ipfw question
Reuben A. Popp
gobinau at digitalcelt.net
Wed Jun 16 15:04:40 PDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Giorgos,
Thanks so much for the quick response on my question :). I more or less took your rules that you posted,
and tacked on a few more. I believe that what I have is correct, and everything seems to be working well,
with a few exceptions. For instance, ftp and ssh still don't seem to make it into the logs, although the mail, web
and web-ssl do with no problems. Again, following this message is my revised ruleset.
Thanks again,
Reuben A. Popp
- ------------------->%------------------------------------------
#!/bin/sh -
#
# Setup system for firewall service.
#
# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi
# Flush the existing ruleset
echo "Flushing the existing ruleset, stand by..."
ipfw -f flush
# Setup Loopback
ipfw add pass all from any to any via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any
# Stop RFC1918 nets on the outside interface
ipfw add deny all from 10.0.0.0/8 to any via em0
ipfw add deny all from 172.16.0.0/12 to any via em0
ipfw add deny all from 192.168.0.0/16 to any via em0
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
ipfw add deny all from 0.0.0.0/8 to any via em0
ipfw add deny all from 169.254.0.0/16 to any via em0
ipfw add deny all from 192.0.2.0/24 to any via em0
ipfw add deny all from 224.0.0.0/4 to any via em0
ipfw add deny all from 240.0.0.0/4 to any via em0
# Pass all ICMP messages through.
# Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
ipfw add allow icmp from any to any
# First of all state checking. This will allow through any packet
# that is marked as "legitimate" by one of the following rules.
ipfw add check-state
ipfw add deny tcp from any to any established
# Allow DNS or NTP sessions that originate from us.
ipfw add allow udp from any to any 53,123 out keep-state
# Add all TCP connections that originate from us
ipfw add allow tcp from any to any out setup keep-state
# Pass and log all incoming ftp-data connections.
ipfw add allow log tcp from any 20 to any in setup keep-state
# Pass and log all incoming connections to: ftp, ssh, mail and www.
ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state
# Allow TCP through if setup succeeded
ipfw add pass tcp from any to any established
# Allow IP fragments to pass through
ipfw add pass all from any to any frag
# Allow setup of any other TCP connection
ipfw add pass tcp from any to any setup
# Reject & Log all setup of incoming connections from the outside
ipfw add deny log tcp from any to any in via em0 setup
- ------%<-------------------------------------------------------
Thanks again,
Reuben A. Popp
Giorgos Keramidas (Giorgos Keramidas <keramida at ceid.upatras.gr>) translated a message on Wednesday 16 June 2004 12:35 am into a binary format and sent it out among the ether in the search of "Reuben A. Popp" <gobinau at digitalcelt.net>. Upon being retranslated into ascii, it was discovered that message read:
> On 2004-06-15 18:31, "Reuben A. Popp" <gobinau at digitalcelt.net> wrote:
> > I was tinkering around trying to get my firewall set the way I wanted
> > it, but seem to be running into an issue. I know that I have logging
> > set in the kernel and in rc.conf, as well as in my ruleset, but for
> > some odd reason, the firewall is not logging connections to the
> > services I wanted watched (ftp, ssh, web, etc).
>
> That's because your ruleset uses the following rule:
>
> # Allow TCP through if setup succeeded
> ipfw add 1200 pass tcp from any to any established
>
> before any of the other rules are reached. This lets every TCP packet
> through without logging and you never get a chance of picking out what
> to log or what to block :)
>
> A simplified version of your ruleset could be this one. Notice that
> I've removed all explicit rule numbers. IPFW does a pretty good job at
> automatically numbering the rules and you don't have too many rules for
> it to work. On the other hand, having hardcoded numbers means that you
> might miss some "reordering" of the rules and waste hours upon hours
> trying to find out why it doesn't work like it's supposed to. Not a
> good possibility... Anyway, here's a ruleset very similar to yours:
>
> #
> # Part 1. Semi-standard stuff copied from rc.firewall.
> #
>
> # Flush the existing ruleset
> echo "Flushing the existing ruleset, stand by..."
> ipfw -f flush
>
> # Only allow lo0 to send packets as 127.0.0.1
> ipfw add pass all from 127.0.0.1/32 to 127.0.0.1/32 via lo0
> ipfw add deny all from any to 127.0.0.0/8
> ipfw add deny ip from 127.0.0.0/8 to any
>
> # Stop RFC1918 nets on the outside interface
> ipfw add deny all from 10.0.0.0/8 to any via em0
> ipfw add deny all from 172.16.0.0/12 to any via em0
> ipfw add deny all from 192.168.0.0/16 to any via em0
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ipfw add deny all from 0.0.0.0/8 to any via em0
> ipfw add deny all from 169.254.0.0/16 to any via em0
> ipfw add deny all from 192.0.2.0/24 to any via em0
> ipfw add deny all from 224.0.0.0/4 to any via em0
> ipfw add deny all from 240.0.0.0/4 to any via em0
>
> #
> # Part 2. Local rules that allow and log selected TCP services.
> #
>
> # Pass all ICMP messages through.
> # Make sure they're rate-limited by setting `net.inet.icmp.icmplim'
> ipfw add allow icmp from any to any
>
> # First of all state checking. This will allow through any packet
> # that is marked as "legitimate" by one of the following rules.
> ipfw add check-state
> ipfw add deny tcp from any to any established
>
> # Allow DNS or NTP sessions that originate from us.
> ipfw add allow udp from any to any 53,123 out keep-state
>
> # Add all TCP connections that originate from us
> ipfw add allow tcp from any to any out setup keep-state
>
> # Pass and log all incoming ftp-data connections.
> ipfw add allow log tcp from any 20 to any in setup keep-state
>
> # Pass and log all incoming connections to: ftp, ssh, mail and www.
> ipfw add allow log tcp from any to any 21,22,25,80,443 in setup keep-state
>
> AFAIK, anything else can be blocked without stopping you from doing your
> real work.
>
> - Giorgos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
iD8DBQFA0MQMd1N/Kyhy5tIRAkwqAJ0QEcUQMJWCQxKC6aM9GY6gcslsogCdF64z
KIshVA1Ub8RROMm/LCFIUD4=
=3peR
-----END PGP SIGNATURE-----
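Added example, not taken from Reuben's or Giorgos's posts and not ipfw's own code: a small Python model of the first-match evaluation that both rulesets above depend on. Giorgos's point is that whichever rule matches a packet first decides its fate, including whether the `log` keyword ever fires; the script walks a TCP-relevant subset of Reuben's revised ruleset, in the posted order, with a handful of constructed packets (documentation addresses 192.0.2.10, 203.0.113.5 and 198.51.100.9) and reports the rule index, the action and whether that rule logs. It is a simplification: `via em0` interface matching, ICMP, fragments and rule numbers are ignored, and dynamic state is a set of flow keys that `keep-state` fills and `check-state` consults, with dynamic matches assumed not to log.

```python
# Added example (not from the posts above): simplified first-match tracer for an
# ipfw-style ruleset.  Assumptions: no interface matching, no ICMP/fragment
# handling, dynamic state is a plain set of flow keys, and a packet accepted via
# check-state is not logged.  Rule syntax is hand-rolled, not ipfw(8)'s parser.
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


@dataclass
class Rule:
    action: str                                 # "allow", "deny" or "check-state"
    proto: str = "any"
    sports: set = field(default_factory=set)    # empty set means any port
    dports: set = field(default_factory=set)
    direction: str = "any"
    setup: bool = False          # ipfw `setup`: SYN set, ACK clear
    established: bool = False    # ipfw `established`: ACK (or RST) set; modelled as ACK
    keep_state: bool = False
    log: bool = False


def flow_key(p):
    # Dynamic rules match both directions of a flow, so the key is order-independent.
    return frozenset({(p.src, p.sport), (p.dst, p.dport), p.proto})


def matches(rule, p):
    if rule.proto != "any" and rule.proto != p.proto:
        return False
    if rule.sports and p.sport not in rule.sports:
        return False
    if rule.dports and p.dport not in rule.dports:
        return False
    if rule.direction != "any" and rule.direction != p.direction:
        return False
    if rule.setup and not (p.syn and not p.ack):
        return False
    if rule.established and not p.ack:
        return False
    return True


def evaluate(rules, packets):
    """Return one (rule_index, action, logged) tuple per packet, in order.

    State created by keep-state rules persists across the packets of one call,
    so later packets of a session are accepted by check-state.
    """
    state = set()
    results = []
    for p in packets:
        for i, r in enumerate(rules):
            if r.action == "check-state":
                if flow_key(p) in state:
                    results.append((i, "allow", False))   # dynamic match, not logged
                    break
                continue
            if matches(r, p):
                if r.keep_state:
                    state.add(flow_key(p))
                results.append((i, r.action, r.log))
                break
        else:
            results.append((None, "deny", False))     # ipfw's implicit default deny
    return results


def reuben_ruleset():
    # TCP/UDP rules from the revised ruleset above, in the same order; the
    # loopback, RFC1918, bogon and ICMP rules are omitted from the model.
    return [
        Rule("check-state"),
        Rule("deny", "tcp", established=True),
        Rule("allow", "udp", dports={53, 123}, direction="out", keep_state=True),
        Rule("allow", "tcp", direction="out", setup=True, keep_state=True),
        Rule("allow", "tcp", sports={20}, direction="in", setup=True, keep_state=True, log=True),
        Rule("allow", "tcp", dports={21, 22, 25, 80, 443}, direction="in", setup=True,
             keep_state=True, log=True),
        Rule("allow", "tcp", established=True),
        Rule("allow", "tcp", setup=True),
        Rule("deny", "tcp", direction="in", setup=True, log=True),
    ]


def trace_ssh_session():
    """Constructed packets (documentation addresses) run through reuben_ruleset()."""
    fw, client, stray = "192.0.2.10", "203.0.113.5", "198.51.100.9"
    packets = [
        Packet("tcp", client, 51000, fw, 22, "in", syn=True),     # ssh connection setup
        Packet("tcp", client, 51000, fw, 22, "in", ack=True),     # later packet of that session
        Packet("tcp", stray, 40000, fw, 22, "in", ack=True),      # ACK with no prior setup
        Packet("tcp", client, 51001, fw, 8080, "in", syn=True),   # setup to an unlisted port
    ]
    return evaluate(reuben_ruleset(), packets)


if __name__ == "__main__":
    for n, (idx, action, logged) in enumerate(trace_ssh_session(), 1):
        print(f"packet {n}: rule {idx} -> {action}{' (logged)' if logged else ''}")
```

Read top to bottom, the trace shows the ssh setup packet reaching the logged allow rule (index 5), the session's later packets being accepted silently through `check-state`, and an ACK that never completed a setup hitting `deny tcp from any to any established` (index 1). The fourth packet is the one worth noticing: a setup to a port not in the list is accepted, unlogged, by `pass tcp from any to any setup` (index 7), so the final `deny log ... in via em0 setup` rule can never be reached for such packets under first-match semantics. When a rule carrying `log` matches in the model but nothing appears in the system log, the remaining things to check on the host are the ipfw verbose sysctls (`net.inet.ip.fw.verbose` and the per-rule cap `net.inet.ip.fw.verbose_limit`), which this model does not represent.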