IPFW: Blocking me out. How to debug?

Ian Smith smithi at nimnet.asn.au
Sun Dec 30 06:35:14 PST 2007


On Sat, 29 Dec 2007, W. D. wrote:
 > At 08:49 12/22/2007, Ian Smith wrote:
 > >Warning: overlong message.
 > > > > > >W. D. wrote:
 [.. slashing mercilessly ..]

 > >Ok, so your nameserver will be making upstream requests too, and you'll
 > >need to do TCP 53 traffic with your secondary nameserver/s as well as
 > >UDP 53 traffic with upstream nameservers, up to the root unless you're
 > >only using specified upstream forwarders. Given that you're checking TCP
 > >setup, allowing established, then maybe:
 > >
 > > allow udp from me to any 53 out keep-state	# my requests
 > > allow udp from any to me 53 in keep-state	# serve outside requests
 > > allow tcp from me to $secondaries 53 setup	# zone transfers out
 > > allow tcp from $secondaries to me 53 setup	# zone transfers in
 > 
 > What is $secondaries?

An example of why I prefer scripted rulesets :)  Here, a list of one or
more secondary nameservers that need to do axfrs to refresh domain/s for
which you are the primary/master, and any domains you are secondary for. 

 > >though you'll want to protect named with ACLs for xfers as well.
 > 
 > "ACLs"?  What are those?

Access Control Lists.

See named.conf(5) and the section in the BIND 9 Administrator Reference
Manual which you'll most likely want to refer to.  If you installed the
doc distribution (see below) then the full cross-referenced HTML version
is at /usr/share/doc/bind9/arm - I usually symlink both /usr/share/doc
and /usr/local/share/doc into webspace.

 > >access to only your LAN.  Will this webserver later have a public IP
 > >address, or run behind NAT with port forwarding? 
 > 
 > Public IP.

So will your LAN also have access to services on this machine?  ie will
this box have an address on your LAN also?  alias on the same interface?

 > > > > > >>         # FTP:
 > > > > > >>         add allow tcp from any to any ftp in setup
 > > > > > >>         add allow tcp from any to any ftp\-data in setup
 > > > > > >>         add allow tcp from any ftp\-data to any setup out
 > >
 > > > >Mmm, I prefer using and enforcing FTP passive mode, but YMMV.
 > > > 
 > > > How would I do that?  This guy doesn't think it's even 
 > > > possible:
 > > > http://tinyurl.com/2z6ynr
 > >
 > >Mmm, ok.  Passive mode needs allowing connections to this port range
 > >  net.inet.ip.portrange.hifirst: 49152
 > >  net.inet.ip.portrange.hilast: 65535
 > >which is adjustable, but I'm unsure of my ground regarding ftp - pass.
 > 
 > How would I write this as a rule?

I did try to pass ..

# ipfw add allow tcp from any to me 49152-65535 in setup

but that's only safe if you'll run no other services in that range. 

Below in your new ruleset you specify as a range:

 > # FTP Passive (Ports 10000-65000):
 > add allow tcp from me to any 10000-65000 in setup

but I think you mean 'any to me'?  And the range is unnecessarily larger
than ftpd uses, ie .hifirst to .hilast and you can probably limit your
range further - I'm unsure how hard passive mode ftpd hunts for free
ports to bind to, or what.  Maybe someone else can help out here .. ?


 > > > Am using this link, since "man ipfw" doesn't work on 6.2.  (I dare
 > > > someone to explain to me how to get it to work):
 > > > http://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8
 > >
 > >That's weird.  Does man work for others in section 8, eg man mount ? 
 > 
 > Nope.  How to get working?

(re)install the manpages and doc distributions from the distribution CD,
or by FTP or whatever you used or want to use.

You can use sysinstall / configure / distributions, select manpages and
doc, select media when asked, visit options if you need to set anything
else, then install.  Don't go _anywhere near_ partitioning or labelling
disks or mess with anything else, even for a peek, in my experience.

 > Here is my latest /etc/ipfw.rules.  Please critique:
 > 
 > #    Filename: ipfw.rules
 > # Description: ipfw firewall ruleset
 > #    Location: /etc/ipfw.rules
 > #        Date: 2007 Dec 29
 > 
 > # By default, everything is denied access.  You
 > # need to specifically allow something for it
 > # to work.
 > 
 > # Debugging tools:
 > #
 > # Check the syntax of the rules file:
 > #   ipfw -n /etc/ipfw.rules
 > #
 > # Stop, then restart ipfw:
 > #   ipfw disable firewall; /etc/rc.d/ipfw start

Or '/etc/rc.d/ipfw stop; /etc/rc.d/ipfw start' which includes the
dis/enabling.  '/etc/rc.d/ipfw restart' probably works too, modulo
caveats in ipfw(8) about doing these sorts of things remotely.

 > # List firewall hits:
 > #   ipfw -a -S -N -t list

-S is overkill/noise unless actually using sets.  -N can be slow if any
addresses prove hard to resolve, but I guess that info may be useful :)

 > # Zero out hits counter:
 > #   ipfw zero

<shudder>  I'd never use this command without including rule number/s,
but then I use counters for um, accounting.  Fine while testing .. 

 > # View the log:
 > #    tail  -f   /var/log/ipfw/ipfw.log

Study/search logs: less -S /var/log/ipfw/ipfw.log*

 > # Allow anything on the local loopback:
 > add allow all from any to any via lo0
 >
 > # Disallow Spoofers: =========================
 > # For more info, see: 
 > #  RFC3330
 > #  http://en.wikipedia.org/wiki/Private_network               
 > #
 > # "This" Network:
 > add deny log ip from any to 0.0.0.0/8 in
 > add deny log ip from 0.0.0.0/8 to any in
 > 
 > # IANA Reserved:
 > add deny log ip from any to 1.0.0.0/8 in
 > add deny log ip from 1.0.0.0/8 to any in
 > 
 > # IANA Reserved:
 > add deny log ip from any to 2.0.0.0/8 in
 > add deny log ip from 2.0.0.0/8 to any in
 > 
 > # Class A Private Network:
 > add deny log ip from any to 10.0.0.0/8 in
 > add deny log ip from 10.0.0.0/8 to any in
 > 
 > # Localhost:
 > add deny log ip from any to 127.0.0.0/8 in
 > add deny log ip from 127.0.0.0/8 to any in
 > 
 > # Link Local/Auto-Config:
 > add deny log ip from any to 169.254.0.0/16 in
 > add deny log ip from 169.254.0.0/16 to any in
 > 
 > # Class B Private Network:
 > add deny log ip from any to 172.16.0.0/12 in
 > add deny log ip from 172.16.0.0/12 to any in
 > 
 > # TEST-NET/Examples:
 > add deny log ip from any to 192.0.2.0/24 in
 > add deny log ip from 192.0.2.0/24 to any in
 > 
 > # Class C Private Network:
 > add deny log ip from any to 192.168.0.0/16 in
 > add deny log ip from 192.168.0.0/16 to any in
 > 
 > # IPV6to4 relay anycast addresses:
 > add deny log ip from any to 192.88.99.0/24 in
 > add deny log ip from 192.88.99.0/24 to any in
 > 
 > # Interconnect Benchmarks:
 > add deny log ip from any to 198.18.0.0/15 in
 > add deny log ip from 198.18.0.0/15 to any in
 > 
 > # Multicast:
 > add deny log ip from any to 224.0.0.0/3 in
 > add deny log ip from 224.0.0.0/3 to any in
 > 
 > # Class E Reserved:
 > add deny log ip from any to 240.0.0.0/4 in
 > add deny log ip from 240.0.0.0/4 to any in
 > 
 > # Spoofers ===================================

Every one of those, except of course any RFC1918 net like 192.168/16 you
may be serving on the LAN (?) that you need to allow, you can drop the
'in' from, so they work to stop _outbound_ spoofing by/from your system
also.  The spoofing section in /etc/rc.firewall 'simple' works for me. 

 > # Initialize the system to keep track of states:
 > add check-state
 > # ============================================

 > # Allow already established connections.  These
 > # connections are allowed by the subsequent
 > # rules listed below this one.
 > add allow tcp from any to me in established
 > add allow tcp from me to any out established
 > # ============================================
 > 
 > # Deny fragmented packets: ===================
 > add deny log ip from any to any frag
 > # ============================================
 > 
 > # ICMP - Pings: ==============================
 > # Count inbound pings (8 = Echo Request)
 > add count icmp from any to any icmptypes 8 in
 > 
 > # Allow pings, ping replies, and host unreach:
 > # 0 = Echo Reply
 > # 3 = Destination Unreachable
 > # 8 = Echo Request
 > # 11 = Time-to-Live exceeded (for traceroute)
 > add allow icmp from any to any icmptypes 0,8,3,11
 > # ICMP =======================================
 > 
 > # Allow UDP traceroutes: =====================
 > add allow udp from any to any 33434-34458 in
 > add allow udp from any 33434-34458 to any out
 > # ============================================
 > 
 > #  DNS (Port 53): ============================
 > # add allow udp from any to any domain out
 > # add allow udp from any domain to any in
 > 
 > # My DNS requests
 > add allow udp from me to any 53 out keep-state
 > 
 > # Serve outside DNS requests
 > add allow udp from any to me 53 in keep-state 
 > 
 > # DNS Zone transfers out
 > # ??? add allow tcp from me to $secondaries 53 setup    
 > 
 > # DNS Zone transfers in
 > # ??? add allow tcp from $secondaries to me 53 setup
 > # DNS ========================================

As discussed above.

 > # SSH (Port 22) ==============================
 > #  Note that /etc/hosts.allow has restrictions
 > #  on which IP addresses are allowed.
 > #
 > add allow tcp from any to me ssh in setup
 > add allow tcp from me to any ssh in setup
 > # SSH ========================================

Drop the 'in' from the second one (or use 'out').  It's not needed on
the first either; now that you're specifying direction and preventing
spoofing, you can let this sort of rule work on either or both passes.

 > # HTTP: ======================================
 > # HTTP (Port 80):
 > add allow tcp from any to me http in setup
 > add allow tcp from me to any http in setup

As the previous.

 > # HTTPS (Port 443):
 > add allow tcp from any to me https in setup
 > 
 > # HTTPS for Plesk Server Administrator (Port 8443):
 > add allow tcp from any to me dst-port 8443 in setup
 > # HTTP = ======================================
 > 
 > # MAIL: ======================================
 > # POP3 (Port 110)
 > add allow tcp from any to me pop3 in setup
 > 
 > # POP3S (Port 995)
 > add allow tcp from any to me pop3s in setup
 > 
 > # SMTP (Port 25):
 > add allow tcp from any to me smtp in setup

Won't you need 'me to any smtp out setup' too?

 > # SMTPS (Port 465):
 > add allow tcp from any to me smtps in setup
 > 
 > # IMAP (Port 143):
 > add allow tcp from any to me imap in setup
 > 
 > # IMAPS (Port 993):
 > add allow tcp from any to me imaps in setup
 > # MAIL =======================================
 > 
 > 
 > # FTP (Port 21): =============================
 > add allow tcp from any to me ftp in setup
 > add allow tcp from me to any ftp in setup

second one should be 'out', or both (ie omitted) as the others above?

 > # FTP Data (Port 20):
 > add allow tcp from any to me ftp\-data in setup
 > add allow tcp from any ftp\-data to me setup out
 > 
 > # FTP Passive (Ports 10000-65000):
 > add allow tcp from me to any 10000-65000 in setup
 > 
 > # FTPS (Port 990):
 > add allow tcp from any to me ftps in setup
 > add allow tcp from me to any ftps in setup
 >
 > # FTP ========================================

second one, out?

 > # Allow NTP in and out to Navobs.WUstl.edu:
 > add allow udp from me ntp to 128.252.19.1 ntp out
 > add allow udp from 128.252.19.1 ntp to me ntp in
 > # NTP ========================================
 > 
 > # Allow UserID of "root" unfettered access:
 > add allow tcp from me to any out setup uid root
 > # ============================================

Ah, ok, that would cover your outbound mail connects too.

There may be other users (ie you) needing outbound access too, but you
can always find out from logging why something expected to work isn't :)

 > # MySQL (Port 3306): =========================
 > # add allow tcp from any to me 3306 in setup
 > # add allow tcp from me to any 3306 in setup
 > # MySQL ======================================

again, second one, going out?

 > # PgSQL (Port 5432): =========================
 > # add allow tcp from any to me 5432 in setup
 > # add allow tcp from me to any 5432 in setup
 > # PgSQL ======================================

ditto.  I guess you'll have both the SQL servers well restricted by
config too, and everything else.  You're running plenty of services.

 > # TomCat (Port 9080): ========================
 > # add allow tcp from any to me 9080 in setup
 > # add allow tcp from me to any 9080 in setup
 > # TomCat =====================================

ditto?

 > # Plesk Server Administrator - PSA ===========
 > #  Get updates on port 5224
 > add allow tcp from me to 64.131.90.31 dst-port 5224 out setup
 > # add allow tcp from 64.131.90.31 to me dst-port 5224 in setup
 > # ============================================
 > 
 > 
 > # Deny and log everything else: ==============
 > add deny log ip from any to me in
 > add deny log ip from any to me out
 > add deny log ip from me to any in
 > add deny log ip from me to any out

Nothing survives the above gauntlet, so nothing reaches below.  If you
put these above the 'ip' = 'all' rules above, they'd count the denied
udp first, then the rest, if that's what you want.

 > add deny log udp from any to me in
 > add deny log udp from any to me out
 > add deny log udp from me to any in
 > add deny log udp from me to any out
 > # ============================================

cheers, Ian
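Added example (not code from this thread, nor from FreeBSD's own /etc/rc.firewall): a scripted ipfw ruleset of the kind Ian says he prefers. The secondary-nameserver list lives in one variable and feeds both the TCP 53 rules and a matching BIND 9 allow-transfer ACL; the anti-spoof rules omit 'in' as Ian suggests, skipping only the RFC 1918 net served on the LAN; service rules take an explicit in/out argument; the passive-FTP range is read from net.inet.ip.portrange.hifirst/hilast with a fallback to the defaults quoted above. All addresses (203.0.113.10, 198.51.100.20, 192.168.0.0/16) are hypothetical. The script does not touch the live firewall: by default it only prints "ipfw add ..." lines.

```shell
#!/bin/sh
# Added example: a scripted ipfw ruleset. Addresses are hypothetical.
# Default action is to print the rules; run with IPFW=ipfw to load them
# for real (or redirect the output to a file and check it with ipfw -n).

IPFW=${IPFW:-"echo ipfw"}

# Hypothetical secondaries that AXFR from us, and the RFC 1918 net we
# serve on the LAN, whose bogon rule must therefore be skipped.
SECONDARIES=${SECONDARIES:-"203.0.113.10 198.51.100.20"}
LAN_NETS=${LAN_NETS:-"192.168.0.0/16"}

# Reserved/private prefixes taken from the posted ruleset.
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.0.2.0/24 192.168.0.0/16 192.88.99.0/24 198.18.0.0/15 224.0.0.0/3"

# Anti-spoofing. Per Ian's remark there is no "in" keyword, so the same
# rule also stops this host sending packets to or from a bogon prefix.
antispoof() {
    for net in $BOGONS; do
        case " $LAN_NETS " in *" $net "*) continue ;; esac
        $IPFW add deny log ip from any to "$net"
        $IPFW add deny log ip from "$net" to any
    done
}

# DNS: stateful UDP both ways, TCP 53 only with the listed secondaries.
dns() {
    $IPFW add allow udp from me to any 53 out keep-state   # my requests
    $IPFW add allow udp from any to me 53 in keep-state    # serve outside requests
    for s in $SECONDARIES; do
        $IPFW add allow tcp from me to "$s" 53 setup        # zone transfers out
        $IPFW add allow tcp from "$s" to me 53 setup        # zone transfers in
    done
}

# The matching BIND 9 ACL (named.conf fragment) built from the same list,
# so a host the firewall lets reach TCP 53 still cannot AXFR unless listed.
named_acl() {
    echo "acl secondaries {"
    for s in $SECONDARIES; do echo "    $s;"; done
    echo "};"
    echo "options { allow-transfer { secondaries; }; };"
}

# One TCP service rule: "in" = we serve it, "out" = we connect to it.
# The inbound rule carries no direction keyword: with spoofing blocked
# above, "to me" already pins it down and it may match on either pass.
service() {
    case $2 in
        in)  $IPFW add allow tcp from any to me "$1" setup ;;
        out) $IPFW add allow tcp from me to any "$1" setup out ;;
        *)   echo "usage: service <port> in|out" >&2; return 1 ;;
    esac
}

# Passive FTP: ftpd binds data ports in net.inet.ip.portrange.hifirst..
# hilast. Read the live values, fall back to the defaults quoted in the
# thread. Only safe if nothing else listens in that range.
passive_ftp() {
    first=$(sysctl -n net.inet.ip.portrange.hifirst 2>/dev/null) || first=49152
    last=$(sysctl -n net.inet.ip.portrange.hilast 2>/dev/null) || last=65535
    [ -n "$first" ] || first=49152
    [ -n "$last" ] || last=65535
    service 21 in
    $IPFW add allow tcp from any to me "$first-$last" in setup
}

ruleset() {
    $IPFW add allow all from any to any via lo0
    antispoof
    $IPFW add check-state
    $IPFW add allow tcp from any to me in established
    $IPFW add allow tcp from me to any out established
    dns
    service 22 in
    service 80 in
    service 443 in
    service 25 in
    service 25 out        # outbound mail, the rule Ian asks about
    passive_ftp
    $IPFW add deny log ip from any to any
}

ruleset
```

Run it as-is to eyeball the generated rules; run `named_acl` by itself to get the named.conf snippet to paste into the BIND configuration. Because every rule goes through `$IPFW`, the same script loads the ruleset on the real box with `IPFW=ipfw sh ipfw-rules.sh`, and the LAN net is the only thing that needs changing per host.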
