Re: jailed "system" needs IPV4 access
From: Alan Hicks (1001298936_at_carrier.lizella.net)
Date: 02/27/04
- Next message: Steinar Haug: "Re: jailed "system" needs IPV4 access"
- Previous message: Steinar Haug: "Re: Vinum raid5 proformance problem"
- In reply to: John38: "Re: jailed "system" needs IPV4 access"
- Next in thread: Steinar Haug: "Re: jailed "system" needs IPV4 access"
- Reply: Steinar Haug: "Re: jailed "system" needs IPV4 access"
- Reply: Lowell Gilbert: "Re: jailed "system" needs IPV4 access"
- Reply: John38: "Re: jailed "system" needs IPV4 access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 27 Feb 2004 12:44:15 -0600
Egad! What a mess!
In comp.unix.bsd.freebsd.misc, John38 dared to utter,
> OK, here is the output:
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
These three rules are redundant. 127.0.0.0/8 is always on lo0. Try
this.
00100 allow ip from 127.0.0.0/8 to 127.0.0.0/8
> 00400 allow ip from 1.0.0. to realip.add.r.0/28
> 00500 allow ip from realip.add.r.0/28 to 1.0.0.
I'm not entirely sure what you mean by realip.add.r.0/28. Is this your
jailed IP address? From reading I gather that you actually have valid
public ip addresses that begin with 1.0. ? It's very unclear.
> 00600 allow tcp from any to any established
You should seriously consider dumping this in favor of check-state.
"established" doesn't set up dynamic rules, and IIRC simply checks to
see if the ACK flag is set on a tcp packet. A black hat can generate
ACK packets by the bucket load. Also, established only works with tcp
packets. check-state and keep-state will work on tcp, udp, and icmp.
> 00700 allow ip from any to any frag
Any particular reason why you're allowing fragments? Typically frag is
used to drop packet fragments, which again are a good black hat tool to
DOS a system with. Also, due to the placement of this rule, any
fragments sent to your machine will be accepted regardless of the port
you want to allow them on. Below you've got a list of ports that you
want open. For argument's sake, let's assume you're running an HTTP
proxy on port 8080. A fragment packet could be used to speak to that
without an explicit rule allowing such communication.
> 00800 allow tcp from any to 1.0.0. 20 setup
> 00900 allow tcp from any to 1.0.0. 21 setup
> 01000 allow tcp from any to 1.0.0. 25 setup
> 01100 allow tcp from any to 1.0.0. 22 setup
> 01200 allow tcp from any to 1.0.0. 53 setup
Nothing wrong here.
> 01300 allow udp from any to 1.0.0. 53
> 01400 allow udp from 1.0.0. 53 to any
Here's where check-state would help you out by eliminating a rule in
your chain.
> 01500 allow tcp from any to 1.0.0. 80 setup
> 01600 allow tcp from any to 1.0.0. 110 setup
> 01700 allow tcp from any to 1.0.0. 113 setup
> 01800 allow tcp from any to 1.0.0. 123 setup
> 01900 allow tcp from any to 1.0.0. 443 setup
> 02000 allow tcp from 1.0.0. to any setup
Again, nothing wrong here.
> 02100 deny tcp from any to any setup
You should drop the setup flag. That just checks to see if the packet
is a SYN packet, and if so, drops it. From your ruleset, it seems you
want to drop all tcp packets that don't match a previous rule here.
Delete the setup flag and you're all set.
> 02200 allow udp from 1.0.0. to any 53 keep-state
> 02300 allow udp from 1.0.0. to any 123 keep-state
Without using check-state somewhere above, the keep-state option just
creates a dynamic rule that will never be checked.
> 65535 deny ip from any to any
I don't understand everything you're trying to do, but the more and
more I look at it, the more and more it seems to me like you've only
got a single public IP address, and you want to have jailed services on
this machine running through a non-routable (at least for other
machines) private IP. I can't guarantee that the below will work, but
here's my best shot.
This is a firewall script I use on a NAT router. dc1 is the external
interface. dc0 is the internal interface.
00100 deny ip from any to any frag
00200 allow ip from 127.0.0.1 to 127.0.0.1
00500 deny log ip from 192.168.1.0/24 to any in via dc1
00600 deny log ip from 10.0.0.0/8 to any in via dc1
00700 deny log ip from 172.16.0.0/12 to any in via dc1
00800 deny log ip from not 192.168.1.0/24 to any in via dc0
01000 divert 8668 ip from any to any
02000 check-state
03000 allow tcp from me to any keep-state
03100 allow tcp from 192.168.1.0/24 to any keep-state
05000 allow log tcp from any to me dst-port 22 setup keep-state
10000 allow udp from me to any keep-state
11000 allow udp from 192.168.1.0/24 to any keep-state
20000 allow icmp from me to any keep-state
21000 allow icmp from 192.168.1.0/24 to any keep-state
65535 deny ip from any to any
00100 The very first rule drops any and all packet fragments, even before
checking dynamic rules.
00200 This allows traffic from localhost to localhost.
00500 - 00800 These just prevent packet spoofing. They drop all private
IPs coming in the external interface, and drop all non-LAN IPs from
coming through the internal interface. The last rule is especially
important on LANs that have wireless bridges.
01000 This just passes things to natd.
02000 Now we're checking dynamic rules. Note that at this point none of
our firewall rules have set dynamic rules. We'll only set those AFTER
checking state.
03000 - 03100 This allows out all tcp packets on any port from my
machine or the local NAT network, and creates a dynamic rule to match
the return packets.
05000 This is the type of rule you want to use on your services. This
allows all tcp traffic on port 22 (SSH) to talk to any interface on my
firewall IF the tcp packet is a SYN packet. Note that rule 00100 keeps
any packet fragments from even getting this far and possibly setting up
an unwanted connection. Then it creates a dynamic rule to match that
connection. It also logs these connections.
10000 - 21000 These just allow udp and icmp packets out of the LAN and
firewall, and set up dynamic rules to match the replies that should be
received.
> What I want to achieve is a virtual machine with a real IP. The router
> is .1 and the host is .2 and the virt. machine is .3 and the .3 will be
> in DNS. The virt. machine needs routing in and out. (I forgot that ping
> and traceroute are disabled on the host via fw rules, sorry)
You need something similar. By router, I'm assuming you are implying
that this is the machine your ipfw ruleset is on. In that case, it
should be simple. Try something like this.
00100 deny ip from any to any frag
00200 allow ip from 127.0.0.1 to 127.0.0.1
00500 deny log ip from 192.168.1.0/24 to any in via dc1
00600 deny log ip from 10.0.0.0/8 to any in via dc1
00700 deny log ip from 172.16.0.0/12 to any in via dc1
02000 check-state
03000 allow tcp from me to any keep-state
04000 allow log tcp from any to 1.0.1.3 dst-port 22 setup keep-state
10000 allow udp from me to any keep-state
11000 allow udp from 1.0.1.3 to any keep-state
20000 allow icmp from me to any keep-state
21000 allow icmp from 1.0.1.3 to any keep-state
65535 deny ip from any to any
This allows any tcp setup traffic to port 22 on your virtual host, sets
up a dynamic rule for it, and blocks all other tcp traffic to and from
that machine. Of course you can edit this to include more rules for
your ports. Routing shouldn't be any different just because you're on
a virtual NIC as long as your IP settings are correct, such as your
address and gateway. The above assumes that "me" is the gateway 1.0.1.1
and the virtual host is 1.0.1.3. No effort has been made to include
rules for 1.0.1.2, but again you can add these as needed.
Can someone tell me if I'm overlooking something? This all seems too
simple to be this difficult.
-- It is better to hear the rebuke of the wise, Than for a man to hear the song of fools. Ecclesiastes 7:5
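The four problems raised in this reply (an "established" rule instead of check-state, "allow ... frag" placed ahead of the port rules, a catch-all deny limited by "setup", and keep-state with no earlier check-state) can be checked mechanically against `ipfw show` output. The linter below is an added example, not code from the post or from FreeBSD; the quoted ruleset is a constructed excerpt in which the truncated "1.0.0." address is replaced by the TEST-NET placeholder 192.0.2.2, and the second ruleset is the reply's proposed one.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the ruleset quoted in the post (192.0.2.2 is a
# placeholder for the address the original shows only as "1.0.0.").
QUOTED_RULES = """\
00600 allow tcp from any to any established
00700 allow ip from any to any frag
00800 allow tcp from any to 192.0.2.2 22 setup
02100 deny tcp from any to any setup
02200 allow udp from 192.0.2.2 to any 53 keep-state
65535 deny ip from any to any"""

# The reply's proposed ruleset for the virtual host, trimmed to the rules
# the linter looks at.
PROPOSED_RULES = """\
00100 deny ip from any to any frag
02000 check-state
03000 allow tcp from me to any keep-state
04000 allow log tcp from any to 1.0.1.3 dst-port 22 setup keep-state
65535 deny ip from any to any"""


def lint_ipfw(ruleset: str) -> List[Tuple[str, str]]:
    """Return (rule number, finding) pairs, walking rules in chain order."""
    findings = []
    seen_check_state = False  # dynamic rules are only consulted after this
    for line in ruleset.splitlines():
        parts = line.split()
        if not parts:
            continue
        num, body = parts[0], " ".join(parts[1:])
        if body == "check-state":
            seen_check_state = True
        if " established" in body:
            findings.append((num, "'established' only tests the ACK flag; use check-state/keep-state"))
        if "keep-state" in parts and not seen_check_state:
            findings.append((num, "keep-state with no earlier check-state: dynamic rule is never checked"))
        if body.startswith("allow") and "frag" in parts:
            findings.append((num, "fragments allowed regardless of port; deny frag first instead"))
        if re.search(r"\bdeny\b.*\bsetup\b", body) and "from any to any" in body:
            findings.append((num, "catch-all deny only matches SYN packets; drop 'setup'"))
    return findings


if __name__ == "__main__":
    for num, msg in lint_ipfw(QUOTED_RULES):
        print(f"{num}: {msg}")
    print("proposed ruleset findings:", lint_ipfw(PROPOSED_RULES))
```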