Date: Fri, 31 Jan 2003 17:04:43 -0500
From: "JoeB" <barbish@a1poweruser.com>
To: "Redmond Militante" <r-militante@northwestern.edu>, <freebsd-questions@freebsd.org>
Subject: RE: please comment on my nat/ipfw rules (resent)
Message-ID: <MIEPLLIBMLEEABPDBIEGKEAHDFAA.barbish@a1poweruser.com>
In-Reply-To: <20030131203711.GI29383@darkpossum>
Here is my IPFILTER environment config. I have also included some other hard to find kernel internal knobs to add tighter packet security.

http://www.obfuscation.org/ipf/
http://www.obfuscation.org/ipf/ipf-howto.html

/etc/rc.conf

# Activate IPFILTER IPNAT function auto start at boot time
ipfilter_enable="YES"             # Start ipfilter firewall
ipfilter_flags=""                 # turn off flags
ipfilter_rules="/etc/ipf.rules"   # rules definition file for ipfilter
ipnat_enable="YES"                # Start ipnat function
ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat
ipmon_enable="YES"                # Start ip monitor log
ipmon_flags="-Ds"                 # D = start as daemon
                                  # s = log to syslog
                                  # v = log tcp window, ack, seq fields
                                  # n = map ip & port to names

# Extra kernel tcp/ip stack packet security options
log_in_vain="YES"          # NO is default. YES enables logging of
                           # connection attempts to ports that have no
                           # listening socket on them. Puts msg on console
icmp_drop_redirect="YES"   # YES will cause the kernel to ignore
                           # ICMP REDIRECT packets.
icmp_log_redirect="YES"    # YES will cause the kernel to log ignored
                           # ICMP REDIRECT packets.
#tcp_drop_synfin="YES"     # YES will cause the kernel to ignore TCP
                           # frames that have both the SYN and FIN flags
                           # set. Only available if the kernel was built
                           # with the TCP_DROP_SYNFIN option.
                           # change to NO if webserver behind firewall.
tcp_restrict_rst="YES"     # YES will cause the kernel to refrain from
                           # emitting TCP RST frames in response to
                           # invalid TCP packets (e.g., frames destined
                           # for closed ports). This option is only
                           # available if the kernel was built with the
                           # TCP_RESTRICT_RST option.
syslogd_flags="-ss"        # Don't use network sockets so portscan
                           # will not find (security tip)
portmap_enable="NO"        # Don't allow nfs portmapper (security tip)

/etc/ipnat.rules

# Provide NAT services for LAN users.
# NAT my private LAN ip address to whatever my dynamic ISP address is.
map rl0 10.0.10.0/29 -> 0/32

# Provide NAT services for user ppp Dial in tun0 connections.
map rl0 10.0.0.0/29 -> 0/32

# Provide special NAT services for Active FTP from LAN users.
map rl0 0/0 -> 0/32 proxy port 21 ftp/tcp

/etc/ipf.rules

# usage notes:
# 1. rule line numbers in rule file are not used in
#    ipfstat -ion listing of active rules
# 2. keep state is applied on private ip address before being
#    handed off to nat function.
# 3. /etc/rc.conf file has ipfilter options to tell ipmon what
#    info to log. -a rule with log option + nat convert + keep state

#################################################################
#
# Generic for all interfaces
#
#################################################################
@010 block in log quick all with opt lsrr
@011 block in log quick all with opt ssrr
@012 block in log quick all with ipopts
@013 block in log quick all with short
@014 block in log quick all with frag

#################################################################
# Outside Interface to Public internet (Outbound Section)
# Interrogate packets originating from behind the firewall, private net,
# destined for the public internet.
#################################################################

# Allow out access to my ISP's Domain name server.
@100 pass out quick on rl0 proto tcp from any to 24.50.201.66 port = 53 flags S keep state
@101 pass out quick on rl0 proto udp from any to 24.50.201.66 port = 53 keep state
@102 pass out quick on rl0 proto tcp from any to 24.50.201.67 port = 53 flags S keep state
@103 pass out quick on rl0 proto udp from any to 24.50.201.67 port = 53 keep state
@104 pass out quick on rl0 proto tcp from any to 24.50.201.69 port = 53 flags S keep state
@105 pass out quick on rl0 proto udp from any to 24.50.201.69 port = 53 keep state

# Allow out access to my ISP's DHCP server.
@106 pass out quick on rl0 proto udp from any to 24.50.201.66 port = 67 keep state

# Allow out non-secure standard www function
@110 pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
@115 pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
@130 pass out quick on rl0 proto tcp from any to any port = 110 flags S keep state
@131 pass out quick on rl0 proto tcp from any to any port = 25 flags S keep state

# Allow out Time
@140 pass out quick on rl0 proto tcp from any to any port = 37 flags S keep state

# Allow out nntp news
#@150 pass out quick on rl0 proto tcp from any to any port = 119
@150 pass out quick on rl0 proto tcp from any to any port = 119 flags S keep state

# Allow out passive FTP for LAN PC FTP to public Internet
@160 pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
@161 pass out quick on rl0 proto tcp from any to any port > 1023 flags S keep state

# Allow out ping to public Internet
@170 pass out quick on rl0 proto icmp from any to any icmp-type 8 keep state

# Allow out whois for LAN PC to public Internet
@172 pass out quick on rl0 proto tcp from any to any port = 43 flags S keep state

# Allow out traceroute to public Internet
@180 pass out quick on rl0 proto udp from any to any port 33434 >< 33690 keep state

# block ports that show on log and are ok to stop logging
# Deny tcp port 81 - hosts2 name server. winme is doing this.
@190 block out quick on rl0 proto tcp from any to any port = 81

# Deny Everything else trying to get out.
@199 block out log quick on rl0 all

#################################################################
# Outside Interface to Public internet (Inbound Section)
# Interrogate packets originating from the public internet,
# destined for the firewall or the private net behind it.
#################################################################

# Allow traffic in from ISP's DHCP server.
@300 pass in quick on rl0 proto udp from 24.50.201.66 to any port = 68 keep state

# Deny all Adelphia broadcast stuff so it does not show in log as default block
@310 block in quick on rl0 proto udp from any to 255.255.255.255
@311 block in quick on rl0 proto tcp/udp from 0.0.0.0 to any
@312 block in quick on rl0 proto igmp from any to any

# Allow in non-secure standard www function
@320 pass in quick on rl0 proto tcp from 63.70.155.0/24 to any port = 80 flags S keep state

# Allow in Telnet
@330 pass in quick on rl0 proto tcp from 63.70.155.0/24 to any port = 23 flags S keep state

# Allow in ping from public Internet
@340 pass in quick on rl0 proto icmp from 63.70.155.0/24 to any icmp-type 8 keep state

# Deny ping so it does not show in log
@350 block in quick on rl0 proto icmp all

# Deny ident so it does not show in log
@351 block in quick on rl0 proto tcp from any to any port = 113

# Block and log all remaining traffic coming into the firewall
@399 block in log quick on rl0 all

#################################################################
# Inside Interface local Lan Nic
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic
#----------------------------------------------------------------
@500 pass out quick on xl0 proto tcp from any to any
@501 pass out quick on xl0 proto udp from any to any
@502 pass out quick on xl0 proto icmp from any to any
@503 block out log quick on xl0 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic
#----------------------------------------------------------------
@520 pass in quick on xl0 proto tcp from any to any
@521 pass in quick on xl0 proto udp from any to any
@522 pass in quick on xl0 proto icmp from any to any
@523 block in log quick on xl0 all

#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
@700 pass in quick on lo0 all
@701 pass out quick on lo0 all

kernel source compile options

options IPFILTER                # Adds filtering code into kernel
options IPFILTER_LOG            # enable logging
options IPFILTER_DEFAULT_BLOCK  # block all packets by default
#
# The following options add sysctl variables for controlling how certain
# TCP packets are handled by the kernel.
#
options ICMP_BANDLIM            # Enables icmp error response bandwidth
                                # limiting. This will help protect from
                                # D.O.S. packet attacks.
options RANDOM_IP_ID            # Randomizes the IP ID field of outgoing
                                # packets
#options TCP_DROP_SYNFIN        # Adds support for ignoring TCP packets
                                # with SYN+FIN. This prevents nmap from
                                # identifying the TCP/IP stack, but
                                # breaks support for RFC1644 extensions
                                # & is not recommended for web servers
                                # behind the firewall.
                                # not supported in 4.4 and newer
#options TCP_RESTRICT_RST       # Adds support for blocking emission of
                                # TCP RST packets. Useful in limiting
                                # SYN floods & port scanning. Replaced by
                                # the sysctl knob blackhole.

/etc/sysctl.conf

####################################################################
#
# The sysctl.conf file contains MIB's to change the default setting of
# internal options of the kernel at boot up time. MIB's which control
# how packets are handled get control before the packet is handed off
# to the firewall (IPFW or IPFILTER). Some of these MIB's may seem
# like they are doing the same thing, but because there is no FBSD
# provided documentation on the order these MIB's get control, they
# all get enabled here and we let the kernel do its thing.
#
# NOTE: Some of these MIB's can also be set in rc.conf and or the kernel
# source. This will not hurt anything.
#
# This sysctl.conf created 3/22/2002 by Joe Barbish.
#
####################################################################

# To defend against SYN attacks more commonly known as SYNFLOOD attacks,
# the two queues which are targeted by this type of attack should have their
# size increased so that the queues can withstand an attack of low to moderate
# intensity with little to no effect on the stability or availability of the
# server. FBSD maintains separate queues for inbound socket connection
# requests. One queue is for half-open sockets (SYN received, SYN|ACK sent),
# the other queue for fully-open sockets awaiting an accept() call from the
# application. The following statement increases the queue size from 128.
kern.ipc.somaxconn=1024

# Redirect attacks is the purposeful mass issuing of redirects.
# In a normal network, redirects to the end stations should not be required.
# To defend against this type of attack both the sending and accepting of
# redirects should be disabled. In the following statements, the first enables
# the special kernel MIB to drop these attacks, the second turns off the logging
# of attacks because there is no limit and this could fill up your logs,
# consuming your whole hard drive, and the last statement changes the
# FBSD default from yes to no.
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0

# Source routing is another way for an attacker to try to reach non routable
# addresses behind your box. It can also be used to probe for information
# about your internal networks. These functions come enabled as part of the
# standard FBSD core system. The following will disable them.
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0

# By allowing aged ARP entries to remain cached or lying around allows for
# the possibility of a hacker to create a resource exhaustion or
# performance degradation by filling the IP route cache with bogus
# ARP entries. This in turn can be used as a Denial of Service attack.
# To prevent this sort of problem the following statement shortens the
# amount of time an ARP entry will be cached from 1200.
net.link.ether.inet.max_age=600

# To protect your box from the well publicized SMURF attack. This attack
# works by sending ICMP 8 0 (ECHO REQUEST) messages to a broadcast address
# from a spoofed address. If the host is a firewall (router), it should
# not propagate directed broadcasts.
# The following statement sets the default to no broadcasts.
net.inet.icmp.bmcastecho=0

# To change the system behavior when connection requests are received
# on TCP or UDP ports where there is no socket listening. The normal behavior,
# when a TCP SYN segment is received on a port where there is no socket
# accepting connections, is for the system to return a RST segment, and drop
# the connection. The connecting system will see this as a
# "Connection reset by peer".
#
# By turning the TCP black hole MIB on to a numeric value of one, the
# incoming SYN segment is merely dropped, and no RST is sent, making the
# system appear as a blackhole.
#
# By setting the MIB value to two, any segment arriving on a closed port is
# dropped without returning a RST.
# This provides some degree of protection against stealth port scans.
# The following enables this MIB.
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

# The log_in_vain MIB will provide you with logging of attempted connections
# to your box on any port which does not have a server running on it.
# For example, if you do not have a DNS server on your computer and someone
# would try to access your computer through DNS port 53, you would see a
# message such as: Connection attempt to UDP yourIP:53 from otherIP:X
# (where X is some high port #) displayed on the root console screen. This
# message also gets posted to /var/log/messages & /var/log/security.log.
# The following statements enable this function.
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1

# To increase the size of your TCP window to allow for more efficient
# transfers, particularly bulk transfers such as FTP. The maximum value
# suggested is 32768 bytes. Change from 16384. In release 4.5 the defaults
# for these values changed upwards to what they are below.
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=65536

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Redmond Militante
Sent: Friday, January 31, 2003 3:37 PM
To: JoeB; freebsd-questions@freebsd.org
Subject: Re: please comment on my nat/ipfw rules (resent)

hi

you've sold me :)

do you have any good online tutorials to recommend for setting up a
gateway/firewall/natd machine using ipfilter/ipnat?

thanks
redmond

> 1. Your firewall rules are not working at all, except for the natd
> redirect option. This is caused by the kernel compile time option
> IPFIREWALL_DEFAULT_TO_ACCEPT. This option tells your firewall that
> any packet that does not match a rule is allowed to pass on through
> the firewall. Comment out that option in your kernel options source
> and recompile your kernel to take the default of default-to-deny and
> your current rules set will stop functioning.
>
> 2. You are using the simplest of the rule types 'state-less'. Using
> this type of rules you have to not only have a rule to allow the
> packet out, you also have to have a rule to allow the packet in. See
> rules 220 & 230 of your posted rule set to see how it should be
> done.
>
> 3. There are 3 classes of rules, each class has separate packet
> interrogation abilities. Each proceeding class has greater packet
> interrogation abilities than the previous one. These are stateless,
> simple stateful, and advanced stateful. The advanced stateful rule
> class is the only class having technically advanced interrogation
> abilities capable of defending against the flood of different attack
> methods currently employed by perpetrators. Stateless and Simple
> Stateful IPFW firewall rules are inadequate to protect the user's
> system in today's internet environment and leave the user
> unknowingly believing they are protected when in reality they are
> not.
>
>
> 4. The advanced stateful rule option keep-state works as documented
> only when used in a rule set that does not use the divert rule.
> Simply stated the IPFW advanced stateful rule option keep-state does
> not function correctly when used in an IPFW firewall that also is
> using the IPFW built in NATD function. For the most complete
> keep-state protection the other FIREWALL solution (IPFILTER) that
> comes with FBSD should be used. Just checkout the IPFW list archives
> and you will see this subject discussed in detail without any
> solution forthcoming.
>
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Redmond
> Militante
> Sent: Friday, January 31, 2003 8:18 AM
> To: freebsd-questions@freebsd.org
> Subject: please comment on my nat/ipfw rules (resent)
>
>
> hi all
>
> i have my test machine set up as a gateway box, with ipfw/natd
> configured on it, set up to filter/redirect packets bound for a
> client on my internal network.
>
> external ip of my internal client is aliased to the outside nic of
> the gateway box
>
>
> gateway machine's kernel has been recompiled with:
>
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_VERBOSE
>
>
> gateway's /etc/rc.conf looks like
>
> defaultrouter="129.x.x.1"
> hostname="hostname.com"
> ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
> #aliasing internal client's ip to the outside nic of gateway box
> ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
> #inside nic of gateway box
> ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
> gateway_enable="YES"
> firewall_enable="YES"
> #firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> natd_enable="YES"
> #natd interface is outside nic
> natd_interface="xl0"
> #natd flags redirect any traffic bound for ip of www3 to internal
> #ip of www3
> natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
> kern_securelevel_enable="NO"
> .........
>
>
> internal client's /etc/rc.conf looks like
>
> second machine's /etc/rc.conf:
>
> defaultrouter="10.0.0.1"
> ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"
> ................
>
>
> looks like this setup is working. the internal client is a basic
> webserver/ftp server. i am able to ftp to it, ssh to it, view
> webpages that it serves up, etc. with it hooked up to the internal
> nic of the gateway box.
>
> i am now trying to come up with a good set of firewall rules on the
> gateway box to filter out all unnecessary traffic to my internal
> network. the following is my /etc/ipfw.rules on the gateway box.
>
> -----------------------------snip------------------------------
>
> # firewall_type="/etc/ipfw.rules"
> # enquirer ipfw.rules
>
> # NAT
> add 00100 divert 8668 ip from any to any via xl0
>
> # loopback
> add 00210 allow ip from any to any via lo0
> add 00220 deny ip from any to 127.0.0.0/8
> add 00230 deny ip from 127.0.0.0/8 to any
>
> #allow tcp in for nfs shares
> #add 00301 allow tcp from 129.x.x.x to any in via xl0
> #add 00302 allow tcp from 129.x.x.x to any in via xl0
>
> #allow tcp in for ftp,ssh, smtp, httpd
> #(destination ports go after the destination address, before "in")
> add 00303 allow tcp from any to any 21,22,25,80,10000 in via xl0
>
> #deny rest of incoming tcp
> add 00309 deny log tcp from any to any in established
>
> #from man 8 ipfw: allow only outbound tcp connections i've created
> add 00310 allow tcp from any to any out via xl0
>
>
> #allow udp in for gateway for DNS
> add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0
>
> #allow udp in for nfs shares
> #add 00401 allow udp from 129.x.x.x to any in recv xl0
> #add 00402 allow udp from 129.x.x.x to any in recv xl0
>
> #allow all udp out from machine
> add 00404 allow udp from any to any out via xl0
>
> #allow some icmp types (codes not supported)
> ##########allow path-mtu in both directions
> add 00500 allow icmp from any to any icmptypes 3
> ##########allow source quench in and out
> add 00501 allow icmp from any to any icmptypes 4
> ##########allow me to ping out and receive response back
> add 00502 allow icmp from any to any icmptypes 8 out
> add 00503 allow icmp from any to any icmptypes 0 in
> ##########allow me to run traceroute
> add 00504 allow icmp from any to any icmptypes 11 in
> add 00600 deny log ip from any to any
>
> #--- end ipfw.rules ---#
>
> -----------------------------snip------------------------------
>
>
> any comments on how i could improve this set of ipfw rules to
> better secure my internal client would be appreciated.
> thanks again
>
> redmond
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
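A hand-numbered ipf.rules file like the one posted above is easy to get subtly wrong (a rule left without an @number, the same @number used twice, a tcp pass rule that keeps state without "flags S" so any stray segment can seed a state entry). The following Python linter is an added example, not code from the mail or from IPFilter; it assumes one rule per line in the "@num action direction ... " form used above, and the excerpt it checks is constructed.

```python
"""Lint an IPFilter rules file for slips that are easy to make by hand.

Added example, not from the original mail.  Three checks: a rule with no
@number, a duplicate @number, and a TCP pass rule on the outside interface
that keeps state without 'flags S'.
"""
from collections import Counter


def parse_rule(line):
    """Split one ipf rule line into the fields the linter looks at."""
    toks = line.split()
    rule = {"num": None, "text": line}
    if toks[0].startswith("@"):
        rule["num"] = int(toks[0][1:])
        toks = toks[1:]
    rule["action"], rule["direction"] = toks[0], toks[1]
    rule["iface"] = toks[toks.index("on") + 1] if "on" in toks else None
    rule["proto"] = toks[toks.index("proto") + 1] if "proto" in toks else None
    rule["keep_state"] = "keep state" in line
    rule["flags_syn"] = "flags S" in line
    return rule


def parse_rules(text):
    """Drop comments and blank lines, parse the rest, remember line numbers."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if body:
            rule = parse_rule(body)
            rule["line"] = lineno
            rules.append(rule)
    return rules


def lint(text, ext_iface):
    """Return (line, message) findings for the rules file text."""
    rules = parse_rules(text)
    counts = Counter(r["num"] for r in rules if r["num"] is not None)
    findings = []
    for r in rules:
        if r["num"] is None:
            findings.append((r["line"], "rule has no @number"))
        elif counts[r["num"]] > 1:
            findings.append((r["line"], "duplicate rule number @%03d" % r["num"]))
        if (r["action"] == "pass" and r["proto"] == "tcp"
                and r["iface"] == ext_iface
                and r["keep_state"] and not r["flags_syn"]):
            findings.append((r["line"], "tcp keep state without 'flags S'"))
    return findings


# Constructed excerpt (not the full posted file) containing each kind of slip.
SAMPLE = """\
# Allow out Time
@140 pass out quick on rl0 proto tcp from any to any port = 37 keep state
# Allow out traceroute to public Internet
pass out quick on rl0 proto udp from any to any port 33434 >< 33690 keep state
@520 pass in quick on xl0 proto tcp from any to any
@501 pass in quick on xl0 proto udp from any to any
@501 pass out quick on xl0 proto udp from any to any
"""

if __name__ == "__main__":
    for line, msg in lint(SAMPLE, "rl0"):
        print("line %d: %s" % (line, msg))
```

Run it against the real file with lint(open("/etc/ipf.rules").read(), "rl0") and compare the @numbers it reports against ipfstat -ion, which shows the rules as the kernel actually loaded them.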