From: Redmond Militante
To: JoeB, freebsd-questions@freebsd.org
Subject: Re: please comment on my nat/ipfw rules (resent)
Date: Fri, 31 Jan 2003 14:37:11 -0600
Message-ID: <20030131203711.GI29383@darkpossum>
References: <20030131131815.GA9488@darkpossum>
User-Agent: Mutt/1.4i

hi

you've sold me :)

do you have any good online tutorials to recommend for setting up a
gateway/firewall/natd machine using ipfilter/ipnat?

thanks
redmond

> 1. Your firewall rules are not working at all, except for the natd
> redirect option. This is caused by the kernel compile time option
> IPFIREWALL_DEFAULT_TO_ACCEPT. This option tells your firewall that
> any packet that does not match a rule is allowed to pass on through
> the firewall. Comment out that option in your kernel options source
> and recompile your kernel to take the default of default-to-deny, and
> your current rule set will stop functioning.
>
> 2. You are using the simplest of the rule types, 'stateless'. Using
> this type of rule you not only have to have a rule to allow the
> packet out, you also have to have a rule to allow the packet in. See
> rules 220 & 230 of your posted rule set to see how it should be
> done.
>
> 3. There are 3 classes of rules; each class has separate packet
> interrogation abilities. Each succeeding class has greater packet
> interrogation abilities than the previous one. These are stateless,
> simple stateful, and advanced stateful. The advanced stateful rule
> class is the only class having technically advanced interrogation
> abilities capable of defending against the flood of different attack
> methods currently employed by perpetrators. Stateless and simple
> stateful IPFW firewall rules are inadequate to protect the user's
> system in today's internet environment and leave the user
> unknowingly believing they are protected when in reality they are
> not.
>
> 4. The advanced stateful rule option keep-state works as documented
> only when used in a rule set that does not use the divert rule.
> Simply stated, the IPFW advanced stateful rule option keep-state does
> not function correctly when used in an IPFW firewall that is also
> using the IPFW built-in NATD function. For the most complete
> keep-state protection the other firewall solution (IPFILTER) that
> comes with FBSD should be used. Just check out the IPFW list archives
> and you will see this subject discussed in detail without any
> solution forthcoming.
>
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Redmond Militante
> Sent: Friday, January 31, 2003 8:18 AM
> To: freebsd-questions@freebsd.org
> Subject: please comment on my nat/ipfw rules (resent)
>
> hi all
>
> i have my test machine set up as a gateway box, with ipfw/natd
> configured on it, set up to filter/redirect packets bound for a
> client on my internal network.
>
> external ip of my internal client is aliased to the outside nic of
> the gateway box
>
> gateway machine's kernel has been recompiled with:
>
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_VERBOSE
>
> gateway's /etc/rc.conf looks like
>
> defaultrouter="129.x.x.1"
> hostname="hostname.com"
> ifconfig_xl0="inet 129.x.x.1 netmask 255.255.255.0"
> #aliasing internal client's ip to the outside nic of gateway box
> ifconfig_xl0_alias0="inet 129.x.1.20 netmask 255.0.0.0"
> #inside nic of gateway box
> ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
> gateway_enable="YES"
> firewall_enable="YES"
> #firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> natd_enable="YES"
> #natd interface is outside nic
> natd_interface="xl0"
> #natd flags redirect any traffic bound for ip of www3 to internal ip of www3
> natd_flags="-redirect_address 10.0.0.2 129.x.x.20"
> kern_securelevel_enable="NO"
> .........
>
> internal client's (second machine's) /etc/rc.conf looks like
>
> defaultrouter="10.0.0.1"
> ifconfig_xl0="inet 10.0.0.2 netmask 255.0.0.0"
> ................
>
> looks like this setup is working. the internal client is a basic
> webserver/ftp server. i am able to ftp to it, ssh to it, view
> webpages that it serves up, etc. with it hooked up to the internal
> nic of the gateway box.
>
> i am now trying to come up with a good set of firewall rules on the
> gateway box to filter out all unnecessary traffic to my internal
> network. the following is my /etc/ipfw.rules on the gateway box.
>
> -----------------------------snip------------------------------
>
> # firewall_type="/etc/ipfw.rules"
> # enquirer ipfw.rules
>
> # NAT
> add 00100 divert 8668 ip from any to any via xl0
>
> # loopback
> add 00210 allow ip from any to any via lo0
> add 00220 deny ip from any to 127.0.0.0/8
> add 00230 deny ip from 127.0.0.0/8 to any
>
> #allow tcp in for nfs shares
> #add 00301 allow tcp from 129.x.x.x to any in via xl0
> #add 00302 allow tcp from 129.x.x.x to any in via xl0
>
> #allow tcp in for ftp, ssh, smtp, httpd (ports go after the destination)
> add 00303 allow tcp from any to any 21,22,25,80,10000 in via xl0
>
> #deny rest of incoming tcp
> add 00309 deny log tcp from any to any in established
>
> #from man 8 ipfw: allow only outbound tcp connections i've created
> add 00310 allow tcp from any to any out via xl0
>
> #allow udp in for gateway for DNS
> add 00300 allow udp from 10.0.0.0/24 to 129.105.49.1 53 via xl0
>
> #allow udp in for nfs shares
> #add 00401 allow udp from 129.x.x.x to any in recv xl0
> #add 00402 allow udp from 129.x.x.x to any in recv xl0
>
> #allow all udp out from machine
> add 00404 allow udp from any to any out via xl0
>
> #allow some icmp types (codes not supported)
> ##########allow path-mtu in both directions
> add 00500 allow icmp from any to any icmptypes 3
> ##########allow source quench in and out
> add 00501 allow icmp from any to any icmptypes 4
> ##########allow me to ping out and receive response back
> add 00502 allow icmp from any to any icmptypes 8 out
> add 00503 allow icmp from any to any icmptypes 0 in
> ##########allow me to run traceroute
> add 00504 allow icmp from any to any icmptypes 11 in
> add 00600 deny log ip from any to any
>
> #--- end ipfw.rules ---#
>
> -----------------------------snip------------------------------
>
> any comments on how i could improve this set of ipfw rules to
> better secure my internal client would be appreciated.
>
> thanks again
>
> redmond
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
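A first-match simulator for the stateless rule set quoted above, added here as an example (my code, not from the thread), over a constructed subset of the posted rules and of ipfw syntax (action, protocol, destination ports, in/out, via, established). It illustrates JoeB's points 1 and 2: a packet no rule matches falls to ipfw's default rule 65535, whose verdict the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option decides, and with stateless rules the reply direction needs its own allow rule.

```python
import re

# Constructed subset of the rule set posted in the thread, in ipfw order.
RULES = """
add 00303 allow tcp from any to any 21,22,25,80,10000 in via xl0
add 00309 deny log tcp from any to any in established
add 00310 allow tcp from any to any out via xl0
add 00404 allow udp from any to any out via xl0
add 00600 deny log ip from any to any
"""
# Only this subset of ipfw syntax is modelled; src/dst are assumed to be 'any'.
RULE_RE = re.compile(r"add (\d+) (allow|deny) (?:log )?(\w+) from \S+ to \S+"
                     r"(?: ([\d,]+))?(.*)")

def parse(text):
    """Turn 'add NNN action proto from any to any [ports] [opts]' into dicts."""
    rules = []
    for line in text.strip().splitlines():
        num, action, proto, ports, rest = RULE_RE.match(line).groups()
        opts = rest.split()
        rules.append({
            "num": int(num), "action": action, "proto": proto,
            "ports": {int(p) for p in ports.split(",")} if ports else None,
            "dir": "in" if "in" in opts else "out" if "out" in opts else None,
            "iface": opts[opts.index("via") + 1] if "via" in opts else None,
            "established": "established" in opts,
        })
    return rules

def matches(rule, pkt):
    """Every option present on the rule must hold for the packet."""
    return ((rule["proto"] == "ip" or rule["proto"] == pkt["proto"])
            and (rule["ports"] is None or pkt["dport"] in rule["ports"])
            and (rule["dir"] is None or rule["dir"] == pkt["dir"])
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (not rule["established"] or pkt["established"]))

def verdict(rules, pkt, default_to_accept=False):
    """First matching rule wins; 65535 is ipfw's built-in default rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["num"], rule["action"]
    return 65535, "allow" if default_to_accept else "deny"

def pkt(proto, dport, direction, iface="xl0", established=False):
    """Constructed packet summary: just the fields the rule subset inspects."""
    return dict(proto=proto, dport=dport, dir=direction, iface=iface, established=established)
```

With these rules, verdict(rules, pkt("tcp", 80, "in")) returns (303, 'allow'), while the SYN/ACK coming back for a connection the gateway opened itself, pkt("tcp", 51234, "in", established=True), returns (309, 'deny') because no rule allows the return direction. Dropping the catch-all rule 600 (rules[:-1]) and toggling default_to_accept shows the compile-time default deciding the verdict for an unmatched packet.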