, so rule 501 could be simplified to:

```
$cmd 501 allow tcp from any to any 1234 in
```

Your second rule having number 501 is unnecessary since this is covered by 200/201 (former 101#2).
Rules 601 and 602 are unnecessary, these are covered already by 200/201 (former 101#2) since all includes ipv4 and ipv6.
Rule 603 is unnecessary, this is covered by rule 501, since the protocol tcp includes ipv4 and ipv6.

PS: Perhaps, you want to add an antispoof rule:

```
...
$cmd 90 deny all from any to any not antispoof in
...
```


----------

