SSH - and only SSH
I have a box I admin. It's got a public address and a private address. This box does all sorts of interesting things on its private network. Whereas on the internet it just needs to allow me SSH access. I have, of course, secured all the services to prevent them from being exploited via all the evil script kiddies out there. But I want ubersecure. I want the box to accept SSH on the public interface and nothing else - except, of course, if it originates on the box. I've built stateful firewalls in the past, but I've never done so with IPFW - which, for no readily apparent reason, I fancy doing.
First thing to do is to recompile the kernel with IPFW. I could kldload it, only then I need to change the default rule (I've embarrassed myself that way once too often). The following is the KERNCONF I used:
include GENERIC
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options DUMMYNET
options HZ="1000"
Now (see my earlier blog for the specifics) I just need to add the rules:
add 100 allow tcp from any to 10.0.0.1 22
add 110 allow tcp from 10.0.0.1 22 to any
add 200 check-state
add 300 allow tcp from 10.0.0.1 to any setup keep-state
add 310 allow udp from 10.0.0.1 to any keep-state
add 900 deny tcp from any to any
add 910 deny udp from any to any
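The ruleset is short enough to walk through by hand, but a tiny first-match simulator makes the stateful part explicit. This is an added example, not code from the post and not ipfw itself; it assumes the post's 10.0.0.1 as the box address and runs constructed sample traffic (RFC 5737 documentation addresses) through the rules above:

```python
# Added example (not from the post, not ipfw): first-match simulator for the post's ruleset.
BOX = "10.0.0.1"  # the box's address, as used in the post's rules
# (number, action, proto, src, sport, dst, dport, options); None means "any"
RULES = [
    (100, "allow", "tcp", None, None, BOX, 22, ()),
    (110, "allow", "tcp", BOX, 22, None, None, ()),
    (200, "check-state", None, None, None, None, None, ()),
    (300, "allow", "tcp", BOX, None, None, None, ("setup", "keep-state")),
    (310, "allow", "udp", BOX, None, None, None, ("keep-state",)),
    (900, "deny", "tcp", None, None, None, None, ()),
    (910, "deny", "udp", None, None, None, None, ()),
]

def packet(proto, src, sport, dst, dport, syn=False):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "syn": syn}

def flow(p):  # 5-tuple identifying a flow, used for rule matching and the state table
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

class Firewall:
    def __init__(self, rules, default="allow"):  # default mirrors IPFIREWALL_DEFAULT_TO_ACCEPT
        self.rules, self.default, self.state = rules, default, set()

    def _static_match(self, rule, p):
        if any(w is not None and w != g for w, g in zip(rule[2:7], flow(p))):
            return False
        return p["syn"] or "setup" not in rule[7]  # "setup" only matches a TCP SYN

    def filter(self, p):
        """Return (rule number, action) of the first match; 65535 is the kernel default rule."""
        reverse = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        for rule in self.rules:
            num, action, opts = rule[0], rule[1], rule[7]
            if action == "check-state":
                if flow(p) in self.state or reverse in self.state:
                    return num, "allow"  # dynamic entries here all descend from allow rules
                continue
            if self._static_match(rule, p):
                if "keep-state" in opts:
                    self.state.add(flow(p))  # remember the flow so its replies pass rule 200
                return num, action
        return 65535, self.default

def demo():  # constructed sample traffic run through the ruleset, keyed by what each packet is
    fw, r = Firewall(RULES), {}
    r["ssh_in"] = fw.filter(packet("tcp", "203.0.113.9", 50000, BOX, 22, syn=True))     # rule 100
    r["http_in"] = fw.filter(packet("tcp", "203.0.113.9", 50001, BOX, 80, syn=True))    # rule 900
    r["out_syn"] = fw.filter(packet("tcp", BOX, 40000, "198.51.100.7", 443, syn=True))  # rule 300
    r["reply"] = fw.filter(packet("tcp", "198.51.100.7", 443, BOX, 40000))              # rule 200
    r["dns_out"] = fw.filter(packet("udp", BOX, 53000, "198.51.100.53", 53))            # rule 310
    r["dns_reply"] = fw.filter(packet("udp", "198.51.100.53", 53, BOX, 53000))          # rule 200
    r["icmp_in"] = fw.filter(packet("icmp", "203.0.113.9", None, BOX, None))            # default 65535
    return r
```

Note the ICMP packet: rules 900 and 910 only cover TCP and UDP, so anything else falls through to the kernel's default-accept rule set by IPFIREWALL_DEFAULT_TO_ACCEPT.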
All done.