How to properly configure ipfw for a web server

FreeBSD 10.1, nginx, PHP 5.6(?), MySQL 5.6, later a mail server as well, Joomla 3.4. The server is behind a router on which ports 22, 80, 110, 25 and 443 are open. Should I configure ipfw on the server itself in this case? If yes, please suggest the rules.

At the moment I have the following, but FreeBSD and Joomla will not update, and downloading anything or connecting to another server via ssh is not possible. It seems that requests to DNS servers on port 53 do not get through, although the port appears to be open (see below). Tell me which rules need to be corrected.

#ipfw list
00001 unreach port ip from table(1) to me
00015 reject log logamount 10000 tcp from any to any tcpflags syn,fin,ack,psh,rst,urg via ae0
00016 reject log logamount 10000 tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg via ae0
00017 reject log logamount 10000 tcp from any to any not established tcpflags fin via ae0
00018 deny log logamount 10000 ip from any to any not verrevpath in via ae0
00050 allow log logamount 10000 ip from any to any via lo0
00055 allow log logamount 10000 ip from me to any
00056 allow log logamount 10000 tcp from me to any keep-state
00057 allow log logamount 10000 udp from me to any keep-state
00058 allow log logamount 10000 icmp from me to any keep-state
00075 allow tcp from any to any established
00076 check-state
00100 allow log logamount 10000 icmp from any to any
00150 allow log logamount 10000 ip from 192.168.1.1 to me via ae0
00151 allow log logamount 10000 ip from 192.168.1.5 to me via ae0
00170 allow log logamount 10000 tcp from any to me dst-port 20,21,22,25,53,80,110,143,443,587,993,995,3306,8080,10000,2812 via ae0
00171 allow log logamount 10000 udp from any to me dst-port 53,3306 via ae0
00200 allow tcp from any to any dst-port 80 out via ae0
00225 allow tcp from any to any dst-port 25 out via ae0
00227 allow tcp from any to any dst-port 110 out via ae0
00250 allow log logamount 10000 icmp from any to any out via ae0 keep-state
00255 allow log logamount 10000 ip from any to any dst-port 123 out via ae0
00300 allow log logamount 10000 tcp from any to any dst-port 22 out via ae0 setup keep-state
10000 deny log logamount 10000 ip from any to any
65535 deny ip from any to any

#ipfw show
00001    39    3324 unreach port ip from table(1) to me
00015     0       0 reject log logamount 10000 tcp from any to any tcpflags syn,fin,ack,psh,rst,urg via ae0
00016     0       0 reject log logamount 10000 tcp from any to any tcpflags !syn,!fin,!ack,!psh,!rst,!urg via ae0
00017     0       0 reject log logamount 10000 tcp from any to any not established tcpflags fin via ae0
00018     0       0 deny log logamount 10000 ip from any to any not verrevpath in via ae0
00050 15224 3393588 allow log logamount 10000 ip from any to any via lo0
00055  5919 1215317 allow log logamount 10000 ip from me to any
00056     0       0 allow log logamount 10000 tcp from me to any keep-state
00057     0       0 allow log logamount 10000 udp from me to any keep-state
00058     0       0 allow log logamount 10000 icmp from me to any keep-state
00075  6031 7579870 allow tcp from any to any established
00076     0       0 check-state
00100   554   15512 allow log logamount 10000 icmp from any to any
00150   167   13026 allow log logamount 10000 ip from 192.168.1.1 to me via ae0
00151    12     624 allow log logamount 10000 ip from 192.168.1.5 to me via ae0
00170    30    1604 allow log logamount 10000 tcp from any to me dst-port 20,21,22,25,53,80,110,143,443,587,993,995,3306,8080,10000,2812 via ae0
00171     0       0 allow log logamount 10000 udp from any to me dst-port 53,3306 via ae0
00200     0       0 allow tcp from any to any dst-port 80 out via ae0
00225     0       0 allow tcp from any to any dst-port 25 out via ae0
00227     0       0 allow tcp from any to any dst-port 110 out via ae0
00250     0       0 allow log logamount 10000 icmp from any to any out via ae0 keep-state
00255     0       0 allow log logamount 10000 ip from any to any dst-port 123 out via ae0
00300     0       0 allow log logamount 10000 tcp from any to any dst-port 22 out via ae0 setup keep-state
10000  4254  457568 deny log logamount 10000 ip from any to any
65535     0       0 deny ip from any to any

In the log:

Apr 28 01:47:46 passat kernel: ipfw: 10000 Deny UDP ip_dns_сервера:53 192.168.1.7:2232 in via ae0
Apr 28 01:47:50 passat kernel: ipfw: 10000 Deny UDP ip_dns_сервера:53 192.168.1.7:2236 in via ae0
Author: Magi, 2015-04-29

1 answer

For a simple web server, these rules should be enough:

allow ip from any to any via lo0 # Allow everything on the loopback
deny ip from any to 127.0.0.0/8 # Deny traffic from outside into the loopback
deny ip from 127.0.0.0/8 to any # Deny traffic from the loopback to the outside
allow tcp from any to any established # Allow already established connections
allow ip from any to any frag # Allow fragmented packets
allow tcp from any to me dst-port 25,465,587 setup # Allow connections from anywhere to the SMTP server
allow tcp from any to me dst-port 110,143,995 setup # Allow connections from anywhere to the POP3 server
allow tcp from any to me dst-port 53 setup # Allow DNS
allow udp from any to me dst-port 53 # Allow DNS
allow udp from me 53 to any # Allow DNS
allow tcp from any to me dst-port 80,8080,443 setup  # Allow HTTP, HTTPS
allow tcp from any to me dst-port 22 setup # Allow connections from anywhere to the SSH server
allow tcp from me to any setup # Allow connections from the server to any external host
deny tcp from any to any setup # Deny setup of all other TCP connections
allow udp from me to any dst-port 53 keep-state # Allow DNS via dynamic rules
allow udp from me to any dst-port 123 keep-state # Allow NTP via dynamic rules
deny ip from any to any # Close everything for everyone
 1
Author: RemiZOffAlex, 2015-11-13 22:14:36
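An added model (not code from the question or the answer) of how ipfw walks the two rulesets for one DNS query and its reply: in the asker's list the stateless `allow ip from me to any` (00055) matches the outgoing query before the `keep-state` rule (00057), so no dynamic entry is created and the reply falls through to 10000, exactly as the quoted log shows; with the keep-state rule ahead of it, or with the UDP rules of the answer, the reply is matched by the dynamic entry. The DNS server address 198.51.100.53 is a constructed stand-in, and `Pkt`, `Rule`, `evaluate` and `dns_roundtrip` are the example's own names.

```python
"""Model of ipfw first-match evaluation with keep-state dynamic rules."""
from dataclasses import dataclass

ME = {"192.168.1.7"}   # the server's own address, taken from the asker's log
DNS = "198.51.100.53"  # constructed stand-in for the external DNS server

@dataclass
class Pkt:
    proto: str; src: str; sport: int; dst: str; dport: int

@dataclass
class Rule:
    num: int; action: str; proto: str = "ip"; src: str = "any"; dst: str = "any"
    sports: tuple = (); dports: tuple = (); keep_state: bool = False

def _addr(spec, ip):
    return spec == "any" or (spec == "me" and ip in ME) or spec == ip

def matches(r, p):
    return (r.proto in ("ip", p.proto) and _addr(r.src, p.src) and _addr(r.dst, p.dst)
            and (not r.sports or p.sport in r.sports) and (not r.dports or p.dport in r.dports))

def evaluate(rules, pkt, state):
    """First-match walk; `state` maps a bidirectional flow key to the rule that created it."""
    key = (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))
    for r in rules:
        # dynamic entries are consulted at check-state and at keep-state rules
        if (r.action == "check-state" or r.keep_state) and key in state:
            return state[key], "allow"
        if r.action != "check-state" and matches(r, pkt):
            if r.keep_state:          # only a keep-state match creates a dynamic entry
                state[key] = r.num
            return r.num, r.action
    return 65535, "deny"              # the implicit default rule

def dns_roundtrip(rules):
    """Evaluate an outgoing DNS query and its reply against `rules`, sharing one state table."""
    state = {}
    query = Pkt("udp", "192.168.1.7", 2232, DNS, 53)
    reply = Pkt("udp", DNS, 53, "192.168.1.7", 2232)
    return evaluate(rules, query, state), evaluate(rules, reply, state)

# The asker's rules that a UDP DNS flow can reach, in their original order.
ASKER = [Rule(55, "allow", "ip", "me"), Rule(57, "allow", "udp", "me", keep_state=True),
         Rule(76, "check-state"), Rule(171, "allow", "udp", "any", "me", dports=(53, 3306)),
         Rule(10000, "deny")]
REORDERED = [ASKER[1], ASKER[0]] + ASKER[2:]   # keep-state rule ahead of the stateless allow
# The UDP rules from the answer, in its order.
ANSWER = [Rule(1, "allow", "udp", "any", "me", dports=(53,)), Rule(2, "allow", "udp", "me", sports=(53,)),
          Rule(3, "allow", "udp", "me", dports=(53,), keep_state=True), Rule(4, "deny")]
```

`dns_roundtrip(ASKER)` yields the query allowed by 55 and the reply denied by 10000; `REORDERED` and `ANSWER` allow both directions through the rule that created the dynamic entry.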