Date: Mon, 6 Jan 97 17:45:44 CST
From: Joe Greco <jgreco@solaria.sol.net>
To: brandon@cold.org (Brandon Gillespie)
Cc: security@freebsd.org, hackers@freebsd.org
Subject: Re: FreeBSD as a cleanwall
Message-ID: <199701062345.RAA02007@solaria.sol.net>
In-Reply-To: <no.id> from "Brandon Gillespie" at Jan 6, 97 02:39:20 pm
> Does anybody have a configuration for packet filtering through a FreeBSD
> router to run a cleanwall?  Basically to keep all addresses of a specific
> IP set (say a class C) on the right sides.  I.e. only set addresses of
> that set leave the network and don't allow any addresses of that set onto
> the network?  I'm mulling through the docs now, but figured to look here
> for any possible pointers, as this seems like it would be a common enough
> operation..

It's called "via" :-)

You want something like this.  This is designed to run on a gateway router.
You have a P2P circuit between you and ISP ("Internet"), and your gateway is
on an ethernet.  Not that that's required, but just to explain this
particular setup.

 ----             ---------        --------------
|ISP|<----------->|Gateway|--------|Internal Net|
 ----             ---------        --------------
          ^^^                ^^^           ^^^
       LINK_IFC          GATEWAY_IFC ADDRESS_BLOCK
     204.95.219.2        206.55.64.1 206.55.64.0/25

On Gateway, do the following:

ipfw f
echo "Installing Firewall"
#
# ----- IP Bad Address Prevention Section -----
# Block RFC1597 "Private Internets" (inbound)
ipfw addf deny all from 10.0.0.0/8 to 0/0 via ${LINK_IFC}
ipfw addf deny all from 172.16.0.0/12 to 0/0 via ${LINK_IFC}
ipfw addf deny all from 192.168.0.0/16 to 0/0 via ${LINK_IFC}
# Block other "Shouldn't Exist" Internets (inbound)
ipfw addf deny all from 127.0.0.0/8 to 0/0 via ${LINK_IFC}
ipfw addf deny all from 0.0.0.0/8 to 0/0 via ${LINK_IFC}
# Block RFC1597 "Private Internets" as Source Address (outbound)
ipfw addf deny all from 10.0.0.0/8 to 0/0 via ${GATEWAY_IFC}
ipfw addf deny all from 172.16.0.0/12 to 0/0 via ${GATEWAY_IFC}
ipfw addf deny all from 192.168.0.0/16 to 0/0 via ${GATEWAY_IFC}
# Block RFC1597 "Private Internets" as Destination Address (outbound)
ipfw addf deny all from 0/0 to 10.0.0.0/8 via ${GATEWAY_IFC}
ipfw addf deny all from 0/0 to 172.16.0.0/12 via ${GATEWAY_IFC}
ipfw addf deny all from 0/0 to 192.168.0.0/16 via ${GATEWAY_IFC}
# Block other "Shouldn't Exist" Internets as Destination Address (outbound)
ipfw addf deny all from 0/0 to 127.0.0.0/8 via ${GATEWAY_IFC}
ipfw addf deny all from 0/0 to 0.0.0.0/8 via ${GATEWAY_IFC}
# Block other "Shouldn't Exist" Internets as Source Address (outbound)
ipfw addf deny all from 127.0.0.0/8 to 0/0 via ${GATEWAY_IFC}
ipfw addf deny all from 0.0.0.0/8 to 0/0 via ${GATEWAY_IFC}
#
# ----- IP Spoofing Prevention Section -----
# Block inbound pkts from addresses "on" my net (inbound)
# (add as many lines as needed)
ipfw addf deny all from ${ADDRESS_BLOCK} to 0/0 via ${LINK_IFC}
#
# Disallow all Source Addresses (outbound)
ipfw addf deny all from 0/0 to 0/0 via ${GATEWAY_IFC}
# Only allow outbound pkts from addresses "on" my net (outbound)
# (add as many lines as needed)
ipfw addf accept all from ${ADDRESS_BLOCK} to 0/0 via ${GATEWAY_IFC}
#
# Disallow all Destination Addresses (inbound)
ipfw addf deny all from 0/0 to 0/0 via ${LINK_IFC}
# Only allow inbound pkts to addresses "on" my net (inbound)
# (add as many lines as needed)
ipfw addf accept all from 0/0 to ${LINK_IFC} via ${LINK_IFC}
ipfw addf accept all from 0/0 to ${ADDRESS_BLOCK} via ${LINK_IFC}
#

This was clearly designed for use on a low speed (SLIP) router, there are
lots of optimizations.  I wrote it for clarity.  I also wrote it under
2.1.0R, so there may be some syntax differences.

This will do a pretty thorough job of preventing bogus addresses; it is
certainly a good starting point for a "cleanwall" :-)

The comments were what I had in the file.  If any of it is unclear after
inspection, let me know and I will try to clarify.

The router itself is mildly trusted to DTRT, by the way, and there are some
minor holes.  In particular, it is possible for a remote host to send
packets with a source address of ${LINK_IFC} which could be fixed by

ipfw addf deny all from ${LINK_IFC} to 0/0 via ${LINK_IFC}

Some folks will say that this is the long way of doing this.  They are
right.  But it was meant to potentially deal with multiple interfaces...

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                      414/342-4847
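An added example, not from Joe's post and not FreeBSD's ipfw: a small Python evaluator that encodes the intent of the cleanwall rules above for the post's own addresses, so constructed packets can be checked offline and the ${LINK_IFC}-source hole the post mentions can be seen with and without the extra rule. It treats the interface argument as the one the packet arrives on (how the post's "inbound"/"outbound" comments read "via"), assumes the interface names ppp0 and ed0, and generalizes slightly by checking bogon space on both addresses in both directions.

```python
import ipaddress

# Topology from the post; interface names are assumed for this example.
LINK_IFC = "ppp0"                                   # toward the ISP (assumed name)
LINK_ADDR = ipaddress.ip_address("204.95.219.2")    # gateway's address on that link
GATEWAY_IFC = "ed0"                                 # toward the LAN (assumed name)
ADDRESS_BLOCK = ipaddress.ip_network("206.55.64.0/25")

# RFC 1597/1918 private space plus the "shouldn't exist" loopback and zero nets.
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
           "127.0.0.0/8", "0.0.0.0/8")]


def _bogon(addr):
    return any(addr in net for net in BOGONS)


def verdict(src, dst, ifc, fix_link_hole=False):
    """Classify one packet arriving on interface `ifc`.

    Encodes the policy the rules express (not ipfw's own rule evaluation):
    no bogon addresses; nothing claiming an internal source may arrive from
    the ISP; only internal sources may leave toward the ISP; inbound traffic
    must be addressed to the gateway's link address or the block.
    Returns (action, reason).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _bogon(src) or _bogon(dst):
        return ("deny", "bogon address")
    if ifc == LINK_IFC:                       # packet coming in from the ISP
        if src in ADDRESS_BLOCK:
            return ("deny", "spoofed internal source from ISP")
        if fix_link_hole and src == LINK_ADDR:  # the extra rule the post suggests
            return ("deny", "spoofed gateway link address")
        if dst == LINK_ADDR or dst in ADDRESS_BLOCK:
            return ("accept", "inbound to our addresses")
        return ("deny", "inbound to foreign destination")
    if ifc == GATEWAY_IFC:                    # packet coming in from the LAN
        if src in ADDRESS_BLOCK:
            return ("accept", "outbound from our block")
        return ("deny", "outbound with foreign source")
    return ("deny", "unknown interface")


if __name__ == "__main__":
    # Constructed sample packets (src, dst, arriving interface).
    for pkt in (("206.55.64.10", "198.51.100.7", "ppp0"),
                ("206.55.64.10", "198.51.100.7", "ed0"),
                ("204.95.219.2", "206.55.64.10", "ppp0")):
        print(pkt, verdict(*pkt), verdict(*pkt, fix_link_hole=True))
```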