please scan manapua.sandust.org
Sandi Schneiderman
sandi at sandust.com
Wed Aug 1 21:03:05 PDT 2001
Would someone please scan my firewall from outside for me? I have been
making some changes to my firewall rules and want to see how they work
from outside. It is a slow sparc5, so the scan should take a while.
Use any weird flags and OS detection you want.
manapua.sandust.org
Thanks,
Dusty
--------here is a copy of my firewall rules---------
There is some odd redundancy, but it is there on purpose and it works.
#############################
# /etc/ipf.rules
# Dustin Cross, OpenBSD 2.8
# August 1, 2001
# ipf -Fa -f /etc/ipf.rules -E
#############################
#############################
# Begin Ruleset
#############################
# Block known problem systems to keep logs clean
# block in quick on le0 from xxx.xxx.xxx.xxx to any
# Loopback device rules
pass out quick on lo0
pass in quick on lo0
# Internal interface
pass in quick on hme0
pass out quick on hme0
# BEGIN RULES FOR PIPE TO THE WORLD
# Block frags
block in log quick on le0 all with frags
# Block short tcp packets
block in log quick on le0 proto tcp all with short
# Drop source routed packets
block in log quick on le0 all with opt lsrr
block in log quick on le0 all with opt ssrr
# Deny nmap OS fingerprint attempts
block in log quick on le0 proto tcp from any to any flags FUP
# Do not allow spoofing of private block addresses (in or out)
block in log quick on le0 from 0.0.0.0/8 to any
block in log quick on le0 from 10.0.0.0/8 to any
block in log quick on le0 from 172.16.0.0/12 to any
block in log quick on le0 from 192.168.0.0/16 to any
block out log quick on le0 from any to 0.0.0.0/8
block out log quick on le0 from any to 10.0.0.0/8
block out log quick on le0 from any to 172.16.0.0/12
block out log quick on le0 from any to 192.168.0.0/16
# Punch holes here
# Flags S/SA only allows packets with SYN set and ACK clear (the opening SYN of a connection)
# This prevents many forms of portscanning such as FIN scanning
pass in log quick on le0 proto tcp from any to le0/32 port = 22 flags S/SA
pass in log quick on le0 proto tcp from any to le0/32 port = 25 flags S/SA
pass in quick on le0 proto tcp from any to le0/32 port = 80 flags S/SA
pass in quick on le0 proto tcp from any to le0/32 port = 443 flags S/SA
# Allow ICMP ECHO_REPLY (type 0) and ICMP TTL_EXCEEDED (type 11)
pass in log quick on le0 proto icmp from any to le0/32 icmp-type 0
pass in log quick on le0 proto icmp from any to le0/32 icmp-type 11
# Block and log specific ports to catch common types of attacks
# RETURN-RST returns reset to give the appearance of no packet filter
# running and no services running
# RETURN-ICMP-AS-DEST(port-unr) returns port-unreachable to give the
# appearance of no packet filter and no services running
block return-rst in log quick on le0 proto tcp from any to any port = 21
block return-rst in log quick on le0 proto tcp from any to any port = 22
block return-rst in log quick on le0 proto tcp from any to any port = 23
block return-rst in log quick on le0 proto tcp from any to any port = 25
block return-icmp-as-dest(port-unr) in log quick on le0 proto udp from any to any port = 53
block return-rst in log quick on le0 proto tcp from any to any port = 80
block return-rst in log quick on le0 proto tcp from any to any port = 110
block return-icmp-as-dest(port-unr) in log quick on le0 proto udp from any to any port = 111
block return-rst in log quick on le0 proto tcp from any to any port = 111
block return-rst in log quick on le0 proto tcp from any to any port = 135
block return-rst in log quick on le0 proto tcp from any to any port = 137
block return-rst in log quick on le0 proto tcp from any to any port = 139
block return-rst in log quick on le0 proto tcp from any to any port = 443
block return-icmp-as-dest(port-unr) in log quick on le0 proto udp from any to any port = 514
block return-rst in log quick on le0 proto tcp from any to any port = 515
block return-icmp-as-dest(port-unr) in log quick on le0 proto udp from any to any port = 2049
block return-rst in log quick on le0 proto tcp from any to any port = 2049
block return-rst in log quick on le0 proto tcp from any to any port = 6000
# Deny all inbound traffic by protocol and catch anything that falls through
# RETURN-RST returns reset to give the appearance of no packet filter
# running and no services running
# RETURN-ICMP-AS-DEST(port-unr) returns port-unreachable to give the
# appearance of no packet filter and no services running
block return-rst in log quick on le0 proto tcp from any to any
block in log quick on le0 proto icmp from any to any
block return-icmp-as-dest(port-unr) in log quick on le0 proto udp from any to any
block in log quick on le0 from any to any
# Deny access to systems here...
# block out quick on le0 from any to xxx.xxx.xxx.xxx
# Pass out all traffic and keep state to allow it to return
# Flags S ensures state tracking only on the first outbound tcp packet
pass out quick on le0 proto tcp from any to any flags S keep state
pass out quick on le0 proto udp from any to any keep state
pass out quick on le0 proto icmp from any to any keep state
#############################
# End Ruleset
#############################
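As an added example (not part of the post above), here is a small Python model of ipf's first-match "quick" evaluation applied to the inbound le0 rules of this ruleset, which lets you check which action a given probe gets before running an external scan. The ICMP pass rules are reduced to the final ICMP block, and the source addresses used in the assertions (203.0.113.x, 10.x) are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# TCP flag letters as ipf spells them; a flag test compares only the bits named in its mask.
FLAG_BITS = {"F": 1, "S": 2, "R": 4, "P": 8, "A": 16, "U": 32}

def flag_bits(letters: str) -> int:
    return sum(FLAG_BITS[c] for c in letters)

@dataclass
class Rule:
    action: str                   # pass / block / block return-rst / block return-icmp-as-dest(port-unr)
    proto: Optional[str] = None   # tcp, udp or icmp; None means any protocol
    src: Optional[str] = None     # source network; None means "from any"
    port: Optional[int] = None    # destination port; None means any port
    flags: Optional[tuple] = None # (bits that must be set, bits compared), e.g. ("S", "SA")
    frags: bool = False           # "with frags"

@dataclass
class Packet:
    proto: str
    src: str
    dport: Optional[int] = None
    flags: str = ""               # TCP flag letters set on the packet
    frag: bool = False
# The post's inbound le0 rules, in order (ICMP pass rules omitted). All are "quick", so the
# first match decides. "flags FUP" with no mask compares all six bits (ipf default mask FSRPAU).
RULES = [
    Rule("block", frags=True),
    Rule("block", proto="tcp", flags=("FUP", "FSRPAU")),
    *[Rule("block", src=n) for n in ("0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    *[Rule("pass", proto="tcp", port=p, flags=("S", "SA")) for p in (22, 25, 80, 443)],
    *[Rule("block return-rst", proto="tcp", port=p) for p in (21, 22, 23, 25, 80, 110, 443)],
    Rule("block return-rst", proto="tcp"),
    Rule("block", proto="icmp"),
    Rule("block return-icmp-as-dest(port-unr)", proto="udp"),
    Rule("block"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    want, mask = (flag_bits(x) for x in (rule.flags or ("", "")))
    return ((pkt.frag or not rule.frags)
            and rule.proto in (None, pkt.proto)
            and (rule.src is None or ip_address(pkt.src) in ip_network(rule.src))
            and rule.port in (None, pkt.dport)
            and flag_bits(pkt.flags) & mask == want)

def filter_in(pkt: Packet) -> str:
    # Action of the first matching quick rule; the trailing bare "block" guarantees a match.
    return next(r.action for r in RULES if matches(r, pkt))
```

Note the ordering effect the post's "odd redundancy" relies on: a plain SYN to port 22 hits the pass rule, while a FIN or SYN+ACK probe to the same port falls through to the per-port return-rst rule and looks like a closed port.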