# A bit of background is needed here.
#
# - nahanni is the name of my machine on my local Ethernet. My local
#   network is a subnet of a class C network. This subnet has 29 bits for
#   the network address and 3 bits for the host address. Consequently,
#   "nahanni/29" matches anything on my local network.
#
# - avalon is a pseudonym for a machine out on the Internet that I trust
#   completely.
#
# - zona is the name of my end of the PPP link to my old place of work.
#   This name corresponds to an IP address on their class C network.
#   Consequently, "zona/24" matches any IP address on their network.
#
# - xnahanni is my end of my PPP link to the university (i.e. the Internet).
#
# - dab-nahanni is my end of the PPP link to my new place of work. They
#   have a class B network so "dab-nahanni/16" matches any IP address on
#   their network.

# Start from scratch.
ipfw flush

# Basic accept filters to provide local sanity.
# These are the IP addresses of the interfaces on my local machine.
# The first is an Ethernet interface. The rest are PPP interfaces.
ipfw addf accept all from nahanni to 0/0
ipfw addf accept all from xnahanni to 0/0
# handled below: ipfw addf accept all from zona to 0/0
# handled below: ipfw addf accept all from dab-nahanni to 0/0

# Trust my local network.
ipfw addf accept all from nahanni/29 to 0/0

# Allow anything from avalon.
ipfw addf accept all from avalon to 0/0

# Allow anything from our old work (they have a class C network so /24 is appropriate).
# This also allows anything from zona (our end of the work PPP link).
ipfw addf accept all from zona/24 to 0/0

# Allow anything from the new work (and from our end of the PPP link to the
# new place of work).
ipfw addf accept all from dab-nahanni/16 to 0/0

# Allow me to contact any external UDP service and others to contact a few
# of my special UDP services.
ipfw addf accept udp from 0/0 to 0/0 900:5000 domain bootp talk ntalk route

# Allow me to contact other services available on untrusted hosts.
# This one is a bit tricky. We allow packets from any foreign port number
# to any local port in the range 900 to 5000. When we are outbound, privileged
# applications use port numbers slightly less than 1024 and normal applications
# allow the local port number to be set by the system (which always picks
# port numbers in the range 1024 to 5000).
# The only services that we offer are for port numbers either below 900
# or over 5000.
#
# This approach theoretically allows outsiders to connect to any services
# that we may offer in the 900:5000 range. The /etc/services file lists a
# couple of services in this range (in my humble opinion, this is a bug
# in the /etc/services file). Since we don't run any of these services,
# allowing outsiders to connect to services in this range doesn't constitute
# a security hole.
ipfw addf accept tcp from 0/0 to 0/0 900:5000

# Allow others to contact X-servers on my local network.
# Depend on xhosts to protect things.
ipfw addf accept tcp from 0/0 to nahanni/29 6000

# Allow others to connect to a few basic services.
# We don't actually run the auth service. Allowing it means that others
# get a "connection refused" which is better than the total silence that
# they get if we block it. Also, I've noticed a few sites try to connect
# to it when I send them e-mail. Might as well be polite ...
#
# Note that I don't accept packets destined for sendmail. I send my e-mail
# via the Internet but I receive my e-mail via uucp. If you get your e-mail
# via the Internet then you'll have to add smtp to the list of ports to allow.
ipfw addf accept tcp from 0/0 to 0/0 daytime time nameserver auth

# Allow icmp stuff from anywhere (this isn't described in the README - sorry).
ipfw addf accept icmp from 0/0 to 0/0
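The rule set above relies on first-match semantics and on the claim that nothing listens in the 900:5000 range. The following Python script is an added example, not the author's code and not part of ipfw: it parses the accept rules as written, evaluates a packet against them in order, and then runs an /etc/services-style listing through the evaluator to show exactly which entries an arbitrary untrusted host could reach. The IP addresses for nahanni, xnahanni, zona, dab-nahanni and avalon are constructed placeholders (the real ones are not on the page), the /etc/services excerpt is constructed, and the evaluator assumes that a packet matching no accept rule is dropped, which is what the comment on the auth rule implies.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses standing in for the hostnames in the rule set; the real
# addresses are not on the page, so these are assumptions. "0" is the 0/0 wildcard.
HOSTS = {
    "nahanni": "192.0.2.10",      # local Ethernet interface on a /29 subnet
    "xnahanni": "198.51.100.7",   # PPP link to the university
    "zona": "10.1.2.3",           # PPP link to the old workplace (class C)
    "dab-nahanni": "172.16.9.9",  # PPP link to the new workplace (class B)
    "avalon": "203.0.113.200",    # fully trusted Internet host
    "0": "0.0.0.0",
}
# Port numbers for the service names the rules use (standard /etc/services values).
SERVICES = {"domain": 53, "bootp": 67, "talk": 517, "ntalk": 518, "route": 520,
            "daytime": 13, "time": 37, "nameserver": 42, "auth": 113}

# The accept rules exactly as they appear in the rule set, in order.
RULES_TEXT = """
ipfw addf accept all from nahanni to 0/0
ipfw addf accept all from xnahanni to 0/0
ipfw addf accept all from nahanni/29 to 0/0
ipfw addf accept all from avalon to 0/0
ipfw addf accept all from zona/24 to 0/0
ipfw addf accept all from dab-nahanni/16 to 0/0
ipfw addf accept udp from 0/0 to 0/0 900:5000 domain bootp talk ntalk route
ipfw addf accept tcp from 0/0 to 0/0 900:5000
ipfw addf accept tcp from 0/0 to nahanni/29 6000
ipfw addf accept tcp from 0/0 to 0/0 daytime time nameserver auth
ipfw addf accept icmp from 0/0 to 0/0
"""

@dataclass
class Rule:
    proto: str                    # "all", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: List[Tuple[int, int]]  # inclusive destination port ranges; empty = any port

RULE_RE = re.compile(r"ipfw addf accept (\w+) from (\S+) to (\S+)(.*)")

def parse_addr(spec: str) -> ipaddress.IPv4Network:
    """'host' -> /32, 'host/bits' -> the containing network, '0/0' -> everything."""
    host, _, bits = spec.partition("/")
    return ipaddress.IPv4Network(f"{HOSTS.get(host, host)}/{bits or 32}", strict=False)

def parse_port(spec: str) -> Tuple[int, int]:
    """'900:5000' -> (900, 5000); '6000' or a service name -> a single-port range."""
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo), int(hi)
    port = int(spec) if spec.isdigit() else SERVICES[spec]
    return port, port

def load_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if m:  # anything that is not an accept rule is ignored
            proto, src, dst, rest = m.groups()
            rules.append(Rule(proto, parse_addr(src), parse_addr(dst),
                              [parse_port(p) for p in rest.split()]))
    return rules

RULES = load_rules(RULES_TEXT)

def decide(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First matching rule wins: ('accept', index). No match -> ('deny', None),
    on the assumption that the default policy after 'ipfw flush' is to drop."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, r in enumerate(rules):
        if r.proto != "all" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.ports and not any(lo <= dport <= hi for lo, hi in r.ports):
            continue
        return "accept", i
    return "deny", None

def exposed_services(rules: List[Rule], services_text: str, local: str,
                     remote: str = "198.51.100.99") -> List[Tuple[str, int, str]]:
    """Entries of an /etc/services-style listing that an untrusted remote host could reach."""
    reachable = []
    for line in services_text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        if decide(rules, proto, remote, local, int(port))[0] == "accept":
            reachable.append((fields[0], int(port), proto))
    return reachable

# Constructed excerpt in /etc/services format, not the author's file.
ETC_SERVICES_SAMPLE = """\
smtp        25/tcp
auth        113/tcp
imap        143/tcp
kerberos    750/tcp
socks       1080/tcp
nfs         2049/udp
x11         6000/tcp
"""

if __name__ == "__main__":
    for name, port, proto in exposed_services(RULES, ETC_SERVICES_SAMPLE, HOSTS["nahanni"]):
        print(f"{name:10s} {port:5d}/{proto} reachable from untrusted hosts")
```

Run against the constructed excerpt, the evaluator reports auth (deliberately allowed), socks 1080/tcp and nfs 2049/udp (both inside the 900:5000 window that exists only for outbound ephemeral ports) and x11 6000/tcp (reachable because the destination is inside nahanni/29). Feeding the real /etc/services file of the host in question instead of the excerpt gives the list of daemons that must not be started while this rule set is in place.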