
Firewall, Configuring

From FreeBSDwiki

Revision as of 14:43, 13 November 2004

Sample firewall script. This sets up ipfw on a "bastion" server that both runs publicly accessible services and acts as a NAT-enabled firewall for a protected network running behind it. Interface names and addresses below are examples; replace them with your own.

#!/bin/sh
#
# Requires a kernel built with options IPFIREWALL, IPFIREWALL_VERBOSE and
# IPDIVERT, and in /etc/rc.conf something like:
#   gateway_enable="YES"
#   firewall_enable="YES"   firewall_script="/etc/ipfw.rules"
#   natd_enable="YES"       natd_interface="xl0"

# Quietly flush out the old rules
/sbin/ipfw -q -f flush

# Set command prefix (add the "-q" option after development to turn on quiet mode)
cmd="/sbin/ipfw add"

# Outside (Internet-facing) and inside (LAN) network interfaces
oif="xl0"
iif="ed0"

# Private IP of this server and the network of the whole LAN side
server="192.168.0.1"
inside="192.168.0.0/24"

###### Localhost stuff

# Allow the computer to talk to itself
$cmd 00080 allow ip from any to any via lo0

# Don't let anything from the "outside" talk to localhost
$cmd 00081 deny ip from any to 127.0.0.0/8

# Don't let the computer talk to other computers as localhost
$cmd 00082 deny log ip from 127.0.0.0/8 to any

#######

####### DHCP stuff

# You need this to be able to renew your DHCP lease from your ISP.
# (This must name the outside interface; an earlier version hard-coded rl0 here.)
$cmd 00083 allow udp from any 67 to any 68 in recv $oif

#####

######### Deny and log bogus packets by TCP flags / IP options
#
# A comma-separated tcpflags or ipoptions list matches only when ALL of the
# listed flags/options are set (and all of the "!"-prefixed ones are clear).

# XMAS tree scan (FIN, PSH and URG all set)
$cmd 00084 deny log tcp from any to any in tcpflags fin,psh,urg recv $oif
# NULL scan (no flag set at all)
$cmd 00085 deny log tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg recv $oif
# SYN and FIN set together: never legitimate (a probe signature, not a SYN flood)
$cmd 00086 deny log tcp from any to any in tcpflags syn,fin recv $oif
# FIN and RST set together: never legitimate
$cmd 00087 deny log tcp from any to any in tcpflags fin,rst recv $oif
# Forced packet routing.  One rule per option: a single rule listing
# "ssrr,lsrr,rr,ts" would only match a packet carrying all four at once.
$cmd 00088 deny log ip from any to any in ipoptions ssrr recv $oif
$cmd 00089 deny log ip from any to any in ipoptions lsrr recv $oif
$cmd 00090 deny log ip from any to any in ipoptions rr recv $oif
$cmd 00091 deny log ip from any to any in ipoptions ts recv $oif
#######

######### Things served by this machine directly
######### Any services on this machine should be placed here,
######### before the NAT divert rule

# HTTP
$cmd 00500 allow tcp from any to any 80 in via $oif
# SSH
$cmd 00510 allow tcp from any to any 22 in via $oif
# FTP: control channel and active-mode data channel.  FTP is TCP, so name
# the transport; "ip" with a port would also have admitted UDP on these ports.
$cmd 00570 allow tcp from any to any 20 in via $oif
$cmd 00571 allow tcp from any to any 21 in via $oif
$cmd 00572 allow tcp from any 21 to any out via $oif
####

##### NATD stuff

# natd divert rule.  natd must be running on $oif (natd -interface xl0, or
# natd_enable/natd_interface in rc.conf); otherwise diverted packets are dropped.
$cmd 01000 divert natd all from any to any via $oif

######

#### All connections originating from my network are allowed

# Check to see if a dynamic rule has been created that matches this packet
$cmd 01100 check-state
# Let everything on your internal network talk to the firewall
$cmd 01101 allow all from any to any via $iif keep-state
# Set up a dynamic rule for any connection being started from inside
$cmd 01102 allow all from any to any out via $oif keep-state
# Log unsolicited packets with both ACK and RST set (scan signature).  This has
# to sit ahead of the "established" rule below, which would otherwise swallow
# them unlogged; legitimate RST/ACK replies to our own connections were already
# matched by check-state above.
$cmd 01103 deny log tcp from any to any in tcpflags ack,rst via $oif
# Deny ACK/RST packets that did not match the dynamic rule table.  Not logged:
# too many false positives (late packets from already-closed connections).
$cmd 01104 deny tcp from any to any established in via $oif
# Deny fragments as bogus packets
$cmd 01105 deny log all from any to any frag in via $oif
#####

####### ICMP stuff

# Allow destination-unreachable (needed for path-MTU discovery) in both directions
$cmd 01200 allow icmp from any to any icmptypes 3

# Allow source quench in and out
$cmd 01201 allow icmp from any to any icmptypes 4

# Allow me to ping out and receive the response back
$cmd 01202 allow icmp from any to any icmptypes 8 out
$cmd 01203 allow icmp from any to any icmptypes 0 in

# Allow me to run traceroute (time-exceeded replies coming back)
$cmd 01204 allow icmp from any to any icmptypes 11 in

########

##### This section is for exposing services to the Internet from the LAN.
##### It is placed AFTER the natd divert rule: by the time a packet gets here
##### natd has already rewritten its destination to the LAN host named by a
##### redirect_port line in /etc/natd.conf, e.g.
#####   redirect_port tcp 192.168.0.10:5900 5900
##### Rules written with proto "ip" plus a port are meant to match that port on
##### either TCP or UDP; name the transport where you know which one the
##### application uses.

# VNC
$cmd 01550 allow tcp from any to any 5900 in via $oif
# KAZAA
$cmd 01580 allow ip from any to $inside 1214 in via $oif
# SOULSEEK (TCP)
$cmd 01590 allow tcp from any to $inside 2234 in via $oif
$cmd 01591 allow tcp from any to $inside 5534 in via $oif
# EMULE
$cmd 01600 allow tcp from any to $inside 4662 in via $oif
$cmd 01601 allow udp from any to $inside 4672 in via $oif
# BITTORRENT
$cmd 01610 allow ip from any to $inside 30000-40000 in via $oif

####

######## SOME THINGS ARE TOO NOISY TO LIVE
######## In this section we deny things that would be denied anyway, but that we just
######## don't want logged.  Be careful with this: in general, you probably want to
######## avoid putting anything in here that doesn't specify a known source address that
######## is relatively trustworthy.  You also want to be very careful about who knows
######## what this section of your firewall configs looks like, because they can then
######## use the info to craft probes and attacks they know you won't see or log.

# Don't bother logging IGMP noise from the ISP's router
$cmd 9004 deny igmp from 172.16.210.1 to any in via $oif

# Don't bother logging late DNS replies from the ISP's DNS boxes.
# Address-list syntax is network{host-range}; the braces are escaped from the shell.
$cmd 9006 deny udp from 4.31.99.0/24\{100-103\} 53 to any dst-port 50000-65535 in via $oif

#####

######## Stealth scans of closed ports
######## Scans of open ports cannot really be denied without disrupting the
######## legitimate services on them; an ACK to port 80, for instance, is
######## accepted by rule 00500.  Scans of closed ports are what gets logged:
######## the ACK/RST signature is caught by rule 01103 above, placed there so
######## that the unlogged "established" rule does not shadow it.

#####

#############
############# DEFAULT RULE - deny it, and log it, 'cause we're secure like that.
############# (ipfw's own built-in rule 65535 also denies, but without logging.)
#############
$cmd 65000 deny log all from any to any
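Two details of the rule set above are easy to misread: a comma-separated tcpflags or ipoptions list matches only when every listed item is set, and ipfw stops at the first matching rule, so a logging rule placed after an unlogged rule that matches the same packets never fires. The following Python model is an added example, not part of this wiki page and not ipfw's own code. It encodes the "all listed flags set, all !-flags clear" test that the ipfw kernel applies to both tcpflags and ipoptions, then walks constructed inbound-on-$oif packets through a subset of the rules as they were originally written (one ipoptions rule listing all four options, ACK/RST logging at 60000 after the "established" rule) and as corrected (one rule per option, ACK/RST logging ahead of "established"). The packets, the bit values and the probe helper are constructed for the example.

```python
"""Model of ipfw tcpflags/ipoptions matching and first-match rule evaluation.

Added example: a small simulation, not ipfw source.  Rule numbers mirror the
wiki script; bit values are labels for this model only.
"""

TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
IP_OPTS = {"ssrr": 0x01, "lsrr": 0x02, "rr": 0x04, "ts": 0x08}


def parse_spec(spec, table):
    """'fin,!syn,rst' -> (must_be_set, must_be_clear) bitmasks, as ipfw's parser does."""
    want_set = want_clear = 0
    for tok in spec.split(","):
        if tok.startswith("!"):
            want_clear |= table[tok[1:]]
        else:
            want_set |= table[tok]
    return want_set, want_clear


def spec_matches(spec, table, bits):
    """Kernel semantics: every listed item must be set AND every '!' item must be clear."""
    want_set, want_clear = parse_spec(spec, table)
    return (bits & want_set) == want_set and (bits & want_clear) == 0


def tcp(dport, *flags, ipopts=()):
    """Constructed inbound TCP packet arriving on the outside interface."""
    return {"proto": "tcp", "dport": dport,
            "flags": sum(TCP_FLAGS[f] for f in flags),
            "ipopts": sum(IP_OPTS[o] for o in ipopts)}


def rule_tcpflags(spec):
    return lambda p: p["proto"] == "tcp" and spec_matches(spec, TCP_FLAGS, p["flags"])


def rule_ipoptions(spec):
    return lambda p: spec_matches(spec, IP_OPTS, p["ipopts"])


def rule_service(port):
    return lambda p: p["proto"] == "tcp" and p["dport"] == port


def rule_established(p):
    # ipfw "established": RST or ACK set; either one is enough
    return p["proto"] == "tcp" and bool(p["flags"] & (TCP_FLAGS["rst"] | TCP_FLAGS["ack"]))


def first_match(rules, pkt):
    """Walk rules in number order; return (number, action) of the first hit."""
    for num, action, pred in sorted(rules, key=lambda r: r[0]):
        if pred(pkt):
            return num, action
    return 65535, "deny"  # ipfw's built-in default


# Inbound-on-$oif subset of the script, as originally written.
AS_WRITTEN = [
    (84, "deny log", rule_tcpflags("fin,psh,urg")),
    (85, "deny log", rule_tcpflags("!fin,!syn,!rst,!psh,!ack,!urg")),
    (86, "deny log", rule_tcpflags("syn,fin")),
    (89, "deny log", rule_ipoptions("ssrr,lsrr,rr,ts")),  # needs all four at once
    (500, "allow", rule_service(80)),
    (1103, "deny", rule_established),                    # unlogged, matches ACK or RST
    (60000, "deny log", rule_tcpflags("ack,rst")),       # shadowed by 1103
    (65000, "deny log", lambda p: True),
]

# The corrected ordering: one ipoptions rule per option, ACK/RST logging ahead
# of the "established" rule.
FIXED = [r for r in AS_WRITTEN if r[0] not in (89, 1103, 60000)] + [
    (88, "deny log", rule_ipoptions("ssrr")),
    (89, "deny log", rule_ipoptions("lsrr")),
    (90, "deny log", rule_ipoptions("rr")),
    (91, "deny log", rule_ipoptions("ts")),
    (1103, "deny log", rule_tcpflags("ack,rst")),
    (1104, "deny", rule_established),
]


def probe(rules):
    """Which (rule, action) each constructed probe packet hits under a rule set."""
    return {
        "xmas": first_match(rules, tcp(80, "fin", "psh", "urg")),
        "null": first_match(rules, tcp(80)),
        "syn+fin": first_match(rules, tcp(80, "syn", "fin")),
        "lsrr only": first_match(rules, tcp(80, "syn", ipopts=("lsrr",))),
        "ack+rst closed port": first_match(rules, tcp(12345, "ack", "rst")),
        "ack only closed port": first_match(rules, tcp(12345, "ack")),
        "ack to open port": first_match(rules, tcp(80, "ack")),
    }


if __name__ == "__main__":
    for name, rules in (("as written", AS_WRITTEN), ("fixed", FIXED)):
        print(name)
        for probe_name, hit in probe(rules).items():
            print(f"  {probe_name:22s} -> rule {hit[0]:5d} {hit[1]}")
```

Running it shows the two effects directly: a packet carrying only a loose-source-route option sails past the all-four-options rule and is accepted by the HTTP rule, while the split rules catch it; and an ACK+RST probe to a closed port is dropped silently by "established" in the original ordering but logged once the signature rule precedes it. An ACK to an open port is accepted in both variants, which is the limitation the script's own comments describe.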



helpful links:

http://www.freebsddiary.org/ipfw.php

http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html

http://blogs.geekdojo.net/andy/articles/1807.aspx VERY VERY helpful

http://www.acme.com/firewall.html more with the SUPER helpfulness


http://www.daniweb.com/tutorials/2949.html for getting dhcpd running
