easy Firewall setup
Antonio Olivares
olivares14031 at gmail.com
Sun Jul 31 19:26:26 UTC 2011
On Sun, Jul 31, 2011 at 11:15 AM, Antonio Olivares
<olivares14031 at gmail.com> wrote:
>> A> Is there an easy firewall setup available somewhere (like the one
>> A> referenced below but for FreeBSD)?
>>
>> Here's a script you can use to generate a rules file for IPF.
>>
>> --
>
> Karl,
>
> I have used your script and it generated me a nice ipf.rules file
>
> /************* ipf.rules ********************/
> quadcore# cat /etc/ipf.rules
> # Generated by make-ipf-rules v1.10 at Sun Jul 31 10:42:21 CDT 2011
> #
> # NAME:
> # /etc/ipf.rules
> #
> # DESCRIPTION:
> # Ruleset for IPF packet filter.
> #
> # AUTHOR:
> # Antonio Olivares <olivares14031 at gmail.com>
>
> # --------------------------------------------------------------------
> # We don't care about NETBIOS broadcast crap, bootpc requests, or IGMP.
> block in quick on msk0 proto udp from any to any port = 68
> block in quick on msk0 proto udp from any to any port = 137
> block in quick on msk0 proto udp from any to any port = 138
> block in quick on msk0 proto igmp from any to any
>
> # --------------------------------------------------------------------
> # Now block everything coming down the network.
> block in log on msk0 all
> block out log on msk0 all
>
> # --------------------------------------------------------------------
> # Get rid of anything with options, as these can be used to hack.
> block in log quick from any to any with ipopts
>
> # --------------------------------------------------------------------
> # Get rid of short TCP/IP fragments (too small for valid comparison)
> # as these can be used to hack.
> block in log quick proto tcp from any to any with short
>
> # --------------------------------------------------------------------
> # Allow all traffic on loopback.
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> # --------------------------------------------------------------------
> # Block all the private routable addresses, as these should never
> # come down the network, nor should we be talking to them.
> block out quick on msk0 from any to 192.168.0.0/16
> block out quick on msk0 from any to 172.16.0.0/12
> block out quick on msk0 from any to 127.0.0.0/8
> block out quick on msk0 from any to 10.0.0.0/8
> block out quick on msk0 from any to 0.0.0.0/8
> block out quick on msk0 from any to 169.254.0.0/16
> block out quick on msk0 from any to 192.0.2.0/24
> block out quick on msk0 from any to 204.152.64.0/23
> block out quick on msk0 from any to 224.0.0.0/3
>
> block in quick on msk0 from 192.168.0.0/16 to any
> block in quick on msk0 from 172.16.0.0/12 to any
> block in quick on msk0 from 10.0.0.0/8 to any
> block in quick on msk0 from 127.0.0.0/8 to any
> block in quick on msk0 from 0.0.0.0/8 to any
> block in quick on msk0 from 169.254.0.0/16 to any
> block in quick on msk0 from 192.0.2.0/24 to any
> block in quick on msk0 from 204.152.64.0/23 to any
> block in quick on msk0 from 224.0.0.0/3 to any
>
> # --------------------------------------------------------------------
> # Block and log portmapper attempts.
> block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state
>
> # --------------------------------------------------------------------
> # Allow outbound state related packets.
> pass out quick on msk0 proto tcp from any to any flags S keep state
> pass out quick on msk0 proto udp from any to any keep state
>
> # --------------------------------------------------------------------
> # Allow ping and traceroute. Since we're doing everything quick,
> # we must have passes before blocks.
> pass in quick on msk0 proto icmp from any to any icmp-type 0 keep state
> pass in quick on msk0 proto icmp from any to any icmp-type 8 keep state
> pass in quick on msk0 proto icmp from any to any icmp-type 11 keep state
> pass out quick on msk0 proto icmp from any to any icmp-type 0 keep state
> pass out quick on msk0 proto icmp from any to any icmp-type 8 keep state
> pass out quick on msk0 proto icmp from any to any icmp-type 11 keep state
> block in log quick on msk0 proto icmp from any to any
>
> # --------------------------------------------------------------------
> # Allow DNS; should this be just from nameservers?
> pass in quick on msk0 proto tcp from any to any port = 53 flags S keep state
> pass in quick on msk0 proto udp from any to any port = 53 keep state
>
> # --------------------------------------------------------------------
> # Allow ssh and mail from anywhere: tcpserver filters addresses
> pass in quick on msk0 proto tcp from any to any port = 22 flags S keep state
> pass in quick on msk0 proto tcp from any to any port = 25 flags S keep state
>
> # --------------------------------------------------------------------
> # Allow http from selected addresses.
> pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 80 flags S keep state
> pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 80 flags S keep state
>
> # --------------------------------------------------------------------
> # Allow secure http from selected addresses.
> pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 443 flags S keep state
> pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 443 flags S keep state
>
> # --------------------------------------------------------------------
> # Copyright (C) 2011
> # EOF
> /************************************************************/
>
> I add
> /*******************/
> lpd_enable="YES"
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipmon_enable="YES"
> ipmon_flags="-Ds"
> /******************/
> to /etc/rc.conf, I load the kernel module:
>
> quadcore# kldload /boot/kernel/ipl.ko
>
> I verify it is working:
>
> with # ipf -V
>
>
> quadcore# ipf -Fa -f /etc/ipf.rules
>
> Then I cannot browse :(
>
>
> quadcore# ipfstat
> bad packets: in 0 out 0
> IPv6 packets: in 0 out 0
> input packets: blocked 17 passed 14 nomatch 14 counted 0 short 0
> output packets: blocked 68 passed 22 nomatch 22 counted 0 short 0
> input packets logged: blocked 0 passed 0
> output packets logged: blocked 0 passed 0
> packets logged: input 0 output 0
> log failures: input 0 output 0
> fragment state(in): kept 0 lost 0 not fragmented 0
> fragment state(out): kept 0 lost 0 not fragmented 0
> packet state(in): kept 0 lost 0
> packet state(out): kept 0 lost 0
> ICMP replies: 0 TCP RSTs sent: 0
> Invalid source(in): 0
> Result cache hits(in): 10 (out): 0
> IN Pullups succeeded: 0 failed: 0
> OUT Pullups succeeded: 0 failed: 0
> Fastroute successes: 0 failures: 0
> TCP cksum fails(in): 0 (out): 0
> IPF Ticks: 574
> Packet log flags set: (0)
> none
>
>
> But I have to stop the firewall
>
> ipf -D
>
> and run
> # ifconfig msk0 up
>
> and I can browse. My best guess is that there is a problem with ipv6
> and ipv4, but I don't know how to troubleshoot this. I had generated
> the script a while ago, but I got errors; I did not know that the
> kernel module had to be loaded:
>
> # kldload /boot/kernel/ipl.ko
> verify that it is working with
> # ipf -V
>
> I read this over at these pages:
>
> http://manuuus.co.in/configure-ipf-firewall-in-freebsd/
>
> http://www.pc-freak.net/handbook/firewalls-ipf.html
>
> I know about ipfw too [thanks Polytropon, I have the simple setup you
> suggested, but on a school machine], and this time I tried the script,
> which is also very good, but I have a little problem.
>
> Is there anything I have to do, like turn on ipv6, to be able to
> browse? How do I check which version I have?
>
> Thanks for advice given.
>
> Regards,
>
> Antonio
>
Karl et al.,
I could not get the ipfw easy firewall solution to work either.
However, after trial and error I commented out the 192.0.X settings,
#block in quick on msk0 from 192.168.0.0/16 to any
#block out quick on msk0 from 192.168.0.0/16 to any
since I get an IP address in that range:
quadcore# ifconfig -a
msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c011a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,VLAN_HWTSO,LINKSTATE>
ether 00:1d:60:33:ca:b0
inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
status: active
I thought to myself that the above script would block it. After I commented
these out, I restarted the firewall:
# ipf -E
# ipf -V
# ipf -Fa -f /etc/ipf.rules
quadcore# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 44 passed 6605 nomatch 0 counted 0 short 0
output packets: blocked 26 passed 5278 nomatch 0 counted 0 short 0
input packets logged: blocked 9 passed 0
output packets logged: blocked 26 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 490 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 24 (out): 16
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 4258
Packet log flags set: (0)
none
quadcore# ipf -V
ipf: IP Filter: v4.1.28 (496)
Kernel: IP Filter: v4.1.28
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10f
It is working :); I hope it works after a reboot as well; if it does
not, it will be back to the drawing board :(
Regards,
Antonio
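As an added example (mine, not code from the thread or from IPF itself), the following Python models the way IPF walks a ruleset and runs a constructed excerpt of the generated rules against the packets a browser on a NATed LAN needs. It shows why the host at 192.168.1.5 could not browse: the outbound HTTP SYN to a public address passes and its SYN/ACK comes back through the state table, but a DNS query to the LAN gateway is stopped by `block out quick on msk0 from any to 192.168.0.0/16`, since the "private routable addresses" blocks in the generated file were written for a host with a public address. The model follows the ipf(5) semantics (state table consulted before the rules, last match wins, `quick` ends the walk) with a default of pass, as `ipf -V` reports above. That the resolver is the gateway at 192.168.1.1, and that the web server is at 203.0.113.80, are assumptions for the example, not facts from the post. `self_blocking_rules` is the check worth running before loading such a file: it lists the block rules on an interface whose networks contain that interface's own address.

```python
"""IPF rule walk, modelled: state table first, then every rule in order, LAST
match wins, 'quick' ends the walk.  Added example, not the post's or IPF's code."""
import ipaddress
import re
from dataclasses import dataclass

# Subset of the ipf(5) grammar that the generated /etc/ipf.rules uses.
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)(?:\s+log)?(?:\s+(?P<quick>quick))?"
    r"(?:\s+on\s+(?P<iface>\w+))?(?:\s+proto\s+(?P<proto>[\w/]+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))"
    r"(?:\s+port\s*=\s*(?P<dport>\d+))?(?:\s+icmp-type\s+(?P<icmp>\d+))?"
    r"(?:\s+flags\s+(?P<flags>\w+))?(?:\s+with\s+(?P<with>\w+))?"
    r"(?:\s+keep state)?\s*$")

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out"
    iface: str
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags set, e.g. frozenset("S")
    icmp_type: int = -1
    ipopts: bool = False            # matched by "with ipopts"
    short: bool = False             # matched by "with short"

def parse_rules(text):
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unsupported rule: " + line)
            rules.append((line, m.groupdict()))
    return rules

def _in_net(spec, addr):
    return spec in (None, "any") or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _matches(r, p):
    return (r["dir"] == p.direction and r["iface"] in (None, p.iface)
            and (not r["proto"] or p.proto in r["proto"].split("/"))
            and _in_net(r["src"], p.src) and _in_net(r["dst"], p.dst)
            and (not r["dport"] or int(r["dport"]) == p.dport)
            and (not r["icmp"] or int(r["icmp"]) == p.icmp_type)
            # "flags S" with IPF's default mask: SYN set and no other flag set
            and (not r["flags"] or p.flags == frozenset(r["flags"]))
            and (not r["with"] or getattr(p, r["with"])))

class IpfModel:
    def __init__(self, rules_text, default="pass"):
        self.rules, self.default, self.state = parse_rules(rules_text), default, set()

    def filter(self, p):
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow in self.state or reply in self.state:
            return "pass", "state"          # kept flows bypass the rule walk
        verdict, hit = self.default, "default"
        for text, r in self.rules:
            if _matches(r, p):
                verdict, hit = r["action"], text
                if r["quick"]:
                    break
        if verdict == "pass" and "keep state" in hit:
            self.state.add(flow)
        return verdict, hit

# Constructed excerpt of the generated ruleset, rules in their original order.
GENERATED_RULES = """\
block in log on msk0 all
block out log on msk0 all
block out quick on msk0 from any to 192.168.0.0/16
block in quick on msk0 from 192.168.0.0/16 to any
pass out quick on msk0 proto tcp from any to any flags S keep state
pass out quick on msk0 proto udp from any to any keep state
pass in quick on msk0 proto udp from any to any port = 53 keep state
"""

def self_blocking_rules(rules_text, iface, iface_addr):
    """Block rules on `iface` whose src or dst network contains iface's own address."""
    me = ipaddress.ip_address(iface_addr)
    return [text for text, r in parse_rules(rules_text)
            if r["action"] == "block" and r["iface"] in (None, iface)
            and any(s not in (None, "any") and me in ipaddress.ip_network(s, strict=False)
                    for s in (r["src"], r["dst"]))]

def browse_attempt(rules_text, host="192.168.1.5", resolver="192.168.1.1"):
    """Verdicts for a DNS query to the LAN resolver, an HTTP SYN to a public
    address (203.0.113.80, a placeholder) and the returning SYN/ACK."""
    fw = IpfModel(rules_text)
    dns, _ = fw.filter(Packet("out", "msk0", "udp", host, resolver, 40000, 53))
    syn, _ = fw.filter(Packet("out", "msk0", "tcp", host, "203.0.113.80", 50000, 80, frozenset("S")))
    ack, _ = fw.filter(Packet("in", "msk0", "tcp", "203.0.113.80", host, 80, 50000, frozenset("SA")))
    return dns, syn, ack

if __name__ == "__main__":
    print(self_blocking_rules(GENERATED_RULES, "msk0", "192.168.1.5"))
    print(browse_attempt(GENERATED_RULES))  # ('block', 'pass', 'pass')
```

Run as a script it prints the two self-blocking rules and the verdicts `('block', 'pass', 'pass')`; drop the two 192.168.0.0/16 lines, as the post did, and the DNS verdict becomes `pass`. The grammar subset also covers the `all`, `tcp/udp`, `icmp-type` and `with ipopts`/`with short` forms in the posted file, so the full /etc/ipf.rules can be fed to `IpfModel` as well.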