Date:      Fri, 31 Jan 2003 17:04:43 -0500
From:      "JoeB" <barbish@a1poweruser.com>
To:        "Redmond Militante" <r-militante@northwestern.edu>, <freebsd-questions@freebsd.org>
Subject:   RE: please comment on my nat/ipfw rules (resent)
Message-ID:  <MIEPLLIBMLEEABPDBIEGKEAHDFAA.barbish@a1poweruser.com>
In-Reply-To: <20030131203711.GI29383@darkpossum>

Here is my IPFILTER environment config.
I have also included some other hard to find kernel
internal knobs to add tighter packet security.

http://www.obfuscation.org/ipf/

http://www.obfuscation.org/ipf/ipf-howto.html


/etc/rc.conf

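# Activate IPFILTER IPNAT function auto start at boot time
# (lines re-joined where the mail client had wrapped them; as posted,
# the stray "ipfilter", "ipnat", "fields", "no", ... lines would be
# parsed by sh as commands when rc.conf is sourced)
ipfilter_enable="YES"                # Start ipfilter firewall
ipfilter_flags=""                    # turn off flags
ipfilter_rules="/etc/ipf.rules"      # rules definition file for ipfilter
ipnat_enable="YES"                   # Start ipnat function
ipnat_rules="/etc/ipnat.rules"       # rules definition file for ipnat
ipmon_enable="YES"                   # Start ip monitor log
ipmon_flags="-Ds"                    # D = start as daemon
                                     # s = log to syslog
                                     # v = log tcp window, ack, seq fields
                                     # n = map ip & port to names

# Extra kernel tcp/ip stack packet security options
# NOTE(review): several of these knobs set the same sysctl MIBs that
# /etc/sysctl.conf (further down in this mail) also sets. Where the two
# disagree, whichever is applied later in the boot sequence wins, so
# keep them saying the same thing.

log_in_vain="YES"           # NO is default. YES enables logging of
                            # connection attempts to ports that have no
                            # listening socket on them. Puts msg on console.
                            # There is no rate limit on these messages, so
                            # a port sweep will grow /var/log/messages fast.

icmp_drop_redirect="YES"    # YES will cause the kernel to ignore
                            # ICMP REDIRECT packets.

icmp_log_redirect="YES"     # YES will cause the kernel to log ignored
                            # ICMP REDIRECT packets.
                            # NOTE(review): /etc/sysctl.conf below sets
                            # net.inet.icmp.log_redirect=0 (logging OFF),
                            # the opposite of this line; choose one value
                            # so the result is not boot-order dependent.

#tcp_drop_synfin="YES"      # YES will cause the kernel to ignore TCP
                            # frames that have both the SYN and FIN flags
                            # set. Only available if the kernel was built
                            # with the TCP_DROP_SYNFIN option.
                            # change to NO if webserver behind firewall.

tcp_restrict_rst="YES"      # YES will cause the kernel to refrain from
                            # emitting TCP RST frames in response to
                            # invalid TCP packets (e.g., frames destined
                            # for closed ports). This option is only
                            # available if the kernel was built with the
                            # TCP_RESTRICT_RST option.
                            # NOTE(review): the kernel options section
                            # below says TCP_RESTRICT_RST is not supported
                            # in 4.4 and newer and was replaced by the
                            # net.inet.tcp.blackhole sysctl, which
                            # /etc/sysctl.conf already sets; on such a
                            # kernel this line is presumably a no-op.

syslogd_flags="-ss"         # Don't use network sockets so portscan
                            # will not find (security tip)
                            # -ss opens no network socket at all, which
                            # also disables forwarding to a remote
                            # loghost; use a single -s if you need that.

portmap_enable="NO"         # Don't allow nfs portmapper (security tip)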


/etc/ipnat.rules
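# Provide special NAT services for Active FTP from LAN users.
# NOTE(review): this rule is listed first because ipnat appears to use
# the first matching map rule; listed after the two general map rules
# below (as originally posted) it is presumably never reached for those
# source nets - confirm against ipnat(5) / the IPF how-to linked above.
# The source is 0/0 (any); restricting it to the two private nets below
# keeps the proxy from being applied to unexpected sources.
map rl0 0/0 -> 0/32 proxy port 21 ftp/tcp

# Provide NAT services for LAN users.
# NAT my private LAN ip address to whatever my dynamic ISP address is.
map rl0 10.0.10.0/29 -> 0/32

# Provide NAT services for user ppp Dial in tun0 connections.
map rl0 10.0.0.0/29 -> 0/32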


/etc/ipf.rules
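# usage notes:
# 1. rule line numbers in rule file are not used in
#    ipfstat -ion listing of active rules
#    (the @NNN prefixes are nevertheless kept unique here so the file
#    reads in order; the LAN inbound rules had reused @501-@503)
# 2. keep state is applied on private ip address before being
#    handed off to nat function.
# 3. /etc/rc.conf file has ipfilter options to tell ipfmon what
#    info to log.  -a  rule with log option + nat convert + keep state
# 4. every rule is on ONE line; the mail client wrapped several of
#    them and a wrapped rule does not load.


#################################################################
#
# Generic for all interfaces
#
#################################################################

# Drop source-routed, option-bearing, short and fragmented packets
# on every interface and log each hit.
# NOTE(review): "with frag" drops every fragmented packet, not only
# malformed ones; legitimate large UDP replies can arrive fragmented,
# so check the log for @014 hits before treating them as hostile.
@010 block in log quick all with opt lsrr
@011 block in log quick all with opt ssrr
@012 block in log quick all with ipopts
@013 block in log quick all with short
@014 block in log quick all with frag

#################################################################
# Outside Interface to Public internet  (Outbound Section)
# Interrogate packets originating from behind the firewall, private net,
# destined for the public internet.
#################################################################

# Allow out access to my ISP's Domain name server.
@100 pass out quick on rl0 proto tcp from any to 24.50.201.66 port = 53 flags S keep state
@101 pass out quick on rl0 proto udp from any to 24.50.201.66 port = 53 keep state
@102 pass out quick on rl0 proto tcp from any to 24.50.201.67 port = 53 flags S keep state
@103 pass out quick on rl0 proto udp from any to 24.50.201.67 port = 53 keep state
@104 pass out quick on rl0 proto tcp from any to 24.50.201.69 port = 53 flags S keep state
@105 pass out quick on rl0 proto udp from any to 24.50.201.69 port = 53 keep state

# Allow out access to my ISP's DHCP server.
@106 pass out quick on rl0 proto udp from any to 24.50.201.66 port = 67 keep state

# Allow out non-secure standard www function
@110 pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
@115 pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
@130 pass out quick on rl0 proto tcp from any to any port = 110 flags S keep state
@131 pass out quick on rl0 proto tcp from any to any port = 25 flags S keep state

# Allow out Time
# "flags S" added so a state entry is only created from the initial SYN,
# the same as every other outbound tcp rule in this file.
@140 pass out quick on rl0 proto tcp from any to any port = 37 flags S keep state

# Allow out nntp news
@150 pass out quick on rl0 proto tcp from any to any port = 119 flags S keep state

# Allow out passive FTP for LAN PC FTP to public Internet
# NOTE(review): @161 lets any LAN host open tcp to ANY port above 1023
# on the internet, which is much wider than passive FTP needs. The
# block rules @190/@199 only see ports this rule does not already pass.
# Consider limiting the source to the hosts that actually use FTP.
@160 pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
@161 pass out quick on rl0 proto tcp from any to any port > 1023 flags S keep state

# Allow out ping to public Internet
@170 pass out quick on rl0 proto icmp from any to any icmp-type 8 keep state

# Allow out whois for LAN PC to public Internet
@172 pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state

# Allow out traceroute to public Internet
# The exclusive port-range operator is written "><" with no space
# (the posted "> <" does not parse), and the rule is numbered like
# its neighbours (it was the only unnumbered rule in the file).
@175 pass out quick on rl0 proto udp from any to any port 33434 >< 33690 keep state

# block ports that show on log and are ok to stop logging
# Deny tcp port 81 - hosts2 name server.  winme is doing this.
@190 block out quick on rl0 proto tcp from any to any port = 81

# Deny Everything else trying to get out.
@199 block out log quick on rl0 all


#################################################################
# Outside Interface to Public internet  (Inbound Section)
# Interrogate packets originating from the public internet,
# destined for the firewall itself or the private net behind it.
# (the posted header was a copy of the outbound section's text)
#################################################################

# Allow traffic in from ISP's DHCP server.
@300 pass in quick on rl0 proto udp from 24.50.201.66 to any port = 68 keep state

# Deny all Adelphia broadcast stuff so it does not show in log as default block
@310 block in quick on rl0 proto udp from any to 255.255.255.255
@311 block in quick on rl0 proto tcp/udp from 0.0.0.0 to any
@312 block in quick on rl0 proto igmp from any to any

# Allow in non-secure standard www function
@320 pass in quick on rl0 proto tcp from 63.70.155.0/24 to any port = 80 flags S keep state

# Allow in Telnet
# NOTE(review): telnet sends the login and the whole session in clear
# text across the public internet; prefer ssh (port 22) from the same
# /24 and drop this rule once the clients have moved.
@330 pass in quick on rl0 proto tcp from 63.70.155.0/24 to any port = 23 flags S keep state

# Allow in ping from public Internet
@340 pass in quick on rl0 proto icmp from 63.70.155.0/24 to any icmp-type 8 keep state

# Deny ping so it does not show in log
# This matches every remaining inbound icmp type, not only echo.
# icmp errors that belong to an outbound session are expected to be
# matched by that session's state entry before reaching this rule -
# check with ipfstat if path-MTU discovery misbehaves.
@350 block in quick on rl0 proto icmp all

# Deny ident so it does not show in log
@351 block in quick on rl0 proto tcp from any to any port = 113

# Block and log all remaining traffic coming into the firewall
@399 block in log quick on rl0 all


#################################################################
# Inside Interface local Lan Nic
# NOTE(review): the inbound rules below accept "from any"; limiting
# them to the LAN net given in /etc/ipnat.rules (10.0.10.0/29) would
# stop a LAN host from sending traffic with a forged source address
# through the firewall.
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic
#----------------------------------------------------------------
@500 pass out quick on xl0 proto tcp from any to any
@501 pass out quick on xl0 proto udp from any to any
@502 pass out quick on xl0 proto icmp from any to any
@503 block out log quick on xl0 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic
# (renumbered @521-@523; the posted file reused @501-@503 here)
#----------------------------------------------------------------
@520 pass in quick on xl0 proto tcp from any to any
@521 pass in quick on xl0 proto udp from any to any
@522 pass in quick on xl0 proto icmp from any to any
@523 block in log quick on xl0 all


#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
@700 pass in quick on lo0 all
@701 pass out quick on lo0 all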


kernel source compile options
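options         IPFILTER                    # Adds filtering code into kernel
options         IPFILTER_LOG                # enable logging
options         IPFILTER_DEFAULT_BLOCK      # block all packets by default
                                            # (packets matching no rule are
                                            # dropped instead of passed)
#
# The following options add sysctl variables for controlling how certain
# TCP packets are handled by the kernel.
#
options         ICMP_BANDLIM                # Enables icmp error response bandwidth
                                            # limiting. This will help protect from
                                            # D.O.S. packet attacks.

options         RANDOM_IP_ID                # Randomizes the IP header identification
                                            # field instead of incrementing it by one
                                            # per packet (it does not touch TCP
                                            # sequence numbers). An incrementing ID
                                            # lets an outside observer measure the
                                            # host's packet rate; random IDs close
                                            # that leak.

#options         TCP_DROP_SYNFIN            # Adds support for ignoring TCP packets
                                            # with SYN+FIN. This prevents nmap from
                                            # identifying the TCP/IP stack, but
                                            # breaks support for RFC1644 extensions
                                            # & is not recommended for web servers
                                            # behind the firewall.
# not supported in 4.4 and newer
#options         TCP_RESTRICT_RST           # Adds support for blocking emission of
                                            # TCP RST packets. Useful in limiting
                                            # SYN floods & port scanning. Replaced by
                                            # the sysctl knob blackhole (see
                                            # /etc/sysctl.conf below).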


/etc/sysctl.conf
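####################################################################
#
#
# The sysctl.conf file contains MIB's to change the default setting of
# internal options of the kernel at boot up time. Mib's which control
# how packets are handled get control before the packet is handed off
# to the firewall (IPFW or IPFILTER). Some of these MIB's may seem
# like they are doing the same thing, but because there is no FBSD
# provided documentation on the order these MIB's get control, they
# all get enabled here and we let the kernel do its thing.
#
# NOTE: Some of these MIB's can also be set in rc.conf and or the kernel
# source. This will not hurt anything as long as both places agree.
# They do not agree for net.inet.icmp.log_redirect: rc.conf above has
# icmp_log_redirect="YES" while this file turns it off - pick one.
#
# This sysctl.conf created 3/22/2002 by Joe Barbish.
#
####################################################################


# To defend against SYN attacks more commonly known as SYNFLOOD attacks,
# the two queues which are targeted by this type of attack should have its
# size increased so that the queues can withstand an attack of low to moderate
# intensity with little to no effect on the stability or availability of the
# server. FBSD maintains separate queues for inbound socket connection
# requests. One queue is for half-open sockets (SYN received, SYN|ACK sent),
# the other queue for fully-open sockets awaiting an accept() call from the
# application. The following statement increases the queue size from 128.

kern.ipc.somaxconn=1024



# Redirect attacks is the purposeful mass issuing of redirects.
# In a normal network, redirects to the end stations should not be required.
# To defend against this type of attack both the sending and accepting of
# redirects should be disabled. In the following statements, the first 1
# enables the special kernel MIB to drop these attacks, the second turns off
# the logging of attacks because there is no limit and this could fill up
# your logs consuming your whole hard drive, and the last statement changes
# the FBSD default from yes to no.

net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0



# Source routing is another way for an attacker to try to reach non routable
# addresses behind your box. It can also be used to probe for information
# about your internal networks. These functions come enabled as part of the
# standard FBSD core system. The following will disable them.
# (the ipf.rules @010/@011 rules also drop source-routed packets; the two
# layers back each other up)

net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0



# By allowing aged ARP entries to remain cached or lying around allows for
# the possibility of a hacker to create a resource exhaustion or
# performance degradation by filling the IP route cache with bogus
# ARP entries. This in turn can be used as Denial of Service attack.
# To prevent this sort of problem the following statement shortens the
# amount of time an ARP will be cached from 1200.

net.link.ether.inet.max_age=600



# To protect your box from the well publicized SMURF attack. This attack
# works by sending ICMP 8 0 (ECHO REQUEST) messages to a broadcast address
# from a spoofed address. If the host is a firewall (router), it should
# not propagate directed broadcasts.
# The following statement sets the default to no broadcasts.

net.inet.icmp.bmcastecho=0


# To change the system behavior when connection requests are received
# on TCP or UDP ports where there is no socket listening. The normal behavior,
# when a TCP SYN segment is received on a port where there is no socket
# accepting connections, is for the system to return a RST segment, and drop
# the connection. The connecting system will see this as a
# "Connection reset by peer".
#
# By turning the TCP black hole MIB on to a numeric value of one, the
# incoming SYN segment is merely dropped, and no RST is sent, making the
# system appear as a blackhole.
#
# By setting the MIB value to two, any segment arriving on a closed port is
# dropped without returning a RST.
# This provides some degree of protection against stealth port scans.
# The following enables this MIB.
# NOTE(review): blackhole only governs the firewall host's OWN closed
# ports; traffic forwarded to or from the LAN is decided by ipf.rules.

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1




# The log_in_vain MIB will provide you with logging of attempted connections
# to your box on any port which does not have a server running on it.
# For example, if you do not have DNS server on your computer and someone
# would try to access your computer through DNS port 53, you would see a
# message such as: Connection attempt to UDP yourIP:53 from otherIP:X
# (where X is some high port #) displayed on the root console screen. This
# message also gets posted to /var/log/messages & /var/log/security.log.
# The following statements enable this function.
# (same setting as log_in_vain="YES" in rc.conf above; the two agree)

net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1



# To increase the size of your TCP window to allow for more efficient
# transfers, particularly bulk transfers such as FTP. The maximum value
# suggested is 32768 bytes. Change from 16384. In release 4.5 the defaults
# for these values changed upwards to what they are below.

net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=65536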











-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Redmond
Militante
Sent: Friday, January 31, 2003 3:37 PM
To: JoeB; freebsd-questions@freebsd.org
Subject: Re: please comment on my nat/ipfw rules (resent)

hi

you've sold me :)
do you have any good online tutorials to recommend for setting up a
gateway/firewall/natd machine using ipfilter/ipnat?

thanks
redmond

> 1. Your firewall rules are not working at all, except for the natd
> redirect option. This is caused by the kernel compile time option
> IPFIREWALL_DEFAULT_TO_ACCEPT.    This option tells your firewall
that
> any packet that does not match a rule is allowed to pass on
through
> the firewall. Comment out that option in your kernel options
source
> and recompile your kernel to take the default of default-to-deny
and
> your current rules set will stop functioning.
>
> 2. You are using the simplest of the rule types 'state-less'.
Using
> this type of rules you have to not only have a rule to allow the
> packet out you also have to have a rule to allow the packet in.
See
> rules 220 & 230 of your posted rule set to see how it should be
> done.
>
> 3.  There are 3 classes of rules, each class has separate packet
> interrogation abilities. Each succeeding class has greater packet
> interrogation abilities than the previous one. These are
stateless,
> simple stateful, and advanced stateful. The advanced stateful rule
> class is the only class having technically advanced interrogation
> abilities capable of defending against the flood of different
attack
> methods currently employed by perpetrators. Stateless and Simple
> Stateful IPFW firewall rules are inadequate to protect the users
> system in today's internet environment and leaves the user
> unknowingly believing they are protected when in reality they are
> not.
>
>
> 4. The advanced stateful rule option keep-state works as
documented
> only when used in a rule set that does not use the divert rule.
> Simply stated the IPFW advanced stateful rule option keep-state
does
> not function correctly when used in a IPFW firewall that also is
> using the IPFW built in NATD function. For the most complete
> keep-state protection the other FIREWALL solution (IPFILTER) that
> comes with FBSD should be used. Just checkout the IPFW list
archives
> and you will see this subject discussed in detail without any
> solution forthcoming.
>
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Redmond
> Militante
> Sent: Friday, January 31, 2003 8:18 AM
> To: freebsd-questions@freebsd.org
> Subject: please comment on my nat/ipfw rules (resent)
>
>
> hi all
>
>  i have my test machine set up as a gateway box, with ipfw/natd
> configured on it, set up to filter/redirect packets bound for a
> client on my internal network.
>
>  external ip of my internal client is aliased to the outside nic
of
> the gateway box
>
>
>  gateway machine's kernel has been recompiled with:
>
>  options IPFIREWALL
>  options IPDIVERT
>  options IPFIREWALL_DEFAULT_TO_ACCEPT
>  options IPFIREWALL_VERBOSE
>
>
>
>  gateway's /etc/rc.conf looks like
>
>  defaultrouter="129.x.x.1"
>  hostname="hostname.com"
>  ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
>  #aliasing internal client's ip to the outside nic of gateway box
>  ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
>  #inside nic of gateway box
>  ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
>  gateway_enable="YES"
>  firewall_enable="YES"
>  #firewall_script="/etc/rc.firewall"
>  firewall_type="/etc/ipfw.rules"
>  natd_enable="YES"
>  #natd interface is outside nic
>  natd_interface="xl0"
>  #natd flags redirect any traffic bound for ip of www3 to internal
> ip of www3
>  natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
>  kern_securelevel_enable="NO"
>  .........
>
>
>
>  internal client's /etc/rc.conf looks like
>
>  second machine's /etc/rc.conf:
>
>  defaultrouter="10.0.0.1"
>  ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"
>  ................
>
>
>  looks like this setup is working. the internal client is a basic
> webserver/ftp server. i am able to ftp to it, ssh to it, view
> webpages that it serves up, etc. with it hooked up to the internal
> nic of the gateway box.
>
>  i am now trying to come up with a good set of firewall rules on
the
> gateway box to filter out all unnecessary traffic to my internal
> network. the following is my /etc/ipfw.rules on the gateway box.
>
>  -----------------------------snip------------------------------
>
>  # firewall_type="/etc/ipfw.rules"
>  # enquirer ipfw.rules
>
>  # NAT
>  add 00100 divert 8668 ip from any to any via xl0
>
>  # loopback
>  add 00210 allow ip from any to any via lo0
>  add 00220 deny ip from any to 127.0.0.0/8
>  add 00230 deny ip from 127.0.0.0/8 to any
>
>  #allow tcp in for nfs shares
>  #add 00301 allow tcp from 129.x.x.x to any in via xl0
>  #add 00302 allow tcp from 129.x.x.x to any in via xl0
>
>  #allow tcp in for ftp,ssh, smtp, httpd
>  add 00303 allow tcp from any to any in 21,22,25,80,10000 via xl0
>
>  #deny rest of incoming tcp
>  add 00309 deny log tcp from any to any in established
>
>  #from man 8 ipfw: allow only outbound tcp connections i've
created
>  add 00310 allow tcp from any to any out via xl0
>
>
>  #allow udp in for gateway for DNS
>  add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0
>
>  #allow udp in for nfs shares
>  #add 00401 allow udp from 129.x.x.x to any in recv xl0
>  #add 00402 allow udp from 129.x.x.x to any in recv xl0
>
>  #allow all udp out from machine
>  add 00404 allow udp from any to any out via xl0
>
>  #allow some icmp types (codes not supported)
>  ##########allow path-mtu in both directions
>  add 00500 allow icmp from any to any icmptypes 3
>  ##########allow source quench in and out
>  add 00501 allow icmp from any to any icmptypes 4
>  ##########allow me to ping out and receive response back
>  add 00502 allow icmp from any to any icmptypes 8 out
>  add 00503 allow icmp from any to any icmptypes 0 in
>  ##########allow me to run traceroute
>  add 00504 allow icmp from any to any icmptypes 11 in
>  add 00600 deny log ip from any to any
>
>  #--- end ipfw.rules ---#
>
>  -----------------------------snip------------------------------
>
>
>  any comments on how i could improve this set of ipfw rules to
> better secure my internal client would be appreciated. thanks
again
>
>  redmond
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message



