Date: Mon, 3 Feb 2003 17:32:56 -0600
From: Redmond Militante <r-militante@northwestern.edu>
To: freebsd-questions@freebsd.org
Subject: ipf/ipnat setup
Message-ID: <20030203233255.GA2517@darkpossum>
hi all

setting up ipf/ipnat on a gateway box to protect a single workstation was pretty painless. i'm now trying to protect two servers - a web/ftp server and a mysql server - through an ipf/ipnat gateway box, and am running into some problems

most of my setup i've gleaned from JoeB and people on this list, as well as tutorials on schlacter.net and obfuscation.org/ipf

the problems i'm having right now - i can't seem to get passive ftp working on the webserver through the gateway. active works fine. i've commented my ipf.rules and ipnat.rules where i *thought* i was allowing passive ftp connections, but was unsuccessful (connection times out or connects, but doesn't give directory listing). webmin on the webserver and db server doesn't work through the nat, despite the fact i have port 10000 open. also - i can't seem to successfully connect the webserver and db server to the gateway at the same time - when a second machine is hooked up, it hangs when trying to mount nfs shares and when initiating sendmail. i can't get a successful mysql connection through the gateway, but that may be more a mysql permissions/coding problem than an ipf problem. regardless, i'm stumped.

if anyone sees anything glaringly wrong - i probably messed up in several places - i'd really appreciate it if you could help me out

gateway: 129.0.0.1 bound to outside nic, 192.168.1.1 to inner nic
webserver 192.168.1.50, gateway is inner nic on gateway box
db server 192.168.1.51, gateway is inner nic on gateway box
ip's of db and webserver are aliased to xl0 on gateway box

/etc/rc.conf
-------------
hostname="gateway.ipfipnat.com"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
network_interfaces="xl0 xl1 lo0"
#aliasing webserver's ip to the outside nic of gateway box
ifconfig_xl0_alias0="inet 129.x.x.6 netmask 255.0.0.0"
#aliasing db server's ip to the outside nic of gateway box
ifconfig_xl0_alias1="inet 129.x.x.5 netmask 255.0.0.0"
#inside nic of gateway box
ifconfig_xl1="inet 192.168.1.1 netmask 255.0.0.0"
ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
icmp_drop_redirect="YES"
gateway_enable="YES"
--------------

/etc/ipf.rules
--------------
#################################################################
# Outside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example).
# So, the first line, below, would be
# replaced with:
# pass out quick on xl0 proto tcp from any to any port = 25 keep state
# pass out quick on xl0 proto tcp from any to any port = 110 keep state
# pass out quick on xl0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all

#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
block in log quick on xl0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in log quick on xl0 from 172.16.0.0/12 to any #RFC 1918 private IP
block in log quick on xl0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in log quick on xl0 from 127.0.0.0/8 to any #loopback
block in log quick on xl0 from 0.0.0.0/8 to any #loopback
block in log quick on xl0 from 169.254.0.0/16 to any #DHCP auto-config
block in log quick on xl0 from 192.0.2.0/24 to any #reserved for doc's
block in log quick on xl0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any #Class D & E multicast

#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
#----------------------------------------------------------------
pass in quick on xl0 proto udp from 129.105.49.1/32 to any port = 53 keep state
pass in quick on xl0 proto udp from 129.105.49.10/32 to any port = 68 keep state

#----------------------------------------------------------------
# If you wanted to set up a web server or mail server on your box
# (which is outside the scope of this howto), or allow another system
# on the Internet to externally SSH into your firewall, you'd want to
# uncomment the following lines and modify as appropriate. If you
# have other services running that you need to allow external access
# to, just add more lines using these as examples.
#
# If the services are on a box on your internal network (rather than
# the firewall itself), you'll have to add both the filter listed below,
# plus a redirect rule in your /etc/ipnat.rules file.
#----------------------------------------------------------------
#the following allows httpd traffic, smtp, sendmail, ftp and webmin traffic
pass in quick on xl0 proto tcp from any to 192.168.1.50/8 port = 80 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state keep frags
#allow for active ftp connections
pass in quick on xl0 proto tcp from any to 192.168.1.50/8 port = 21 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 443 flags S keep state
pass in quick on xl0 proto tcp from any to port = 3306 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 10000 flags S keep state keep frags
#allow for passive ftp connections
pass in quick on xl0 proto tcp from any to any port > 1023 flags S keep state
#allowing all tcp/udp packets for nfs servers to mount volumes, i know this isn't the most secure...
pass in quick on xl0 proto tcp from 129.x.x.23/24 to any keep state
pass in quick on xl0 proto udp from 129.x.x.23/24 to any keep state
pass in quick on xl0 proto tcp from 129.x.x.32/24 to any keep state
pass in quick on xl0 proto udp from 129.x.x.32/24 to any keep state
#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
#   isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
#   as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all

#################################################################
# Inside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on xl1 proto tcp from any to any keep state
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all

#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
-----------------

/etc/ipnat.rules
-----------------
map xl0 192.168.1.0/24 -> 0/32
#i commented this line out - supposedly it would give me passive ftp support
#map xl0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
#--------------------------------------------------------------------
# If you have a system on your internal network that needs to be
# 'reachable' by external systems on the internet, you'll need a rule
# similar to the one below. This one takes all inbound http traffic
# (TCP port 80) that hits the firewall's external interface (xl0) and
# redirects it to port 80 on the 192.168.1.50 system on the internal network.
# Simply uncomment the rule, change the IP address and port number so that
# it does what you need. Remember that you have to enable the corresponding
# inbound filter in your /etc/ipf.rules file, too.
#--------------------------------------------------------------------
#ftp for webserver
rdr xl0 0.0.0.0/0 port 21 -> 192.168.1.50 port 21 tcp
#mail
rdr xl0 0.0.0.0/0 port 25 -> any port 25 tcp
#http for webserver
rdr xl0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp
#trying to get webmin support here, failing miserably
rdr xl0 0.0.0.0/0 port 10000 -> any port 10000 tcp
#trying to get passive ftp support here, failing miserably
rdr xl0 0.0.0.0/0 port > 1023 -> 192.168.1.50 port > 1023 tcp
#trying to get mysql support here, failing miserably
rdr xl0 0.0.0.0/0 port 3306 -> any port 3306 tcp
#allow connection for nfs mounts
rdr xl0 129.x.x.23/24 -> any tcp
rdr xl0 129.x.x.23/24 -> any udp
rdr xl0 129.x.x.32/24 -> any tcp
rdr xl0 129.x.x.32/24 -> any udp

kernel compiled with
-----------------
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

# The following options add sysctl variables for controlling how certain
# TCP packets are handled by the kernel.
#
options ICMP_BANDLIM            # Enables icmp error response bandwidth
                                # limiting. This will help protect from
                                # D.O.S. packet attacks.
options RANDOM_IP_ID            # Randomizes the packet sequence number
#options TCP_DROP_SYNFIN        # Adds support for ignoring TCP packets
                                # with SYN+FIN. This prevents nmap from
                                # identifying the TCP/IP stack, but
                                # breaks support for RFC1644 extensions
                                # & is not recommended for web servers
                                # behind the firewall.
# not supported in 4.4 and newer
#options TCP_RESTRICT_RST       # Adds support for blocking emission of
                                # TCP RST packets. Useful in limiting
                                # SYN floods & port scanning. Replaced by
                                # the sysctl knob blackhole.
i'm also using JoeB's sysctl.conf
--------------------------------
####################################################################
#
#
# The sysctl.conf file contains MIB's to change the default setting of
# internal options of the kernel at boot up time. MIB's which control
# how packets are handled get control before the packet is handed off
# to the firewall (IPFW or IPFILTER). Some of these MIB's may seem
# like they are doing the same thing, but because there is no FBSD
# provided documentation on the order these MIB's get control, they
# all get enabled here and we let the kernel do its thing.
#
# NOTE: Some of these MIB's can also be set in rc.conf and or the kernel
# source. This will not hurt anything.
#
# This sysctl.conf created 3/22/2002 by Joe Barbish.
####################################################################


# To defend against SYN attacks more commonly known as SYNFLOOD attacks,
# the two queues which are targeted by this type of attack should have their
# size increased so that the queues can withstand an attack of low to moderate
# intensity with little to no effect on the stability or availability of the
# server. FBSD maintains separate queues for inbound socket connection
# requests. One queue is for half-open sockets (SYN received, SYN|ACK sent),
# the other queue for fully-open sockets awaiting an accept() call from the
# application. The following statement increases the queue size from 128.

kern.ipc.somaxconn=1024

# Redirect attacks are the purposeful mass issuing of redirects.
# In a normal network, redirects to the end stations should not be required.
# To defend against this type of attack both the sending and accepting of
# redirects should be disabled. In the following statements, the first one
# enables the special kernel MIB to drop these attacks, the second turns off
# the logging of attacks because there is no limit and this could fill up
# your logs consuming your whole hard drive and the last statement changes
# the FBSD default from yes to no.

net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0

# Source routing is another way for an attacker to try to reach non-routable
# addresses behind your box. It can also be used to probe for information
# about your internal networks. These functions come enabled as part of the
# standard FBSD core system. The following will disable them.

net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0


# Allowing aged ARP entries to remain cached or lying around allows for
# the possibility of a hacker creating a resource exhaustion or
# performance degradation by filling the IP route cache with bogus
# ARP entries. This in turn can be used as a Denial of Service attack.
# To prevent this sort of problem the following statement shortens the
# amount of time an ARP entry will be cached from 1200.

net.link.ether.inet.max_age=600


# To protect your box from the well publicized SMURF attack. This attack
# works by sending ICMP 8 0 (ECHO REQUEST) messages to a broadcast address
# from a spoofed address. If the host is a firewall (router), it should
# not propagate directed broadcasts.
# The following statement sets the default to no broadcasts.

net.inet.icmp.bmcastecho=0


# To change the system behavior when connection requests are received
# on TCP or UDP ports where there is no socket listening. The normal
# behavior, when a TCP SYN segment is received on a port where there is no
# socket accepting connections, is for the system to return a RST segment,
# and drop the connection. The connecting system will see this as a
# "Connection reset by peer".
#
# By turning the TCP black hole MIB on to a numeric value of one, the
# incoming SYN segment is merely dropped, and no RST is sent, making the
# system appear as a blackhole.
#
# By setting the MIB value to two, any segment arriving on a closed port is
# dropped without returning a RST.
# This provides some degree of protection against stealth port scans.
# The following enables this MIB.

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1


# The log_in_vain MIB will provide you with logging of attempted connections
# to your box on any port which does not have a server running on it.
# For example, if you do not have a DNS server on your computer and someone
# would try to access your computer through DNS port 53, you would see a
# message such as: Connection attempt to UDP yourIP:53 from otherIP:X
# (where X is some high port #) displayed on the root console screen. This
# message also gets posted to /var/log/messages & /var/log/security.
# The following statements enable this function.
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1


# To increase the size of your TCP window to allow for more efficient
# transfers, particularly bulk transfers such as FTP. The maximum value
# suggested is 32768 bytes. Change from 16384. In release 4.5 the defaults
# for these values changed upwards to what they are below.

net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=65536

sorry so long, thanks again
redmond
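A small ruleset auditor, added here as an editorial example and not part of Redmond's post or of IPFilter itself. It parses ipf.rules lines with a regular expression and flags three things that a reader of the configuration above can check by eye but that are easy to miss in a long file: a host address written with a mask wider than /32 (192.168.1.50/8 matches every address in 192.0.0.0/8, not one host), a rule whose destination address is missing ("from any to port = 3306"), and pass-in rules on the outside interface that open a whole port range to any source or every port to a source network. The sample rules are constructed in the shape of the ones quoted above; the 129.x.x.23 address the post anonymised is replaced with a made-up 129.10.10.23, and the checks are heuristics, not an ipf syntax validator.

```python
"""Audit an IPFilter (ipf.rules) ruleset for mistakes that are easy to make by
hand: host addresses carrying a mask wider than /32, pass-in rules on the
outside interface that open a whole port range to any source or every port to
a source network, and rules missing a destination address.
Added example, not code from the mailing-list post."""
import ipaddress
import re

# Constructed sample in the shape of the rules quoted in the post (the address
# the post anonymised as 129.x.x.23 is replaced with a made-up 129.10.10.23).
SAMPLE_RULES = """\
pass out quick on xl0 proto tcp from any to any keep state
pass in quick on xl0 proto tcp from any to 192.168.1.50/8 port = 80 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on xl0 proto tcp from any to port = 3306 flags S keep state
pass in quick on xl0 proto tcp from any to any port > 1023 flags S keep state
pass in quick on xl0 proto tcp from 129.10.10.23/24 to any keep state
block return-rst in log quick on xl0 proto tcp from any to any
block in log quick on xl0 all
"""

# action [return-...] in|out ... on IFACE [proto P] from SRC [port X] to DST [port Y]
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+return-\S+)?\s+(?P<dir>in|out)\b"
    r".*?\bon\s+(?P<iface>\S+)"
    r"(?:.*?\bproto\s+(?P<proto>\S+))?"
    r".*?\bfrom\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>[=<>!]+\s*\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>[=<>!]+\s*\d+))?"
)


def parse_rule(line):
    """Return the rule's fields as a dict, None for blank/comment lines, or
    {'unparsed': line} when the regex does not recognise the rule."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    if line.endswith(" all"):            # 'all' is shorthand for 'from any to any'
        line = line[:-4] + " from any to any"
    m = RULE_RE.match(line)
    return m.groupdict() if m else {"unparsed": line}


def mask_mismatch(addr):
    """If addr is host/mask but the mask does not cover the host's set bits
    (e.g. 192.168.1.50/8), return the network the rule really matches."""
    if "/" not in addr:
        return None
    try:
        net = ipaddress.ip_network(addr, strict=False)
        host = ipaddress.ip_address(addr.split("/", 1)[0])
    except ValueError:                   # e.g. an anonymised 129.x.x.23/24
        return None
    return None if host == net.network_address else str(net)


def audit(rules_text, outside_iface="xl0"):
    """Return a list of (line number, kind, detail) findings for a ruleset."""
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        r = parse_rule(raw)
        if r is None:
            continue
        if "unparsed" in r:
            findings.append((lineno, "unparsed", r["unparsed"]))
            continue
        for field in ("src", "dst"):
            net = mask_mismatch(r[field])
            if net:
                findings.append((lineno, "mask", f"{field} {r[field]} really matches {net}"))
        if r["dst"] == "port":           # 'to port = N' swallowed the keyword as the address
            findings.append((lineno, "syntax", "no destination address before 'port'"))
        inbound_edge = r["action"] == "pass" and r["dir"] == "in" and r["iface"] == outside_iface
        if inbound_edge:
            dport = (r["dport"] or "").replace(" ", "")
            if r["src"] == "any" and dport[:1] in (">", "<"):
                findings.append((lineno, "broad", f"any source may reach port {dport}"))
            if not dport and r["src"] != "any":
                findings.append((lineno, "open", f"{r['src']} may reach every {r['proto'] or 'ip'} port"))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit(SAMPLE_RULES):
        print(f"line {lineno:2} [{kind}] {detail}")
```

Run against a real file with `audit(open("/etc/ipf.rules").read())`; the "mask" finding is the one worth acting on first, since a /8 on a host address silently widens a rule far beyond the single server it names, and the "open" findings mark the rules the post itself calls "not the most secure".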