IPF firewalling

Erik Norgaard norgaard at locolomo.org
Sun Jan 16 13:00:29 PST 2005


Kövesdán Gábor wrote:
> Thanks for your answer, I've modified my rules as You suggested, but I
> haven't made groups yet. Thus the new ruleset is:

But did you resolve the named problem?

> # I don't want to filter outgoing packets
> pass out quick all
> 
> # The incoming packets for dhcp, dns, ssh, mail, ftp, www
> pass in quick on rl0 proto udp from any to any port = 68 keep state keep frags
> pass in quick on rl0 proto udp from any to any port = 53 keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 53 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 25 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state keep frags
> 
> # Some advanced stuff - will be set later
> #block return-rst in log quick on rl0 proto tcp from any to any
> #block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
> #block in quick on rl0 all
> 
> # Allow everything for the loopback interface
> pass in quick on lo0 all
> pass out quick on lo0 all

Now reading this - maybe you left out the default action at the top of 
the ruleset? - I only see pass rules, and unless you compiled your kernel 
with default block, the default is pass, leaving your host with no 
effective firewall at all.

> I ran the ipf -Fa && ipf -f /etc/ipf.rules2 command (ipf.rules2 is this
> ruleset) via ssh, but then my connection closed, and I was unable to
> reconnect via ssh until flushing the rules and loading this ruleset:

> pass in all
> pass out all

It should suffice just to flush the rules, unless you compiled your kernel 
with default block. Whatever the default is, it is always a good idea for 
clarity to include a catch-all rule.

Also, make sure to add "log" and start ipmon; when something falls 
through or is blocked for other reasons, you get a log entry stating 
which rule blocked it, so you can debug your ruleset. - I see I left it out 
in the default rules I suggested; these rules should go at the top of the file:

block out log all
block in  log all

Whatever falls through your ruleset will be logged so you can analyse it.

When you flush your rulesets, the state table is not flushed, so you 
shouldn't lose your connection. Also, I recommend reading rules 
into the inactive rule table first, then swapping. This way you make sure 
your rules do not contain typos and you don't leave your firewall/host 
vulnerable.

# ipf -IFa && ipf -I -f <rulefile> && ipf -s && sleep 60 && ipf -s

lets you test the new ruleset for 60 seconds, should you lose the connection. 
If things work, then

# ipf -IFa && ipf -I -f <rulefile> && ipf -s && ipf -IFa

Cheers, Erik
-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
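An added pre-flight check in the spirit of Erik's advice, not code from the thread: a small sh/awk lint that flags a ruleset with no catch-all block rule, or with block rules lacking "log", before `ipf -f` loads it. `ipf_lint` is a made-up helper name and the three rule files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: a pre-flight lint for an IPF
# ruleset that catches the two problems raised above before "ipf -f" loads it:
#   1. no catch-all "block in all" / "block out all", so the kernel default
#      (normally pass) decides what falls through the ruleset;
#   2. block rules without "log", so ipmon never tells you which rule dropped a packet.
# ipf_lint is a made-up helper name; the rule files below are constructed.
ipf_lint() {
    awk '
    function has(w, i) { for (i = 1; i <= NF; i++) if ($i == w) return 1; return 0 }
    # a block rule that is commented out is not in effect: worth a note
    /^[[:space:]]*#[[:space:]]*block/ { sub(/^[[:space:]]*#[[:space:]]*/, "")
                                        print "note: disabled block rule: " $0; next }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # other comments, blank lines
    $1 == "block" {
        if (!has("log")) { print "finding: block rule without log: " $0; n++ }
        # catch-all: block rule ending in "all" with no "on <iface>" qualifier
        if ($NF == "all" && !has("on")) { if ($2 == "in") cin = 1; else if ($2 == "out") cout = 1 }
    }
    END {
        if (!cin)  { print "finding: no catch-all \"block in all\"; inbound default is the kernel default (normally pass)"; n++ }
        if (!cout) { print "finding: no catch-all \"block out all\"; outbound default is the kernel default"; n++ }
        exit (n > 0)   # status 0 = clean, 1 = findings printed
    }' "$1"
}

BAD=$(mktemp) NOLOG=$(mktemp) GOOD=$(mktemp)
trap 'rm -f "$BAD" "$NOLOG" "$GOOD"' EXIT
cat >"$BAD" <<'EOF'
# constructed: pass-only ruleset, block rules "to be set later"
pass out quick all
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state keep frags
#block in quick on rl0 all
pass in quick on lo0 all
EOF
cat >"$NOLOG" <<'EOF'
# constructed: catch-all rules present, but the inbound one is unlogged
block in all
block out log all
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
EOF
cat >"$GOOD" <<'EOF'
# constructed: the suggested defaults at the top, then the service rules
block out log all
block in  log all
pass out quick all
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
EOF
for f in "$BAD" "$NOLOG" "$GOOD"; do echo "== $f"; ipf_lint "$f" || echo "=> fix before loading"; done
```

The lint only catches what is visible on paper; the inactive-table load and swap described above still covers runtime mistakes such as locking yourself out.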