Date: Wed, 27 Apr 2011 21:43:58 -0500
From: Antonio Olivares <olivares14031@gmail.com>
To: vogelke+unix@pobox.com
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: easy Firewall setup
Message-ID: <BANLkTin0Pvio14y6%2B_Bu1nftCqPdr-Cmxg@mail.gmail.com>
In-Reply-To: <20110426184836.3C611B7EE@kev.msw.wpafb.af.mil>
References: <BANLkTi=Ve56c_QhFnA5c0xoRPf82eZZ=1w@mail.gmail.com> <20110426184836.3C611B7EE@kev.msw.wpafb.af.mil>
Thanks, Karl, for your script :) This will help tremendously.
Also thanks to Daniel & Polytropon & Krad & Warren & Fbsd for your suggestions & help.
Sorry I could not get back since the network went down. I will report back as soon as I can get going again.

Regards,

Antonio

On Tue, Apr 26, 2011 at 1:48 PM, Karl Vogel <vogelke+unix@pobox.com> wrote:
>>> On Mon, 25 Apr 2011 19:43:33 -0500,
>>> Antonio Olivares <olivares14031@gmail.com> said:
>
> A> Is there an easy firewall setup available somewhere (like the one
> A> referenced below but for FreeBSD)?
>
>    Here's a script you can use to generate a rules file for IPF.
>
> --
> Karl Vogel                        I don't speak for the USAF or my company
>
> The only freedom which deserves the name, is that of pursuing our own good
> in our own way, so long as we do not attempt to deprive others of theirs,
> or impede their efforts to obtain it.        --John Stuart Mill, "On Liberty"
>
> ---------------------------------------------------------------------------
> #!/bin/sh
> # This is a shell archive (produced by GNU sharutils 4.6).
> # To extract the files from this archive, save it to some FILE, remove
> # everything before the `!/bin/sh' line above, then type `sh FILE'.
> #
> # Existing files will *not* be overwritten unless `-c' is specified.
> # This format requires very little intelligence at unshar time.
> # "if test", "echo", "mkdir", and "sed" may be needed.
> #
> # This shar contains:
> # length mode       name
> # ------ ---------- ------------------------------------------
> #   7197 -rw-r--r-- ipf-sample-ruleset
> #     71 -rw-r--r-- ipf.break
> #    144 -rw-r--r-- ipf.header
> #     64 -rw-r--r-- ipf.whitelist
> #   4977 -rwxr-xr-x make-ipf-rules
> #
> echo=echo
> shar_tty= shar_n= shar_c='
> '
> mkdir _sh14472 || ( echo 'failed to create locking directory' '_sh14472'; exit 1 )
> # ============= ipf-sample-ruleset ==============
> if test -f 'ipf-sample-ruleset' && test "$first_param" != -c; then
>  $echo 'x -' SKIPPING 'ipf-sample-ruleset' '(file already exists)'
> else
>  $echo 'x -' extracting 'ipf-sample-ruleset' '(text)'
>  sed 's/^X//' << 'SHAR_EOF' > 'ipf-sample-ruleset' &&
> X#################################################################
> X# http://www.pc-freak.net/handbook/firewalls-ipf.html
> X# No restrictions on Inside LAN Interface for private network
> X# Not needed unless you have LAN
> X#################################################################
> X
> X#pass out quick on xl0 all
> X#pass in quick on xl0 all
> X
> X#################################################################
> X# No restrictions on Loopback Interface
> X#################################################################
> Xpass in quick on lo0 all
> Xpass out quick on lo0 all
> X
> X#################################################################
> X# Interface facing Public Internet (Outbound Section)
> X# Interrogate session start requests originating from behind the
> X# firewall on the private network
> X# or from this gateway server destined for the public Internet.
> X#################################################################
> X
> X# Allow out access to my ISP's Domain name server.
> X# xxx must be the IP address of your ISP's DNS.
> X# Dup these lines if your ISP has more than one DNS server
> X# Get the IP addresses from /etc/resolv.conf file
> Xpass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state
> Xpass out quick on dc0 proto udp from any to xxx port = 53 keep state
> X
> X# Allow out access to my ISP's DHCP server for cable or DSL networks.
> X# This rule is not needed for 'user ppp' type connection to the
> X# public Internet, so you can delete this whole group.
> X# Use the following rule and check log for IP address.
> X# Then put IP address in commented out rule & delete first rule
> Xpass out log quick on dc0 proto udp from any to any port = 67 keep state
> X#pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state
> X
> X
> X# Allow out non-secure standard www function
> Xpass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
> X
> X# Allow out secure www function https over TLS SSL
> Xpass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
> X
> X# Allow out send & get email function
> Xpass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
> Xpass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
> X
> X# Allow out Time
> Xpass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
> X
> X# Allow out nntp news
> Xpass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
> X
> X# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
> X# This function uses the IPNAT built in FTP proxy function coded in
> X# the nat rules file to make this single rule function correctly.
> X# If you want to use the pkg_add command to install application packages
> X# on your gateway system you need this rule.
> Xpass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
> X
> X# Allow out secure FTP, Telnet, and SCP
> X# This function is using SSH (secure shell)
> Xpass out quick on dc0 proto tcp from any to any port = 22 flags S keep state
> X
> X# Allow out non-secure Telnet
> Xpass out quick on dc0 proto tcp from any to any port = 23 flags S keep state
> X
> X# Allow out FBSD CVSUP function
> Xpass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state
> X
> X# Allow out ping to public Internet
> Xpass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
> X
> X# Allow out whois for LAN PC to public Internet
> Xpass out quick on dc0 proto tcp from any to any port = 43 flags S keep state
> X
> X# Block and log only the first occurrence of everything
> X# else that's trying to get out.
> X# This rule enforces the block all by default logic.
> Xblock out log first quick on dc0 all
> X
> X#################################################################
> X# Interface facing Public Internet (Inbound Section)
> X# Interrogate packets originating from the public Internet
> X# destined for this gateway server or the private network.
> X#################################################################
> X
> X# Block all inbound traffic from non-routable or reserved address spaces
> Xblock in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918 private IP
> Xblock in quick on dc0 from 172.16.0.0/12 to any     #RFC 1918 private IP
> Xblock in quick on dc0 from 10.0.0.0/8 to any        #RFC 1918 private IP
> Xblock in quick on dc0 from 127.0.0.0/8 to any       #loopback
> Xblock in quick on dc0 from 0.0.0.0/8 to any         #loopback
> Xblock in quick on dc0 from 169.254.0.0/16 to any    #DHCP auto-config
> Xblock in quick on dc0 from 192.0.2.0/24 to any      #reserved for docs
> Xblock in quick on dc0 from 204.152.64.0/23 to any   #Sun cluster interconnect
> Xblock in quick on dc0 from 224.0.0.0/3 to any       #Class D & E multicast
> X
> X##### Block a bunch of different nasty things. ############
> X# That I do not want to see in the log
> X
> X# Block frags
> Xblock in quick on dc0 all with frags
> X
> X# Block short tcp packets
> Xblock in quick on dc0 proto tcp all with short
> X
> X# block source routed packets
> Xblock in quick on dc0 all with opt lsrr
> Xblock in quick on dc0 all with opt ssrr
> X
> X# Block nmap OS fingerprint attempts
> X# Log first occurrence of these so I can get their IP address
> Xblock in log first quick on dc0 proto tcp from any to any flags FUP
> X
> X# Block anything with special options
> Xblock in quick on dc0 all with ipopts
> X
> X# Block public pings
> Xblock in quick on dc0 proto icmp all icmp-type 8
> X
> X# Block ident
> Xblock in quick on dc0 proto tcp from any to any port = 113
> X
> X# Block all Netbios service. 137=name, 138=datagram, 139=session
> X# Netbios is MS/Windows sharing services.
> X# Block MS/Windows hosts2 name server requests 81
> Xblock in log first quick on dc0 proto tcp/udp from any to any port = 137
> Xblock in log first quick on dc0 proto tcp/udp from any to any port = 138
> Xblock in log first quick on dc0 proto tcp/udp from any to any port = 139
> Xblock in log first quick on dc0 proto tcp/udp from any to any port = 81
> X
> X# Allow traffic in from ISP's DHCP server. This rule must contain
> X# the IP address of your ISP's DHCP server as it's the only
> X# authorized source to send this packet type. Only necessary for
> X# cable or DSL configurations. This rule is not needed for
> X# 'user ppp' type connection to the public Internet.
> X# This is the same IP address you captured and
> X# used in the outbound section.
> Xpass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state
> X
> X# Allow in standard www function because I have apache server
> Xpass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
> X
> X# Allow in non-secure Telnet session from public Internet
> X# labeled non-secure because ID/PW passed over public Internet as clear text.
> X# Delete this sample group if you do not have telnet server enabled.
> X#pass in quick on dc0 proto tcp from any to any port = 23 flags S keep state
> X
> X# Allow in secure FTP, Telnet, and SCP from public Internet
> X# This function is using SSH (secure shell)
> Xpass in quick on dc0 proto tcp from any to any port = 22 flags S keep state
> X
> X# Block and log only first occurrence of all remaining traffic
> X# coming into the firewall. The logging of only the first
> X# occurrence stops a "denial of service" attack targeted
> X# at filling up your log file space.
> X# This rule enforces the block all by default logic.
> Xblock in log first quick on dc0 all
> X################### End of rules file #####################################
> SHAR_EOF
>  : || $echo 'restore of' 'ipf-sample-ruleset' 'failed'
> fi
> # ============= ipf.break ==============
> if test -f 'ipf.break' && test "$first_param" != -c; then
>  $echo 'x -' SKIPPING 'ipf.break' '(file already exists)'
> else
>  $echo 'x -' extracting 'ipf.break' '(text)'
>  sed 's/^X//' << 'SHAR_EOF' > 'ipf.break' &&
> X# --------------------------------------------------------------------
> SHAR_EOF
>  : || $echo 'restore of' 'ipf.break' 'failed'
> fi
> # ============= ipf.header ==============
> if test -f 'ipf.header' && test "$first_param" != -c; then
>  $echo 'x -' SKIPPING 'ipf.header' '(file already exists)'
> else
>  $echo 'x -' extracting 'ipf.header' '(text)'
>  sed 's/^X//' << 'SHAR_EOF' > 'ipf.header' &&
> X#
> X# NAME:
> X#    /etc/ipf.rules
> X#
> X# DESCRIPTION:
> X#    Ruleset for IPF packet filter.
> X#
> X# AUTHOR:
> X#    Antonio Olivares <olivares14031@gmail.com>
> X
> SHAR_EOF
>  : || $echo 'restore of' 'ipf.header' 'failed'
> fi
> # ============= ipf.whitelist ==============
> if test -f 'ipf.whitelist' && test "$first_param" != -c; then
>  $echo 'x -' SKIPPING 'ipf.whitelist' '(file already exists)'
> else
>  $echo 'x -' extracting 'ipf.whitelist' '(text)'
>  sed 's/^X//' << 'SHAR_EOF' > 'ipf.whitelist' &&
> Xfriend@some.host.com    1.2.3.4
> Xbuddy@somewhere.else    1.2.3.5
> SHAR_EOF
>  : || $echo 'restore of' 'ipf.whitelist' 'failed'
> fi
> # ============= make-ipf-rules ==============
> if test -f 'make-ipf-rules' && test "$first_param" != -c; then
>  $echo 'x -' SKIPPING 'make-ipf-rules' '(file already exists)'
> else
>  $echo 'x -' extracting 'make-ipf-rules' '(text)'
>  sed 's/^X//' << 'SHAR_EOF' > 'make-ipf-rules' &&
> X#!/bin/ksh
> X#
> X# $Date: 2011-04-26 14:22:54-04 $
> X# $Source: /home/vogelke/notebook/2011/0324/ipf/RCS/make-ipf-rules,v $
> X# $UUID: eaf3390f-4ef2-3cda-85ad-583f1413d9e0 $
> X#
> X#<make-ipf-rules: Make IPF rules using list of valid hosts.
> X
> Xexport PATH=/usr/local/bin:/bin:/usr/bin:/usr/sbin:/sbin
> Xtag=${0##*/}
> X
> Xversion () {
> X    rcs='$Revision: 1.10 $'
> X    set X $rcs
> X    echo $tag v$3
> X}
> X
> X# Network interface; set directly or run ifconfig.
> Xset X $(ifconfig -a | grep RUNNING | grep -v LOOPBACK | tr -d ':')
> Xoif=$2
> X
> X# Abbreviations and templates.
> Xks="keep state"
> Xfks="flags S keep state"
> X
> Xheader='ipf.header'
> Xtest -f "$header" || { echo $header not found; exit 1; }
> X
> Xgood='ipf.whitelist'
> Xtest -f "$good" || { echo $good not found; exit 1; }
> X
> Xsec=''
> Xtest -f "ipf.break" && sec=$(cat ipf.break)
> X
> X# --------------------------------------------------------------------
> X# This is boilerplate that should always be included.
> X
> Xecho "# Generated by $(version) at $(date)"
> Xcat $header
> X
> Xcat << PART1
> X$sec
> X# We don't care about NETBIOS broadcast crap, bootpc requests, or IGMP.
> Xblock in quick on $oif proto udp  from any to any port = 68
> Xblock in quick on $oif proto udp  from any to any port = 137
> Xblock in quick on $oif proto udp  from any to any port = 138
> Xblock in quick on $oif proto igmp from any to any
> X
> X$sec
> X# Now block everything coming down the network.
> Xblock in  log  on $oif all
> Xblock out log  on $oif all
> X
> X$sec
> X# Get rid of anything with options, as these can be used to hack.
> Xblock in  log quick     from any to any with ipopts
> X
> X$sec
> X# Get rid of short TCP/IP fragments (too small for valid comparison)
> X# as these can be used to hack.
> Xblock in  log quick proto tcp from any to any with short
> X
> X$sec
> X# Allow all traffic on loopback.
> Xpass  in  quick on lo0 all
> Xpass  out quick on lo0 all
> X
> X$sec
> X# Block all the private routable addresses, as these should never
> X# come down the network, nor should we be talking to them.
> Xblock out quick on $oif from any               to 192.168.0.0/16
> Xblock out quick on $oif from any               to 172.16.0.0/12
> Xblock out quick on $oif from any               to 127.0.0.0/8
> Xblock out quick on $oif from any               to 10.0.0.0/8
> Xblock out quick on $oif from any               to 0.0.0.0/8
> Xblock out quick on $oif from any               to 169.254.0.0/16
> Xblock out quick on $oif from any               to 192.0.2.0/24
> Xblock out quick on $oif from any               to 204.152.64.0/23
> Xblock out quick on $oif from any               to 224.0.0.0/3
> X
> Xblock in  quick on $oif from 192.168.0.0/16    to any
> Xblock in  quick on $oif from 172.16.0.0/12     to any
> Xblock in  quick on $oif from 10.0.0.0/8        to any
> Xblock in  quick on $oif from 127.0.0.0/8       to any
> Xblock in  quick on $oif from 0.0.0.0/8         to any
> Xblock in  quick on $oif from 169.254.0.0/16    to any
> Xblock in  quick on $oif from 192.0.2.0/24      to any
> Xblock in  quick on $oif from 204.152.64.0/23   to any
> Xblock in  quick on $oif from 224.0.0.0/3       to any
> X
> X$sec
> X# Block and log portmapper attempts.
> Xblock in log quick on $oif proto tcp/udp from any to any port = 111 $ks
> X
> X$sec
> X# Allow outbound state related packets.
> Xpass  out quick on $oif proto tcp from any to any $fks
> Xpass  out quick on $oif proto udp from any to any $ks
> X
> X$sec
> X# Allow ping and traceroute.  Since we're doing everything quick,
> X# we must have passes before blocks.
> Xpass  in quick on $oif proto icmp from any to any icmp-type  0 $ks
> Xpass  in quick on $oif proto icmp from any to any icmp-type  8 $ks
> Xpass  in quick on $oif proto icmp from any to any icmp-type 11 $ks
> Xpass out quick on $oif proto icmp from any to any icmp-type  0 $ks
> Xpass out quick on $oif proto icmp from any to any icmp-type  8 $ks
> Xpass out quick on $oif proto icmp from any to any icmp-type 11 $ks
> Xblock in log quick on $oif proto icmp from any to any
> X
> X$sec
> X# Allow DNS; should this be just from nameservers?
> Xpass in quick on $oif proto tcp from any to any port = 53 $fks
> Xpass in quick on $oif proto udp from any to any port = 53 $ks
> X
> X$sec
> X# Allow ssh and mail from anywhere: tcpserver filters addresses
> Xpass in quick on $oif proto tcp from any to any port = 22 $fks
> Xpass in quick on $oif proto tcp from any to any port = 25 $fks
> X
> XPART1
> X
> X# --------------------------------------------------------------------
> X# This is host-specific.  "sortcmd" sorts IP addresses correctly.
> X
> Xecho "$sec"
> Xecho '# Allow http from selected addresses.'
> Xsortcmd='/bin/sort -t. -k 1,1n -k 2,2n -k 3,3n -k 4,4n'
> X
> Xawk '{print $2}' $good | $sortcmd | uniq |
> Xwhile read ip; do
> X    echo "pass in quick on $oif proto tcp from $ip to any port = 80 $fks"
> Xdone
> Xecho
> X
> Xecho "$sec"
> Xecho '# Allow secure http from selected addresses.'
> Xawk '{print $2}' $good | $sortcmd | uniq |
> Xwhile read ip; do
> X    echo "pass in quick on $oif proto tcp from $ip to any port = 443 $fks"
> Xdone
> X
> X# --------------------------------------------------------------------
> X# Footer.
> X
> Xcat << FOOTER
> X
> X$sec
> X# Copyright (C) $(date +%Y) $COMPANY
> X# EOF
> XFOOTER
> X
> Xexit 0
> SHAR_EOF
>  : || $echo 'restore of' 'make-ipf-rules' 'failed'
> fi
> $echo $shar_n 'x -' 'lock directory' "\`_sh14472': " $shar_c
> if rm -fr _sh14472; then
>  $echo 'removed'
> else
>  $echo 'failed to remove'
> fi
> exit 0
>
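As an added example (not Karl's script or any code from the thread), here is the host-specific part of make-ipf-rules redone with the checks the awk | sort | uniq pipeline lacks: a malformed address in ipf.whitelist is reported instead of being emitted into a rule ipf cannot load, and an address that falls inside one of the ranges the boilerplate already blocks with an earlier "quick" rule is flagged as shadowed, since its pass rule would never be reached. The whitelist text and the interface name dc0 are constructed for the example.

```python
import ipaddress

# Constructed sample in the "user@host  ip" layout of ipf.whitelist; the last
# three entries are the cases the original pipeline passes through unnoticed.
SAMPLE_WHITELIST = """\
friend@some.host.com    1.2.3.4
buddy@somewhere.else    1.2.3.5
dup@somewhere.else      1.2.3.4
typo@example.net        1.2.3
lan@example.net         192.168.1.10
"""

# Ranges make-ipf-rules blocks with "block in quick" before any host-specific
# pass rule; a whitelisted address inside one of them is shadowed.
BLOCKED_IN = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8",
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "204.152.64.0/23",
    "224.0.0.0/3")]


def parse_whitelist(text):
    """Return (sorted unique valid IPv4 addresses, list of problem strings)."""
    good, problems = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2:
            problems.append(f"line {lineno}: missing address")
            continue
        try:
            ip = ipaddress.IPv4Address(fields[1])   # rejects "1.2.3", "a.b.c.d", ...
        except ValueError:
            problems.append(f"line {lineno}: bad address {fields[1]!r}")
            continue
        shadow = next((n for n in BLOCKED_IN if ip in n), None)
        if shadow is not None:
            problems.append(f"line {lineno}: {ip} is inside blocked range {shadow}")
            continue
        good.add(ip)
    # IPv4Address sorts numerically, which is what the sortcmd -k1,1n ... does.
    return sorted(good), problems


def host_rules(ips, oif, ports=(80, 443)):
    """Emit the per-host pass rules the script prints for http and https."""
    fks = "flags S keep state"
    return [f"pass in quick on {oif} proto tcp from {ip} to any port = {port} {fks}"
            for port in ports for ip in ips]


if __name__ == "__main__":
    ips, problems = parse_whitelist(SAMPLE_WHITELIST)
    for p in problems:
        print("#", p)
    print("\n".join(host_rules(ips, "dc0")))
```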