easy Firewall setup

Antonio Olivares olivares14031 at gmail.com
Sun Jul 31 19:26:26 UTC 2011


On Sun, Jul 31, 2011 at 11:15 AM, Antonio Olivares
<olivares14031 at gmail.com> wrote:
>> A> Is there an easy firewall setup available somewhere (like the one
>> A> referenced below but for FreeBSD)?
>>
>>   Here's a script you can use to generate a rules file for IPF.
>>
>> --
>
> Karl,
>
> I have used your script, and it generated a nice ipf.rules file for me
>
> /************* ipf.rules ********************/
> quadcore# cat /etc/ipf.rules
> # Generated by make-ipf-rules v1.10 at Sun Jul 31 10:42:21 CDT 2011
> #
> # NAME:
> #    /etc/ipf.rules
> #
> # DESCRIPTION:
> #    Ruleset for IPF packet filter.
> #
> # AUTHOR:
> #    Antonio Olivares <olivares14031 at gmail.com>
>
> # --------------------------------------------------------------------
> # We don't care about NETBIOS broadcast crap, bootpc requests, or IGMP.
> block in quick on msk0 proto udp  from any to any port = 68
> block in quick on msk0 proto udp  from any to any port = 137
> block in quick on msk0 proto udp  from any to any port = 138
> block in quick on msk0 proto igmp from any to any
>
> # --------------------------------------------------------------------
> # Now block everything coming down the network.
> block in  log  on msk0 all
> block out log  on msk0 all
>
> # --------------------------------------------------------------------
> # Get rid of anything with options, as these can be used to hack.
> block in  log quick     from any to any with ipopts
>
> # --------------------------------------------------------------------
> # Get rid of short TCP/IP fragments (too small for valid comparison)
> # as these can be used to hack.
> block in  log quick proto tcp from any to any with short
>
> # --------------------------------------------------------------------
> # Allow all traffic on loopback.
> pass  in  quick on lo0 all
> pass  out quick on lo0 all
>
> # --------------------------------------------------------------------
> # Block all the private routable addresses, as these should never
> # come down the network, nor should we be talking to them.
> block out quick on msk0 from any               to 192.168.0.0/16
> block out quick on msk0 from any               to 172.16.0.0/12
> block out quick on msk0 from any               to 127.0.0.0/8
> block out quick on msk0 from any               to 10.0.0.0/8
> block out quick on msk0 from any               to 0.0.0.0/8
> block out quick on msk0 from any               to 169.254.0.0/16
> block out quick on msk0 from any               to 192.0.2.0/24
> block out quick on msk0 from any               to 204.152.64.0/23
> block out quick on msk0 from any               to 224.0.0.0/3
>
> block in  quick on msk0 from 192.168.0.0/16    to any
> block in  quick on msk0 from 172.16.0.0/12     to any
> block in  quick on msk0 from 10.0.0.0/8        to any
> block in  quick on msk0 from 127.0.0.0/8       to any
> block in  quick on msk0 from 0.0.0.0/8         to any
> block in  quick on msk0 from 169.254.0.0/16    to any
> block in  quick on msk0 from 192.0.2.0/24      to any
> block in  quick on msk0 from 204.152.64.0/23   to any
> block in  quick on msk0 from 224.0.0.0/3       to any
>
> # --------------------------------------------------------------------
> # Block and log portmapper attempts.
> block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state
>
> # --------------------------------------------------------------------
> # Allow outbound state related packets.
> pass  out quick on msk0 proto tcp from any to any flags S keep state
> pass  out quick on msk0 proto udp from any to any keep state
>
> # --------------------------------------------------------------------
> # Allow ping and traceroute.  Since we're doing everything quick,
> # we must have passes before blocks.
> pass  in quick on msk0 proto icmp from any to any icmp-type  0 keep state
> pass  in quick on msk0 proto icmp from any to any icmp-type  8 keep state
> pass  in quick on msk0 proto icmp from any to any icmp-type 11 keep state
> pass out quick on msk0 proto icmp from any to any icmp-type  0 keep state
> pass out quick on msk0 proto icmp from any to any icmp-type  8 keep state
> pass out quick on msk0 proto icmp from any to any icmp-type 11 keep state
> block in log quick on msk0 proto icmp from any to any
>
> # --------------------------------------------------------------------
> # Allow DNS; should this be just from nameservers?
> pass in quick on msk0 proto tcp from any to any port = 53 flags S keep state
> pass in quick on msk0 proto udp from any to any port = 53 keep state
>
> # --------------------------------------------------------------------
> # Allow ssh and mail from anywhere: tcpserver filters addresses
> pass in quick on msk0 proto tcp from any to any port = 22 flags S keep state
> pass in quick on msk0 proto tcp from any to any port = 25 flags S keep state
>
> # --------------------------------------------------------------------
> # Allow http from selected addresses.
> pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 80 flags S keep state
> pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 80 flags S keep state
>
> # --------------------------------------------------------------------
> # Allow secure http from selected addresses.
> pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 443 flags S keep state
> pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 443 flags S keep state
>
> # --------------------------------------------------------------------
> # Copyright (C) 2011
> # EOF
> /************************************************************/
>
> I add
> /*******************/
> lpd_enable="YES"
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipmon_enable="YES"
> ipmon_flags="-Ds"
> /******************/
> to /etc/rc.conf, then I load the kernel module:
>
> quadcore# kldload /boot/kernel/ipl.ko
>
> I verify it is working:
>
> with # ipf -V
>
>
> quadcore# ipf -Fa -f /etc/ipf.rules
>
> Then I cannot browse :(
>
>
> quadcore# ipfstat
> bad packets:            in 0    out 0
>  IPv6 packets:          in 0 out 0
>  input packets:         blocked 17 passed 14 nomatch 14 counted 0 short 0
> output packets:         blocked 68 passed 22 nomatch 22 counted 0 short 0
>  input packets logged:  blocked 0 passed 0
> output packets logged:  blocked 0 passed 0
>  packets logged:        input 0 output 0
>  log failures:          input 0 output 0
> fragment state(in):     kept 0  lost 0  not fragmented 0
> fragment state(out):    kept 0  lost 0  not fragmented 0
> packet state(in):       kept 0  lost 0
> packet state(out):      kept 0  lost 0
> ICMP replies:   0       TCP RSTs sent:  0
> Invalid source(in):     0
> Result cache hits(in):  10      (out):  0
> IN Pullups succeeded:   0       failed: 0
> OUT Pullups succeeded:  0       failed: 0
> Fastroute successes:    0       failures:       0
> TCP cksum fails(in):    0       (out):  0
> IPF Ticks:      574
> Packet log flags set: (0)
>        none
>
>
> But I have to stop the firewall
>
> ipf -D
>
> and run
> # ifconfig msk0 up
>
> and I can browse.  My best guess is that there is a problem with ipv6
> and ipv4, but I don't know how to troubleshoot this.  I had generated
> the script a while ago, but I got errors; I did not know that the
> kernel module had to be loaded:
>
> # kldload /boot/kernel/ipl.ko
> verify that it is working with
> # ipf -V
>
> I read this over at these pages:
>
> http://manuuus.co.in/configure-ipf-firewall-in-freebsd/
>
> http://www.pc-freak.net/handbook/firewalls-ipf.html
>
> I know about ipfw too [thanks Polytropon, I have the simple setup you
> suggested, but on a school machine], and this time I tried the script,
> which is also very good, but I have a little problem.
>
> Is there anything I have to do, like turn on ipv6, to be able to
> browse?  How do I check which version I have?
>
> Thanks for advice given.
>
> Regards,
>
> Antonio
>

Karl et al.,

I could not get the ipfw easy firewall solution to work either.
However, after trial and error, I commented out the 192.0.X settings,

#block in  quick on msk0 from 192.168.0.0/16    to any
#block out  quick on msk0 from 192.168.0.0/16    to any

since I get an IP address:

quadcore# ifconfig -a
msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=c011a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,VLAN_HWTSO,LINKSTATE>
	ether 00:1d:60:33:ca:b0
	inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
	status: active

I thought to myself that the above script would block it.  After I
commented these out and restarted the firewall

# ipf -E
# ipf -V
# ipf -Fa -f /etc/ipf.rules

quadcore# ipfstat
bad packets:		in 0	out 0
 IPv6 packets:		in 0 out 0
 input packets:		blocked 44 passed 6605 nomatch 0 counted 0 short 0
output packets:		blocked 26 passed 5278 nomatch 0 counted 0 short 0
 input packets logged:	blocked 9 passed 0
output packets logged:	blocked 26 passed 0
 packets logged:	input 0 output 0
 log failures:		input 0 output 0
fragment state(in):	kept 0	lost 0	not fragmented 0
fragment state(out):	kept 0	lost 0	not fragmented 0
packet state(in):	kept 0	lost 0
packet state(out):	kept 490	lost 0
ICMP replies:	0	TCP RSTs sent:	0
Invalid source(in):	0
Result cache hits(in):	24	(out):	16
IN Pullups succeeded:	0	failed:	0
OUT Pullups succeeded:	0	failed:	0
Fastroute successes:	0	failures:	0
TCP cksum fails(in):	0	(out):	0
IPF Ticks:	4258
Packet log flags set: (0)
	none
quadcore# ipf -V
ipf: IP Filter: v4.1.28 (496)
Kernel: IP Filter: v4.1.28
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10f

It is working :)  I hope it works after a reboot as well; if it does
not, it will be back to the drawing board :(

Regards,

Antonio
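Added example, not from the thread or from Karl's script: a small Python model of IPF's rule-matching order, run over a constructed excerpt of the ruleset above. It shows why outbound traffic to the host's own 192.168.1.0/24 LAN (for instance a DNS query to the router, assumed here to be 192.168.1.1) is dropped by the "block out quick ... to 192.168.0.0/16" rule, and that passing the local subnet first keeps the other private-address blocks in place. Connection state ("keep state") is not modelled, and the sample packets are constructed.

```python
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "direction iface proto src dst dport")
# IPF rule subset from the generated file; "flags S"/"keep state" are ignored (no state model).
RULE_RE = re.compile(
    r"^(pass|block)\s+(in|out)\s+(?:log\s+)?(quick\s+)?(?:on\s+(\S+)\s+)?"
    r"(?:proto\s+(\S+)\s+)?(?:all|from\s+(\S+)\s+to\s+(\S+)(?:\s+port\s*=\s*(\d+))?)")

def parse_rule(line):
    m = RULE_RE.match(line)
    assert m, "unsupported rule: " + line
    act, d, quick, iface, proto, src, dst, port = m.groups()
    return act, d, bool(quick), iface, proto, src, dst, port and int(port)

def _matches(rule, p):
    _, d, _, iface, proto, src, dst, port = rule
    in_net = lambda spec, a: spec in (None, "any") or ipaddress.ip_address(a) in ipaddress.ip_network(spec)
    return (d == p.direction and iface in (None, p.iface)
            and (proto is None or p.proto in proto.split("/"))    # handles "tcp/udp"
            and in_net(src, p.src) and in_net(dst, p.dst)
            and (port is None or port == p.dport))

def evaluate(rules, p, default="pass"):
    # IPF: the last match wins, but a matching 'quick' rule ends the search at once.
    verdict = default                  # 'ipf -V' in the post shows "Default: pass all"
    for rule in rules:
        if _matches(rule, p):
            verdict = rule[0]
            if rule[2]:
                break
    return verdict

POSTED = """block out log  on msk0 all
block out quick on msk0 from any to 192.168.0.0/16
block out quick on msk0 from any to 10.0.0.0/8
pass  out quick on msk0 proto tcp from any to any flags S keep state
"""  # constructed excerpt of the posted ruleset, order preserved
# Instead of deleting the block, pass the host's LAN (192.168.1.0/24 per ifconfig) first.
FIXED = "pass out quick on msk0 from 192.168.1.5/32 to 192.168.1.0/24 keep state\n" + POSTED
SAMPLES = {  # constructed packets; 192.168.1.1 is assumed to be the LAN resolver
    "dns_to_router": Packet("out", "msk0", "udp", "192.168.1.5", "192.168.1.1", 53),
    "web_out": Packet("out", "msk0", "tcp", "192.168.1.5", "203.0.113.10", 80),
    "to_private": Packet("out", "msk0", "tcp", "192.168.1.5", "10.1.2.3", 80),
}

def verdicts(rules_text):
    rules = [parse_rule(ln) for ln in rules_text.splitlines() if ln.strip() and not ln.startswith("#")]
    return {name: evaluate(rules, p) for name, p in SAMPLES.items()}
```

In real IPF the state table is consulted before the rule list, so once the outbound query is passed with "keep state" the router's reply is accepted even though "block in quick ... from 192.168.0.0/16" is still present.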

