Date: Sat, 18 Jul 1998 14:52:26 +1000 From: "Hallam Oaks P/L list account" <maillist@oaks.com.au> To: "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG> Subject: rc.firewall (was Re: Large-scale scan of SNMP ports) Message-ID: <199807180456.OAA04248@mail.aussie.org>
next in thread | raw e-mail | index | archive | help
Ok, here it is. The following script is based on the 'simple' section of
rc.firewall in the standard distribution. it makes the following assumptions -
o you have two interfaces, one to the internet, and one to a LAN
o the two interfaces don't share the same subnet
o the LAN is configured to use a real, routable subnet (no aliasing)
o that subnet is thus routed via the interface used for the 'net connection
o the LAN contains PC's (or whatever) that want access to the net
o any services offered to the PC's (DNS, squid, etc) run on the same
machine as that which executes the below rc.firewall
o http access is via a proxy (we use squid here)
o no outside parties have access to POP, IMAP, HTTP, etc.
o there are no outside logins of any type whatsoever (not even SSH).
I set the max hit count for any one rule to a number higher than the default
(which is, I think, 100). I use 1000 myself. I also do this in my /etc/daily -
echo "Listing IPFW rules and clearing accounting"
/sbin/ipfw -t list
/sbin/ipfw zero
One final warning - I don't consider myself particularly knowledgable in
areas of security. The following rc.firewall could have holes large enough to
fit the Enterprise through sideways. In fact it not only could, but probably
does. so if you use it it's at entirely at your own risk.
The IP addresses given have been modified to ensure whoever uses this actually
types something different in there :) (it won't work as-is).
If anyone does spot errors I'd be pleased to hear about them.
-- Chris
############
# Setup system for firewall service.
# $Id: rc.firewall,v 1.6.2.5 1997/10/21 00:20:35 jkh Exp $
# Adapted from 'SIMPLE' example in rc.firewall by CJC
############
# Set quiet mode if requested
if [ "x$firewall_quiet" = "xYES" ]; then
fwcmd="/sbin/ipfw -q"
else
fwcmd="/sbin/ipfw"
fi
############
# Flush out the list before we begin.
$fwcmd -f flush
############
# Only in rare cases do you want to change these rules
$fwcmd add 1000 pass all from any to any via lo0
$fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8
# our outside interface network and netmask and ip
pppif="tun0"
pppnet="139.XXX.XX.XXX"
pppmask="255.255.255.128"
pppip="139.XXX.XX.XXX"
# our inside interface network and netmask and ip
lanif="fxp0"
lanip="203.XX.XX.2"
# our entire inside network as one class C block
allnet="203.XX.XX.0"
allmask="255.255.255.0"
# two nameservers the LAN needs access to. these sit on the this machine.
ns1="203.XX.XX.11"
ns2="203.XX.XX.21"
# the address of our SMTP and POP3 server (runs on this machine)
mail="203.XX.XX.2"
# the address of our news server (runs on this machine)
news="203.XX.XX.2"
# our squid caching proxy (runs on this machine)
squid="203.XX.XX.2"
# all PC's on our LAN occupy the second 64-byte subnet of our class C
pcs="203.XX.XX.64:255.255.255.192"
# The primary IP address of our ethernet interface
gw="203.XX.XX.2"
# IP addresses of some outside machines that we are interested in
leopold="203.XX.XX.224"
mira="203.X.XXX.131"
####################################################################
# RULES THAT APPLY TO ALL PROTOCOLS
####################################################################
# Stop spoofing
$fwcmd add deny log all from ${allnet}:${allmask} to any in via ${pppif}
$fwcmd add deny log all from ${pppip} to any in via ${lanif}
# Stop RFC1918 nets on the outside interface
$fwcmd add deny log all from 192.168.0.0:255.255.0.0 to any via ${pppif}
$fwcmd add deny log all from 172.16.0.0:255.240.0.0 to any via ${pppif}
$fwcmd add deny log all from 10.0.0.0:255.0.0.0 to any via ${pppif}
####################################################################
# RULES THAT APPLY TO TCP ONLY
####################################################################
# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established
# Deny (with no logging) ident queries - we get too many to want to log them
$fwcmd add reject tcp from any to any 113 in via ${pppif}
$fwcmd add reject tcp from any to any 113 out via ${lanif}
# Allow outgoing ssh from any of our PC's
$fwcmd add pass tcp from ${pcs} to any 22 setup
# Allow setup of incoming email
$fwcmd add pass tcp from any to ${mail} 25 setup
# Allow anyone (!) access to our NNTP server (this is entirely intentional)
$fwcmd add pass tcp from any to ${news} 119 setup
# Allow any of our PC's access to NNTP servers elsewhere
$fwcmd add pass tcp from ${pcs} to any 119 setup
# Allow PC's access to the control ports of FTP servers elsewhere.
# They must use PASV mode for data !
$fwcmd add pass tcp from ${pcs} to any 21 setup
# Allow our PC's to have access to Compuserve (eek)
$fwcmd add pass tcp from ${pcs} to any 4144 setup
# Allow our PC's to access our POP server
$fwcmd add pass tcp from ${pcs} to ${mail} 110 via ${lanif} setup
# Allow our PC's local access to the web server
$fwcmd add pass tcp from ${pcs} to ${gw} 80 via ${lanif} setup
# Allow our squid cache to talk to peers
$fwcmd add pass tcp from ${pppip} to any 8080 via ${pppif} setup
# Allow our squid cache to talk to the world (and thus us to talk to anything)
# (One day I'll have to read the squid docs and do this a better way)
$fwcmd add pass tcp from ${pppip} to any via ${pppif} setup
# Allow PC's to talk to our squid cache
$fwcmd add pass tcp from ${pcs} to ${squid} 8000 via ${lanif} setup
# Allow PC's to talk to Perforce SCCS (p4d). The port varies according to setup.
$fwcmd add pass tcp from ${pcs} to ${gw} 1667 via ${lanif} setup
# Allow PC's to talk to the RealAudio proxy
$fwcmd add pass tcp from ${pcs} to ${gw} 1090 via ${lanif} setup
# Allow our lan to talk to Leopold's RA proxy and squid (for testing/maintainence)
$fwcmd add pass tcp from ${pcs} to ${leopold} 1090 setup
$fwcmd add pass tcp from ${pcs} to ${leopold} 8080 setup
# Allow our lan to talk to Mira's POP server
$fwcmd add pass tcp from ${pcs} to ${mira} 110 setup
# Allow DNS zone transfers.
# I Should really restrict this to our secondaries after some recent probes.
$fwcmd add pass tcp from any to ${ns1} 53 setup
$fwcmd add pass tcp from any to ${ns2} 53 setup
# Allow NetBIOS accesses from the local PC's to us
$fwcmd add pass tcp from ${pcs} to ${gw} 139 via ${lanif} setup
# Allow setup of TCP sessions from us (gw) to the world using our class C
# Note that this does not allow the PC's unrestricted access to the world,
# as it only applies to the PPP interface (the PC's are on the lan IF).
$fwcmd add pass tcp from ${allnet}:${allmask} to any out via ${pppif} setup
# allow our local FTP server to connect to the PC's (avoids using PASV mode)
$fwcmd add pass tcp from ${gw} 20 to ${pcs} out via ${lanif} setup
# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via ${pppif} setup
#####################################################################
# DENY UDP entries ... should go BEFORE the specific PASS UDP entries
#####################################################################
# technically these are unnecessary as we deny everything by default.
# if we add a rule here it's probably because we want a different action
# or because we don't want it logged (e.g. netbios accesses, which we get
# a lot of).
# Reject (with no logging) ident queries from the outside
$fwcmd add reject udp from any to any 113 in via ${pppif}
$fwcmd add reject udp from any to any 113 out via ${lanif}
# Reject (with no logging) NetBIOS name service accesses from outside
$fwcmd add reject udp from any to any 137 via ${pppif}
###############################################################################
# ALLOW UDP entries ... should go AFTER the specific DENY or REJECT UDP entries
###############################################################################
# allow us to send any UDP packet out via the ethernet interface. we have to add
# two rules here as the process sending the packet could be bound to either an
# IP in the class C ('allnet') or our PPP ip address
$fwcmd add pass udp from ${pppip} to any out via ${lanif}
$fwcmd add pass udp from ${allnet}:${allmask} to any out via ${lanif}
# Allow DNS queries from the world to the name servers on this machine
$fwcmd add pass udp from any to ${ns1} 53
$fwcmd add pass udp from any to ${ns2} 53
$fwcmd add pass udp from any to ${gw} 53
# Allow replies to DNS queries to go out
$fwcmd add pass udp from ${ns1} 53 to any
$fwcmd add pass udp from ${ns2} 53 to any
$fwcmd add pass udp from ${gw} 53 to any
# Allow NTP queries
$fwcmd add pass udp from any 123 to ${pppip}
$fwcmd add pass udp from ${pppip} to any 123
# Allow parents and peers ICP access to our squid cache via UDP
# This is too general - we allow anyone to talk. We should really only allow
# the accesses from the parents & peers.
$fwcmd add pass udp from any to ${squid} 3130 via ${pppif}
# Allow our squid cache to send ICP messages to peers via UDP
$fwcmd add pass udp from ${squid} to any 3130 via ${pppif}
# Allow NetBIOS accesses (and broadcasts) from the local network
$fwcmd add pass udp from ${pcs} to any 137 via ${lanif}
$fwcmd add pass udp from ${pcs} to any 138 via ${lanif}
$fwcmd add pass udp from ${gw} to any 138 via ${lanif}
$fwcmd add pass udp from ${gw} to any 137 via ${lanif}
###############################################################################
# ALLOW ICMP ENTRIES
###############################################################################
# Allow ICMP from our local network - so PC's can ping things on the 'net
# Makes the us and the PC's vunerable to certain types of attacks
# It would be nice if IPFW had the ability to 'see' an outgoing ICMP echo request,
# (which we could enable in one direction only), and then optionally automatically
# enable incoming ICMP to the sending IP address for a specified # of seconds.
# But it can't so we just leave it on all the time ...
$fwcmd add pass icmp from any to any
###############################################################################
# ALL
###############################################################################
$fwcmd add deny log all from any to any via ${lanif}
$fwcmd add deny log all from any to any via ${pppif}
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199807180456.OAA04248>