I'll become the superuser and issue the ipfw show command to check my
su
Password:
ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 check-state
00301 0 0 deny tcp from any to any in established
00302 0 0 allow tcp from any to any keep-state setup
00400 0 0 allow udp from 220.127.116.11 53 to any in recv ed0
00401 0 0 allow udp from 18.104.22.168 53 to any in recv ed0
00402 0 0 allow udp from 22.214.171.124 53 to any in recv ed0
00403 0 0 allow udp from any to any out
65535 0 0 deny ip from any to any
Because I need to allow UDP packets, I'll want to specify the DHCP port numbers and the IP address of my DHCP server. As the superuser, I'll consider adding the following lines to my
#allow DHCP
add 00500 allow udp from any 68 to 126.96.36.199 67 out via ed0
add 00501 allow udp from 188.8.131.52 67 to any 68 in via ed0
These should be the bare minimum rules that will allow my DHCP client to renew its lease with the DHCP server 184.108.40.206. Whether more rules will be required will vary according to the dependability of that DHCP server. If the DHCP server always responds to my renewal requests, I won't have to resort to sending out UDP broadcasts, pinging my default gateway, or receiving UDP broadcasts. If my DHCP server is not so dependable, I might have to also add the following rules:
add 00502 allow udp from any 68 to 255.255.255.255 67 out via ed0
add 00503 allow udp from any 67 to 255.255.255.255 68 in via ed0
I won't immediately add rules 00502 and 00503, though, as up to this point my DHCP server has been quite dependable. I have made a mental note to keep these rules in mind, just in case my provider ever has problems with this DHCP server or changes its IP address.
Before I save my changes, I'll compare rules 00500 and 00501 to the rest of my ruleset to ensure there aren't any conflicts or overlaps. I immediately notice an overlap between rules 00403 and 00500:
add 00403 allow udp from any to any out
add 00500 allow udp from any 68 to 220.127.116.11 67 out via ed0
Since rule 00403 already allows "any" UDP packet to go out of my computer, and ipfw stops at the first rule that matches a packet, the more specific rule 00500, which only allows UDP packets out from port 68, will never be read. At this point, I need to make a choice between creating a minimum number of rules or using a maximum amount of paranoia and responsibility.
I originally added rule 00403 when I created the rules to allow DNS resolution. (See last week's article.) If I decide to remove rule 00403, I'll have to replace it with three more rules that will allow UDP packets to be sent out to the three DNS servers. Also, if I ever need to access any other type of server that requires me to send it a UDP packet, I'll have to create an extra rule to do so. This will result in adding extra rules, and thus extra overhead, to my ipfw ruleset, instead of using one all-encompassing rule.
This goes against the philosophy of using a minimum number of rules, but I also need to look at the implications of keeping that one all-encompassing rule. There's no security risk to me if I send out UDP packets, as long as I restrict whom I'm willing to accept UDP packets from. For example, rule 00403 allows me to send out any UDP packet, but rules 00400, 00401, 00402, and 00501 ensure I'll only accept UDP packets from my provider's three DNS servers and one DHCP server. This seems to be an acceptable policy for my standalone FreeBSD computer.
However, I would have to rethink this policy if I ever put any clients behind my FreeBSD firewall. For example, Microsoft clients send out an inordinate number of UDP packets to advertise their shared resources. It would be both irresponsible of me and a security risk to allow those packets to leave my network by letting them out through my firewall. In this case, I would have to accept the overhead of extra rules to ensure that I was only sending out necessary UDP packets, and I would have to remove the rule that allows any UDP packet to leave my firewall.
For now, I'll keep rule 00403 as I'm currently only protecting this standalone FreeBSD computer. I might as well delete rule 00500 as it will never be read. My change to this file now looks like this:
#allow DHCP
add 00501 allow udp from 18.104.22.168 67 to any 68 in via ed0
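To check the first-match reasoning above before editing a live ruleset, here is a small ipfw-style evaluator (an added example, not code from the article): it parses a constructed copy of the ruleset, walks it in rule-number order, and reports which rule decides a packet. Addresses are RFC 5737 documentation addresses standing in for the provider's DNS and DHCP servers, the tcp and check-state rules are left out, and "recv ed0" is simplified to "inbound on ed0".

```python
import ipaddress
import re
# Constructed ruleset modelled on the article's, with RFC 5737 documentation
# addresses; the tcp/check-state rules are omitted (stateless udp/ip model only).
RULESET = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00400 allow udp from 192.0.2.53 53 to any in recv ed0
00401 allow udp from 192.0.2.54 53 to any in recv ed0
00402 allow udp from 192.0.2.55 53 to any in recv ed0
00403 allow udp from any to any out
00500 allow udp from any 68 to 192.0.2.67 67 out via ed0
00501 allow udp from 192.0.2.67 67 to any 68 in via ed0
65535 deny ip from any to any
"""
RULE_RE = re.compile(
    r"(?P<num>\d+) (?P<action>allow|deny) (?P<proto>\w+)"
    r" from (?P<src>\S+)(?: (?P<sport>\d+))? to (?P<dst>\S+)(?: (?P<dport>\d+))?"
    r"(?: (?P<dir>in|out))?(?: (?P<ifkw>via|recv) (?P<iface>\S+))?$")
def parse_rules(text):
    return [RULE_RE.match(line).groupdict() for line in text.strip().splitlines()]
def addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
def matches(rule, pkt):
    """Stateless match of one rule; 'recv IF' is modelled as inbound-on-IF only."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_ok(rule["src"], pkt["src"]) and addr_ok(rule["dst"], pkt["dst"])):
        return False
    for key in ("sport", "dport", "dir"):  # None in the rule means "any"
        if rule[key] is not None and str(rule[key]) != str(pkt[key]):
            return False
    if rule["iface"] is not None and (rule["iface"] != pkt["iface"]
                                      or (rule["ifkw"] == "recv" and pkt["dir"] != "in")):
        return False
    return True

def first_match(rules, pkt):
    """ipfw semantics: the lowest-numbered matching rule decides; later ones are never read."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    raise RuntimeError("no default rule")  # unreachable here: 65535 matches everything

def udp(src, sport, dst, dport, direction, iface="ed0"):
    return dict(proto="udp", src=src, sport=sport, dst=dst, dport=dport, dir=direction, iface=iface)

if __name__ == "__main__":
    rules = parse_rules(RULESET)  # DHCP renewal out: caught by 00403, so 00500 is dead
    print(first_match(rules, udp("192.0.2.10", 68, "192.0.2.67", 67, "out")))  # ('00403', 'allow')
```

Deleting rule 00500 from the constructed ruleset leaves every verdict unchanged, while an inbound UDP packet to port 68 from any address other than the DHCP server still falls through to the 65535 deny.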