Date: Sun, 14 Sep 2003 12:58:19 -0400
From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "Robert Storey" <y2kbug@ms25.hinet.net>, <freebsd-questions@freebsd.org>
Subject: RE: firewall
Message-ID: <MIEPLLIBMLEEABPDBIEGIENJEFAA.fbsd_user@a1poweruser.com>
In-Reply-To: <20030914172715.20a91c69.y2kbug@ms25.hinet.net>
Your problem is that you are using the sample rules file provided by IPFW.
You are correct, you do not understand what you are doing. You are supposed
to edit the sample rules file to create your own rules file. That sample is
only there as a starting point for you to build your own rules. You need to
do a lot of reading about ipfw rules; check the man pages.

I know that the FBSD handbook gives the reader the impression that IPFW is
the only firewall available to FBSD, but that is a false impression. FBSD
has IPFILTER, which is also a built-in firewall like IPFW, and the NetBSD
firewall IPF has been ported to FBSD, so there are other options. I have
used both IPFW and IPFILTER. IPFW's keep state rules do not function
correctly on a DSL or cable internet connection; it has just been upgraded
in FBSD 5.2 with a lot of fluff that does nothing but confuse the general
user.

For a newbie, you should use the IPFILTER firewall. Its rules are documented
so that almost anyone with some knowledge can write rules, unlike IPFW.

Here is my IPFILTER environment config. I have also included some other
hard-to-find kernel internal knobs to add tighter packet security.

http://www.obfuscation.org/ipf/
http://www.obfuscation.org/ipf/ipf-howto.html

NOTE: beware of line wrap in the below lines

/etc/rc.conf

# Activate IPFILTER IPNAT function auto start at boot time
ipfilter_enable="YES"             # Start ipfilter firewall
ipfilter_flags=""                 # turn off flags
ipfilter_rules="/etc/ipf.rules"   # rules definition file for ipfilter
ipnat_enable="YES"                # Start ipnat function
ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat
ipmon_enable="YES"                # Start ip monitor log
ipmon_flags="-Ds"                 # D = start as daemon
                                  # s = log to syslog
                                  # v = log tcp window, ack, seq fields
                                  # n = map ip & port to names

# Extra kernel tcp/ip stack packet security options
log_in_vain="YES"                 # NO is default. YES enables logging of
                                  # connection attempts to ports that have no
                                  # listening socket on them.
                                  # Puts msg on console
icmp_drop_redirect="YES"          # YES will cause the kernel to ignore
                                  # ICMP REDIRECT packets.
icmp_log_redirect="YES"           # YES will cause the kernel to log ignored
                                  # ICMP REDIRECT packets.
#tcp_drop_synfin="YES"            # YES will cause the kernel to ignore TCP
                                  # frames that have both the SYN and FIN flags
                                  # set. Only available if the kernel was built
                                  # with the TCP_DROP_SYNFIN option.
                                  # change to NO if webserver behind firewall.
tcp_restrict_rst="YES"            # YES will cause the kernel to refrain from
                                  # emitting TCP RST frames in response to
                                  # invalid TCP packets (e.g., frames destined
                                  # for closed ports). This option is only
                                  # available if the kernel was built with the
                                  # TCP_RESTRICT_RST option.
syslogd_flags="-ss"               # Don't use network sockets so portscan
                                  # will not find (security tip)
portmap_enable="NO"               # Don't allow nfs portmapper (security tip)

/etc/ipnat.rules

# Provide NAT services for LAN users.
# NAT my private LAN ip address to whatever my dynamic ISP address is.
map rl0 10.0.10.0/29 -> 0/32

# Provide NAT services for user ppp Dial in tun0 connections.
map rl0 10.0.0.0/29 -> 0/32

# Provide special NAT services for Active FTP from LAN users.
map rl0 0/0 -> 0/32 proxy port 21 ftp/tcp

/etc/ipf.rules

# usage notes:
# 1. rule line numbers in rule file are not used in
#    ipfstat -ion listing of active rules
# 2. keep state is applied on private ip address before being
#    handed off to nat function.
# 3. /etc/rc.conf file has ipfilter options to tell ipmon what
#    info to log.
#    -a rule with log option + nat convert + keep state

#################################################################
#
# Generic for all interfaces
#
#################################################################
@010 block in log quick all with opt lsrr
@011 block in log quick all with opt ssrr
@012 block in log quick all with ipopts
@013 block in log quick all with short
@014 block in log quick all with frag

#################################################################
# Outside Interface to Public internet (Outbound Section)
# Interrogate packets originating from behind the firewall, private net,
# destined for the public internet.
#################################################################

# Allow out access to my ISP's Domain name server.
@100 pass out quick on rl0 proto tcp from any to 24.50.201.66 port = 53 flags S keep state
@101 pass out quick on rl0 proto udp from any to 24.50.201.66 port = 53 keep state
@102 pass out quick on rl0 proto tcp from any to 24.50.201.67 port = 53 flags S keep state
@103 pass out quick on rl0 proto udp from any to 24.50.201.67 port = 53 keep state
@104 pass out quick on rl0 proto tcp from any to 24.50.201.69 port = 53 flags S keep state
@105 pass out quick on rl0 proto udp from any to 24.50.201.69 port = 53 keep state

# Allow out access to my ISP's DHCP server.
@106 pass out quick on rl0 proto udp from any to 24.50.201.66 port = 67 keep state

# Allow out non-secure standard www function
@110 pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
@115 pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
@130 pass out quick on rl0 proto tcp from any to any port = 110 flags S keep state
@131 pass out quick on rl0 proto tcp from any to any port = 25 flags S keep state

# Allow out Time
@140 pass out quick on rl0 proto tcp from any to any port = 37 keep state

# Allow out nntp news
#@150 pass out quick on rl0 proto tcp from any to any port = 119
@150 pass out quick on rl0 proto tcp from any to any port = 119 flags S keep state

# Allow out passive FTP for LAN PC FTP to public Internet
@160 pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
@161 pass out quick on rl0 proto tcp from any to any port > 1023 flags S keep state

# Allow out ping to public Internet
@170 pass out quick on rl0 proto icmp from any to any icmp-type 8 keep state

# Allow out whois for LAN PC to public Internet
@172 pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state

# Allow out traceroute to public Internet
pass out quick on rl0 proto udp from any to any port 33434 >< 33690 keep state

# block ports that show on log and are ok to stop logging
# Deny tcp port 81 - hosts2 name server. winme is doing this.
@190 block out quick on rl0 proto tcp from any to any port = 81

# Deny Everything else trying to get out.
@199 block out log quick on rl0 all

#################################################################
# Outside Interface to Public internet (Inbound Section)
# Interrogate packets originating from the public internet,
# destined for the firewall or the private net behind it.
#################################################################

# Allow traffic in from ISP's DHCP server.
@300 pass in quick on rl0 proto udp from 24.50.201.66 to any port = 68 keep state

# Deny all Adelphia broadcast stuff so it does not show in log as default block
@310 block in quick on rl0 proto udp from any to 255.255.255.255
@311 block in quick on rl0 proto tcp/udp from 0.0.0.0 to any
@312 block in quick on rl0 proto igmp from any to any

# Allow in non-secure standard www function
@320 pass in quick on rl0 proto tcp from 63.70.155.0/24 to any port = 80 flags S keep state

# Allow in Telnet
@330 pass in quick on rl0 proto tcp from 63.70.155.0/24 to any port = 23 flags S keep state

# Allow in ping from public Internet
@340 pass in quick on rl0 proto icmp from 63.70.155.0/24 to any icmp-type 8 keep state

# Deny ping so it does not show in log
@350 block in quick on rl0 proto icmp all

# Deny ident so it does not show in log
@351 block in quick on rl0 proto tcp from any to any port = 113

# Block and log all remaining traffic coming into the firewall
@399 block in log quick on rl0 all

#################################################################
# Inside Interface local Lan Nic
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic
#----------------------------------------------------------------
@500 pass out quick on xl0 proto tcp from any to any
@501 pass out quick on xl0 proto udp from any to any
@502 pass out quick on xl0 proto icmp from any to any
@503 block out log quick on xl0 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic
#----------------------------------------------------------------
@520 pass in quick on xl0 proto tcp from any to any
@521 pass in quick on xl0 proto udp from any to any
@522 pass in quick on xl0 proto icmp from any to any
@523 block in log quick on xl0 all

#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
@700 pass in quick on lo0 all
@701 pass out quick on lo0 all

kernel source compile options

options IPFILTER                # Adds filtering code into kernel
options IPFILTER_LOG            # enable logging
options IPFILTER_DEFAULT_BLOCK  # block all packets by default
#
# The following options add sysctl variables for controlling how certain
# TCP packets are handled by the kernel.
#
options ICMP_BANDLIM            # Enables icmp error response bandwidth
                                # limiting. This will help protect from
                                # D.O.S. packet attacks.
options RANDOM_IP_ID            # Randomizes the IP packet ID number
#options TCP_DROP_SYNFIN        # Adds support for ignoring TCP packets
                                # with SYN+FIN. This prevents nmap from
                                # identifying the TCP/IP stack, but
                                # breaks support for RFC1644 extensions
                                # & is not recommended for web servers
                                # behind the firewall.
                                # not supported in 4.4 and newer
#options TCP_RESTRICT_RST       # Adds support for blocking emission of
                                # TCP RST packets. Useful in limiting
                                # SYN floods & port scanning. Replaced by
                                # the sysctl knob blackhole.

/etc/sysctl.conf

####################################################################
#
# The sysctl.conf file contains MIB's to change the default setting of
# internal options of the kernel at boot up time. MIB's which control
# how packets are handled get control before the packet is handed off
# to the firewall (IPFW or IPFILTER). Some of these MIB's may seem
# like they are doing the same thing, but because there is no FBSD
# provided documentation on the order these MIB's get control, they
# all get enabled here and we let the kernel do its thing.
#
# NOTE: Some of these MIB's can also be set in rc.conf and or the kernel
# source. This will not hurt anything.
#
# This sysctl.conf created 3/22/2002 by Joe Barbish.
#
####################################################################

# To defend against SYN attacks, more commonly known as SYNFLOOD attacks,
# the two queues which are targeted by this type of attack should have their
# size increased so that the queues can withstand an attack of low to moderate
# intensity with little to no effect on the stability or availability of the
# server. FBSD maintains separate queues for inbound socket connection
# requests. One queue is for half-open sockets (SYN received, SYN|ACK sent),
# the other queue for fully-open sockets awaiting an accept() call from the
# application. The following statement increases the queue size from 128.
kern.ipc.somaxconn=1024

# Redirect attacks are the purposeful mass issuing of redirects.
# In a normal network, redirects to the end stations should not be required.
# To defend against this type of attack both the sending and accepting of
# redirects should be disabled. In the following statements, the first 1
# enables the special kernel MIB to drop these attacks, the second turns off
# the logging of attacks because there is no limit and this could fill up
# your logs consuming your whole hard drive, and the last statement changes
# the FBSD default from yes to no.
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0

# Source routing is another way for an attacker to try to reach non-routable
# addresses behind your box. It can also be used to probe for information
# about your internal networks. These functions come enabled as part of the
# standard FBSD core system. The following will disable them.
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0

# Allowing aged ARP entries to remain cached or lying around allows for
# the possibility of a hacker creating resource exhaustion or
# performance degradation by filling the IP route cache with bogus
# ARP entries. This in turn can be used as a Denial of Service attack.
# To prevent this sort of problem the following statement shortens the
# amount of time an ARP entry will be cached from 1200.
net.link.ether.inet.max_age=600

# To protect your box from the well publicized SMURF attack. This attack
# works by sending ICMP 8 0 (ECHO REQUEST) messages to a broadcast address
# from a spoofed address. If the host is a firewall (router), it should
# not propagate directed broadcasts.
# The following statement sets the default to no broadcasts.
net.inet.icmp.bmcastecho=0

# To change the system behavior when connection requests are received
# on TCP or UDP ports where there is no socket listening. The normal behavior,
# when a TCP SYN segment is received on a port where there is no socket
# accepting connections, is for the system to return a RST segment, and drop
# the connection. The connecting system will see this as a
# "Connection reset by peer".
#
# By turning the TCP black hole MIB on to a numeric value of one, the
# incoming SYN segment is merely dropped, and no RST is sent, making the
# system appear as a blackhole.
#
# By setting the MIB value to two, any segment arriving on a closed port is
# dropped without returning a RST.
# This provides some degree of protection against stealth port scans.
# The following enables this MIB.
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

# The log_in_vain MIB will provide you with logging of attempted connections
# to your box on any port which does not have a server running on it.
# For example, if you do not have a DNS server on your computer and someone
# would try to access your computer through DNS port 53, you would see a
# message such as: Connection attempt to UDP yourIP:53 from otherIP:X
# (where X is some high port #) displayed on the root console screen. This
# message also gets posted to /var/log/messages & /var/log/security.log.
# The following statements enable this function.
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1

# To increase the size of your TCP window to allow for more efficient
# transfers, particularly bulk transfers such as FTP. The maximum value
# suggested is 32768 bytes. Change from 16384. In release 4.5 the defaults
# for these values changed upwards to what they are below.
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=65536

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Redmond Militante
Sent: Friday, January 31, 2003 3:37 PM
To: JoeB; freebsd-questions@freebsd.org
Subject: Re: please comment on my nat/ipfw rules (resent)

hi

you've sold me :)

do you have any good online tutorials to recommend for setting up a
gateway/firewall/natd machine using ipfilter/ipnat?

thanks
redmond

> 1. Your firewall rules are not working at all, except for the natd
> redirect option. This is caused by the kernel compile time option
> IPFIREWALL_DEFAULT_TO_ACCEPT. This option tells your firewall that
> any packet that does not match a rule is allowed to pass on through
> the firewall. Comment out that option in your kernel options source
> and recompile your kernel to take the default of default-to-deny and
> your current rules set will stop functioning.
>
> 2. You are using the simplest of the rule types, 'state-less'. Using
> this type of rules you have to not only have a rule to allow the
> packet out, you also have to have a rule to allow the packet in. See
> rules 220 & 230 of your posted rule set to see how it should be
> done.
>
> 3. There are 3 classes of rules; each class has separate packet
> interrogation abilities. Each proceeding class has greater packet
> interrogation abilities than the previous one. These are stateless,
> simple stateful, and advanced stateful.
> The advanced stateful rule
> class is the only class having technically advanced interrogation
> abilities capable of defending against the flood of different attack
> methods currently employed by perpetrators. Stateless and Simple
> Stateful IPFW firewall rules are inadequate to protect the user's
> system in today's internet environment and leave the user
> unknowingly believing they are protected when in reality they are
> not.
>
> 4. The advanced stateful rule option keep-state works as documented
> only when used in a rule set that does not use the divert rule.
> Simply stated, the IPFW advanced stateful rule option keep-state does
> not function correctly when used in an IPFW firewall that also is
> using the IPFW built-in NATD function. For the most complete
> keep-state protection the other FIREWALL solution (IPFILTER) that
> comes with FBSD should be used. Just check out the IPFW list archives
> and you will see this subject discussed in detail without any
> solution forthcoming.
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Redmond
> Militante
> Sent: Friday, January 31, 2003 8:18 AM
> To: freebsd-questions@freebsd.org
> Subject: please comment on my nat/ipfw rules (resent)
>
> hi all
>
> i have my test machine set up as a gateway box, with ipfw/natd
> configured on it, set up to filter/redirect packets bound for a
> client on my internal network.
>
> external ip of my internal client is aliased to the outside nic of
> the gateway box
>
> gateway machine's kernel has been recompiled with:
>
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_VERBOSE
>
> gateway's /etc/rc.conf looks like
>
> defaultrouter="129.x.x.1"
> hostname="hostname.com"
> ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
> #aliasing internal client's ip to the outside nic of gateway box
> ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
> #inside nic of gateway box
> ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
> gateway_enable="YES"
> firewall_enable="YES"
> #firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> natd_enable="YES"
> #natd interface is outside nic
> natd_interface="xl0"
> #natd flags redirect any traffic bound for ip of www3 to internal ip of www3
> natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
> kern_securelevel_enable="NO"
> .........
>
> internal client's /etc/rc.conf looks like
>
> second machine's /etc/rc.conf:
>
> defaultrouter="10.0.0.1"
> ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"
> ................
>
> looks like this setup is working. the internal client is a basic
> webserver/ftp server. i am able to ftp to it, ssh to it, view
> webpages that it serves up, etc. with it hooked up to the internal
> nic of the gateway box.
>
> i am now trying to come up with a good set of firewall rules on the
> gateway box to filter out all unnecessary traffic to my internal
> network. the following is my /etc/ipfw.rules on the gateway box.
>
> -----------------------------snip------------------------------
>
> # firewall_type="/etc/ipfw.rules"
> # enquirer ipfw.rules
>
> # NAT
> add 00100 divert 8668 ip from any to any via xl0
>
> # loopback
> add 00210 allow ip from any to any via lo0
> add 00220 deny ip from any to 127.0.0.0/8
> add 00230 deny ip from 127.0.0.0/8 to any
>
> #allow tcp in for nfs shares
> #add 00301 allow tcp from 129.x.x.x to any in via xl0
> #add 00302 allow tcp from 129.x.x.x to any in via xl0
>
> #allow tcp in for ftp,ssh, smtp, httpd
> add 00303 allow tcp from any to any in 21,22,25,80,10000 via xl0
>
> #deny rest of incoming tcp
> add 00309 deny log tcp from any to any in established
>
> #from man 8 ipfw: allow only outbound tcp connections i've created
> add 00310 allow tcp from any to any out via xl0
>
> #allow udp in for gateway for DNS
> add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0
>
> #allow udp in for nfs shares
> #add 00401 allow udp from 129.x.x.x to any in recv xl0
> #add 00402 allow udp from 129.x.x.x to any in recv xl0
>
> #allow all udp out from machine
> add 00404 allow udp from any to any out via xl0
>
> #allow some icmp types (codes not supported)
> ##########allow path-mtu in both directions
> add 00500 allow icmp from any to any icmptypes 3
> ##########allow source quench in and out
> add 00501 allow icmp from any to any icmptypes 4
> ##########allow me to ping out and receive response back
> add 00502 allow icmp from any to any icmptypes 8 out
> add 00503 allow icmp from any to any icmptypes 0 in
> ##########allow me to run traceroute
> add 00504 allow icmp from any to any icmptypes 11 in
> add 00600 deny log ip from any to any
>
> #--- end ipfw.rules ---#
>
> -----------------------------snip------------------------------
>
> any comments on how i could improve this set of ipfw rules to
> better secure my internal client would be appreciated.
> thanks again
>
> redmond

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Robert Storey
Sent: Sunday, September 14, 2003 5:27 AM
To: freebsd-questions@freebsd.org
Subject: firewall

Dear All,

I'm having a hard time configuring a firewall. I ALMOST understand it, but
I've run into one problem. I think I don't actually have my /etc/rc.firewall
set up properly. Maybe I don't really understand what the "ip" setting should
be, and I've made it the same as my "net" setting. Anyway, what I can say is
that with the configuration I have, I can access my internal (ethernet)
network, but ppp is totally blocked, which of course I don't want.

Below are the configuration settings I've made, and the results I get. I hope
that somebody can help.
best regards,
Robert Storey

FROM /etc/rc.conf:

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="client"

FROM /etc/rc.firewall:

# set these to your network and netmask and ip
net="192.168.0.2"
mask="255.255.255.0"
ip="192.168.0.2"

CONTENT OF /etc/hosts:

# ::1             localhost localhost.utopia.com
127.0.0.1         localhost localhost.utopia.com
# 192.168.0.3     ibm.utopia.com ibm
192.168.0.2       sonic.utopia.com sonic
192.168.0.1       pro.utopia.com pro

OUTPUT OF "ipfw -a list":

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 allow ip from 192.168.0.2 to 192.168.0.0/24
00500 0 0 allow ip from 192.168.0.0/24 to 192.168.0.2
00600 0 0 allow tcp from any to any established
00700 0 0 allow ip from any to any frag
00800 0 0 allow tcp from any to 192.168.0.2 dst-port 25 setup
00900 0 0 allow tcp from 192.168.0.2 to any setup
01000 0 0 deny tcp from any to any setup
01100 0 0 allow udp from 192.168.0.2 to any dst-port 53 keep-state
01200 0 0 allow udp from 192.168.0.2 to any dst-port 123 keep-state
65535 0 0 deny ip from any to any
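To see why the rule list Robert posted lets his ethernet network through but blocks ppp, here is an added example (not code from the thread) that walks his "ipfw -a list" output first-match, the way ipfw does. It assumes the ppp link is given an address outside 192.168.0.0/24, so packets leaving on tun0 carry a source that matches neither rule 400 nor rule 900; the ppp-side and remote addresses are constructed documentation values, and keep-state dynamic rules are not modelled.

```python
import ipaddress
import re

# Constructed copy of the "ipfw -a list" output in the thread, packet/byte counters stripped.
RULES_TEXT = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow ip from 192.168.0.2 to 192.168.0.0/24
00500 allow ip from 192.168.0.0/24 to 192.168.0.2
00600 allow tcp from any to any established
00700 allow ip from any to any frag
00800 allow tcp from any to 192.168.0.2 dst-port 25 setup
00900 allow tcp from 192.168.0.2 to any setup
01000 deny tcp from any to any setup
01100 allow udp from 192.168.0.2 to any dst-port 53 keep-state
01200 allow udp from 192.168.0.2 to any dst-port 123 keep-state
65535 deny ip from any to any
"""
RULE_RE = re.compile(r"^(\d+) (allow|deny) (\w+) from (\S+) to (\S+)\s*(.*)$")

def parse_rules(text):
    """Each 'NNNNN action proto from A to B [options]' line becomes a dict."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised rule: " + line)
        num, action, proto, src, dst, rest = m.groups()
        opts = rest.split()
        rules.append({"num": int(num), "action": action, "proto": proto, "src": src,
                      "dst": dst, "setup": "setup" in opts, "frag": "frag" in opts,
                      "established": "established" in opts,
                      "dport": int(opts[opts.index("dst-port") + 1]) if "dst-port" in opts else None,
                      "via": opts[opts.index("via") + 1] if "via" in opts else None})
    return rules

def addr_match(spec, ip):
    """'any', a single host or a CIDR block, as ipfw prints them."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])):
        return False
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["frag"] and not pkt["frag"]:
        return False
    # ipfw semantics: 'setup' is SYN without ACK, 'established' is ACK or RST present.
    if rule["setup"] and not ("SYN" in pkt["flags"] and "ACK" not in pkt["flags"]):
        return False
    if rule["established"] and not (pkt["flags"] & {"ACK", "RST"}):
        return False
    return True

def first_match(rules, pkt):
    """ipfw stops at the first matching rule; rule 65535 guarantees one exists."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    raise RuntimeError("rule 65535 should always match")

def packet(src, dst, proto="tcp", dport=80, flags=("SYN",), iface="tun0", frag=False):
    """Minimal packet model; keep-state dynamic rules for reply traffic are not modelled."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "flags": set(flags), "iface": iface, "frag": frag}

RULES = parse_rules(RULES_TEXT)
LAN_IP = "192.168.0.2"                    # the "ip" Robert put in rc.firewall
PPP_IP, REMOTE = "203.0.113.45", "198.51.100.10"   # assumed ppp-side and remote addresses
```

A SYN from LAN_IP to another 192.168.0.x host is passed by rule 400, while the same SYN sourced from PPP_IP reaches rule 1000 and a DNS query from PPP_IP falls through to 65535, which is the "ppp is totally blocked" symptom; a reply carrying ACK is still passed by the stateless rule 600 whatever its source, which is the weakness the thread's stateful-versus-stateless discussion is about.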