Date: Thu, 25 Nov 1999 10:39:23 -0800 (PST)
From: "Rodney W. Grimes" <rgrimes@gndrsh.dnsmgr.net>
To: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group)
Cc: ahl@austclear.com.au (Tony Landells), ipfw@freebsd.org, arch@freebsd.org
Subject: Re: new IPFW
Message-ID: <199911251839.KAA49143@gndrsh.dnsmgr.net>
In-Reply-To: <199911251534.HAA67071@cwsys.cwsent.com> from Cy Schubert - ITSD Open Systems Group at "Nov 25, 1999 07:33:13 am"
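> In message <199911242148.IAA25984@tungsten.austclear.com.au>, Tony Landells writes:
> > I'd be much happier with something in ipfw that just marked the next line
> > number to be used, preferably in a way that I could get it to move to the
> > next "grouping"--like "set the next rule number to the next multiple of
> > 1000".
>
> This is what I use in one of my dialup scripts at home:
...

And here is another one that's designed to simplify handling client/server
type tcp and udp protocols; it uses fixed rule bases and the port # as an
offset.  Makes for grepping specific types of accept log data from the
ipfw.log files easier [Tab formats probably destroyed by cut-n-paste]:

This is just a snippet of the whole file, but I think one can get the idea
of what we did here.  Note also this is a very open rule set in the calls
to clnsrv, we mainly just monitor for suspicious activity.  The contents of
rc.firewall.conf is up to the reader to figure out...

#!/bin/sh
# GLOBALS to control things, like testing.  Setting fire="echo"
# is real nice for debugging.
fire="/sbin/ipfw"
fadd="${fire} add"

# clnsrv(action, proto, sport, dport, clients, servers)
#
# Add one ipfw rule per client/server pair for a service, then a catch-all
# "log" rule for the same ports, at a rule number derived from the protocol
# and port so ipfw.log lines can be grepped by number:
#   tcp -> 10000 + 10*port, udp -> 40000 + 10*port   (port capped at 1900)
# All pair rules share that number; the catch-all sits at +9.
# Arguments:
#   $1 action   ipfw action for the pair rules, e.g. "allow" or "allow log"
#   $2 proto    "tcp" or "udp"; tcp rules match only connection "setup"
#   $3 sport    source port, or "" for any
#   $4 dport    destination port, or "" for any; picks the rule number when
#               given, otherwise sport does
#   $5 clients  whitespace-separated client addresses (may be empty)
#   $6 servers  whitespace-separated server addresses (may be empty)
# Globals: reads CLASS (not set in this file; presumably rc.firewall.conf -
#   verify), sets action proto sport dport clients servers setup base
#   ruleoffset rule cln srv (sh has no locals here, so they leak).
# Returns: 1 if neither port was given, since the rule number would then
#   be undefined; 0 otherwise (ipfw failures are not checked).
clnsrv() {
  action=$1; shift
  proto=$1; shift
  sport=$1; shift
  dport=$1; shift
  clients=$1; shift
  servers=$1; shift

  if [ X"${proto}" = X"tcp" ]; then
    setup="setup"
    base=10000
  else
    setup=""
    base=40000
  fi

  # Destination port wins when both are given (e.g. the radius calls).
  if [ X"${dport}" = X"" ]; then
    ruleoffset=${sport}
  else
    ruleoffset=${dport}
  fi
  if [ X"${ruleoffset}" = X"" ]; then
    echo "$0: clnsrv ${proto}: need a source or destination port" >&2
    return 1
  fi
  # Cap the offset so the block stays below the per-protocol catch-alls
  # (29999 / 59999).  NB: every port >= 1900 lands in the same block, so
  # log lines for two such services cannot be told apart by rule number.
  if [ "${ruleoffset}" -gt 1899 ]; then
    ruleoffset=1900
  fi
  rule=$(( base + ruleoffset * 10 ))

  # NOTE(review): the posted snippet lost the command prefix on this line;
  # reconstructed from the catch-all rule below, which is the only other
  # place the action/proto words appear.
  for cln in ${clients} ; do
    for srv in ${servers} ; do
      ${fadd} ${rule} ${action} ${proto} from ${cln} ${sport} to ${srv} ${dport} ${setup}
    done
  done

  # Catch-all for the same ports from/to anywhere.  With an empty client
  # or server list this is the ONLY rule added for the service, so how
  # open it is depends entirely on ${CLASS}.  If CLASS is unset the rule
  # starts with "log", which ipfw would presumably reject - verify the
  # conf file sets it before relying on this.
  rule=$(( rule + 9 ))
  ${fadd} ${rule} ${CLASS} log ${proto} from any ${sport} to any ${dport}
}

# Pull in the address variables from the conf file or error out if
# there is not one (keeps one from shooting your feet off!)
# The file is sourced as shell code with this script's (root) privileges,
# so it must be owned by root and writable by nobody else.
if [ -f /etc/rc.firewall.conf ]; then
  . /etc/rc.firewall.conf
else
  echo "$0 - no rc.firewall.conf file!!! Not loading!!!" >&2
  exit 1
fi

... [basic stuff for lo0, rfc1918, and some other not so public data] ...

################################################################################
# TCP/*
#
# Established connections are accepted before any clnsrv block, so the
# pair and catch-all rules below only ever see connection setups.
${fadd} 10000 allow tcp from any to any established
clnsrv "allow " tcp 20 "" "${tcp_ftpdata_c}" "${tcp_ftpdata_s}"
clnsrv "allow " tcp "" 21 "${tcp_ftp_c}" "${tcp_ftp_s}"
clnsrv "allow " tcp "" 22 "${tcp_ssh_c}" "${tcp_ssh_s}"
clnsrv "allow " tcp "" 23 "${tcp_telnet_c}" "${tcp_telnet_s}"
clnsrv "allow " tcp "" 25 "${tcp_smtp_c}" "${tcp_smtp_s}"
clnsrv "allow " tcp "" 43 "${tcp_nicname_c}" "${tcp_nicname_s}"
clnsrv "allow " tcp "" 53 "${tcp_domain_c}" "${tcp_domain_s}"
clnsrv "allow " tcp "" 79 "${tcp_finger_c}" "${tcp_finger_s}"
clnsrv "allow " tcp "" 80 "${tcp_http_c}" "${tcp_http_s}"
clnsrv "allow " tcp "" 110 "${tcp_pop3_c}" "${tcp_pop3_s}"
clnsrv "allow " tcp "" 111 "${tcp_sunrpc_c}" "${tcp_sunrpc_s}"
clnsrv "allow " tcp "" 113 "${tcp_auth_c}" "${tcp_auth_s}"
clnsrv "allow " tcp "" 119 "${tcp_nntp_c}" "${tcp_nntp_s}"
clnsrv "allow " tcp "" 123 "${tcp_ntp_c}" "${tcp_ntp_s}"
clnsrv "allow " tcp "" 137 "${tcp_netbios_ns_c}" "${tcp_netbios_ns_s}"
clnsrv "allow " tcp "" 138 "${tcp_netbios_dgm_c}" "${tcp_netbios_dgm_s}"
clnsrv "allow " tcp "" 139 "${tcp_netbios_ssn_c}" "${tcp_netbios_ssn_s}"
clnsrv "allow " tcp "" 179 "${tcp_bgp_c}" "${tcp_bgp_s}"
clnsrv "allow " tcp "" 443 "${tcp_https_c}" "${tcp_https_s}"
clnsrv "allow " tcp "" 515 "${tcp_printer_c}" "${tcp_printer_s}"
clnsrv "allow " tcp "" 5190 "${tcp_aol_c}" "${tcp_aol_s}"
# XXX For now log all other TCP setups
${fadd} 29999 allow log tcp from any to any setup

################################################################################
# UDP/*
#
# Reversed calls (sport set, dport "", servers as "clients") cover the
# reply direction; they land in the same rule block as the forward call.
clnsrv "allow " udp "" 53 "${udp_domain_c}" "${udp_domain_s}"
clnsrv "allow " udp 53 "" "${udp_domain_s}" "${udp_domain_c}"
clnsrv "allow " udp "" 123 "${udp_ntp_c}" "${udp_ntp_s}"
clnsrv "allow " udp "" 137 "${udp_netbios_ns_c}" "${udp_netbios_ns_s}"
clnsrv "allow " udp "" 138 "${udp_netbios_dgm_c}" "${udp_netbios_dgm_s}"
clnsrv "allow log" udp "" 139 "${udp_netbios_ssn_c}" "${udp_netbios_ssn_s}"
clnsrv "allow " udp "" 161 "${udp_snmp_c}" "${udp_snmp_s}"
clnsrv "allow " udp 161 "" "${udp_snmp_s}" "${udp_snmp_c}"
clnsrv "allow " udp "" 162 "${udp_snmptrap_c}" "${udp_snmptrap_s}"
clnsrv "allow " udp 162 "" "${udp_snmptrap_s}" "${udp_snmptrap_c}"
clnsrv "allow " udp "" 512 "${udp_biff_c}" "${udp_biff_s}"
clnsrv "allow " udp "" 513 "${udp_who_c}" "${udp_who_s}"
clnsrv "allow " udp "" 514 "${udp_syslog_c}" "${udp_syslog_s}"
clnsrv "allow " udp "" 515 "${udp_printer_c}" "${udp_printer_s}"
clnsrv "allow " udp "" 516 "${udp_videotex_c}" "${udp_videotex_s}"
clnsrv "allow " udp "" 517 "${udp_talk_c}" "${udp_talk_s}"
clnsrv "allow " udp "" 518 "${udp_ntalk_c}" "${udp_ntalk_s}"
clnsrv "allow " udp "" 519 "${udp_utime_c}" "${udp_utime_s}"
clnsrv "allow " udp "" 520 "${udp_router_c}" "${udp_router_s}"
clnsrv "allow " udp "" 521 "${udp_ripng_c}" "${udp_ripng_s}"
clnsrv "allow " udp 1645 1645 "${udp_radius_c}" "${udp_radius_s}"
clnsrv "allow " udp 1645 1645 "${udp_radius_s}" "${udp_radius_c}"
clnsrv "allow " udp 1646 1646 "${udp_radacct_c}" "${udp_radacct_s}"
clnsrv "allow " udp 1646 1646 "${udp_radacct_s}" "${udp_radacct_c}"
clnsrv "allow " udp 1812 1812 "${udp_radius_c}" "${udp_radius_s}"
clnsrv "allow " udp 1812 1812 "${udp_radius_s}" "${udp_radius_c}"
clnsrv "allow " udp 1813 1813 "${udp_radacct_c}" "${udp_radacct_s}"
clnsrv "allow " udp 1813 1813 "${udp_radacct_s}" "${udp_radacct_c}"
clnsrv "allow " udp "" 4000 "${udp_4000_c}" "${udp_4000_s}"
clnsrv "allow " udp 4000 "" "${udp_4000_s}" "${udp_4000_c}"
${fadd} 59999 allow log udp from any to any

much much more below here deleted...

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message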