From owner-freebsd-doc Thu Feb 20 1: 7: 0 2003
Delivered-To: freebsd-doc@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5150B37B412 for ; Thu, 20 Feb 2003 01:06:52 -0800 (PST)
Received: from perrin.int.nxad.com (internal.ext.nxad.com [69.1.70.251]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2415143F75 for ; Thu, 20 Feb 2003 01:06:51 -0800 (PST) (envelope-from sean@perrin.int.nxad.com)
Received: by perrin.int.nxad.com (Postfix, from userid 1001) id 45A0121063; Sun, 16 Feb 2003 23:48:11 -0800 (PST)
Date: Sun, 16 Feb 2003 23:48:11 -0800
From: Sean Chittenden
To: freebsd-doc@FreeBSD.org, marcs@draenor.org
Subject: Update to Dialup firewalling with FreeBSD...
Message-ID: <20030217074811.GN27077@perrin.int.nxad.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="fKov5AqTsvseSZ0Z"
Content-Disposition: inline
User-Agent: Mutt/1.4i
X-PGP-Key: finger seanc@FreeBSD.org
X-PGP-Fingerprint: 3849 3760 1AFE 7B17 11A0 83A6 DD99 E31F BC84 B341
X-Web-Homepage: http://sean.chittenden.org/
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

--fKov5AqTsvseSZ0Z
Content-Type: multipart/mixed; boundary="FUFe+yI/t+r3nyH4"
Content-Disposition: inline

--FUFe+yI/t+r3nyH4
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

This is a pretty simple update that makes the firewall rules used for dialup machines significantly more secure. If there are no objections, I'd like to commit this in a week. -sc

http://people.freebsd.org/~seanc/#dialup_firewall_rules_update

--
Sean Chittenden

--FUFe+yI/t+r3nyH4
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=patch
Content-Transfer-Encoding: quoted-printable

Index: article.sgml
========================================================================
RCS file: /home/ncvs/doc/en_US.ISO8859-1/articles/dialup-firewall/article.sgml,v
retrieving revision 1.26
diff -u -r1.26 article.sgml
--- article.sgml 2 Feb 2003 01:36:40 -0000 1.26
+++ article.sgml 17 Feb 2003 07:25:45 -0000
@@ -64,6 +64,17 @@ =20 + options IPFW2 + + + Enables the new version of IPFW. + Only do this if you're running FreeBSD 4.X, + this is the default in newer versions of + FreeBSD. + + + + options IPFIREWALL_VERBOSE =20 @@ -152,7 +163,7 @@ ppp_nat=3D"YES" ppp_profile=3D"profile" =20 - If so, you will need to specifically disable=20 + If so, you will need to specifically disable ppp_nat by making sure you have ppp_nat=3D"NO" in /etc/rc.conf. You will also need to remove any nat enable yes or @@ -161,15 +172,15 @@ =20 - The ruleset for the firewall + The rule set for the firewall =20 We are nearly done now. All that remains now is to define the firewall rules and then we can reboot and the firewall should be up and running. I realize that everyone will want - something slightly different when it comes to their rulebase. - What I have tried to do is write a rulebase that suits most dialup + something slightly different when it comes to their rule base. + What I have tried to do is write a rule base that suits most dialup users. You can obviously modify it to your needs by using the - following rules as the foundation for your own rulebase. First, + following rules as the foundation for your own rule base. First, let's start with the basics of closed firewalling. What you want to do is deny everything by default and then only open up for the things you really need. Rules should be in the order of @@ -187,13 +198,7 @@ Now, let's look at a sample firewall file, that is commented nicely. =20 - # Firewall rules -# Written by Marc Silver (marcs@draenor.org) -# http://draenor.org/ipfw -# Freely distributable - - -# Define the firewall command (as in /etc/rc.firewall) for easy + # Define the firewall command (as in /etc/rc.firewall)= for easy # reference. Helps to make it easier to read. fwcmd=3D"/sbin/ipfw" =20 
@@ -203,41 +208,35 @@ # Divert all packets through the tunnel interface. $fwcmd add divert natd all from any to any via tun0 =20 -# Allow all data from my network card and localhost. Make sure you -# change your network card (mine was fxp0) before you reboot. :) -$fwcmd add allow ip from any to any via lo0 -$fwcmd add allow ip from any to any via fxp0 - -# Allow all connections that I initiate. -$fwcmd add allow tcp from any to any out xmit tun0 setup +# Allow all connections that have dynamic rules built for them, +# but deny established connections that don't have a dynamic rule. +# See ipfw(8) for details. +$fwcmd add check-state +$fwcmd add deny tcp from any to any established + +# Allow all localhost connections +$fwcmd add allow tcp from me to any out via lo0 setup keep-state +$fwcmd add deny tcp from me to any out via lo0 +$fwcmd add allow ip from me to any out via lo0 keep-state + +# Allow all connections from my network card that I initiate +$fwcmd add allow tcp from me to any out xmit any setup keep-state +$fwcmd add deny tcp from me to any +$fwcmd add allow ip from me to any out xmit any keep-state =20 -# Once connections are made, allow them to stay open. -$fwcmd add allow tcp from any to any via tun0 established - -# Everyone on the internet is allowed to connect to the following +# Everyone on the Internet is allowed to connect to the following # services on the machine. This example specifically allows connections -# to ssh and apache. -$fwcmd add allow tcp from any to any 80 setup -$fwcmd add allow tcp from any to any 22 setup +# to sshd and a webserver. +$fwcmd add allow tcp from any to me dst-port 22,80 in recv any setup keep-= state =20 # This sends a RESET to all ident packets. -$fwcmd add reset log tcp from any to any 113 in recv tun0 - -# Allow outgoing DNS queries ONLY to the specified servers. -$fwcmd add allow udp from any to x.x.x.x 53 out= xmit tun0 - -# Allow them back in with the answers... 
:) -$fwcmd add allow udp from x.x.x.x 53 to any in = recv tun0 - -# Allow ICMP (for ping and traceroute to work). You may wish to -# disallow this, but I feel it suits my needs to keep them in. -$fwcmd add allow icmp from any to any +$fwcmd add reset log tcp from any to me 113 in recv any =20 # Deny all the rest. $fwcmd add deny log ip from any to any =20 You now have a fully functional firewall that will allow on - connections to ports 80 and 22 and will log any other connection + connections to ports 22 and 80 and will log any other connection attempts. Now, you should be able to safely reboot and your firewall should come up fine. If you find this incorrect in anyway or experie= nce any problems, or have any suggestions to improve this page, please @@ -254,7 +253,7 @@ you could be using the built in &man.ppp.8; filters? -=09 + I will have to be honest and say there is no definitive reason why I use ipfw and @@ -323,7 +322,7 @@ =20 This tutorial assumes that you are running - userland-ppp, therefore the supplied ruleset + userland-ppp, therefore the supplied rule set operates on the tun0 interface, which corresponds to the first connection made with &man.ppp.8; (a.k.a. user-ppp). Additional connections would use @@ -336,7 +335,7 @@ tun0 for ppp0. A quick way to edit the firewall rules to reflect this change is shown below. The - original ruleset is backed up as + original rules et is backed up as fwrules_tun0. =20 &prompt.user; cd /etc/firewall --FUFe+yI/t+r3nyH4-- --fKov5AqTsvseSZ0Z Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: Sean Chittenden iD8DBQE+UJO73ZnjH7yEs0ERAqtuAKDmCIsnZFVuHP32eKP1QtIAa/CMCgCg5aCI 3YJLOWnkt4Qj+JKxXZ1BIkE= =uWUS -----END PGP SIGNATURE----- --fKov5AqTsvseSZ0Z-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
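Review bot: in the @@ -64,6 +64,17 @@ hunk, the new description of options IPFW2 is a comma splice and reads as if the option were optional, while the rewritten rule set later in this patch uses keywords (me, dst-port) that the old ipfw does not accept, so the option is required for the article to work on 4.X. Suggest: "Enables the new version of IPFW, which the rule set in this article requires. This is only needed on FreeBSD 4.X; it is the default in newer versions of FreeBSD."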
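Review bot: the @@ -187,13 +198,7 @@ hunk removes the "Written by Marc Silver" credit and the "Freely distributable" notice, which was the only license statement on the sample rule set. Either keep that header (the new rules are still derived from the old file) or record in the commit message that the author, who is CC'd on this mail, agreed to drop it.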
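Review bot: in the @@ -203,41 +208,35 @@ hunk, removing "$fwcmd add allow ip from any to any via fxp0" while keeping "$fwcmd add divert natd all from any to any via tun0" breaks the NAT gateway case the article sets up: a packet from a LAN host arrives on the network card with a non-local source address, none of the new "from me" rules match it, and it hits "$fwcmd add deny log ip from any to any" before it is ever forwarded to tun0 and natd. Either keep an allow rule for the LAN interface (with keep-state on the inbound direction, in the spirit of the rest of the rewrite) or say explicitly in the text that the rule set now only protects the dialup host itself. Two smaller points: dropping "$fwcmd add allow icmp from any to any" without a replacement also blocks inbound ICMP errors such as destination-unreachable and time-exceeded, which come from intermediate routers and so never match a dynamic rule; that breaks path MTU discovery and traceroute, and an "allow icmp from any to me in icmptypes 3,11" style rule would cover it. And the unchanged context line "will allow on connections to ports 22 and 80" looks like a typo for "allow only", worth fixing while the paragraph is being touched.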
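Review bot: the @@ -336,7 +335,7 @@ hunk introduces a typo: the replacement line reads "original rules et is backed up as" and should read "original rule set is backed up as", matching the other ruleset to rule set changes elsewhere in this patch.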