From owner-svn-doc-all@FreeBSD.ORG Sat Feb 22 02:43:03 2014
Message-Id: <201402220243.s1M2h3JL099191@svn.freebsd.org>
From: Dru Lavigne Date: Sat, 22 Feb 2014 02:43:03 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44024 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Feb 2014 02:43:03 -0000 Author: dru Date: Sat Feb 22 02:43:03 2014 New Revision: 44024 URL: http://svnweb.freebsd.org/changeset/doc/44024 Log: Cleanup sample ruleset. Move stuff that applies to all firewalls to Concepts section. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Sat Feb 22 01:58:09 2014 (r44023) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Sat Feb 22 02:43:03 2014 (r44024) @@ -170,6 +170,15 @@ selection criteria to create rules which will pass or block services. + To lookup unknown port numbers, refer to + /etc/services. Alternatively, visit http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers + and do a port number lookup to find the purpose of a + particular port number. + + Check out this link for port numbers used by Trojans http://www.sans.org/security-resources/idfaq/oddports.php. + A firewall ruleset can be either exclusive or inclusive. An exclusive firewall allows all traffic through except for the 
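Review bot: the two paragraphs added at line 170 read as informal web pointers rather than Handbook prose, and "To lookup" should be "To look up" (verb). Suggest "To look up an unfamiliar port number, consult /etc/services or the list at http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers" for the first paragraph, and "A list of port numbers commonly used by Trojans is maintained at http://www.sans.org/security-resources/idfaq/oddports.php" in place of "Check out this link for port numbers used by Trojans". Since this text now lives in the Concepts section and applies to every firewall in the chapter, it is worth keeping the register consistent with the surrounding paragraphs.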
@@ -1699,7 +1708,7 @@ ipnat_rules="/etc/ipnat.rules" # rule - <application>IPF</application> Rulesets + <application>IPF</application> Rule Syntax IPFILTER 
@@ -1988,198 +1997,98 @@ ipnat_rules="/etc/ipnat.rules" # rule - - - Inclusive Ruleset Example + Example Ruleset - The following ruleset is an example of an inclusive type - of firewall which only allows services matching - pass rules and blocks all others by - default. Network firewalls intended to protect other machines - should have at least two interfaces, and are generally - configured to trust the LAN and to not - trust the public Internet. Alternatively, a host based - firewall might be configured to protect only the system it is - running on, and is appropriate for servers on an untrusted - network or a desktop system not protected by firewall on the - network. + This section demonstrates how to create an example ruleset + which only allows services matching + pass rules and blocks all others. - &os; uses interface lo0 and IP + &os; uses the loopback interface (lo0) and the IP address 127.0.0.1 - for internal communication within the operating system. The - firewall rules must contain rules to allow free movement of - these internally used packets. - - The interface which faces the public Internet is the one - specified in the rules that authorize and control access of - the outbound and inbound connections. - - In cases where one or more NICs are cabled to private - network segments, those interfaces may require rules to allow - packets originating from those LAN interfaces transit to each - other or to the Internet. - - The rules should be organized into three major - sections: the trusted interfaces, then the public - interface outbound, and lastly, the public untrusted interface - inbound. + for internal communication. 
The + firewall ruleset must contain rules to allow free movement of + these internally used packets: - The rules in each of the public interface sections should + # no restrictions on loopback interface +pass in quick on lo0 all +pass out quick on lo0 all + + The public interface connected to the Internet is used to + authorize and control access of + all outbound and inbound connections. If one or more interfaces are cabled to private + networks, those internal interfaces may require rules to allow + packets originating from the LAN to flow between the internal networks + or to the interface attached to the Internet. The ruleset should be organized into three major + sections: any trusted internal interfaces, outbound connections through the public + interface, and inbound connections through the public interface. + + These two rules allow all traffic to pass through a trusted + LAN interface named xl0: + + # no restrictions on inside LAN interface for private network +pass out quick on xl0 all +pass in quick on xl0 all + + The rules for the public interface's outbound and inbound sections should have the most frequently matched rules placed before less commonly matched rules, with the last rule in the section - blocking and logging all packets on that interface and + blocking and logging all packets for that interface and direction. - The outbound section in the following ruleset only - contains pass rules which uniquely identify - the services that are authorized for public Internet access. - All the rules use quick, - on, proto, - port, and keep state. - The proto tcp rules include - flag to identify the session start request - as the triggering packet to activate the stateful - facility. - - The inbound section blocks undesirable packets first, for - two different reasons. The first is that malicious packets - may be partial matches for legitimate traffic. 
These packets - have to be discarded rather than allowed, based on their - partial matches against the allow rules. - The second reason is that known and uninteresting rejects may - be blocked silently, rather than being logged by the last rule - in the section. - - The ruleset should ensure that there is no response - returned for any undesirable traffic. Invalid packets should - be silently dropped so that the attacker has no knowledge if - the packets reached the system. Rules that include a - log first option, will only log the event - the first time they are triggered. This option is included in - the sample nmap OS fingerprint rule. The - security/nmap utility is - commonly used by attackers who attempt to identify the - operating system of the server. - - Any time there are logged messages on a rule with - the log first option, - ipfstat -hio should be executed - to evaluate how many times the rule has been matched. A - large number of matches usually indicates that the system is - being flooded or is under attack. - - To lookup unknown port numbers, refer to - /etc/services. Alternatively, visit http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers - and do a port number lookup to find the purpose of a - particular port number. - - Check out this link for port numbers used by Trojans http://www.sans.org/security-resources/idfaq/oddports.php. - - The following ruleset creates an - inclusive firewall ruleset which can be - easily customized by commenting out - pass rules for services that should not - be authorized. - - To avoid logging unwanted messages, add a - block rule in the inbound section. - - Change the dc0 interface name in - every rule to the interface name that connects the system to - the public Internet. 
- - The following statements were added to - /etc/ipf.rules: - - ################################################################# -# No restrictions on Inside LAN Interface for private network -# Not needed unless you have LAN -################################################################# - -#pass out quick on xl0 all -#pass in quick on xl0 all - -################################################################# -# No restrictions on Loopback Interface -################################################################# -pass in quick on lo0 all -pass out quick on lo0 all - -################################################################# -# Interface facing Public Internet (Outbound Section) -# Match session start requests originating from behind the -# firewall on the private network -# or from this gateway server destined for the public Internet. -################################################################# + This set of rules defines the outbound section of the + public interface named dc0. + These rules keep state and identify + the specific services that internal systems are authorized for public Internet access. + All the rules use quick and specify the + appropriate port numbers and, where applicable, destination + addresses. -# Allow out access to my ISP's Domain name server. -# xxx must be the IP address of your ISP's DNS. -# Dup these lines if your ISP has more than one DNS server -# Get the IP addresses from /etc/resolv.conf file -pass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state + # interface facing Internet (outbound) +# Matches session start requests originating from or behind the +# firewall, destined for the Internet. + +# Allow outbound access to public DNS servers. +# Replace x.x.x. with address listed in /etc/resolv.conf. +# Repeat for each DNS server. +pass out quick on dc0 proto tcp from any to x.x.x. 
port = 53 flags S keep state pass out quick on dc0 proto udp from any to xxx port = 53 keep state -# Allow out access to my ISP's DHCP server for cable or DSL networks. -# This rule is not needed for 'user ppp' type connection to the -# public Internet, so you can delete this whole group. -# Use the following rule and check log for IP address. -# Then put IP address in commented out rule & delete first rule +# Allow access to ISP's specified DHCP server for cable or DSL networks. +# Use the first rule, then check log for the IP address of DHCP server. +# Then, uncomment the second rule, replace z.z.z.z with the IP address, +# and comment out the first rule pass out log quick on dc0 proto udp from any to any port = 67 keep state #pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state - -# Allow out non-secure standard www function +# Allow HTTP and HTTPS pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state - -# Allow out secure www function https over TLS SSL pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state -# Allow out send & get email function +# Allow email pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state -# Allow out Time +# Allow NTP pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state -# Allow out nntp news -pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state - -# Allow out gateway & LAN users' non-secure FTP ( both passive & active modes) -# This function uses the IPNAT built in FTP proxy function coded in -# the nat rules file to make this single rule function correctly. -# If you want to use the pkg_add command to install application packages -# on your gateway system you need this rule. 
+# Allow FTP pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state -# Allow out ssh/sftp/scp (telnet/rlogin/FTP replacements) -# This function is using SSH (secure shell) +# Allow SSH pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state -# Allow out insecure Telnet -pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state - -# Allow out FreeBSD CVSup -pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state - -# Allow out ping to public Internet +# Allow ping pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state -# Allow out whois from LAN to public Internet -pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state - -# Block and log only the first occurrence of everything -# else that's trying to get out. -# This rule implements the default block -block out log first quick on dc0 all - -################################################################# -# Interface facing Public Internet (Inbound Section) -# Match packets originating from the public Internet -# destined for this gateway server or the private network. -################################################################# +# Block and log everything else +block out log first quick on dc0 all + + This example of the rules in the inbound section of the + public interface blocks all undesirable packets first. + This reduces the number of packets that are + logged by the last rule. + # interface facing Internet (inbound) # Block all inbound traffic from non-routable or reserved address spaces block in quick on dc0 from 192.168.0.0/16 to any #RFC 1918 private IP block in quick on dc0 from 172.16.0.0/12 to any #RFC 1918 private IP 
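Review bot: the DNS placeholders in the outbound section are inconsistent: the new TCP rule uses "x.x.x." (three octets and a trailing dot) while the unchanged UDP rule on the next line still uses "xxx", and the comment tells the reader to replace "x.x.x.". Use the same four-octet placeholder in both rules and in the comment, e.g. "pass out quick on dc0 proto tcp from any to x.x.x.x port = 53 flags S keep state" / "pass out quick on dc0 proto udp from any to x.x.x.x port = 53 keep state". The comment "# Allow NTP" is also wrong for the rule beneath it: the rule still passes TCP port 37, which the old comment correctly labelled Time; NTP is a different service (UDP port 123), so either restore "# Allow Time" or change the rule to match the new comment. Finally, the deleted paragraphs carried the security rationale for ordering the inbound section (malicious packets may be partial matches for the allow rules, and undesirable traffic should be dropped silently so the sender learns nothing), but the new lead-in for the inbound rules only mentions reducing log volume; consider keeping one sentence on why the block rules come first.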
@@ -2191,67 +2100,52 @@ block in quick on dc0 from 192.0.2.0/24 block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast -##### Block a bunch of different nasty things. ############ -# That I do not want to see in the log - -# Block frags +# Block fragments and too short tcp packets block in quick on dc0 all with frags - -# Block short tcp packets block in quick on dc0 proto tcp all with short # block source routed packets block in quick on dc0 all with opt lsrr block in quick on dc0 all with opt ssrr -# Block nmap OS fingerprint attempts -# Log first occurrence of these so I can get their IP address +# Block OS fingerprint attempts and log first occurrence block in log first quick on dc0 proto tcp from any to any flags FUP # Block anything with special options block in quick on dc0 all with ipopts -# Block public pings +# Block public pings and ident block in quick on dc0 proto icmp all icmp-type 8 - -# Block ident block in quick on dc0 proto tcp from any to any port = 113 -# Block all Netbios service. 137=name, 138=datagram, 139=session -# Netbios is MS/Windows sharing services. -# Block MS/Windows hosts2 name server requests 81 +# Block incoming Netbios services block in log first quick on dc0 proto tcp/udp from any to any port = 137 block in log first quick on dc0 proto tcp/udp from any to any port = 138 block in log first quick on dc0 proto tcp/udp from any to any port = 139 -block in log first quick on dc0 proto tcp/udp from any to any port = 81 +block in log first quick on dc0 proto tcp/udp from any to any port = 81 -# Allow traffic in from ISP's DHCP server. This rule must contain -# the IP address of your ISP's DHCP server as it is the only -# authorized source to send this packet type. Only necessary for -# cable or DSL configurations. This rule is not needed for -# 'user ppp' type connection to the public Internet. 
-# This is the same IP address you captured and -# used in the outbound section. -pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state - -# Allow in standard www function because I have apache server -pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state + Any time there are logged messages on a rule with + the log first option, run + ipfstat -hio + to evaluate how many times the rule has been matched. A + large number of matches may indicate that the system is + under attack. -# Allow in non-secure Telnet session from public Internet -# labeled non-secure because ID/PW passed over public Internet as clear text. -# Delete this sample group if you do not have telnet server enabled. -#pass in quick on dc0 proto tcp from any to any port = 23 flags S keep state + The rest of the rules in the inbound section define which + connections are allowed to be initiated from the Internet. + The last rule denies all connections which were not explicitly + allowed by previous rules in this section. + + +# Allow traffic in from ISP's DHCP server. Replace z.z.z.z with +# the same IP address used in the outbound section. +pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state -# Allow in secure FTP, Telnet, and SCP from public Internet -# This function is using SSH (secure shell) -pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state +# Allow public connections to specified internal web server +pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state -# Block and log only first occurrence of all remaining traffic -# coming into the firewall. The logging of only the first -# occurrence avoids filling up disk with Denial of Service logs. -# This rule implements the default block. -block in log first quick on dc0 all -################### End of rules file ##################################### +# Block and log only first occurrence of all remaining traffic. 
+block in log first quick on dc0 all
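Review bot: the new comment "# Block incoming Netbios services" now also covers the port 81 rule, but the deleted comment explained that 81 was a separate "MS/Windows hosts2 name server" case, and only 137-139 are NetBIOS; either keep a one-line comment for the port 81 rule or drop the rule rather than fold it under a label that does not describe it. The -/+ pair for that rule is otherwise identical, so it looks like a whitespace-only change that could be left out. In the web server rule, "to x.x.x.x port = 80" reuses the placeholder already used for the DNS server addresses in the outbound section; a reader substituting one value for every "x.x.x.x" would open port 80 toward the DNS server instead of the web server, so use a distinct placeholder and say in the comment that it is the web server's address. Also note that the inbound "pass in ... port = 22" rule is removed while the closing "block in log first quick on dc0 all" is kept, so a reader who loads this ruleset on a host they administer over SSH will lose that session; a short comment pointing out that inbound SSH must be added explicitly if needed would prevent that.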