Date:      Fri, 4 Oct 2002 09:23:06 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Nelis Lamprecht <nelis@brabys.co.za>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw ruleset
Message-ID:  <20021004082306.GB31681@happy-idiot-talk.infracaninophi>
In-Reply-To: <5.1.0.14.2.20021004085609.012ed3c8@192.96.48.11>
References:  <5.1.0.14.2.20021004085609.012ed3c8@192.96.48.11>

On Fri, Oct 04, 2002 at 08:58:50AM +0200, Nelis Lamprecht wrote:
> Hi People,
> 
> I'm trying to set up my firewall using ipfw on 4.6 Stable. I have read
> through the man pages and also several howtos, but now I need your advice.
> I would like to set up a DNS server that will respond to queries, and my
> current ruleset does not seem to permit this. Please tell me what I am
> doing wrong.
> 
> My Ruleset: (IPs omitted)
> 
> add 00301 check-state
> add 00302 allow tcp from any to any established

Um... This rule is probably not what you want.  Essentially it makes
all the later tcp rules pointless...  Try:

    add 00302 deny log tcp from any to any established

The idea is that the 'setup' packet for a tcp connection will generate
a specific dynamic rule via keep-state, and that will match at rule
00301.  Any other tcp packets should be denied.

> add 00303 allow tcp from any to any out setup keep-state
> add 00304 allow tcp from any to $lan 22,25,80,443 setup

Modify this to say:

   add 00304 allow tcp from any to $lan 22,25,53,80,443 setup

DNS uses tcp connections for zone transfers and also it will fall back
to tcp if the response generated is too big for a single UDP packet.

> add 00400 allow udp from any to any out
> add 00401 allow udp from $lan to any 53
> add 00402 allow udp from any 53 to $lan in recv rl0

If DNS is the only UDP service you use (which is quite possible), then
drop your rule 00400.  Otherwise, move it to after the DNS specific
rules.

You need to allow your server to perform recursive lookups on your
behalf:

    add 00401 allow udp from $lan to any 53 keep-state out via rl0

and to let other people query your server:

    add 00402 allow udp from any to $lan 53 keep-state in via rl0

Using dynamic rules for a DNS server like this gives a good level of
security and is OK for a low traffic site, but it would probably
overwhelm IPFW's dynamic rule capacity if there was any significant
DNS traffic.  If you want to use static rules only, you need something
like

    add 00401 allow udp from $lan to any 53 out via rl0
    add 00402 allow udp from any 53 to $lan in via rl0

    add 00403 allow udp from any to $lan 53 in via rl0
    add 00404 allow udp from $lan 53 to any out via rl0

Unfortunately, if you go the static rule way, rule 00402 will expose all
of your UDP ports to a sufficiently wily cracker.  This section in the
default /etc/namedb/named.conf may prove illuminating:

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;

That will let you lock down both source and destination ports in rules
00401 and 00402.

> #allow some icmp types (codes not supported)
> ##allow path-mtu in both directions
> add 00600 allow icmp from any to any icmptypes 3
> ##allow source quench in and out
> add 00601 allow icmp from any to any icmptypes 4
> ##allow me to ping out and receive response back
> add 00602 allow icmp from any to any icmptypes 8 out
> add 00603 allow icmp from any to any icmptypes 0 in
> ##allow me to run traceroute
> add 00604 allow icmp from any to any icmptypes 11 in
> #allow ident requests
> add 00700 allow tcp from any to any 113 keep-state setup
> #deny syn and fin bits used for OS fingerprinting using nmap
> add 00701 deny log tcp from any to any in tcpflags syn,fin
> #log anything that falls through
> add 09000 deny log ip from any to any

	Cheers,

	Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
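Added example, not part of the original mail: a small Python model of the ipfw semantics relied on above (first-match order, setup/established, in/out/via, check-state/keep-state), run over the quoted ruleset, the dynamic DNS rules, and the static pair. The server and client addresses are constructed, and the model ignores ICMP rules, tcpflags and the per-rule logging.

```python
import re

LAN = "192.0.2.53"    # constructed stand-in for $lan, the DNS server's address
RULE = re.compile(r"add \d+ (\w+)(?: log)? (\w+) from (\S+)(?: ([\d,]+))? to (\S+)(?: ([\d,]+))?(.*)")
ports = lambda s: {int(p) for p in s.split(",")} if s else set()   # empty set means any port

def parse_rule(line):
    """check-state -> None; otherwise (action, proto, src, sports, dst, dports, opts, via)."""
    if line.endswith("check-state"):
        return None
    act, proto, src, sp, dst, dp, rest = RULE.match(line.replace("$lan", LAN)).groups()
    opts = rest.split()                     # in / out / setup / established / keep-state / via X
    via = next((opts[i + 1] for i, t in enumerate(opts) if t in ("via", "recv")), None)
    return (act, proto, src, ports(sp), dst, ports(dp), set(opts), via)

def matches(rule, p):
    act, proto, src, sp, dst, dp, opts, via = rule
    return (proto in ("ip", p["proto"]) and src in ("any", p["src"]) and dst in ("any", p["dst"])
            and (not sp or p["sport"] in sp) and (not dp or p["dport"] in dp)
            and (not {"in", "out"} & opts or p["dir"] in opts) and via in (None, p["iface"])
            and ("setup" not in opts or p["flags"] == {"syn"})        # SYN without ACK
            and ("established" not in opts or "ack" in p["flags"]))   # anything carrying ACK

def verdict(rules, p, state):
    flow = (p["proto"], frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
    for rule in rules:                      # first match wins
        if rule is None and flow in state:  # check-state: reply of a kept flow passes
            return "allow"
        if rule is not None and matches(rule, p):
            if "keep-state" in rule[6]:
                state.add(flow)             # one dynamic entry per flow, both directions
            return rule[0]
    return "deny"                           # no match: ipfw's implicit final deny

def evaluate(ruleset, packets):
    rules, state = [parse_rule(l) for l in ruleset.strip().splitlines()], set()
    return [verdict(rules, p, state) for p in packets]   # one dynamic table per run

ORIGINAL = """add 00301 check-state
add 00302 allow tcp from any to any established
add 00400 allow udp from any to any out
add 00402 allow udp from any 53 to $lan in recv rl0
add 09000 deny log ip from any to any"""
DYNAMIC = """add 00301 check-state
add 00302 deny log tcp from any to any established
add 00401 allow udp from $lan to any 53 keep-state out via rl0
add 00402 allow udp from any to $lan 53 keep-state in via rl0
add 09000 deny log ip from any to any"""
STATIC = """add 00402 allow udp from any 53 to $lan in via rl0
add 00403 allow udp from any to $lan 53 in via rl0
add 09000 deny log ip from any to any"""
```

An inbound query from an ephemeral source port is denied by ORIGINAL (the problem in the question) and allowed by DYNAMIC together with its reply, while STATIC allows any inbound UDP datagram whose source port is 53 regardless of its destination port.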