FreeBSD 10.1, nginx, php 5.6? mysql 5.6, then there will be a mail server, joomla 3.4 Is it worth it behind the router in which 22, 80,110, 25, 443 are open Should I set up ipfw on the server itself in this case? If yes, then tell me the rules

I still have the following, but freebsd and joomla are not updated, I don’t download something or go to another server via ssh. It seems that requests to dns servers on port 53 do not go through, although it seems to be open (see below.) Tell me what rules need to be corrected?

#ipfw list 00001 unreach port ip from table(1) to me 00015 reject log logamount 10000 tcp from any to any tcpflags syn,fin,ack,psh,rst,urg via ae0 00016 reject log logamount 10000 tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg via ae0 00017 reject log logamount 10000 tcp from any to any not established tcpflags fin via ae0 00018 deny log logamount 10000 ip from any to any not verrevpath in via ae0 00050 allow log logamount 10000 ip from any to any via lo0 00055 allow log logamount 10000 ip from me to any 00056 allow log logamount 10000 tcp from me to any keep-state 00057 allow log logamount 10000 udp from me to any keep-state 00058 allow log logamount 10000 icmp from me to any keep-state 00075 allow tcp from any to any established 00076 check-state 00100 allow log logamount 10000 icmp from any to any 00150 allow log logamount 10000 ip from 192.168.1.1 to me via ae0 00151 allow log logamount 10000 ip from 192.168.1.5 to me via ae0 00170 allow log logamount 10000 tcp from any to me dst-port 20,21,22,25,53,80,110,143,443,587,993,995,3306,8080,10000,2812 via ae0 00171 allow log logamount 10000 udp from any to me dst-port 53,3306 via ae0 00200 allow tcp from any to any dst-port 80 out via ae0. 00225 allow tcp from any to any dst-port 25 out via ae0 00227 allow tcp from any to any dst-port 110 out via ae0 00250 allow log logamount 10000 icmp from any to any out via ae0 keep-state 00255 allow log logamount 10000 ip from any to any dst-port 123 out via ae0 00300 allow log logamount 10000 tcp from any to any dst-port 22 out via ae0 setup keep-state 10000 deny log logamount 10000 ip from any to any 65535 deny ip from any to any #ipfw show 00001 39 3324 unreach port ip from table(1) to me 00015 0 0 reject log logamount 10000 tcp from any to any tcpflags syn,fin,ack,psh,rst,urg via ae0 00016 0 0 reject log logamount 10000 tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg via ae0 00017 0 0 reject log logamount 10000 tcp from any to any not established tcpflags fin via ae0 00018 0 0 deny log logamount 10000 ip from any to any not verrevpath in via ae0 00050 15224 3393588 allow log logamount 10000 ip from any to any via lo0 00055 5919 1215317 allow log logamount 10000 ip from me to any 00056 0 0 allow log logamount 10000 tcp from me to any keep-state 00057 0 0 allow log logamount 10000 udp from me to any keep-state 00058 0 0 allow log logamount 10000 icmp from me to any keep-state 00075 6031 7579870 allow tcp from any to any established 00076 0 0 check-state 00100 554 15512 allow log logamount 10000 icmp from any to any 00150 167 13026 allow log logamount 10000 ip from 192.168.1.1 to me via ae0 00151 12 624 allow log logamount 10000 ip from 192.168.1.5 to me via ae0 00170 30 1604 allow log logamount 10000 tcp from any to me dst-port 20,21,22,25,53,80,110,143,443,587,993,995,3306,8080,10000,2812 via ae0 00171 0 0 allow log logamount 10000 udp from any to me dst-port 53,3306 via ae0 00200 0 0 allow tcp from any to any dst-port 80 out via ae0. 00225 0 0 allow tcp from any to any dst-port 25 out via ae0 00227 0 0 allow tcp from any to any dst-port 110 out via ae0 00250 0 0 allow log logamount 10000 icmp from any to any out via ae0 keep-state 00255 0 0 allow log logamount 10000 ip from any to any dst-port 123 out via ae0 00300 0 0 allow log logamount 10000 tcp from any to any dst-port 22 out via ae0 setup keep-state 10000 4254 457568 deny log logamount 10000 ip from any to any 65535 0 0 deny ip from any to any

In the log

 Apr 28 01:47:46 passat kernel: ipfw: 10000 Deny UDP ip_dns_сервера:53 192.168.1.7:2232 in via ae0 Apr 28 01:47:50 passat kernel: ipfw: 10000 Deny UDP ip_dns_сервера:53 192.168.1.7:2236 in via ae0
  • FreeBSD server for NAT is like a Mercedes in the village: very cool, but not to bring manure, to bring the girls to the district center (c) It is easier for you to buy a switch, a second network card, then turn it into a router and then pick it up with ipfw. - igumnov
  • “So with the help of simple devices a trolley bus can be made from a loaf, but why? (C) There is a second card and a switch, but does it make sense? - Magi

1 answer 1

For a simple web server, these rules should suffice:

 allow ip from any to any via lo0 # Разрешаем все на обратной петле deny ip from any to 127.0.0.0/8 # Запрещаем прохождение извне внутрь петли deny ip from 127.0.0.0/8 to any # Запрещаем прохождение из петли во внешние allow tcp from any to any established # Разрешить уже установленные allow ip from any to any frag # Разрешить фрагментированные пакеты allow tcp from any to me dst-port 25,465,587 setup # Разрешить подключение с любого к серверу SMTP allow tcp from any to me dst-port 110,143,995 setup # Разрешить подключение с любого к серверу POP3 allow tcp from any to me dst-port 53 setup # Разрешить DNS allow udp from any to me dst-port 53 # Разрешить DNS allow udp from me 53 to any # Разрешить DNS allow tcp from any to me dst-port 80,8080,443 setup # Разрешить HTTP, HTTPS allow tcp from any to me dst-port 22 setup # Разрешить подключение с любого к серверу SSH allow tcp from me to any setup # Разрешить подключение с сервера к любому внешнему deny tcp from any to any setup # Запретить установку всех остальных TCP подключений allow udp from me to any dst-port 53 keep-state # Разрешить динамические DNS allow udp from me to any dst-port 123 keep-state # Разрешить динамические NTP deny ip from any to any # Закрыть всё для всех
  • I am sure the author would be very grateful to you for the comments on the above listing. - Nicolas Chabanovsky
  • I really hope for it. - RemiZOffAlex