Date: Tue, 24 Feb 2004 13:33:21 +0200 From: "Pons" <pons@gmx.li> To: <freebsd-security@freebsd.org> Subject: improve ipfw rules Message-ID: <002701c3faca$02f64e60$0503050a@sdc.com.jo> References: <200402200931.i1K9V9HV010992@caligula.anu.edu.au>
next in thread | previous in thread | raw e-mail | index | archive | help
I have configured a FreeBSD 5.1 rel box 2 NIC's (Ext.ip/Int.ip)
with ipfw/natd/squid the setup is working
/etc/rc.conf
--------------------//-----------------------
gateway_enable="YES"
inetd_enable="YES"
linux_enable="YES"
moused_enable="YES"
usbd_enable="YES"
natd_enable="YES"
natd_interface="rl1"
natd_flags="-s -u -m"
firewall_enable="YES"
firewall_logging_enable="YES"
firewall_quiet="NO"
#firewall_type="open"
firewall_script="/etc/rc.ipfw"
#firewall_type="/etc/ipfw.rules"
snmpd_enable="YES"
tcp_extensions="NO"
tcp_drop_synfin="YES"
tcp_keepalive="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
sshd_enable="YES"
update_motd="NO"
My Kernel conf
---------------------------------//-------------------
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPDIVERT #divert sockets
options IPFIREWALL_VERBOSE_LIMIT=100
#options IPFIREWALL_DEFAULT_TO_ACCEPT
options RANDOM_IP_ID
options DUMMYNET
options IPFIREWALL_FORWARD
options TCP_DROP_SYNFIN
options IPSTEALTH
#options "ICMP_BANDLIM"
My Rule Set
/etc/rc.ipfw
--------------------//----------------------
# This file is a modified version of /etc/rc.firewall.
#
# Maintained by: D. O'Connor
# Modified: 7/18/2000.
#
# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
if [ -n "${1}" ]; then
firewall_type="${1}"
fi
# Firewall program
fwcmd="/sbin/ipfw"
# Outside interface network and netmask and ip
oif="rl1"
onet="f.g.h.0"
omask="255.255.255.240"
oip="f.g.h.k"
# Inside interface network and netmask and ip
iif="rl0"
inet="a.b.0.0"
imask="255.255.0.0"
iip="1.2.3.4"
# My ISP's DNS servers
dns1="X.Y.W.Z"
dns2="A.B.C.D"
# Flush previous rules
${fwcmd} -f flush
# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via ${natd_interface}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
#Freebsd Install anleitungen http://freebsd.mountpoint.net
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
# Allow established connections with minimal overhead
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
### TCP RULES
# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup
#${fwcmd} add deny tcp from any to any 80 setup
#${fwcmd} add pass tcp from any to any 80 setup
# HTTP - Deny access to our web server
#${fwcmd} add deny tcp from any to any 80 setup
# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup
# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup
# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup
# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
### UDP RULES
# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any
# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}
# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add pass log udp from any to any 514 via ${iif}
# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}
# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}
### ICMP RULES
# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}
# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}
# Allow Destination Unreachable, Source Quench, Time
# Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}
# Deny the rest of them
${fwcmd} add deny icmp from any to any
### MISCELLANEOUS REJECT RULES
# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}
# Reject&Log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}
# Reject&Log all other connections from outside interface
${fwcmd} add 65000 deny log ip from any to any via ${oif}
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
------------//---------------
/etc/sysctl.conf
# Uncomment this to prevent users from seeing information about processes
that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.forwarding=1
1.I want implement more security in my rules.
I want to improve my Security rule sets in rc.ipfw
If any one have any comments about it
2. I am running proxy server squid on the same box which is running IPFW...
I want my client access the HTTP only through the proxy and
and deny access for people who is not using the proxy setting
proxy_ip_X.X.X.X:3128 in the IExplorer
in my firewall i am allowing the following
# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup
How Can I implement this?
3. I'm intrested in blocking kazaa/P2P trafic with IPFW
any help in this issue
4. what should i include in /etc/sysctl.conf against DoS attack , spoof
..etc
5. I want to allow only one specific IP (5.6.7.8) to manage the box by
accessing it via ssh only
Thanks
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002701c3faca$02f64e60$0503050a>