From owner-freebsd-questions@FreeBSD.ORG Tue Jun 21 19:57:29 2005
From: RYAN vAN GINNEKEN <luck@computerking.ca>
To: freebsd-questions@freebsd.org
Date: Tue, 21 Jun 2005 13:57:36 -0600
Subject: ipf not working correctly???
Message-ID: <42B87130.6050203@computerking.ca>

Hello all,

I use FreeBSD stable 4.11 and wish to use the built-in ipf, version 3.x something. I have been using ipfw with the type set to open; however, I have recently been attacked and need to beef up security.

I have followed the basic setup that is in the FreeBSD handbook and read through the world famous ipf howto lots of times. Currently I have the below options compiled into my kernel; the docs I have read say you do not need to compile ipfilter options into the kernel to use it. I was going to uncomment the ipfilter stuff and comment out the ipfirewall options when I got ipfilter working. Is it necessary to recompile the kernel without the ipfirewall options to make ipfilter work?

Kernel OPTIONS========================
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
#options IPFILTER
#options IPFILTER_LOG
#options IPFILTER_DEFAULT_BLOCK

IN MY /etc/rc.conf==========================
#IPF & IPNAT
ipfilter_enable="YES"             # Start ipf firewall
#ipfilter_rules="/etc/ipf.rules"  # loads rules definition text file
ipfilter_rules="/etc/ipfopen.rules"
ipmon_enable="YES"                # Start IP monitor log
ipmon_flags="-Ds"                 # D = start as daemon, s = log to syslog, v =
ipnat_enable="YES"                # Start ipnat function
ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat

AS WELL AS THIS TO TURN OFF IPFILTER AND NATD
#IPFW & NATD
firewall_enable="NO"
firewall_type="OPEN"
firewall_quiet="NO"
#firewall_script="/etc/rc.firewall"
natd_enable="NO"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"

HERE IS /etc/ipnat.rules=============================================
# the rule that forwards everything
map xl0 192.168.0.0/16 -> 0/32

#VNC HOSTS
#HOST 1
#java
rdr xl0 0/32 port 5801 -> 192.168.0.1 port 5801
#no java
rdr xl0 0/32 port 5901 -> 192.168.0.1 port 5901
#HOST 2
#java
rdr xl0 0/32 port 5802 -> 192.168.0.1 port 5802
#no java
rdr xl0 0/32 port 5902 -> 192.168.0.1 port 5902
===============================================================

PLEASE FIND MY ipf.rules ATTACHED TO this email. I have even tried to use the following rule set to see if I could get ipf to work as an open firewall, but it still seems to block too much.

===============================================================
pass out quick on lo0 all
pass in quick on lo0 all
pass out quick on xl1 all
pass in quick on xl1 all
pass out quick on xl0 all
pass in quick on xl0 all
===============================================================

When I ping google.ca I get errors about unknown hostname. When I ping Google's IP address I get permission denied over and over again. When I try to use lynx I get "alert: destination host unreachable". Seems like DNS?? When I turn off ipf and use ipfw set to open, everything works fine again. Please, someone help; what is going wrong? ipmon/ipfstat do not seem to help, but maybe I need some guidance with these tools.

Attachment: iprules.txt

#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN
#################################################################
pass out quick on xl1 all
pass in quick on xl1 all

#fail safe open all on outside interface
#pass out quick on xl0 all
#pass in quick on xl0 all
#pass out quick on xl0 from any to any all
#pass in quick on xl0 from any to any all

#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
#pass out quick on xl0 proto tcp from any to 192.168.0.202 port = 53 flags S keep state
#pass out quick on xl0 proto udp from any to 192.168.0.202 port = 53 keep state
#pass out quick on xl0 proto tcp from any to 64.59.135.133 port = 53 flags S keep state
#pass out quick on xl0 proto udp from any to 64.59.135.135 port = 53 keep state
pass out quick on xl0 proto tcp from any to any port = 53 flags S keep state
pass out quick on xl0 proto udp from any to any port = 53 keep state

# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for 'user ppp' type connection to the
# public Internet, so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
pass out log quick on xl0 proto udp from any to any port = 67 keep state
#pass out quick on xl0 proto udp from any to z.z.z.z port = 67 keep state

# Allow out non-secure standard www function
pass out quick on xl0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on xl0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on xl0 proto tcp from any to any port = 993 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 143 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 110 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 25 flags S keep state

# Allow out Time
pass out quick on xl0 proto tcp from any to any port = 37 flags S keep state

# Allow out nntp news
pass out quick on xl0 proto tcp from any to any port = 119 flags S keep state

# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on xl0 proto tcp from any to any port = 21 flags S keep state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on xl0 proto tcp from any to any port = 22 flags S keep state

# Allow out non-secure Telnet
pass out quick on xl0 proto tcp from any to any port = 23 flags S keep state

# Allow out FBSD CVSUP function
pass out quick on xl0 proto tcp from any to any port = 5999 flags S keep state

# Allow out ping to public Internet
pass out quick on xl0 proto icmp from any to any icmp-type 8 keep state

# Allow out whois for LAN PC to public Internet
pass out quick on xl0 proto tcp from any to any port = 43 flags S keep state

# I have added these misc services ===========================================
# VNC
pass out quick on xl0 proto tcp from any to any port = 5800 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 5900 flags S keep state
# Most Dlink Router boxes
pass out quick on xl0 proto tcp from any to any port = 8080 flags S keep state
#==============================================================================

# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on xl0 all

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on xl0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in quick on xl0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in quick on xl0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in quick on xl0 from 127.0.0.0/8 to any       #loopback
block in quick on xl0 from 0.0.0.0/8 to any         #loopback
block in quick on xl0 from 169.254.0.0/16 to any    #DHCP auto-config
block in quick on xl0 from 192.0.2.0/24 to any      #reserved for docs
block in quick on xl0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any       #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I do not want to see in the log
# But I do

# Block frags
block in log first quick on xl0 all with frags
#block in quick on xl0 all with frags

# Block short tcp packets
block in log first quick on xl0 proto tcp all with short
#block in quick on xl0 proto tcp all with short

# block source routed packets
block in log first quick on xl0 all with opt lsrr
#block in quick on xl0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on xl0 proto tcp from any to any flags FUP

# Block anything with special options
block in log first quick on xl0 all with ipopts
#block in quick on xl0 all with ipopts

# Block public pings
block in log first quick on xl0 proto icmp all icmp-type 8
#block in quick on xl0 proto icmp all icmp-type 8

# Block ident
block in log first quick on xl0 proto tcp from any to any port = 113
#block in quick on xl0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on xl0 proto tcp/udp from any to any port = 137
block in log first quick on xl0 proto tcp/udp from any to any port = 138
block in log first quick on xl0 proto tcp/udp from any to any port = 139
block in log first quick on xl0 proto tcp/udp from any to any port = 81

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# 'user ppp' type connection to the public Internet.
# This is the same IP address you captured and
# used in the outbound section.
# change from any any should be the ip address mentioned above
pass in quick on xl0 proto udp from any to any port = 68 keep state

# Allow in standard www function because I have apache server
# pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
#pass in quick on xl0 proto tcp from any to any port = 23 flags S keep state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state

# SERVER OPERATIONS=======================================================
#Email Server
#smtp
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 587 flags S keep state
#imap and imaps
pass in quick on xl0 proto tcp from any to any port = 143 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 993 flags S keep state
#pop3 and pop3 secure not being used currently
#pass in quick on xl0 proto tcp from any to any port = 110 flags S keep state
#pass in quick on xl0 proto tcp from any to any port = 995 flags S keep state
#Web Server
#http and https
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 443 flags S keep state
#Samba Server?
#Mysql Server?
#vnc?
#games?

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a "denial of service" attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on xl0 all

#Home world 2 ports
#pass in quick on xl0 proto tcp from any to any port = 6737 flags S keep frags keep state
#pass in quick on xl0 proto tcp from any to any port = 2302: 2400 flags S keep frags keep state
#VNC
################### End of rules file ################
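The kernel options, rc.conf lines and ipf rules quoted in the post are the kind of text a reviewer would lint before rebooting a remote gateway. The following Python script is an added example for this thread; it is not code from the poster, from FreeBSD or from IPFilter. It parses the three fragments and reports three classes of problem visible in them: a quoted value in rc.conf that is never closed, a rule naming an interface the box does not have (the set KNOWN_IFACES is an assumption about the poster's machine), and a rule placed after a quick rule that already matches everything for the same direction and interface, which ipf will therefore never reach (ipf evaluates rules top to bottom and a quick match ends the search). The cross-check encodes a documented FreeBSD behaviour rather than anything the post states: a kernel built with IPFIREWALL but without IPFIREWALL_DEFAULT_TO_ACCEPT denies every packet until rules are loaded, and the rc scripts only load ipfw rules when firewall_enable is YES. All sample inputs are constructed to mirror the post.

```python
"""Lint the three config fragments quoted in this thread before rebooting.

Added example for this thread, not code from FreeBSD or IPFilter.  Sample
inputs are constructed to mirror the post (interface typo, unclosed quote);
KNOWN_IFACES is an assumption about the poster's gateway.
"""
import re

KNOWN_IFACES = {"xl0", "xl1", "lo0"}  # assumption: interfaces on the gateway
IPF_RULE_RE = re.compile(r"^(pass|block)\s+(?P<dir>in|out)\b.*?\bon\s+(?P<iface>\S+)")
QUICK_ALL_RE = re.compile(r"\b(all|from any to any)\s*$")

# Constructed sample inputs, trimmed from the post.
KERNEL = "options IPFIREWALL\noptions IPFIREWALL_VERBOSE\noptions IPDIVERT\n#options IPFILTER\n"
RC_CONF = 'ipfilter_enable="YES"\nipfilter_rules="/etc/ipfopen.rules"\nfirewall_enable="NO\nnatd_enable="NO"\n'
IPF_RULES = """\
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on x10 proto tcp from any to any port = 587 flags S keep state
block in log first quick on xl0 all
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
"""


def lint_ipf_rules(text, known=KNOWN_IFACES):
    """[(lineno, msg)]: rules on unknown interfaces, and rules that can never
    match because an earlier 'quick ... all' rule for the same direction and
    interface already swallows every packet (ipf stops at the first quick match)."""
    findings, quick_all = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = IPF_RULE_RE.match(line)
        if not m:
            findings.append((n, "unrecognised rule syntax"))
            continue
        key = (m["dir"], m["iface"])
        if m["iface"] not in known:
            findings.append((n, f"unknown interface {m['iface']!r}"))
        if key in quick_all:
            findings.append((n, f"shadowed by quick rule on line {quick_all[key]}"))
        elif "quick" in line.split() and QUICK_ALL_RE.search(line):
            quick_all[key] = n
    return findings


def parse_rc_conf(text):
    """Parse sh-style KEY="value" lines -> ({key: value}, [(lineno, msg)])."""
    values, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, rest = line.partition("=")
        if not sep or not re.fullmatch(r"[A-Za-z_]\w*", key):
            findings.append((n, "not a KEY=value assignment"))
            continue
        rest = rest.strip()
        if rest.startswith('"'):
            end = rest.find('"', 1)
            if end < 0:  # an unclosed quote such as firewall_enable="NO lands here
                findings.append((n, f"unterminated quote in {key}"))
                continue
            value, tail = rest[1:end], rest[end + 1:]
        else:
            value, _, tail = rest.partition(" ")
        if tail.strip() and not tail.strip().startswith("#"):
            findings.append((n, f"trailing text after value of {key}"))
        values[key] = value
    return values, findings


def kernel_options(text):
    """Names of uncommented 'options FOO' lines in a kernel config fragment."""
    matches = (re.match(r"options\s+(\w+)", l.split("#", 1)[0].strip()) for l in text.splitlines())
    return {m.group(1) for m in matches if m}


def cross_check(opts, rc):
    """Findings visible only when kernel config and rc.conf are read together."""
    findings = []
    if ("IPFIREWALL" in opts and "IPFIREWALL_DEFAULT_TO_ACCEPT" not in opts
            and rc.get("firewall_enable", "NO").upper() != "YES"):
        findings.append("IPFIREWALL compiled in without IPFIREWALL_DEFAULT_TO_ACCEPT and "
                        "firewall_enable is not YES: ipfw stays at its deny-all default")
    if rc.get("ipfilter_enable", "NO").upper() == "YES" and "IPFILTER" not in opts:
        findings.append("ipfilter_enable=YES without options IPFILTER: ipf must load as a module")
    return findings


def run_all(kernel=KERNEL, rc_conf=RC_CONF, rules=IPF_RULES):
    """Run every check and group the findings by the file they concern."""
    rc, rc_findings = parse_rc_conf(rc_conf)
    return {"rc.conf": rc_findings, "ipf.rules": lint_ipf_rules(rules),
            "kernel+rc.conf": cross_check(kernel_options(kernel), rc)}


if __name__ == "__main__":
    for section, items in run_all().items():
        for item in items:
            print(f"{section}: {item}")
```

Run against the constructed inputs it reports the unclosed quote on rc.conf line 3, the `x10` interface on rule 3, the unreachable port 80 rule behind the inbound block-all, and the two kernel/rc.conf interactions. Pointing `run_all` at the real files (`open("/etc/rc.conf").read()` and so on) is the intended use; the shadowing check is deliberately conservative and only fires on `quick` rules that end in `all` or `from any to any`, so it never flags a rule that could still match.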