Date: Sat, 22 Feb 2014 02:43:03 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44024 - head/en_US.ISO8859-1/books/handbook/firewalls
Message-ID: <201402220243.s1M2h3JL099191@svn.freebsd.org>
Author: dru Date: Sat Feb 22 02:43:03 2014 New Revision: 44024 URL: http://svnweb.freebsd.org/changeset/doc/44024 Log: Cleanup sample ruleset. Move stuff that applies to all firewalls to Concepts section. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Sat Feb 22 01:58:09 2014 (r44023) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Sat Feb 22 02:43:03 2014 (r44024) @@ -170,6 +170,15 @@ selection criteria to create rules which will pass or block services.</para> + <para>To lookup unknown port numbers, refer to + <filename>/etc/services</filename>. Alternatively, visit <uri + xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri> + and do a port number lookup to find the purpose of a + particular port number.</para> + + <para>Check out this link for port numbers used by Trojans <uri + xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para> + <para>A firewall ruleset can be either <quote>exclusive</quote> or <quote>inclusive</quote>. An exclusive firewall allows all traffic through except for the @@ -1699,7 +1708,7 @@ ipnat_rules="/etc/ipnat.rules" # rule </sect2> <sect2> - <title><application>IPF</application> Rulesets</title> + <title><application>IPF</application> Rule Syntax</title> <indexterm> <primary><application>IPFILTER</application></primary> 
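Review bot: the two paragraphs added in the @@ -170 hunk read informally for the handbook and use "lookup" as a verb; suggest "To look up unknown port numbers, refer to /etc/services" and, in place of "Check out this link for port numbers used by Trojans", something like "A list of port numbers commonly used by Trojans is available at http://www.sans.org/security-resources/idfaq/oddports.php." Since this text now sits in the Concepts section that applies to all three firewalls, it would also help to say that /etc/services is the local reference and the two URLs are supplementary, so readers do not treat a Wikipedia list as authoritative for what a port on their own system is doing.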
@@ -1988,198 +1997,98 @@ ipnat_rules="/etc/ipnat.rules" # rule </sect2> <sect2> - <!-- XXX: This section needs a rewrite --> - - <title>Inclusive Ruleset Example</title> + <title>Example Ruleset</title> - <para>The following ruleset is an example of an inclusive type - of firewall which only allows services matching - <literal>pass</literal> rules and blocks all others by - default. Network firewalls intended to protect other machines - should have at least two interfaces, and are generally - configured to trust the <acronym>LAN</acronym> and to not - trust the public Internet. Alternatively, a host based - firewall might be configured to protect only the system it is - running on, and is appropriate for servers on an untrusted - network or a desktop system not protected by firewall on the - network.</para> + <para>This section demonstrates how to create an example ruleset + which only allows services matching + <literal>pass</literal> rules and blocks all others.</para> - <para>&os; uses interface <filename>lo0</filename> and IP + <para>&os; uses the loopback interface (<filename>lo0</filename>) and the <acronym>IP</acronym> address <systemitem class="ipaddress">127.0.0.1</systemitem> - for internal communication within the operating system. The - firewall rules must contain rules to allow free movement of - these internally used packets.</para> - - <para>The interface which faces the public Internet is the one - specified in the rules that authorize and control access of - the outbound and inbound connections.</para> - - <para>In cases where one or more NICs are cabled to private - network segments, those interfaces may require rules to allow - packets originating from those LAN interfaces transit to each - other or to the Internet.</para> - - <para>The rules should be organized into three major - sections: the trusted interfaces, then the public - interface outbound, and lastly, the public untrusted interface - inbound.</para> + for internal communication. 
The + firewall ruleset must contain rules to allow free movement of + these internally used packets:</para> - <para>The rules in each of the public interface sections should + <programlisting># no restrictions on loopback interface +pass in quick on lo0 all +pass out quick on lo0 all</programlisting> + + <para>The public interface connected to the Internet is used to + authorize and control access of + all outbound and inbound connections. If one or more interfaces are cabled to private + networks, those internal interfaces may require rules to allow + packets originating from the <acronym>LAN</acronym> to flow between the internal networks + or to the interface attached to the Internet. The ruleset should be organized into three major + sections: any trusted internal interfaces, outbound connections through the public + interface, and inbound connections through the public interface.</para> + + <para>These two rules allow all traffic to pass through a trusted + <acronym>LAN</acronym> interface named <filename>xl0</filename>:</para> + + <programlisting># no restrictions on inside LAN interface for private network +pass out quick on xl0 all +pass in quick on xl0 all</programlisting> + + <para>The rules for the public interface's outbound and inbound sections should have the most frequently matched rules placed before less commonly matched rules, with the last rule in the section - blocking and logging all packets on that interface and + blocking and logging all packets for that interface and direction.</para> - <para>The outbound section in the following ruleset only - contains <literal>pass</literal> rules which uniquely identify - the services that are authorized for public Internet access. - All the rules use <literal>quick</literal>, - <literal>on</literal>, <literal>proto</literal>, - <literal>port</literal>, and <literal>keep state</literal>. 
- The <literal>proto tcp</literal> rules include - <literal>flag</literal> to identify the session start request - as the triggering packet to activate the stateful - facility.</para> - - <para>The inbound section blocks undesirable packets first, for - two different reasons. The first is that malicious packets - may be partial matches for legitimate traffic. These packets - have to be discarded rather than allowed, based on their - partial matches against the <literal>allow</literal> rules. - The second reason is that known and uninteresting rejects may - be blocked silently, rather than being logged by the last rule - in the section.</para> - - <para>The ruleset should ensure that there is no response - returned for any undesirable traffic. Invalid packets should - be silently dropped so that the attacker has no knowledge if - the packets reached the system. Rules that include a - <literal>log first</literal> option, will only log the event - the first time they are triggered. This option is included in - the sample <literal>nmap OS fingerprint</literal> rule. The - <package>security/nmap</package> utility is - commonly used by attackers who attempt to identify the - operating system of the server.</para> - - <para>Any time there are logged messages on a rule with - the <literal>log first</literal> option, - <command>ipfstat -hio</command> should be executed - to evaluate how many times the rule has been matched. A - large number of matches usually indicates that the system is - being flooded or is under attack.</para> - - <para>To lookup unknown port numbers, refer to - <filename>/etc/services</filename>. 
Alternatively, visit <uri - xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri> - and do a port number lookup to find the purpose of a - particular port number.</para> - - <para>Check out this link for port numbers used by Trojans <uri - xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para> - - <para>The following ruleset creates an - <literal>inclusive</literal> firewall ruleset which can be - easily customized by commenting out - <literal>pass</literal> rules for services that should not - be authorized.</para> - - <para>To avoid logging unwanted messages, add a - <literal>block</literal> rule in the inbound section.</para> - - <para>Change the <filename>dc0</filename> interface name in - every rule to the interface name that connects the system to - the public Internet.</para> - - <para>The following statements were added to - <filename>/etc/ipf.rules</filename>:</para> - - <programlisting>################################################################# -# No restrictions on Inside LAN Interface for private network -# Not needed unless you have LAN -################################################################# - -#pass out quick on xl0 all -#pass in quick on xl0 all - -################################################################# -# No restrictions on Loopback Interface -################################################################# -pass in quick on lo0 all -pass out quick on lo0 all - -################################################################# -# Interface facing Public Internet (Outbound Section) -# Match session start requests originating from behind the -# firewall on the private network -# or from this gateway server destined for the public Internet. 
-################################################################# + <para>This set of rules defines the outbound section of the + public interface named <filename>dc0</filename>. + These rules keep state and identify + the specific services that internal systems are authorized for public Internet access. + All the rules use <literal>quick</literal> and specify the + appropriate port numbers and, where applicable, destination + addresses.</para> -# Allow out access to my ISP's Domain name server. -# xxx must be the IP address of your ISP's DNS. -# Dup these lines if your ISP has more than one DNS server -# Get the IP addresses from /etc/resolv.conf file -pass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state + <programlisting># interface facing Internet (outbound) +# Matches session start requests originating from or behind the +# firewall, destined for the Internet. + +# Allow outbound access to public DNS servers. +# Replace x.x.x. with address listed in /etc/resolv.conf. +# Repeat for each DNS server. +pass out quick on dc0 proto tcp from any to x.x.x. port = 53 flags S keep state pass out quick on dc0 proto udp from any to xxx port = 53 keep state -# Allow out access to my ISP's DHCP server for cable or DSL networks. -# This rule is not needed for 'user ppp' type connection to the -# public Internet, so you can delete this whole group. -# Use the following rule and check log for IP address. -# Then put IP address in commented out rule & delete first rule +# Allow access to ISP's specified DHCP server for cable or DSL networks. +# Use the first rule, then check log for the IP address of DHCP server. 
+# Then, uncomment the second rule, replace z.z.z.z with the IP address, +# and comment out the first rule pass out log quick on dc0 proto udp from any to any port = 67 keep state #pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state - -# Allow out non-secure standard www function +# Allow HTTP and HTTPS pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state - -# Allow out secure www function https over TLS SSL pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state -# Allow out send & get email function +# Allow email pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state -# Allow out Time +# Allow NTP pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state -# Allow out nntp news -pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state - -# Allow out gateway & LAN users' non-secure FTP ( both passive & active modes) -# This function uses the IP<acronym>NAT</acronym> built in FTP proxy function coded in -# the nat rules file to make this single rule function correctly. -# If you want to use the pkg_add command to install application packages -# on your gateway system you need this rule. 
+# Allow FTP pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state -# Allow out ssh/sftp/scp (telnet/rlogin/FTP replacements) -# This function is using SSH (secure shell) +# Allow SSH pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state -# Allow out insecure Telnet -pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state - -# Allow out FreeBSD CVSup -pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state - -# Allow out ping to public Internet +# Allow ping pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state -# Allow out whois from LAN to public Internet -pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state - -# Block and log only the first occurrence of everything -# else that's trying to get out. -# This rule implements the default block -block out log first quick on dc0 all - -################################################################# -# Interface facing Public Internet (Inbound Section) -# Match packets originating from the public Internet -# destined for this gateway server or the private network. -################################################################# +# Block and log everything else +block out log first quick on dc0 all</programlisting> + + <para>This example of the rules in the inbound section of the + public interface blocks all undesirable packets first. + This reduces the number of packets that are + logged by the last rule.</para> + <programlisting># interface facing Internet (inbound) # Block all inbound traffic from non-routable or reserved address spaces block in quick on dc0 from 192.168.0.0/16 to any #RFC 1918 private IP block in quick on dc0 from 172.16.0.0/12 to any #RFC 1918 private IP 
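Review bot: the comment "# Allow NTP" on the `port = 37` rule in this hunk is wrong; TCP port 37 is the Time protocol, and the removed comment correctly read "Allow out Time", while NTP uses UDP port 123. Either restore the "Allow Time" label or, if NTP is what the example intends, replace the rule with `pass out quick on dc0 proto udp from any to any port = 123 keep state`. The DNS placeholder in the same hunk is inconsistent: the tcp rule and its comment use `x.x.x.` (three octets and a trailing dot) while the udp rule still uses `xxx`; use `x.x.x.x` in both rules and in the "Replace ... with address listed in /etc/resolv.conf" comment. The rewritten "# Allow FTP" comment also drops the removed note that this single port 21 rule only works because the IPNAT built-in FTP proxy handles the data connections; that caveat is worth keeping, since a reader who copies the rule without the ipnat proxy will find FTP transfers fail. Finally, the new paragraph introducing the inbound section gives reduced logging as the only reason for placing the block rules first; the removed text also explained that undesirable packets may partially match later `pass` rules, which is the security-relevant reason for the ordering with `quick` rules and should be retained.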
@@ -2191,67 +2100,52 @@ block in quick on dc0 from 192.0.2.0/24 block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast -##### Block a bunch of different nasty things. ############ -# That I do not want to see in the log - -# Block frags +# Block fragments and too short tcp packets block in quick on dc0 all with frags - -# Block short tcp packets block in quick on dc0 proto tcp all with short # block source routed packets block in quick on dc0 all with opt lsrr block in quick on dc0 all with opt ssrr -# Block nmap OS fingerprint attempts -# Log first occurrence of these so I can get their IP address +# Block OS fingerprint attempts and log first occurrence block in log first quick on dc0 proto tcp from any to any flags FUP # Block anything with special options block in quick on dc0 all with ipopts -# Block public pings +# Block public pings and ident block in quick on dc0 proto icmp all icmp-type 8 - -# Block ident block in quick on dc0 proto tcp from any to any port = 113 -# Block all Netbios service. 137=name, 138=datagram, 139=session -# Netbios is MS/Windows sharing services. -# Block MS/Windows hosts2 name server requests 81 +# Block incoming Netbios services block in log first quick on dc0 proto tcp/udp from any to any port = 137 block in log first quick on dc0 proto tcp/udp from any to any port = 138 block in log first quick on dc0 proto tcp/udp from any to any port = 139 -block in log first quick on dc0 proto tcp/udp from any to any port = 81 +block in log first quick on dc0 proto tcp/udp from any to any port = 81</programlisting> -# Allow traffic in from ISP's DHCP server. This rule must contain -# the IP address of your ISP's DHCP server as it is the only -# authorized source to send this packet type. Only necessary for -# cable or DSL configurations. This rule is not needed for -# 'user ppp' type connection to the public Internet. 
-# This is the same IP address you captured and -# used in the outbound section. -pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state - -# Allow in standard www function because I have apache server -pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state + <para>Any time there are logged messages on a rule with + the <literal>log first</literal> option, run + <command>ipfstat -hio</command> + to evaluate how many times the rule has been matched. A + large number of matches may indicate that the system is + under attack.</para> -# Allow in non-secure Telnet session from public Internet -# labeled non-secure because ID/PW passed over public Internet as clear text. -# Delete this sample group if you do not have telnet server enabled. -#pass in quick on dc0 proto tcp from any to any port = 23 flags S keep state + <para>The rest of the rules in the inbound section define which + connections are allowed to be initiated from the Internet. + The last rule denies all connections which were not explicitly + allowed by previous rules in this section.</para> + + <programlisting> +# Allow traffic in from ISP's DHCP server. Replace z.z.z.z with +# the same IP address used in the outbound section. +pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state -# Allow in secure FTP, Telnet, and SCP from public Internet -# This function is using SSH (secure shell) -pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state +# Allow public connections to specified internal web server +pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state -# Block and log only first occurrence of all remaining traffic -# coming into the firewall. The logging of only the first -# occurrence avoids filling up disk with Denial of Service logs. -# This rule implements the default block. 
-block in log first quick on dc0 all -################### End of rules file #####################################</programlisting> +# Block and log only first occurrence of all remaining traffic. +block in log first quick on dc0 all</programlisting> </sect2> <sect2 xml:id="firewalls-ipf-rules-script">
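Review bot: the inbound web-server rule added in this hunk, `pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state`, reuses `x.x.x.x` as the placeholder for the internal web server while the outbound section of the previous hunk uses `x.x.x.` for the ISP DNS server; pick a distinct placeholder (for example `y.y.y.y`) and state in the comment that it is the web server's address, so readers do not substitute the DNS address and open port 80 to the wrong host. Also in this hunk, the comment "# Block incoming Netbios services" now covers the `port = 81` rule, which the removed comment identified as MS/Windows hosts2 name server requests rather than NetBIOS; keep that explanation or give the port 81 rule its own comment. A minor markup point: the last `<programlisting>` opens with an empty line before "# Allow traffic in from ISP's DHCP server", which renders as a blank first line; start the listing on the same line as the tag, as the other listings in this change do.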