Date:      Mon, 22 Apr 2002 16:42:21 -0700
From:      Ryan Hill <rhill@xypoint.com>
To:        "'snort-users@lists.sourceforge.net'" <snort-users@lists.sourceforge.net>, "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject:   OT: ipfilter Suggestions for Snort Use
Message-ID:  <38985D9205A0D411A10500508B10DE66029974E5@ebert.xypoint.com>

All,

I am attempting to create and optimize my first ipfilter rule set under
FreeBSD 4.5-STABLE and would appreciate any and all feedback regarding the
rule set I've come up with thus far.

I'm specifically interested in reviewing the rule flow and correctness for
errors as well as suggestions anyone might have for tightening and
optimizing the system further, given the service constraints defined in the
rule set.

Also, can anyone tell me if ipmon and ipstat are included in the compiled
ipfilters package?  I see references to them in the ipfilter how-to
(http://www.obfuscation.org/ipf/ipf-howto.txt), but haven't been able to
determine where they're located (caveat, I haven't compiled for ipfilter
yet, I'd like to get the rule set finalized before venturing down this
path).

#!/sbin/ipf -f -
#
# Ipfilter v3.3+ Ruleset v .1
# Created by rhill
# Last Modified: 04/22/02 4:19 PM PDT
#
# --------------------------------------------
# Block all traffic by default. (Most Secure)
# --------------------------------------------
# Snort sensor interfaces, send nothing inbound or outbound.
block out quick on de0 all group 100
block out quick on de1 all group 100
block out quick on de2 all group 100
block out quick on de3 all group 100
block out quick on de4 all group 100
block out quick on de5 all group 100
block out quick on de6 all group 100
block out quick on de7 all group 100

# Management interface, filter inbound/outbound traffic.

block in log auth.alert on xl0 all head 200
block in log auth.alert proto tcp all flags S/SA head 201 group 200
block in log auth.alert proto udp all head 202 group 200
block in log auth.alert proto icmp all head 203 group 200
block out log auth.alert on xl0 all head 250

# Allow inbound web and SSL access
pass in quick on xl0 proto tcp from a.b.c.d/16 to any port = 80 flags S keep state group 201
pass in quick on xl0 proto tcp from a.b.c.d/16 to any port = 443 flags S keep state group 201

# Allow inbound ssh
pass in quick on xl0 proto tcp from a.b.c.d/16 to any port = 22 flags S keep state group 201

# Allow outgoing FTP from any internal host to any external FTP server.
pass in quick on xl0 proto tcp from any to any port = ftp keep state group 201
pass in quick on xl0 proto tcp from any to any port = ftp-data keep state group 201
pass in quick on xl0 proto tcp from any port = ftp-data to any port > 1023 keep state group 201

# Allow inbound syslog from authorized devices
pass in quick on xl0 proto udp from b.c.d.e/32 port = 514 to any keep state group 202
pass in quick on xl0 proto udp from c.d.e.f/32 port = 514 to any keep state group 202
pass in quick on xl0 proto udp from d.e.f.g/32 port = 514 to any keep state group 202

# Allow DNS queries
pass in quick on xl0 proto udp from any to any port = 53 keep state group 202

# Allow NTP from any internal host to any external NTP server.
pass in quick on xl0 proto udp from any to any port = ntp keep state group 202

# Allow certain inbound pings from trusted network, echo replies from
# anywhere and traceroutes.
pass in quick on xl0 proto icmp from a.b.c.d/16 to any icmp-type 8 keep state group 203
pass in quick on xl0 proto icmp from any to any icmp-type 0 keep state group 203
pass in quick on xl0 proto icmp from any to any icmp-type 11 keep state group 203
pass out quick on xl0 proto udp from any to any port 33434><33690 keep state group 202

# Filter localhost traffic.
# packets going in/out of network interfaces that aren't on the loopback
# interface should *NOT* exist.
block in log auth.alert quick from 127.0.0.0/8 to any group 100
block in log auth.alert quick from any to 127.0.0.0/8 group 100
block in log auth.alert quick from 127.0.0.0/8 to any group 200
block in log auth.alert quick from any to 127.0.0.0/8 group 200

# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all

# EOF

Thanks in advance,
Ryan
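A small static checker for the head/group structure of a rule set like the one above, added here as an example (it is not part of the post and not an ipfilter tool). It assumes the rules are available as text and applies two checks a reviewer would make by hand: every `group N` reference needs a matching `head N`, and a member rule should have the same direction (in/out) as its head, since a head only sees packets of its own direction. The sample rules are a constructed subset of the posted ones.

```python
"""Hypothetical head/group consistency checker for ipfilter rule text."""
import re

RULE_RE = re.compile(r"^(?P<action>pass|block)\s+(?P<dir>in|out)\b(?P<rest>.*)$")


def parse_rules(text):
    """Return one dict per rule: action, dir, iface, head, group, text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        iface = re.search(r"\bon\s+(\S+)", rest)
        head = re.search(r"\bhead\s+(\d+)", rest)
        group = re.search(r"\bgroup\s+(\d+)", rest)
        rules.append({
            "action": m.group("action"), "dir": m.group("dir"),
            "iface": iface.group(1) if iface else None,
            "head": int(head.group(1)) if head else None,
            "group": int(group.group(1)) if group else None,
            "text": line,
        })
    return rules


def check_groups(rules):
    """List (problem, group, rule) for dangling groups and direction mismatches."""
    heads = {r["head"]: r for r in rules if r["head"] is not None}
    problems = []
    for r in rules:
        g = r["group"]
        if g is None:
            continue
        if g not in heads:
            problems.append(("missing_head", g, r["text"]))
        elif heads[g]["dir"] != r["dir"]:
            problems.append(("direction_mismatch", g, r["text"]))
    return problems


# Constructed sample: a few lines taken from the posted rule set.
SAMPLE = """
block out quick on de0 all group 100
block in log auth.alert on xl0 all head 200
block in log auth.alert proto udp all head 202 group 200
pass in quick on xl0 proto udp from any to any port = 53 keep state group 202
pass out quick on xl0 proto udp from any to any port 33434><33690 keep state group 202
block in log auth.alert quick from 127.0.0.0/8 to any group 100
"""

if __name__ == "__main__":
    for problem, group, rule in check_groups(parse_rules(SAMPLE)):
        print(f"{problem} (group {group}): {rule}")
```

On the sample it reports the two `group 100` rules, which have no `head 100` anywhere in the posted set, and the `pass out ... group 202` traceroute rule sitting under an inbound head.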
