RE: firewall

From: fbsd_user (fbsd_user_at_a1poweruser.com)
Date: 09/14/03

    To: "Robert Storey" <y2kbug@ms25.hinet.net>, <freebsd-questions@freebsd.org>
    Date: Sun, 14 Sep 2003 12:58:19 -0400
    
    

    Your problem is that you are using the sample rules file provided by
    IPFW. You are correct, you do not understand what you are doing.
    You are supposed to edit the sample rules file to create your own
    rules file. That sample is only there as a starting point for you to
    build your own rules. You need to do a lot of reading about ipfw
    rules; check the man pages.

    I know that the FBSD handbook gives the reader the impression that
    IPFW is the only firewall available to FBSD, but that is a false
    impression. FBSD has IPFILTER, which is also a built in firewall like
    IPFW, and the netbsd firewall IPF has been ported to FBSD, so there
    are other options. I have used both IPFW and IPFILTER. IPFW's keep state
    rules do not function correctly on a DSL or cable internet
    connection; it has just been upgraded in FBSD 5.2 with a lot of fluff
    that does nothing but confuse the general user.

    For a newbie, you should use the IPFILTER firewall. Its rules are
    documented so that almost anyone with some knowledge can write rules,
    unlike IPFW.

    Here is my IPFILTER environment config.
    I have also included some other hard to find kernel
    internal knobs to add tighter packet security.

    http://www.obfuscation.org/ipf/

    http://www.obfuscation.org/ipf/ipf-howto.html

    NOTE: beware of line wrap in the below lines

    /etc/rc.conf

    # Activate IPFILTER IPNAT function auto start at boot time
    ipfilter_enable="YES"           # Start ipfilter firewall
    ipfilter_flags=""               # turn off flags
    ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter
    ipnat_enable="YES"              # Start ipnat function
    ipnat_rules="/etc/ipnat.rules"  # rules definition file for ipnat
    ipmon_enable="YES"              # Start ip monitor log
    ipmon_flags="-Ds"               # D = start as daemon
                                    # s = log to syslog
                                    # v = log tcp window, ack, seq fields
                                    # n = map ip & port to names

    # Extra kernel tcp/ip stack packet security options

    log_in_vain="YES"        # NO is default. YES enables logging of
                             # connection attempts to ports that have no
                             # listening socket on them. Puts msg on console

    icmp_drop_redirect="YES" # YES will cause the kernel to ignore
                             # ICMP REDIRECT packets.

    icmp_log_redirect="YES"  # YES will cause the kernel to log ignored
                             # ICMP REDIRECT packets.

    #tcp_drop_synfin="YES"   # YES will cause the kernel to ignore TCP
                             # frames that have both the SYN and FIN flags
                             # set. Only available if the kernel was built
                             # with the TCP_DROP_SYNFIN option.
                             # change to NO if webserver behind firewall.

    tcp_restrict_rst="YES"   # YES will cause the kernel to refrain from
                             # emitting TCP RST frames in response to
                             # invalid TCP packets (e.g., frames destined
                             # for closed ports). This option is only
                             # available if the kernel was built with the
                             # TCP_RESTRICT_RST option.

    syslogd_flags="-ss"      # Don't use network sockets so portscan
                             # will not find (security tip)

    portmap_enable="NO"      # Don't allow nfs portmapper (security tip)

    /etc/ipnat.rules
    # Provide NAT services for LAN users.
    # NAT my private LAN ip address to whatever my dynamic ISP address is.
    map rl0 10.0.10.0/29 -> 0/32

    # Provide NAT services for user ppp Dial in tun0 connections.
    map rl0 10.0.0.0/29 -> 0/32

    # Provide special NAT services for Active FTP from LAN users.
    map rl0 0/0 -> 0/32 proxy port 21 ftp/tcp

    /etc/ipf.rules
    # usage notes:
    # 1. rule line numbers in rule file are not used in
    #    ipfstat -ion listing of active rules
    # 2. keep state is applied on private ip address before being
    #    handed off to nat function.
    # 3. /etc/rc.conf file has ipfilter options to tell ipmon what
    #    info to log. -a rule with log option + nat convert + keep state

    #################################################################
    #
    # Generic for all interfaces
    #
    #################################################################

    @010 block in log quick all with opt lsrr
    @011 block in log quick all with opt ssrr
    @012 block in log quick all with ipopts
    @013 block in log quick all with short
    @014 block in log quick all with frag

    #################################################################
    # Outside Interface to Public internet (Outbound Section)
    # Interrogate packets originating from behind the firewall, private net,
    # destined for the public internet.
    #################################################################

    # Allow out access to my ISP's Domain name server.
    @100 pass out quick on rl0 proto tcp from any to 24.50.201.66 port = 53 flags S keep state
    @101 pass out quick on rl0 proto udp from any to 24.50.201.66 port = 53 keep state
    @102 pass out quick on rl0 proto tcp from any to 24.50.201.67 port = 53 flags S keep state
    @103 pass out quick on rl0 proto udp from any to 24.50.201.67 port = 53 keep state
    @104 pass out quick on rl0 proto tcp from any to 24.50.201.69 port = 53 flags S keep state
    @105 pass out quick on rl0 proto udp from any to 24.50.201.69 port = 53 keep state

    # Allow out access to my ISP's DHCP server.
    @106 pass out quick on rl0 proto udp from any to 24.50.201.66 port = 67 keep state

    # Allow out non-secure standard www function
    @110 pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state

    # Allow out secure www function https over TLS SSL
    @115 pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state

    # Allow out send & get email function
    @130 pass out quick on rl0 proto tcp from any to any port = 110 flags S keep state
    @131 pass out quick on rl0 proto tcp from any to any port = 25 flags S keep state

    # Allow out Time
    @140 pass out quick on rl0 proto tcp from any to any port = 37 keep state

    # Allow out nntp news
    #@150 pass out quick on rl0 proto tcp from any to any port = 119
    @150 pass out quick on rl0 proto tcp from any to any port = 119 flags S keep state

    # Allow out passive FTP for LAN PC FTP to public Internet
    @160 pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
    @161 pass out quick on rl0 proto tcp from any to any port > 1023 flags S keep state

    # Allow out ping to public Internet
    @170 pass out quick on rl0 proto icmp from any to any icmp-type 8 keep state

    # Allow out whois for LAN PC to public Internet
    @172 pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state

    # Allow out traceroute to public Internet
    pass out quick on rl0 proto udp from any to any port 33434 >< 33690 keep state

    # block ports that show on log and are ok to stop logging
    # Deny tcp port 81 - hosts2 name server. winme is doing this.
    @190 block out quick on rl0 proto tcp from any to any port = 81

    # Deny Everything else trying to get out.
    @199 block out log quick on rl0 all

    #################################################################
    # Outside Interface to Public internet (Inbound Section)
    # Interrogate packets originating from the public internet,
    # destined for the firewall and the private net behind it.
    #################################################################

    # Allow traffic in from ISP's DHCP server.
    @300 pass in quick on rl0 proto udp from 24.50.201.66 to any port = 68 keep state

    # Deny all Adelphia broadcast stuff so it does not show in log as
    # default block
    @310 block in quick on rl0 proto udp from any to 255.255.255.255
    @311 block in quick on rl0 proto tcp/udp from 0.0.0.0 to any
    @312 block in quick on rl0 proto igmp from any to any

    # Allow in non-secure standard www function
    @320 pass in quick on rl0 proto tcp from 63.70.155.0/24 to any port = 80 flags S keep state

    # Allow in Telnet
    @330 pass in quick on rl0 proto tcp from 63.70.155.0/24 to any port = 23 flags S keep state

    # Allow in ping from public Internet
    @340 pass in quick on rl0 proto icmp from 63.70.155.0/24 to any icmp-type 8 keep state

    # Deny ping so it does not show in log
    @350 block in quick on rl0 proto icmp all

    # Deny ident so it does not show in log
    @351 block in quick on rl0 proto tcp from any to any port = 113

    # Block and log all remaining traffic coming into the firewall
    @399 block in log quick on rl0 all

    #################################################################
    # Inside Interface local Lan Nic
    #################################################################

    #----------------------------------------------------------------
    # Allow out all TCP, UDP, and ICMP traffic
    #----------------------------------------------------------------
    @500 pass out quick on xl0 proto tcp from any to any
    @501 pass out quick on xl0 proto udp from any to any
    @502 pass out quick on xl0 proto icmp from any to any
    @503 block out log quick on xl0 all

    #----------------------------------------------------------------
    # Allow in all TCP, UDP, and ICMP traffic
    #----------------------------------------------------------------
    @520 pass in quick on xl0 proto tcp from any to any
    @521 pass in quick on xl0 proto udp from any to any
    @522 pass in quick on xl0 proto icmp from any to any
    @523 block in log quick on xl0 all

    #################################################################
    # Loopback Interface
    #################################################################

    #----------------------------------------------------------------
    # Allow everything to/from your loopback interface so you
    # can ping yourself (e.g. ping localhost)
    #----------------------------------------------------------------
    @700 pass in quick on lo0 all
    @701 pass out quick on lo0 all

    kernel source compile options
    options IPFILTER                # Adds filtering code into kernel
    options IPFILTER_LOG            # enable logging
    options IPFILTER_DEFAULT_BLOCK  # block all packets by default
    #
    # The following options add sysctl variables for controlling how certain
    # TCP packets are handled by the kernel.
    #
    options ICMP_BANDLIM            # Enables icmp error response bandwidth
                                    # limiting. This will help protect from
                                    # D.O.S. packet attacks.

    options RANDOM_IP_ID            # Randomizes the IP ID field of
                                    # outgoing packets

    #options TCP_DROP_SYNFIN        # Adds support for ignoring TCP packets
                                    # with SYN+FIN. This prevents nmap from
                                    # identifying the TCP/IP stack, but
                                    # breaks support for RFC1644 extensions
                                    # & is not recommended for web servers
                                    # behind the firewall.
    # not supported in 4.4 and newer
    #options TCP_RESTRICT_RST       # Adds support for blocking emission of
                                    # TCP RST packets. Useful in limiting
                                    # SYN floods & port scanning. Replaced by
                                    # the sysctl knob blackhole.

    /etc/sysctl.conf
    ####################################################################
    #
    #
    # The sysctl.conf file contains MIB's to change the default setting of
    # internal options of the kernel at boot up time. MIB's which control
    # how packets are handled get control before the packet is handed off
    # to the firewall (IPFW or IPFILTER). Some of these MIB's may seem
    # like they are doing the same thing, but because there is no FBSD
    # provided documentation on the order these MIB's get control, they
    # all get enabled here and we let the kernel do its thing.
    #
    # NOTE: Some of these MIB's can also be set in rc.conf and or the kernel
    # source. This will not hurt anything.
    #
    # This sysctl.conf created 3/22/2002 by Joe Barbish.
    #
    ####################################################################

    # To defend against SYN attacks more commonly known as SYNFLOOD attacks,
    # the two queues which are targeted by this type of attack should have
    # their size increased so that the queues can withstand an attack of low
    # to moderate intensity with little to no effect on the stability or
    # availability of the server. FBSD maintains separate queues for inbound
    # socket connection requests. One queue is for half-open sockets (SYN
    # received, SYN|ACK sent), the other queue for fully-open sockets
    # awaiting an accept() call from the application. The following
    # statement increases the queue size from 128.

    kern.ipc.somaxconn=1024

    # Redirect attacks is the purposeful mass issuing of redirects.
    # In a normal network, redirects to the end stations should not be
    # required. To defend against this type of attack both the sending and
    # accepting of redirects should be disabled. In the following
    # statements, the first 1 enables the special kernel MIB to drop these
    # attacks, the second turns off the logging of attacks because there is
    # no limit and this could fill up your logs consuming your whole hard
    # drive and the last statement changes the FBSD default from yes to no.

    net.inet.icmp.drop_redirect=1
    net.inet.icmp.log_redirect=0
    net.inet.ip.redirect=0

    # Source routing is another way for an attacker to try to reach non
    # routable addresses behind your box. It can also be used to probe for
    # information about your internal networks. These functions come enabled
    # as part of the standard FBSD core system. The following will disable
    # them.

    net.inet.ip.sourceroute=0
    net.inet.ip.accept_sourceroute=0

    # By allowing aged ARP entries to remain cached or lying around allows
    # for the possibility of a hacker to create a resource exhaustion or
    # performance degradation by filling the IP route cache with bogus
    # ARP entries. This in turn can be used as Denial of Service attack.
    # To prevent this sort of problem the following statement shortens the
    # amount of time an ARP will be cached from 1200.

    net.link.ether.inet.max_age=600

    # To protect your box from the well publicized SMURF attack. This attack
    # works by sending ICMP 8 0 (ECHO REQUEST) messages to a broadcast
    # address from a spoofed address. If the host is a firewall (router), it
    # should not propagate directed broadcasts.
    # The following statement sets the default to no broadcasts.

    net.inet.icmp.bmcastecho=0

    # To change the system behavior when connection requests are received
    # on TCP or UDP ports where there is no socket listening. The normal
    # behavior, when a TCP SYN segment is received on a port where there is
    # no socket accepting connections, is for the system to return a RST
    # segment, and drop the connection. The connecting system will see this
    # as a "Connection reset by peer".
    #
    # By turning the TCP black hole MIB on to a numeric value of one, the
    # incoming SYN segment is merely dropped, and no RST is sent, making the
    # system appear as a blackhole.
    #
    # By setting the MIB value to two, any segment arriving on a closed port
    # is dropped without returning a RST.
    # This provides some degree of protection against stealth port scans.
    # The following enables this MIB.

    net.inet.tcp.blackhole=2
    net.inet.udp.blackhole=1

    # The log_in_vain MIB will provide you with logging of attempted
    # connections to your box on any port which does not have a server
    # running on it. For example, if you do not have a DNS server on your
    # computer and someone would try to access your computer through DNS
    # port 53, you would see a message such as: Connection attempt to UDP
    # yourIP:53 from otherIP:X (where X is some high port #) displayed on
    # the root console screen. This message also gets posted to
    # /var/log/messages & /var/log/security.log.
    # The following statements enable this function.

    net.inet.tcp.log_in_vain=1
    net.inet.udp.log_in_vain=1

    # To increase the size of your TCP window to allow for more efficient
    # transfers, particularly bulk transfers such as FTP. The maximum value
    # suggested is 32768 bytes. Change from 16384. In release 4.5 the
    # defaults for these values changed upwards to what they are below.

    net.inet.tcp.sendspace=32768
    net.inet.tcp.recvspace=65536

    -----Original Message-----
    From: owner-freebsd-questions@FreeBSD.ORG
    [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Redmond Militante
    Sent: Friday, January 31, 2003 3:37 PM
    To: JoeB; freebsd-questions@freebsd.org
    Subject: Re: please comment on my nat/ipfw rules (resent)

    hi

    you've sold me :)
    do you have any good online tutorials to recommend for setting up a
    gateway/firewall/natd machine using ipfilter/ipnat?

    thanks
    redmond

    > 1. Your firewall rules are not working at all, except for the natd
    > redirect option. This is caused by the kernel compile time option
    > IPFIREWALL_DEFAULT_TO_ACCEPT. This option tells your firewall that
    > any packet that does not match a rule is allowed to pass on through
    > the firewall. Comment out that option in your kernel options source
    > and recompile your kernel to take the default of default-to-deny and
    > your current rules set will stop functioning.
    >
    > 2. You are using the simplest of the rule types 'state-less'. Using
    > this type of rules you have to not only have a rule to allow the
    > packet out, you also have to have a rule to allow the packet in. See
    > rules 220 & 230 of your posted rule set to see how it should be
    > done.
    >
    > 3. There are 3 classes of rules, each class has separate packet
    > interrogation abilities. Each proceeding class has greater packet
    > interrogation abilities than the previous one. These are stateless,
    > simple stateful, and advanced stateful. The advanced stateful rule
    > class is the only class having technically advanced interrogation
    > abilities capable of defending against the flood of different attack
    > methods currently employed by perpetrators. Stateless and Simple
    > Stateful IPFW firewall rules are inadequate to protect the user's
    > system in today's internet environment and leave the user
    > unknowingly believing they are protected when in reality they are
    > not.
    >
    >
    > 4. The advanced stateful rule option keep-state works as documented
    > only when used in a rule set that does not use the divert rule.
    > Simply stated, the IPFW advanced stateful rule option keep-state does
    > not function correctly when used in an IPFW firewall that also is
    > using the IPFW built in NATD function. For the most complete
    > keep-state protection the other FIREWALL solution (IPFILTER) that
    > comes with FBSD should be used. Just check out the IPFW list archives
    > and you will see this subject discussed in detail without any
    > solution forthcoming.
    >
    >
    > -----Original Message-----
    > From: owner-freebsd-questions@FreeBSD.ORG
    > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Redmond Militante
    > Sent: Friday, January 31, 2003 8:18 AM
    > To: freebsd-questions@freebsd.org
    > Subject: please comment on my nat/ipfw rules (resent)
    >
    >
    > hi all
    >
    > i have my test machine set up as a gateway box, with ipfw/natd
    > configured on it, set up to filter/redirect packets bound for a
    > client on my internal network.
    >
    > external ip of my internal client is aliased to the outside nic of
    > the gateway box
    >
    >
    > gateway machine's kernel has been recompiled with:
    >
    > options IPFIREWALL
    > options IPDIVERT
    > options IPFIREWALL_DEFAULT_TO_ACCEPT
    > options IPFIREWALL_VERBOSE
    >
    >
    >
    > gateway's /etc/rc.conf looks like
    >
    > defaultrouter="129.x.x.1"
    > hostname="hostname.com"
    > ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
    > #aliasing internal client's ip to the outside nic of gateway box
    > ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
    > #inside nic of gateway box
    > ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
    > gateway_enable="YES"
    > firewall_enable="YES"
    > #firewall_script="/etc/rc.firewall"
    > firewall_type="/etc/ipfw.rules"
    > natd_enable="YES"
    > #natd interface is outside nic
    > natd_interface="xl0"
    > #natd flags redirect any traffic bound for ip of www3 to internal
    > ip of www3
    > natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
    > kern_securelevel_enable="NO"
    > .........
    >
    >
    >
    > internal client's /etc/rc.conf looks like
    >
    > second machine's /etc/rc.conf:
    >
    > defaultrouter="10.0.0.1"
    > ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"
    > ................
    >
    >
    > looks like this setup is working. the internal client is a basic
    > webserver/ftp server. i am able to ftp to it, ssh to it, view
    > webpages that it serves up, etc. with it hooked up to the internal
    > nic of the gateway box.
    >
    > i am now trying to come up with a good set of firewall rules on the
    > gateway box to filter out all unnecessary traffic to my internal
    > network. the following is my /etc/ipfw.rules on the gateway box.
    >
    > -----------------------------snip------------------------------
    >
    > # firewall_type="/etc/ipfw.rules"
    > # enquirer ipfw.rules
    >
    > # NAT
    > add 00100 divert 8668 ip from any to any via xl0
    >
    > # loopback
    > add 00210 allow ip from any to any via lo0
    > add 00220 deny ip from any to 127.0.0.0/8
    > add 00230 deny ip from 127.0.0.0/8 to any
    >
    > #allow tcp in for nfs shares
    > #add 00301 allow tcp from 129.x.x.x to any in via xl0
    > #add 00302 allow tcp from 129.x.x.x to any in via xl0
    >
    > #allow tcp in for ftp,ssh, smtp, httpd
    > add 00303 allow tcp from any to any in 21,22,25,80,10000 via xl0
    >
    > #deny rest of incoming tcp
    > add 00309 deny log tcp from any to any in established
    >
    > #from man 8 ipfw: allow only outbound tcp connections i've created
    > add 00310 allow tcp from any to any out via xl0
    >
    >
    > #allow udp in for gateway for DNS
    > add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0
    >
    > #allow udp in for nfs shares
    > #add 00401 allow udp from 129.x.x.x to any in recv xl0
    > #add 00402 allow udp from 129.x.x.x to any in recv xl0
    >
    > #allow all udp out from machine
    > add 00404 allow udp from any to any out via xl0
    >
    > #allow some icmp types (codes not supported)
    > ##########allow path-mtu in both directions
    > add 00500 allow icmp from any to any icmptypes 3
    > ##########allow source quench in and out
    > add 00501 allow icmp from any to any icmptypes 4
    > ##########allow me to ping out and receive response back
    > add 00502 allow icmp from any to any icmptypes 8 out
    > add 00503 allow icmp from any to any icmptypes 0 in
    > ##########allow me to run traceroute
    > add 00504 allow icmp from any to any icmptypes 11 in
    > add 00600 deny log ip from any to any
    >
    > #--- end ipfw.rules ---#
    >
    > -----------------------------snip------------------------------
    >
    >
    > any comments on how i could improve this set of ipfw rules to
    > better secure my internal client would be appreciated. thanks again
    >
    > redmond
    >
    >
    > To Unsubscribe: send mail to majordomo@FreeBSD.org
    > with "unsubscribe freebsd-questions" in the body of the message
    >


    -----Original Message-----
    From: owner-freebsd-questions@freebsd.org
    [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Robert Storey
    Sent: Sunday, September 14, 2003 5:27 AM
    To: freebsd-questions@freebsd.org
    Subject: firewall

    Dear All,

    I'm having a hard time configuring a firewall. I ALMOST understand it,
    but I've run into one problem. I think I don't actually have my
    /etc/rc.firewall set up properly. Maybe I don't really understand what
    the "ip" setting should be, and I've made it the same as my "net"
    setting. Anyway, what I can say is that with the configuration I have, I
    can access my internal (ethernet) network, but ppp is totally blocked,
    which of course I don't want.

    Below are the configuration settings I've made, and the results I get. I
    hope that somebody can help.

    best regards,
    Robert Storey

    FROM /etc/rc.conf:

      firewall_enable="YES"
      firewall_script="/etc/rc.firewall"
      firewall_type="client"

    FROM /etc/rc.firewall:

            # set these to your network and netmask and ip
            net="192.168.0.2"
            mask="255.255.255.0"
            ip="192.168.0.2"

    CONTENT OF /etc/hosts:
    #
    ::1 localhost localhost.utopia.com
    127.0.0.1 localhost localhost.utopia.com
    #
    192.168.0.3 ibm.utopia.com ibm
    192.168.0.2 sonic.utopia.com sonic
    192.168.0.1 pro.utopia.com pro

    OUTPUT OF "ipfw -a list":

    00100 0 0 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    00400 0 0 allow ip from 192.168.0.2 to 192.168.0.0/24
    00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.2
    00600 0 0 allow tcp from any to any established
    00700 0 0 allow ip from any to any frag
    00800 0 0 allow tcp from any to 192.168.0.2 dst-port 25 setup
    00900 0 0 allow tcp from 192.168.0.2 to any setup
    01000 0 0 deny tcp from any to any setup
    01100 0 0 allow udp from 192.168.0.2 to any dst-port 53 keep-state
    01200 0 0 allow udp from 192.168.0.2 to any dst-port 123 keep-state
    65535 0 0 deny ip from any to any

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to
    "freebsd-questions-unsubscribe@freebsd.org"



