
Firewall, Configuring

From FreeBSDwiki
Revision as of 15:51, 13 November 2004 by Jimbo (Talk | contribs)

IPFW firewall ruleset

Sample firewall script. This sets up a firewall on a "bastion" server that both runs publicly accessible services and acts as a NAT-enabled firewall for a protected network behind it. It is a plain shell script that can be run directly from the command line. But remember: if you are running it on a "default deny" system (one whose default rule denies ALL connectivity from ANYwhere, which is what a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT gives you, and which is recommended so that there is no window during boot in which an attacker can reach the machine before the ruleset is completely loaded), YOU WILL LOSE NETWORK CONNECTIVITY on the very first line of this script, the flush. That means you CANNOT run it from a remote shell session: the flush cuts your session off, and the script can stall or die before it ever punches a hole back through for you.

If you need to reload a firewall remotely, you'll need some trickery such as scheduling the reload with the at(1) scheduler. THAT works, because the job is run by atrun rather than by your login session, so finishing the script doesn't depend on network connectivity. However, if you're loading untested modifications, schedule ANOTHER at job for 5 minutes later that pulls the firewall back to a "known accessible" configuration, just in case you made a mistake. It could save you a long drive out to the colo.
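The at(1) trick above, written out as a script. This is an added example, not part of the original wiki page: it assumes the untested ruleset lives at /etc/ipfw.rules.new and the last ruleset you could log in through at /etc/ipfw.rules.good (both hypothetical paths), that both scripts call ipfw as "/sbin/ipfw ..." like the one on this page, and that atrun is enabled in /etc/crontab so at(1) jobs actually fire. It also syntax-checks the new ruleset first by running it with "ipfw -n", which parses each rule without installing anything.

```shell
#!/bin/sh
# Remote ipfw reload with an automatic rollback, scheduled through at(1).
# Added example; it is not part of the original wiki page.  Assumptions: the
# untested ruleset is the script /etc/ipfw.rules.new and the last ruleset you
# could log in through is /etc/ipfw.rules.good (both hypothetical paths); both
# invoke ipfw as "/sbin/ipfw ..." like the script on this page; and atrun is
# enabled in /etc/crontab so at(1) jobs actually fire.

NEW_RULES=${NEW_RULES:-/etc/ipfw.rules.new}
GOOD_RULES=${GOOD_RULES:-/etc/ipfw.rules.good}
ROLLBACK_MIN=${ROLLBACK_MIN:-5}
GUARD=${GUARD:-/var/run/ipfw.rollback}   # rollback runs only while this file exists

# Rewrite a ruleset script so every ipfw call carries -n: ipfw then only checks
# the syntax of each rule and never touches the kernel.  A typo in the new
# ruleset is caught here, before anything is scheduled.  Prints the rewritten
# script on stdout.
dryrun_script() {
    sed 's|/sbin/ipfw |/sbin/ipfw -n |g' "$1"
}

# Text of the at(1) job that loads the new rules.  atrun executes it outside
# our login session, so the flush on the ruleset's first line cannot kill it.
reload_job() {
    printf 'sh %s\n' "$1"
}

# Text of the rollback job: reload the known-good rules only if the guard file
# is still there.  Once we can log in through the new rules, we rm the guard
# and the queued rollback becomes a no-op.
rollback_job() {
    printf 'if [ -f %s ]; then sh %s; fi\n' "$1" "$2"
}

# Queue the rollback BEFORE the reload, so a failure to queue the safety net
# never leaves us with a reload and no way back.
schedule() {
    if ! dryrun_script "$NEW_RULES" | sh -e >/dev/null; then
        echo "$NEW_RULES has syntax errors, nothing scheduled" >&2
        return 1
    fi
    : > "$GUARD"
    rollback_job "$GUARD" "$GOOD_RULES" | at now + "$ROLLBACK_MIN" minutes
    reload_job "$NEW_RULES" | at now + 1 minute
    echo "new rules load in 1 minute, rollback in $ROLLBACK_MIN minutes;" \
         "rm $GUARD once you are back in to keep the new rules"
}

if [ "${1:-}" = "go" ]; then
    schedule
fi
```

Run it as "sh reload.sh go", log out, and log back in a couple of minutes later: if the new ruleset let you in, rm the guard file and the rollback job does nothing; if it didn't, wait out the five minutes and the known-good rules come back on their own.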

With no further ado, here's the ipfw script.

#!/bin/sh
# Quietly flush out the existing rules.  On a default-deny kernel this is the
# line that cuts off any remote session.
/sbin/ipfw -q -f flush

# Command prefix (add the "-q" option after development to turn on quiet mode)
cmd="/sbin/ipfw add"

# Outside and inside network interfaces
oif="xl0"
iif="ed0"

# Private IP of this server and the netmask of the whole LAN side
server="192.168.0.1"
inside="192.168.0.0/24"

###### Localhost stuff
#
# allow the computer to talk to itself
$cmd 00080 allow ip from any to any via lo0

# don't let anything from the "outside" talk to localhost
$cmd 00081 deny ip from any to 127.0.0.0/8

# don't let the computer talk to other computers as localhost
$cmd 00082 deny log ip from 127.0.0.0/8 to any
#
#######

####### DHCP stuff
#
# needed to renew the DHCP lease from the ISP: the offer/ack arrives on the
# outside interface from server port 67 to client port 68
$cmd 00083 allow udp from any 67 to any 68 in recv $oif
#
#####

######### deny-and-log bogus packets by tcpflags
#
# XMAS tree (FIN,PSH,URG)
$cmd 00084 deny log tcp from any to any in tcpflags fin,psh,urg recv $oif
# NULL scan (no flag set at all)
$cmd 00085 deny log tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg recv $oif
# SYN and FIN set together: never valid, used by some scanners
$cmd 00086 deny log tcp from any to any in tcpflags syn,fin recv $oif
# FIN and RST set together: never valid, used by "stealth" FIN scans
$cmd 00087 deny log tcp from any to any in tcpflags fin,rst recv $oif
# source routing and other IP options that force or record the path
$cmd 00089 deny log ip from any to any in ipoptions ssrr,lsrr,rr,ts recv $oif
#
#######



######### Things served by this machine directly
######### Any services on this machine go here, BEFORE the natd divert rule,
######### so the packets reach the daemon instead of being handed to natd
#
# HTTP
$cmd 00500 allow tcp from any to any 80 in via $oif
# SSH
$cmd 00510 allow tcp from any to any 22 in via $oif
# FTP: the control connection comes in to 21; for active-mode data connections
# the server opens port 20 outbound and the client's replies come back to 20
$cmd 00570 allow tcp from any to any 20 in via $oif
$cmd 00571 allow tcp from any to any 21 in via $oif
$cmd 00572 allow tcp from any 21 to any out via $oif
#
####


##### NATD stuff
#
# natd divert rule: everything crossing the outside interface goes through natd
$cmd 01000 divert natd all from any to any via $oif
#
######


#### All connections originating from my network are allowed
#
# check whether a dynamic rule already exists for this packet
$cmd 01100 check-state
# let everything on the internal network talk to and through the firewall
$cmd 01101 allow all from any to any via $iif keep-state
# create a dynamic rule for any connection started from inside (or by this host)
$cmd 01102 allow all from any to any out via $oif keep-state
# deny ACK/RST packets that match no dynamic rule; not logged, too many false positives
$cmd 01103 deny tcp from any to any established in via $oif
# deny fragments as bogus packets
$cmd 01104 deny log all from any to any frag in via $oif
#
#####


####### ICMP stuff
#
# allow "destination unreachable" in both directions (path-MTU discovery needs it)
$cmd 01200 allow icmp from any to any icmptypes 3
# allow source quench in and out
$cmd 01201 allow icmp from any to any icmptypes 4
# allow outbound pings and incoming ping responses
$cmd 01202 allow icmp from any to any icmptypes 8 out
$cmd 01203 allow icmp from any to any icmptypes 0 in
# allow "time exceeded" in, so outbound traceroutes get their replies
$cmd 01204 allow icmp from any to any icmptypes 11 in
#
########



##### This section is for exposing services on the LAN to the internet
#####  It is placed AFTER the natd divert rule, so by the time a packet gets
#####  here natd has already rewritten its destination to the LAN host named
#####  for that port with redirect_port in /etc/natd.conf
#
# VNC
$cmd 01550 allow tcp from any to $inside 5900 in via $oif
# KAZAA
$cmd 01580 allow ip from any to $inside 1214 in via $oif
# SOULSEEK
$cmd 01590 allow ip from any to $inside 2234 in via $oif
$cmd 01591 allow ip from any to $inside 5534 in via $oif
# EMULE
$cmd 01600 allow tcp from any to $inside 4662 in via $oif
$cmd 01601 allow udp from any to $inside 4672 in via $oif
# BITTORRENT
$cmd 01610 allow ip from any to $inside 30000-40000 in via $oif
#
####

######## SOME THINGS ARE TOO NOISY TO LIVE
######## Here we deny things that would be denied anyway, but that we just don't
######## want logged.  Be careful with this: in general, avoid putting anything
######## here that doesn't specify a known, relatively trustworthy source address,
######## and be careful about who can read this part of your config, because
######## anyone who can knows which probes you won't see or log.
#
# Don't bother logging IGMP from the ISP's gateway
$cmd 9004 deny igmp from 172.16.210.1 to any in via $oif
# Don't bother logging stray DNS replies from the ISP's resolvers to ephemeral ports
$cmd 9006 deny udp from 4.31.99.0/24\{100-103\} 53 to any dst-port 50000-65535 in via $oif
#
#####

######## Stealth scans of closed ports
########  Deny and log scans that we can't deny on open ports because doing so
########  would disrupt legitimate services.
#
# ACK scan (ACK,RST).  Note that rule 01103 already drops packets arriving on
# $oif with ACK or RST set and no dynamic-rule entry, without logging, so this
# rule only sees what 01103 let through; to actually log these probes, give
# this rule a number below 01103.
$cmd 60000 deny log tcp from any to any in tcpflags ack,rst recv $oif
#
#####

#############
############# DEFAULT RULE - deny it, and log it, 'cause we're secure like that.
############# (log only does anything with net.inet.ip.fw.verbose=1, and
############# net.inet.ip.fw.verbose_limit caps the entries logged per rule)
#############
#
$cmd 65000 deny log all from any to any



Helpful links:

http://www.freebsddiary.org/ipfw.php

http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html

http://blogs.geekdojo.net/andy/articles/1807.aspx (very helpful)

http://www.acme.com/firewall.html (also very helpful)

http://www.daniweb.com/tutorials/2949.html (for getting dhcpd running)
