VESARiA Network Security Specialists
3.5 What are some reasonable filtering rules for a kernel-based packet screen?

This example is written specifically for ipfwadm on Linux, but the principles (and even much of the syntax) apply to other kernel interfaces for packet screening on "open source" Unix systems.

There are four basic categories covered by the ipfwadm rules:

Packet Accounting
Input firewall
Output firewall
Forwarding firewall

ipfwadm also has masquerading (-M) capabilities. For more information on switches and options, see the ipfwadm man page.

3.5.1 Implementation

Here, our organization is using a private (RFC 1918) Class C network. Our ISP has assigned us the address for our gateway's external interface and for our external mail server. Organizational policy says:

  • Allow all outgoing TCP connections
  • Allow incoming SMTP and DNS to external mail server
  • Block all other traffic

The following block of commands can be placed in a system boot file (perhaps rc.local on Unix systems).

      ipfwadm -F -f
      ipfwadm -F -p deny
      ipfwadm -F -i m -b -P tcp -S 1024:65535 -D 25
      ipfwadm -F -i m -b -P tcp -S 1024:65535 -D 53
      ipfwadm -F -i m -b -P udp -S 1024:65535 -D 53
      ipfwadm -F -a m -S -D -W eth0

      /sbin/route add -host gw

3.5.2 Explanation

  • Line one flushes (-f) all forwarding (-F) rules.
  • Line two sets the default policy (-p) to deny.
  • Lines three through five are input rules (-i) in the following format:

    ipfwadm -F (forward) -i (input) m (masq.) -b (bi-directional) -P (protocol) [protocol] -S (source) [subnet/mask] [originating ports] -D (destination) [subnet/mask] [port]

  • Line six appends (-a) a rule that permits all internal IP addresses out to all external addresses on all protocols, all ports.
  • Line eight adds a route so that traffic going to will be directed to the internal address.
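To make the evaluation order of these rules concrete, here is an added simulation (not code from the FAQ or from ipfwadm) of a first-match forwarding chain with a default policy, over the rule set above. The addresses are constructed placeholders (192.168.1.0/24 for the internal RFC 1918 network, 203.0.113.25 for the external mail server, 0.0.0.0/0 for "anywhere"), since the page elides the real ones; the source network of the three inserted rules is assumed to be "anywhere", and those rules are modeled as a plain accept even though the page's commands use ipfwadm's m policy. The model shows why -b matters on a stateless screen (the reply from port 25 back to the client's high port is matched by swapping source and destination) and how the 1024:65535 originating-port restriction denies a probe that arrives from a low source port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Rule:
    """One ipfwadm-style forwarding rule; the chain is evaluated first match wins."""
    policy: str                  # "accept", "deny" or "masquerade" (ipfwadm's 'm')
    proto: str                   # "tcp", "udp" or "all"
    src: str                     # source network in CIDR notation
    sports: PortRange            # originating port range, None for any
    dst: str                     # destination network in CIDR notation
    dports: PortRange            # destination port range, None for any
    bidirectional: bool = False  # ipfwadm -b: also match with src/dst swapped


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def _match_one_way(r: Rule, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    return (
        (r.proto == "all" or r.proto == proto)
        and ip_address(src) in ip_network(r.src)
        and ip_address(dst) in ip_network(r.dst)
        and _in_range(sport, r.sports)
        and _in_range(dport, r.dports)
    )


def matches(r: Rule, p: Packet) -> bool:
    if _match_one_way(r, p.proto, p.src, p.sport, p.dst, p.dport):
        return True
    # -b: the same rule also covers the reply direction (stateless screens need this)
    return r.bidirectional and _match_one_way(r, p.proto, p.dst, p.dport, p.src, p.sport)


class ForwardChain:
    """Models 'ipfwadm -F': an ordered rule list plus a default policy."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.default = "accept"

    def flush(self) -> None:                     # ipfwadm -F -f
        self.rules.clear()

    def set_policy(self, policy: str) -> None:   # ipfwadm -F -p <policy>
        self.default = policy

    def insert(self, r: Rule) -> None:           # ipfwadm -F -i ... (head of the list)
        self.rules.insert(0, r)

    def append(self, r: Rule) -> None:           # ipfwadm -F -a ... (tail of the list)
        self.rules.append(r)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if matches(r, p):
                return r.policy
        return self.default


# Constructed placeholder addresses; the page does not give the real ones.
INTERNAL_NET = "192.168.1.0/24"   # the private RFC 1918 Class C
MAIL_SERVER = "203.0.113.25/32"   # external mail server (documentation range)
ANY = "0.0.0.0/0"
UNPRIV = (1024, 65535)            # the 1024:65535 originating-port range


def build_example_chain() -> ForwardChain:
    chain = ForwardChain()
    chain.flush()                 # line one: flush forwarding rules
    chain.set_policy("deny")      # line two: default policy deny
    # lines three to five: incoming SMTP and DNS to the mail server, bidirectional
    chain.insert(Rule("accept", "tcp", ANY, UNPRIV, MAIL_SERVER, (25, 25), bidirectional=True))
    chain.insert(Rule("accept", "tcp", ANY, UNPRIV, MAIL_SERVER, (53, 53), bidirectional=True))
    chain.insert(Rule("accept", "udp", ANY, UNPRIV, MAIL_SERVER, (53, 53), bidirectional=True))
    # line six: everything from the internal network outward, masqueraded
    chain.append(Rule("masquerade", "all", INTERNAL_NET, None, ANY, None))
    return chain


if __name__ == "__main__":
    chain = build_example_chain()
    for pkt in (
        Packet("tcp", "192.168.1.10", 40000, "198.51.100.7", 80),   # outgoing web
        Packet("tcp", "198.51.100.7", 33000, "203.0.113.25", 25),   # incoming SMTP
        Packet("tcp", "203.0.113.25", 25, "198.51.100.7", 33000),   # SMTP reply
        Packet("tcp", "198.51.100.7", 33000, "203.0.113.25", 23),   # incoming telnet
        Packet("tcp", "198.51.100.7", 80, "203.0.113.25", 25),      # SMTP from low port
    ):
        print(pkt, "->", chain.decide(pkt))
```

Because the three inserted rules are disjoint, their relative order does not change the outcome here; it does matter as soon as an inserted rule overlaps with an appended one, which is why a flush and an explicit default policy come first in the boot file.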

Firewall FAQ
© 2000 - 2018 Vesaria Network Security Specialists