From owner-freebsd-security Mon Jan 6 15:45:55 1997
From: Joe Greco
Message-Id: <199701062345.RAA02007@solaria.sol.net>
Subject: Re: FreeBSD as a cleanwall
To: brandon@cold.org (Brandon Gillespie)
Date: Mon, 6 Jan 97 17:45:44 CST
Cc: security@freebsd.org, hackers@freebsd.org
In-Reply-To: from "Brandon Gillespie" at Jan 6, 97 02:39:20 pm

> Does anybody have a configuration for packet filtering through a FreeBSD
> router to run a cleanwall? Basically to keep all addresses of a specific
> IP set (say a class C) on the right sides. I.e. only let addresses of
> that set leave the network and don't allow any addresses of that set onto
> the network? I'm mulling through the docs now, but figured to look here
> for any possible pointers, as this seems like it would be a common enough
> operation..

It's called "via" :-)

You want something like this. This is designed to run on a gateway
router. You have a P2P circuit between you and your ISP ("Internet"),
and your gateway is on an ethernet. Not that that's required, but just
to explain this particular setup.

    -----             ---------            --------------
    ISP |<----------->| Gateway |----------| Internal Net |
    -----             ---------            --------------
          ^^^              ^^^                  ^^^
        LINK_IFC       GATEWAY_IFC         ADDRESS_BLOCK
      204.95.219.2     206.55.64.1        206.55.64.0/25

On Gateway, do the following:

    # Values from the diagram above
    LINK_IFC=204.95.219.2
    GATEWAY_IFC=206.55.64.1
    ADDRESS_BLOCK=206.55.64.0/25

    # Flush the existing rules
    ipfw f
    echo "Installing Firewall"
    #
    # ----- IP Bad Address Prevention Section -----
    # Block RFC1597 "Private Internets" (inbound)
    ipfw addf deny all from 10.0.0.0/8 to 0/0 via ${LINK_IFC}
    ipfw addf deny all from 172.16.0.0/12 to 0/0 via ${LINK_IFC}
    ipfw addf deny all from 192.168.0.0/16 to 0/0 via ${LINK_IFC}
    # Block other "Shouldn't Exist" Internets (inbound)
    ipfw addf deny all from 127.0.0.0/8 to 0/0 via ${LINK_IFC}
    ipfw addf deny all from 0.0.0.0/8 to 0/0 via ${LINK_IFC}
    # Block RFC1597 "Private Internets" as Source Address (outbound)
    ipfw addf deny all from 10.0.0.0/8 to 0/0 via ${GATEWAY_IFC}
    ipfw addf deny all from 172.16.0.0/12 to 0/0 via ${GATEWAY_IFC}
    ipfw addf deny all from 192.168.0.0/16 to 0/0 via ${GATEWAY_IFC}
    # Block RFC1597 "Private Internets" as Destination Address (outbound)
    ipfw addf deny all from 0/0 to 10.0.0.0/8 via ${GATEWAY_IFC}
    ipfw addf deny all from 0/0 to 172.16.0.0/12 via ${GATEWAY_IFC}
    ipfw addf deny all from 0/0 to 192.168.0.0/16 via ${GATEWAY_IFC}
    # Block other "Shouldn't Exist" Internets as Destination Address (outbound)
    ipfw addf deny all from 0/0 to 127.0.0.0/8 via ${GATEWAY_IFC}
    ipfw addf deny all from 0/0 to 0.0.0.0/8 via ${GATEWAY_IFC}
    # Block other "Shouldn't Exist" Internets as Source Address (outbound)
    ipfw addf deny all from 127.0.0.0/8 to 0/0 via ${GATEWAY_IFC}
    ipfw addf deny all from 0.0.0.0/8 to 0/0 via ${GATEWAY_IFC}
    #
    # ----- IP Spoofing Prevention Section -----
    # Block inbound pkts from addresses "on" my net (inbound)
    # (add as many lines as needed)
    ipfw addf deny all from ${ADDRESS_BLOCK} to 0/0 via ${LINK_IFC}
    #
    # Disallow all Source Addresses (outbound)
    ipfw addf deny all from 0/0 to 0/0 via ${GATEWAY_IFC}
    # Only allow outbound pkts from addresses "on" my net (outbound)
    # (add as many lines as needed)
    ipfw addf accept all from ${ADDRESS_BLOCK} to 0/0 via ${GATEWAY_IFC}
    #
    # Disallow all Destination Addresses (inbound)
    ipfw addf deny all from 0/0 to 0/0 via ${LINK_IFC}
    # Only allow inbound pkts to addresses "on" my net (inbound)
    # (add as many lines as needed)
    ipfw addf accept all from 0/0 to ${LINK_IFC} via ${LINK_IFC}
    ipfw addf accept all from 0/0 to ${ADDRESS_BLOCK} via ${LINK_IFC}
    #

This was clearly designed for use on a low speed (SLIP) router; there are
lots of optimizations. I wrote it for clarity. I also wrote it under
2.1.0R, so there may be some syntax differences.

This will do a pretty thorough job of preventing bogus addresses; it is
certainly a good starting point for a "cleanwall" :-)

The comments were what I had in the file. If any of it is unclear after
inspection, let me know and I will try to clarify.

The router itself is mildly trusted to DTRT, by the way, and there are
some minor holes. In particular, it is possible for a remote host to send
packets with a source address of ${LINK_IFC}, which could be fixed by

    ipfw addf deny all from ${LINK_IFC} to 0/0 via ${LINK_IFC}

Some folks will say that this is the long way of doing this. They are
right. But it was meant to potentially deal with multiple interfaces...

... Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                           jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                       414/342-4847
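The following is an added example, not part of the post and not Joe Greco's script or ipfw itself: a small model of the rule set above that lets you check, offline, which sample packets the "cleanwall" admits and which it drops, including the ${LINK_IFC} source-address hole the reply points out and the one-line fix for it. Assumptions, labelled as such in the code: the addresses come from the diagram in the post; the interface names "link" and "gw" are constructed placeholders, since the post never names the devices; a rule applies to the interface a packet is received on, which is how the post's "(inbound)"/"(outbound)" comments read "via"; the first matching rule wins and an unmatched packet is denied. Because of that first-match assumption the per-interface accept rules are listed before the blanket deny lines (the posted file lists them the other way round and relies on the ipfw of its era to resolve that).

```python
"""Model of the cleanwall ruleset from the post (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Addresses taken from the diagram in the post.
LINK_IFC = "204.95.219.2"         # gateway's address on the ISP link
GATEWAY_IFC = "206.55.64.1"       # gateway's address on the internal ethernet
ADDRESS_BLOCK = "206.55.64.0/25"  # the block that may appear inside
ANY = "0.0.0.0/0"
# RFC1597 private space plus the "shouldn't exist" ranges from the post.
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
          "127.0.0.0/8", "0.0.0.0/8"]


@dataclass(frozen=True)
class Rule:
    action: str                    # "deny" or "accept"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: str                       # interface the packet was received on (assumption)


def rule(action, src, dst, via):
    def net(s):
        return ipaddress.ip_network(s, strict=False)   # bare address -> /32
    return Rule(action, net(src), net(dst), via)


def to_ipfw(r):
    """Render a rule in the old `ipfw addf` syntax used in the post."""
    def fmt(n):
        if n.prefixlen == 0:
            return "0/0"
        if n.prefixlen == 32:
            return str(n.network_address)
        return str(n)
    return f"ipfw addf {r.action} all from {fmt(r.src)} to {fmt(r.dst)} via {r.via}"


def build_ruleset(link="link", gw="gw", deny_link_addr_spoof=False):
    """The post's rules in first-match order; interface names are placeholders."""
    rules = []
    # Bad-address section: bogon sources arriving from the ISP, and bogons in
    # either position on packets coming from the internal net.
    for p in BOGONS:
        rules.append(rule("deny", p, ANY, link))
    for p in BOGONS:
        rules.append(rule("deny", p, ANY, gw))
        rules.append(rule("deny", ANY, p, gw))
    # Spoofing section: my own block must never arrive from the ISP side.
    rules.append(rule("deny", ADDRESS_BLOCK, ANY, link))
    if deny_link_addr_spoof:
        # The extra rule the post suggests for the link-address hole.
        rules.append(rule("deny", LINK_IFC, ANY, link))
    # Egress: only my block may leave. Ingress: only my addresses are reachable.
    rules.append(rule("accept", ADDRESS_BLOCK, ANY, gw))
    rules.append(rule("deny", ANY, ANY, gw))
    rules.append(rule("accept", ANY, LINK_IFC, link))
    rules.append(rule("accept", ANY, ADDRESS_BLOCK, link))
    rules.append(rule("deny", ANY, ANY, link))
    return rules


def decide(rules, src, dst, recv_if):
    """Return "accept" or "deny" for a packet received on recv_if (first match wins)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.via == recv_if and s in r.src and d in r.dst:
            return r.action
    return "deny"   # assumed default for anything no rule covers


if __name__ == "__main__":
    rs = build_ruleset()
    # Constructed sample packets: (source, destination, receiving interface).
    samples = [
        ("198.51.100.7", "206.55.64.10", "link"),   # ordinary inbound traffic
        ("206.55.64.77", "206.55.64.10", "link"),   # my block spoofed from outside
        ("203.0.113.9", "198.51.100.7", "gw"),      # foreign source leaving my net
        ("204.95.219.2", "206.55.64.10", "link"),   # the link-address hole
    ]
    for pkt in samples:
        print(pkt, "->", decide(rs, *pkt))
    fixed = build_ruleset(deny_link_addr_spoof=True)
    print("with the extra rule:", decide(fixed, "204.95.219.2", "206.55.64.10", "link"))
    for r in fixed:
        print(to_ipfw(r))
```

Running the module prints the verdict for each sample packet, then the whole rule set rendered in the post's `addf` syntax so it can be compared line by line with the script above.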