Date:      Mon, 6 Jan 97 17:45:44 CST
From:      Joe Greco <jgreco@solaria.sol.net>
To:        brandon@cold.org (Brandon Gillespie)
Cc:        security@freebsd.org, hackers@freebsd.org
Subject:   Re: FreeBSD as a cleanwall
Message-ID:  <199701062345.RAA02007@solaria.sol.net>
In-Reply-To: <no.id> from "Brandon Gillespie" at Jan 6, 97 02:39:20 pm

> Does anybody have a configuration for packet filtering through a FreeBSD
> router to run a cleanwall?  Basically to keep all addresses of a specific
> IP set (say a class C) on the right sides.  I.e. only set addresses of
> that set leave the network and don't allow any addresses of that set onto
> the network?  I'm mulling through the docs now, but figured to look here
> for any possible pointers, as this seems like it would be a common enough
> operation.. 

It's called "via" :-)

You want something like this.

This is designed to run on a gateway router.  You have a P2P circuit
between you and ISP ("Internet"), and your gateway is on an ethernet.
Not that that's required, but just to explain this particular setup.

----             ---------        --------------
ISP|<----------->|Gateway|--------|Internal Net|
----             ---------        --------------
      ^^^           ^^^               ^^^
   LINK_IFC     GATEWAY_IFC      ADDRESS_BLOCK
 204.95.219.2   206.55.64.1      206.55.64.0/25

On Gateway, do the following:


ipfw f
echo "Installing Firewall"
#
# ----- IP Bad Address Prevention Section -----
# Block RFC1597 "Private Internets" (inbound)
ipfw addf deny all from 10.0.0.0/8 to 0/0 via ${LINK_IFC}
ipfw addf deny all from 172.16.0.0/12 to 0/0 via ${LINK_IFC}
ipfw addf deny all from 192.168.0.0/16 to 0/0 via ${LINK_IFC}
# Block other "Shouldn't Exist" Internets (inbound)
ipfw addf deny all from 127.0.0.0/8 to 0/0 via ${LINK_IFC}
ipfw addf deny all from 0.0.0.0/8 to 0/0 via ${LINK_IFC}
# Block RFC1597 "Private Internets" as Source Address (outbound)
ipfw addf deny all from 10.0.0.0/8 to 0/0 via ${GATEWAY_IFC}
ipfw addf deny all from 172.16.0.0/12 to 0/0 via ${GATEWAY_IFC}
ipfw addf deny all from 192.168.0.0/16 to 0/0 via ${GATEWAY_IFC}
# Block RFC1597 "Private Internets" as Destination Address (outbound)
ipfw addf deny all from 0/0 to 10.0.0.0/8 via ${GATEWAY_IFC}
ipfw addf deny all from 0/0 to 172.16.0.0/12 via ${GATEWAY_IFC}
ipfw addf deny all from 0/0 to 192.168.0.0/16 via ${GATEWAY_IFC}
# Block other "Shouldn't Exist" Internets as Destination Address (outbound)
ipfw addf deny all from 0/0 to 127.0.0.0/8 via ${GATEWAY_IFC}
ipfw addf deny all from 0/0 to 0.0.0.0/8 via ${GATEWAY_IFC}
# Block other "Shouldn't Exist" Internets as Source Address (outbound)
ipfw addf deny all from 127.0.0.0/8 to 0/0 via ${GATEWAY_IFC}
ipfw addf deny all from 0.0.0.0/8 to 0/0 via ${GATEWAY_IFC}
#
# ----- IP Spoofing Prevention Section -----
# Block inbound pkts from addresses "on" my net (inbound)
# (add as many lines as needed)
ipfw addf deny all from ${ADDRESS_BLOCK} to 0/0 via ${LINK_IFC}
#
# Disallow all Source Addresses (outbound)
ipfw addf deny all from 0/0 to 0/0 via ${GATEWAY_IFC}
# Only allow outbound pkts from addresses "on" my net (outbound)
# (add as many lines as needed)
ipfw addf accept all from ${ADDRESS_BLOCK} to 0/0 via ${GATEWAY_IFC}
#
# Disallow all Destination Addresses (inbound)
ipfw addf deny all from 0/0 to 0/0 via ${LINK_IFC}
# Only allow inbound pkts to addresses "on" my net (inbound)
# (add as many lines as needed)
ipfw addf accept all from 0/0 to ${LINK_IFC} via ${LINK_IFC}
ipfw addf accept all from 0/0 to ${ADDRESS_BLOCK} via ${LINK_IFC}
#

This was clearly designed for use on a low speed (SLIP) router; there
are lots of optimizations.  I wrote it for clarity.  I also wrote it
under 2.1.0R, so there may be some syntax differences.

This will do a pretty thorough job of preventing bogus addresses; it
is certainly a good starting point for a "cleanwall"  :-)

The comments were what I had in the file.  If any of it is unclear
after inspection, let me know and I will try to clarify.

The router itself is mildly trusted to DTRT, by the way, and there
are some minor holes.  In particular, it is possible for a remote
host to send packets with a source address of ${LINK_IFC} which
could be fixed by

ipfw addf deny all from ${LINK_IFC} to 0/0 via ${LINK_IFC}

Some folks will say that this is the long way of doing this.  They
are right.  But it was meant to potentially deal with multiple
interfaces...

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator			      jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI			   414/342-4847
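An added illustration, not part of Joe's post: a small evaluator that applies the cleanwall ruleset above to constructed packets, so a reader can see which packets each interface lets through and check that the extra rule Joe suggests closes the hole he describes. It evaluates rules first-match (as current ipfw does) and therefore places the catch-all deny lines after the accept lines they would otherwise shadow; it does not model the 2.1-era ordering the original script relied on. The interface names "link" and "gw", the constructed test addresses, and the accept-by-default fallback are assumptions.

```python
from ipaddress import ip_address, ip_network

LINK_IFC = "204.95.219.2"         # router's address on the ISP link (diagram above)
ADDRESS_BLOCK = "206.55.64.0/25"  # the internal network
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8"]
HOLE_FIX = f"deny all from {LINK_IFC}/32 to 0/0 via link"  # the extra rule Joe suggests

def parse(rule):
    """'deny all from A to B via IFC' -> (action, src_net, dst_net, ifc)."""
    action, _, _, src, _, dst, _, ifc = rule.split()
    net = lambda a: ip_network("0.0.0.0/0" if a == "0/0" else a, strict=False)
    return action, net(src), net(dst), ifc

def cleanwall_rules(prepend=()):
    """The post's ruleset ('link' = ISP side, 'gw' = internal side), reordered
    so that specific rules come before the catch-all denies for first-match."""
    rules = list(prepend)
    rules += [f"deny all from {n} to 0/0 via link" for n in BOGONS]  # bogus sources inbound
    rules += [f"deny all from {n} to 0/0 via gw" for n in BOGONS]    # bogus sources outbound
    rules += [f"deny all from 0/0 to {n} via gw" for n in BOGONS]    # bogus destinations outbound
    rules += [f"deny all from {ADDRESS_BLOCK} to 0/0 via link",      # spoofed "internal" source
              f"accept all from {ADDRESS_BLOCK} to 0/0 via gw",      # only our addresses leave
              "deny all from 0/0 to 0/0 via gw",                     # everything else outbound
              f"accept all from 0/0 to {LINK_IFC}/32 via link",      # traffic to the router itself
              f"accept all from 0/0 to {ADDRESS_BLOCK} via link",    # traffic to our net
              "deny all from 0/0 to 0/0 via link"]                   # everything else inbound
    return [parse(r) for r in rules]

def filter_packet(rules, src, dst, ifc):
    """First matching rule decides; 'via' is taken as the interface the packet
    arrived on, which is how the post's inbound/outbound comments read it."""
    s, d = ip_address(src), ip_address(dst)
    for action, snet, dnet, rifc in rules:
        if rifc == ifc and s in snet and d in dnet:
            return action
    return "accept"  # assumed default when no rule matches

if __name__ == "__main__":
    base, fixed = cleanwall_rules(), cleanwall_rules([HOLE_FIX])
    # constructed packets: (src, dst, arriving interface), with the expected verdict
    for pkt in [("206.55.64.9", "198.51.100.7", "link"),   # deny: our block as inbound source
                ("198.51.100.7", "206.55.64.9", "link"),   # accept: ordinary inbound traffic
                ("198.51.100.7", "203.0.113.1", "gw"),     # deny: foreign source leaving our net
                ("206.55.64.9", "10.1.2.3", "gw"),         # deny: RFC1597 destination outbound
                ("204.95.219.2", "206.55.64.9", "link")]:  # accept without the fix: the hole
        print(pkt, filter_packet(base, *pkt), "->", filter_packet(fixed, *pkt))
```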