svn commit: r44079 - head/en_US.ISO8859-1/books/handbook/firewalls

Dru Lavigne dru at FreeBSD.org
Wed Feb 26 21:53:13 UTC 2014


Author: dru
Date: Wed Feb 26 21:53:13 2014
New Revision: 44079
URL: http://svnweb.freebsd.org/changeset/doc/44079

Log:
  Move Example Ruleset to under Rule Syntax.
  Cleanup the Example Ruleset.
  At some point, the ping rules and the incoming HTTP/SSH rules should be tightened.
  
  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Wed Feb 26 21:27:52 2014	(r44078)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Wed Feb 26 21:53:13 2014	(r44079)
@@ -1987,6 +1987,140 @@ options    IPDIVERT			# enables NAT</pro
       </variablelist>
     </sect2>
 
+    <sect2>
+	<title>Example Ruleset</title>
+
+	<para>This section demonstrates how to create an example
+	  stateful firewall ruleset script named
+	  <filename>/etc/ipfw.rules</filename>.  In this example, all
+	  connection rules use <literal>in</literal> or
+	  <literal>out</literal> to clarify the direction.  They also
+	  use <literal>via</literal>
+	  <replaceable>interface-name</replaceable> to specify
+	  the interface the packet is traveling over.</para>
+
+	<para>The firewall script begins by indicating that it is a
+	  Bourne shell script and flushes any existing rules.  It then
+	  creates the <literal>cmd</literal> variable so that
+	  <literal>ipfw add</literal> does not have to be typed at the
+	  beginning of every rule.  It also defines the
+	  <literal>pif</literal> variable which represents the name of
+	  the interface that is attached to the Internet.</para>
+
+	<programlisting>#!/bin/sh
+# Flush out the list before we begin.
+ipfw -q -f flush
+
+# Set rules command prefix
+cmd="ipfw -q add"
+pif="dc0"     # interface name of NIC attached to Internet</programlisting>
+
+	<para>The first two rules allow all traffic on the trusted
+	  internal interface and on the loopback interface:</para>
+
+	<programlisting># Change xl0 to LAN NIC interface name
+$cmd 00005 allow all from any to any via xl0
+
+# No restrictions on Loopback Interface
+$cmd 00010 allow all from any to any via lo0</programlisting>
+
+	<para>The next rule allows the packet through if it matches
+	  an existing entry in the dynamic rules table:</para>
+
+	<programlisting>$cmd 00015 check-state</programlisting>
+
+	<para>The next set of rules defines which stateful connections
+	  internal systems can create to hosts on the Internet:</para>
+
+	<programlisting># Allow access to public DNS
+# Replace x.x.x.x with the IP address of a public DNS server
+# and repeat for each DNS server in /etc/resolv.conf
+$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
+$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state
+
+# Allow access to ISP's DHCP server for cable/DSL configurations.
+# Use the first rule and check log for IP address.
+# Then, uncomment the second rule, input the IP address, and delete the first rule
+$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
+#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state
+
+# Allow outbound HTTP and HTTPS connections
+$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
+$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state
+
+# Allow outbound email connections
+$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
+$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
+
+# Allow outbound ping
+$cmd 00250 allow icmp from any to any out via $pif keep-state
+
+# Allow outbound NTP
+$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state
+
+# Allow outbound SSH
+$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
+
+# deny and log all other outbound connections
+$cmd 00299 deny log all from any to any out via $pif</programlisting>
+
+	<para>The next set of rules controls connections from
+	  Internet hosts to the internal network.  It starts by
+	  denying packets typically associated with attacks and then
+	  explicitly allows specific types of connections.  All the
+	  authorized services that originate from the Internet use
+	  <literal>limit</literal> to prevent flooding.</para>
+
+	<programlisting># Deny all inbound traffic from non-routable reserved address spaces
+$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif     #RFC 1918 private IP
+$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif      #RFC 1918 private IP
+$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif         #RFC 1918 private IP
+$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif        #loopback
+$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif          #loopback
+$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif     #DHCP auto-config
+$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif       #reserved for docs
+$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif    #Sun cluster interconnect
+$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif        #Class D & E multicast
+
+# Deny public pings
+$cmd 00310 deny icmp from any to any in via $pif
+
+# Deny ident
+$cmd 00315 deny tcp from any to any 113 in via $pif
+
+# Deny all Netbios services.
+$cmd 00320 deny tcp from any to any 137 in via $pif
+$cmd 00321 deny tcp from any to any 138 in via $pif
+$cmd 00322 deny tcp from any to any 139 in via $pif
+$cmd 00323 deny tcp from any to any 81 in via $pif
+
+# Deny fragments
+$cmd 00330 deny all from any to any frag in via $pif
+
+# Deny ACK packets that did not match the dynamic rule table
+$cmd 00332 deny tcp from any to any established in via $pif
+
+# Allow traffic from ISP's DHCP server.
+# Replace x.x.x.x with the same IP address used in rule 00120.
+#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state
+
+# Allow HTTP connections to internal web server
+$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
+
+# Allow inbound SSH connections
+$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2
+
+# Reject and log all other incoming connections
+$cmd 00499 deny log all from any to any in via $pif</programlisting>
+
+	<para>The last rule logs all packets that do not match any of
+	  the rules in the
+	  ruleset:</para>
+
+	<programlisting># Everything else is denied and logged 
+$cmd 00999 deny log all from any to any</programlisting>
+      </sect2>
+      
     <sect2 xml:id="firewalls-ipfw-cmd">
       <title>The <application>IPFW</application> Command</title>
 
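Review bot: the comment on rule 00260 mislabels the service. The rule still matches `tcp ... 37` (the RFC 868 Time protocol, as the removed text correctly called it under "Allow out Time"), but the new comment reads "Allow outbound NTP"; NTP is UDP port 123, so readers will either keep a rule that does nothing for NTP or assume NTP is already permitted. Either restore the "Time" wording or change the rule to something like `$cmd 00260 allow udp from any to any 123 out via $pif keep-state`. Two whitespace nits in the same hunk: the final comment line `# Everything else is denied and logged ` carries a trailing space, and the line after the closing `</sect2>` is whitespace-only.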
@@ -2155,199 +2289,6 @@ ks="keep-state"        # just too lazy t
       </sect3>
 
       <sect3>
-	<title>An Example Stateful Ruleset</title>
-
-	<para>The following sample ruleset is a complete inclusive
-	  type ruleset.  Comment out any
-	  <literal>pass</literal> rules for services that are not
-	  required.  To avoid logging undesired messages, add a
-	  <literal>deny</literal> rule in the inbound section.
-	  Change the <filename>dc0</filename> in every rule to the
-	  device name of the interface that connects the system to the
-	  Internet.</para>
-
-	<para>There is a noticeable pattern in the usage of these
-	  rules.</para>
-
-	<itemizedlist>
-	  <listitem>
-	    <para>All statements that are a request to start a session
-	      to the Internet use
-	      <literal>keep-state</literal>.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>All the authorized services that originate from
-	      the Internet use <literal>limit</literal> to prevent
-	      flooding.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>All rules use <literal>in</literal> or
-	      <literal>out</literal> to clarify direction.</para>
-	  </listitem>
-
-	  <listitem>
-	    <para>All rules use <literal>via</literal>
-	      <replaceable>interface-name</replaceable> to specify
-	      the interface the packet is traveling over.</para>
-	  </listitem>
-	</itemizedlist>
-
-	<para>The following rules go into
-	  <filename>/etc/ipfw.rules</filename>:</para>
-
-	<programlisting>################ Start of IPFW rules file ###############################
-# Flush out the list before we begin.
-ipfw -q -f flush
-
-# Set rules command prefix
-cmd="ipfw -q add"
-pif="dc0"     # public interface name of NIC
-              # facing the public Internet
-
-#################################################################
-# No restrictions on Inside LAN Interface for private network
-# Not needed unless you have LAN.
-# Change xl0 to your LAN NIC interface name
-#################################################################
-#$cmd 00005 allow all from any to any via xl0
-
-#################################################################
-# No restrictions on Loopback Interface
-#################################################################
-$cmd 00010 allow all from any to any via lo0
-
-#################################################################
-# Allow the packet through if it has previous been added to the
-# the "dynamic" rules table by a allow keep-state statement.
-#################################################################
-$cmd 00015 check-state
-
-#################################################################
-# Interface facing Public Internet (Outbound Section)
-# Interrogate session start requests originating from behind the
-# firewall on the private network or from this gateway server
-# destined for the public Internet.
-#################################################################
-
-# Allow out access to my ISP's Domain name server.
-# x.x.x.x must be the IP address of your ISP.s DNS
-# Dup these lines if your ISP has more than one DNS server
-# Get the IP addresses from /etc/resolv.conf file
-$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
-$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state
-
-# Allow out access to my ISP's DHCP server for cable/DSL configurations.
-# This rule is not needed for .user ppp. connection to the public Internet.
-# so you can delete this whole group.
-# Use the following rule and check log for IP address.
-# Then put IP address in commented out rule & delete first rule
-$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
-#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state
-
-# Allow out non-secure standard www function
-$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
-
-# Allow out secure www function https over TLS SSL
-$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state
-
-# Allow out send & get email function
-$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
-$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
-
-# Allow out FBSD (make install & CVSUP) functions
-# Basically give user root "GOD" privileges.
-$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root
-
-# Allow out ping
-$cmd 00250 allow icmp from any to any out via $pif keep-state
-
-# Allow out Time
-$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state
-
-# Allow out nntp news (i.e., news groups)
-$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state
-
-# Allow out secure FTP, Telnet, and SCP
-# This function is using SSH (secure shell)
-$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
-
-# Allow out whois
-$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state
-
-# deny and log everything else that.s trying to get out.
-# This rule enforces the block all by default logic.
-$cmd 00299 deny log all from any to any out via $pif
-
-#################################################################
-# Interface facing Public Internet (Inbound Section)
-# Check packets originating from the public Internet
-# destined for this gateway server or the private network.
-#################################################################
-
-# Deny all inbound traffic from non-routable reserved address spaces
-$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP
-$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif     #RFC 1918 private IP
-$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif          #RFC 1918 private IP
-$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif        #loopback
-$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif            #loopback
-$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
-$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif       #reserved for docs
-$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
-$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif         #Class D & E multicast
-
-# Deny public pings
-$cmd 00310 deny icmp from any to any in via $pif
-
-# Deny ident
-$cmd 00315 deny tcp from any to any 113 in via $pif
-
-# Deny all Netbios service. 137=name, 138=datagram, 139=session
-# Netbios is MS/Windows sharing services.
-# Block MS/Windows hosts2 name server requests 81
-$cmd 00320 deny tcp from any to any 137 in via $pif
-$cmd 00321 deny tcp from any to any 138 in via $pif
-$cmd 00322 deny tcp from any to any 139 in via $pif
-$cmd 00323 deny tcp from any to any 81 in via $pif
-
-# Deny any late arriving packets
-$cmd 00330 deny all from any to any frag in via $pif
-
-# Deny ACK packets that did not match the dynamic rule table
-$cmd 00332 deny tcp from any to any established in via $pif
-
-# Allow traffic in from ISP's DHCP server. This rule must contain
-# the IP address of your ISP.s DHCP server as it.s the only
-# authorized source to send this packet type.
-# Only necessary for cable or DSL configurations.
-# This rule is not needed for .user ppp. type connection to
-# the public Internet. This is the same IP address you captured
-# and used in the outbound section.
-#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state
-
-# Allow in standard www function because I have apache server
-$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
-
-# Allow in secure FTP, Telnet, and SCP from public Internet
-$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2
-
-# Allow in non-secure Telnet session from public Internet
-# labeled non-secure because ID & PW are passed over public
-# Internet as clear text.
-# Delete this sample group if you do not have telnet server enabled.
-$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2
-
-# Reject & Log all incoming connections from the outside
-$cmd 00499 deny log all from any to any in via $pif
-
-# Everything else is denied by default
-# deny and log all packets that fell through to see what they are
-$cmd 00999 deny log all from any to any
-################ End of IPFW rules file ###############################</programlisting>
-      </sect3>
-
-      <sect3>
 	<title>An Example <acronym>NAT</acronym> and Stateful
 	  Ruleset</title>
 
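Review bot: the removed introduction carried operational guidance that did not make it into the replacement section: "Comment out any pass rules for services that are not required" and "To avoid logging undesired messages, add a deny rule in the inbound section." The new Example Ruleset explains each rule group but never tells the reader to prune the pass rules they do not need or how to silence noisy logging before the catch-all `deny log`; consider carrying those two sentences over into the opening paragraph of the new section. Dropping rule 00240 (`... keep-state uid root`), the nntp, whois and telnet rules is an improvement and needs no comment.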

