Firewall, Configuring
From FreeBSDwiki
(Difference between revisions)
Line 1: | Line 1: | ||
+ | Sample firewall script - this sets up a firewall on a "bastion" server that both runs publically accessible services and acts as a NAT-enabled firewall for a protected network running behind it. | ||
+ | |||
+ | #Quietly flush out rules | ||
+ | /sbin/ipfw -q -f flush | ||
+ | |||
+ | #Set command prefix (add "-q" option after development to turn on quiet mode) | ||
+ | cmd="/sbin/ipfw add" | ||
+ | |||
+ | # set outside and inside network interfaces | ||
+ | oif="xl0" | ||
+ | iif="ed0" | ||
+ | |||
+ | # set private IP of this server and the netmask of the whole LAN side | ||
+ | server="192.168.0.1" | ||
+ | inside="192.168.0.0/24" | ||
+ | |||
+ | ######Localhost stuff | ||
+ | |||
+ | #allow the computer to talk to itself | ||
+ | $cmd 00080 allow ip from any to any via lo0 | ||
+ | |||
+ | #don't let anything from the "outside" talk to localhost | ||
+ | $cmd 00081 deny ip from any to 127.0.0.0/8 | ||
+ | |||
+ | #don't let the computer talk other computers as localhost | ||
+ | $cmd 00082 deny log ip from 127.0.0.0/8 to any | ||
+ | |||
+ | ####### | ||
+ | |||
+ | ####### DHCP stuff | ||
+ | |||
+ | # you need this to be able to renew your DHCP lease from your ISP | ||
+ | $cmd 00083 allow udp from any 67 to any 68 in recv rl0 | ||
+ | |||
+ | ##### | ||
+ | |||
+ | ######### deny-and-log bogus packets by tcpflags | ||
+ | |||
+ | # XMAS tree | ||
+ | $cmd 00084 deny log tcp from any to any in tcpflags fin,psh,urg recv $oif | ||
+ | # NULL scan (no flag set at all) | ||
+ | $cmd 00085 deny log tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg recv $oif | ||
+ | # SYN flood (SYN,FIN) | ||
+ | $cmd 00086 deny log tcp from any to any in tcpflags syn,fin recv $oif | ||
+ | # Stealth FIN scan (FIN,RST) | ||
+ | $cmd 00087 deny log tcp from any to any in tcpflags fin,rst recv $oif | ||
+ | # forced packet routing | ||
+ | $cmd 00089 deny log ip from any to any in ipoptions ssrr,lsrr,rr,ts recv $oif | ||
+ | ####### | ||
+ | |||
+ | |||
+ | |||
+ | ######### Things served via this machine directly | ||
+ | ######### Any services on this machine should be placed here, | ||
+ | ######### before the NAT Divert rule | ||
+ | |||
+ | #HTTP | ||
+ | $cmd 00500 allow tcp from any to any 80 in via $oif | ||
+ | #SSH | ||
+ | $cmd 00510 allow tcp from any to any 22 in via $oif | ||
+ | #FTP | ||
+ | $cmd 00570 allow ip from any to any 20 in via $oif | ||
+ | $cmd 00571 allow ip from any to any 21 in via $oif | ||
+ | $cmd 00572 allow tcp from any 21 to any out via $oif | ||
+ | #### | ||
+ | |||
+ | |||
+ | #####NATD stuff | ||
+ | |||
+ | #natd Divert rule | ||
+ | $cmd 01000 divert natd all from any to any via $oif | ||
+ | |||
+ | ###### | ||
+ | |||
+ | |||
+ | ####All connections originating from my network are allowed | ||
+ | |||
+ | # check to see if a dynamic rule has been created that matches this packet | ||
+ | $cmd 01100 check-state | ||
+ | # let everything on your internal network talk to the firewall | ||
+ | $cmd 01101 allow all from any to any via $iif keep-state | ||
+ | # setup a dynamic rule for any connections being started from inside | ||
+ | $cmd 01102 allow all from any to any out via $oif keep-state | ||
+ | # deny ACK packets that did not match the dynamic rule table - do not log, too many false positives | ||
+ | $cmd 01103 deny tcp from any to any established in via $oif | ||
+ | #deny fragments as bogus packets | ||
+ | $cmd 01104 deny log all from any to any frag in via $oif | ||
+ | ##### | ||
+ | |||
+ | |||
+ | ####### ICMP stuff | ||
+ | |||
+ | #allow path-mtu in both directions | ||
+ | $cmd 01200 allow icmp from any to any icmptypes 3 | ||
+ | |||
+ | #allow source quench in and out | ||
+ | $cmd 01201 allow icmp from any to any icmptypes 4 | ||
+ | |||
+ | #allow me to run traceroute | ||
+ | $cmd 01204 allow icmp from any to any icmptypes 11 in | ||
+ | |||
+ | #allow me to ping out and receive response back | ||
+ | $cmd 01202 allow icmp from any to any icmptypes 8 out | ||
+ | $cmd 01203 allow icmp from any to any icmptypes 0 in | ||
+ | |||
+ | ######## | ||
+ | |||
+ | |||
+ | |||
+ | ##### This section is for exposing services to the internet from the LAN | ||
+ | ##### It is placed AFTER the NATD Divert rule, so these services can be | ||
+ | ##### diverted in /etc/natd.conf | ||
+ | |||
+ | #VNC | ||
+ | $cmd 01550 allow tcp from any to any 5900 in | ||
+ | #KAZAA | ||
+ | $cmd 01580 allow ip from any to $inside 1214 in via $oif | ||
+ | #SOULSEEK | ||
+ | $cmd 01590 allow ip from any to $inside 2234 in via $oif | ||
+ | $cmd 01591 allow ip from any to $inside 5534 in via $oif | ||
+ | #EMULE | ||
+ | $cmd 01600 allow tcp from any to $inside 4662 in via $oif | ||
+ | $cmd 01601 allow udp from any to $inside 4672 in via $oif | ||
+ | #BITTORRENT | ||
+ | $cmd 01610 allow ip from any to $inside 30000-40000 in via $oif | ||
+ | |||
+ | #### | ||
+ | |||
+ | ######## SOME THINGS ARE TOO NOISY TO LIVE | ||
+ | ######## In this section we deny things that would be denied anyway, but that we just | ||
+ | ######## don't want logged. Be careful with this - in general, you probably want to | ||
+ | ######## avoid putting anything in here that doesn't specify a known source address that | ||
+ | ######## is relatively trustworthy. You also want to be very careful about who knows | ||
+ | ######## what this section of your firewall configs looks like, because they can then | ||
+ | ######## use the info to craft probes and attacks they know you won't see or log. | ||
+ | |||
+ | # Don't bother logging IGMP crap from the ISP | ||
+ | $cmd 9004 deny igmp from 172.16.210.1 to any in via $oif | ||
+ | |||
+ | # Don't bother logging DNS garbage inbound from the ISP's DNS boxes | ||
+ | $cmd 9006 deny udp from 4.31.99.0/24\{100-103\} 53 to any dst-port 50000-65535 in via rl0 | ||
+ | |||
+ | ##### | ||
+ | |||
+ | ######## Stealth scans of closed ports | ||
+ | ######## this section is to deny and log stealth scans that we can't really deny | ||
+ | ######## on open ports because doing so would disrupt legitimate services. | ||
+ | |||
+ | # ACK scan (ACK,RST) | ||
+ | $cmd 60000 deny log tcp from any to any in tcpflags ack,rst recv $oif | ||
+ | |||
+ | ##### | ||
+ | |||
+ | ############# | ||
+ | ############# DEFAULT RULE - deny it, and log it, 'cause we're secure like that. | ||
+ | ############# | ||
+ | # | ||
+ | $cmd 65000 deny log all from any to any | ||
+ | |||
+ | |||
+ | |||
+ | |||
helpful links: | helpful links: | ||
Revision as of 14:43, 13 November 2004
Sample firewall script - this sets up a firewall on a "bastion" server that both runs publically accessible services and acts as a NAT-enabled firewall for a protected network running behind it.
#Quietly flush out rules /sbin/ipfw -q -f flush #Set command prefix (add "-q" option after development to turn on quiet mode) cmd="/sbin/ipfw add" # set outside and inside network interfaces oif="xl0" iif="ed0" # set private IP of this server and the netmask of the whole LAN side server="192.168.0.1" inside="192.168.0.0/24" ######Localhost stuff #allow the computer to talk to itself $cmd 00080 allow ip from any to any via lo0 #don't let anything from the "outside" talk to localhost $cmd 00081 deny ip from any to 127.0.0.0/8 #don't let the computer talk other computers as localhost $cmd 00082 deny log ip from 127.0.0.0/8 to any ####### ####### DHCP stuff # you need this to be able to renew your DHCP lease from your ISP $cmd 00083 allow udp from any 67 to any 68 in recv rl0 ##### ######### deny-and-log bogus packets by tcpflags # XMAS tree $cmd 00084 deny log tcp from any to any in tcpflags fin,psh,urg recv $oif # NULL scan (no flag set at all) $cmd 00085 deny log tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg recv $oif # SYN flood (SYN,FIN) $cmd 00086 deny log tcp from any to any in tcpflags syn,fin recv $oif # Stealth FIN scan (FIN,RST) $cmd 00087 deny log tcp from any to any in tcpflags fin,rst recv $oif # forced packet routing $cmd 00089 deny log ip from any to any in ipoptions ssrr,lsrr,rr,ts recv $oif ####### ######### Things served via this machine directly ######### Any services on this machine should be placed here, ######### before the NAT Divert rule #HTTP $cmd 00500 allow tcp from any to any 80 in via $oif #SSH $cmd 00510 allow tcp from any to any 22 in via $oif #FTP $cmd 00570 allow ip from any to any 20 in via $oif $cmd 00571 allow ip from any to any 21 in via $oif $cmd 00572 allow tcp from any 21 to any out via $oif #### #####NATD stuff #natd Divert rule $cmd 01000 divert natd all from any to any via $oif ###### ####All connections originating from my network are allowed # check to see if a dynamic rule has been created that matches this packet $cmd 01100 check-state # let everything on your internal network talk to the firewall $cmd 01101 allow all from any to any via $iif keep-state # setup a dynamic rule for any connections being started from inside $cmd 01102 allow all from any to any out via $oif keep-state # deny ACK packets that did not match the dynamic rule table - do not log, too many false positives $cmd 01103 deny tcp from any to any established in via $oif #deny fragments as bogus packets $cmd 01104 deny log all from any to any frag in via $oif ##### ####### ICMP stuff #allow path-mtu in both directions $cmd 01200 allow icmp from any to any icmptypes 3 #allow source quench in and out $cmd 01201 allow icmp from any to any icmptypes 4 #allow me to run traceroute $cmd 01204 allow icmp from any to any icmptypes 11 in #allow me to ping out and receive response back $cmd 01202 allow icmp from any to any icmptypes 8 out $cmd 01203 allow icmp from any to any icmptypes 0 in ######## ##### This section is for exposing services to the internet from the LAN ##### It is placed AFTER the NATD Divert rule, so these services can be ##### diverted in /etc/natd.conf #VNC $cmd 01550 allow tcp from any to any 5900 in #KAZAA $cmd 01580 allow ip from any to $inside 1214 in via $oif #SOULSEEK $cmd 01590 allow ip from any to $inside 2234 in via $oif $cmd 01591 allow ip from any to $inside 5534 in via $oif #EMULE $cmd 01600 allow tcp from any to $inside 4662 in via $oif $cmd 01601 allow udp from any to $inside 4672 in via $oif #BITTORRENT $cmd 01610 allow ip from any to $inside 30000-40000 in via $oif #### ######## SOME THINGS ARE TOO NOISY TO LIVE ######## In this section we deny things that would be denied anyway, but that we just ######## don't want logged. Be careful with this - in general, you probably want to ######## avoid putting anything in here that doesn't specify a known source address that ######## is relatively trustworthy. You also want to be very careful about who knows ######## what this section of your firewall configs looks like, because they can then ######## use the info to craft probes and attacks they know you won't see or log. # Don't bother logging IGMP crap from the ISP $cmd 9004 deny igmp from 172.16.210.1 to any in via $oif # Don't bother logging DNS garbage inbound from the ISP's DNS boxes $cmd 9006 deny udp from 4.31.99.0/24\{100-103\} 53 to any dst-port 50000-65535 in via rl0 ##### ######## Stealth scans of closed ports ######## this section is to deny and log stealth scans that we can't really deny ######## on open ports because doing so would disrupt legitimate services. # ACK scan (ACK,RST) $cmd 60000 deny log tcp from any to any in tcpflags ack,rst recv $oif ##### ############# ############# DEFAULT RULE - deny it, and log it, 'cause we're secure like that. ############# # $cmd 65000 deny log all from any to any
helpful links:
http://www.freebsddiary.org/ipfw.php
http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html
http://blogs.geekdojo.net/andy/articles/1807.aspx VERY VERY helpful
http://www.acme.com/firewall.html more with the SUPER helpfulness
http://www.daniweb.com/tutorials/2949.html for getting dhcpd running