TidalWave (Explorer) · Joined Mar 6, 2019 · Messages: 51
Hi guys,
I have a bunch of firewall rules from a Linux CentOS server that I'm replacing with a FreeBSD (FreeNAS) server. It's for an OpenVPN server, so I want to lock it down tight! I need some help to translate these iptables commands into ipfw commands. Please! Any help will be appreciated.
Guidelines, written by some guy who no longer works here, but I want to copy them into FreeNAS.
Drop all packets by default that have no rules for them.
-P INPUT DROP
Allow localhost
-A INPUT -i lo -j ACCEPT
Drop traffic to localhost not originating from localhost
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
Accept established connections inbound
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
SSH is allowed.
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
To harden SSH, allow only 5 attempts per IP every 3 mins and drop the rest
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 5 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
Allow ICMP only from OpenVPN subnet source address
-A INPUT -s 10.8.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
Allowing TCP services
-A INPUT -p tcp -m tcp --dport [port_no] -m state --state NEW -j ACCEPT
Allowing multiple related services
-A INPUT -p tcp -m tcp -m multiport --dports [port_no],[port_no] -m state --state NEW -j ACCEPT
Allowed UDP services
-A INPUT -p udp -m udp --dport [port_no] -m state --state NEW -j ACCEPT
In case of policy resets
-A INPUT -j REJECT --reject-with icmp-port-unreachable
Make FORWARD filtering more efficient
-I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Sample Rules
*nat
:PREROUTING ACCEPT [167925:9905808]
:POSTROUTING ACCEPT [5926:389524]
:OUTPUT ACCEPT [403:30503]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7019:1831655]
:BKH - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 10.8.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 5666,5667 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
Sample Ruleset
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 13M 4311M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 9 512 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 0 0 REJECT all -- !lo * 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
4 574 55104 ACCEPT icmp -- * * 10.8.0.0/21 0.0.0.0/0 icmp type 8
5 15857 949K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 80,443 state NEW
7 2 151 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:161 state NEW
8 3606 216K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 5666,5667 state NEW
9 203 15046 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Best,
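One way to express the INPUT policy above in ipfw, as an added example that is neither the poster's code nor a FreeNAS-supplied script. It assumes OUTPUT stays open as on the CentOS box, takes the ports and the 10.8.0.0/24 subnet from the "Sample Rules" section, and relies on FreeBSD's built-in rule 65535 ("deny ip from any to any") for the default DROP; the rule numbers and the function names (gen_rules, apply_rules, rule_count) are my own choices.

```shell
#!/bin/sh
# Added example: ipfw equivalent of the iptables INPUT chain above (not the
# poster's code). Assumes OUTPUT is open, ports/subnet from "Sample Rules", and
# FreeBSD's default rule 65535 (deny ip from any to any) supplies the DROP policy.
set -eu
VPN_NET="10.8.0.0/24"            # OpenVPN client subnet, from the original rules
TCP_PORTS="22 80,443 5666,5667"  # one ipfw rule per space-separated group
UDP_PORTS="161"
# Print the ruleset as "number action ..." lines; nothing is applied here.
gen_rules() {
    n=100
    echo "$n allow ip from any to any via lo0"                            # allow localhost
    n=$((n+100)); echo "$n unreach port ip from any to 127.0.0.0/8 in"    # 127/8 not via lo -> REJECT
    n=$((n+100)); echo "$n check-state"                                   # ESTABLISHED,RELATED
    n=$((n+100)); echo "$n allow ip from me to any out keep-state"        # OUTPUT ACCEPT; replies via check-state
    n=$((n+100)); echo "$n allow icmp from $VPN_NET to me icmptypes 8 in" # echo-request only from VPN
    for p in $TCP_PORTS; do
        n=$((n+100))
        # "setup" matches SYN-only packets, i.e. iptables --state NEW.
        if [ "$p" = "22" ]; then
            # ipfw has no "recent" module; "limit src-addr 5" caps concurrent SSH
            # sessions per source address, not attempts per 180 s (closest built-in).
            echo "$n allow tcp from any to me $p in setup limit src-addr 5"
        else
            echo "$n allow tcp from any to me $p in setup keep-state"
        fi
    done
    for p in $UDP_PORTS; do
        n=$((n+100)); echo "$n allow udp from any to me $p in keep-state"
    done
    echo "65000 unreach port ip from any to any in"                       # final REJECT, icmp-port-unreachable
}
# Number of rules gen_rules would install; a sanity check before applying.
rule_count() { gen_rules | wc -l | tr -d ' '; }
# Load the rules into the kernel (root on the FreeBSD host only; ipfw must be enabled).
apply_rules() {
    ipfw -q -f flush
    gen_rules | while read -r rule; do
        ipfw -q add $rule   # word splitting intended: "add 100 allow ip from ..."
    done
}
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules
fi
```

Enable ipfw first (firewall_enable="YES" in rc.conf) and point firewall_script at this file; because "limit src-addr" caps concurrent sessions rather than attempts over a time window, pair it with sshd's MaxStartups or sshguard if you need the 5-per-3-minutes behaviour of the original.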