Date:      Wed, 27 Apr 2011 21:43:58 -0500
From:      Antonio Olivares <olivares14031@gmail.com>
To:        vogelke+unix@pobox.com
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: easy Firewall setup
Message-ID:  <BANLkTin0Pvio14y6%2B_Bu1nftCqPdr-Cmxg@mail.gmail.com>
In-Reply-To: <20110426184836.3C611B7EE@kev.msw.wpafb.af.mil>
References:  <BANLkTi=Ve56c_QhFnA5c0xoRPf82eZZ=1w@mail.gmail.com> <20110426184836.3C611B7EE@kev.msw.wpafb.af.mil>

Thanks Karl for your script :) this will help tremendously

Also thanks to Daniel & Polytropon & Krad & Warren & Fbsd for your
suggestions & help.  Sorry I could not get back since the network went
down.  I will report back as soon as I can get going again.

Regards,

Antonio

On Tue, Apr 26, 2011 at 1:48 PM, Karl Vogel <vogelke+unix@pobox.com> wrote:
>>> On Mon, 25 Apr 2011 19:43:33 -0500,
>>> Antonio Olivares <olivares14031@gmail.com> said:
>
> A> Is there an easy firewall setup available somewhere (like the one
> A> referenced below but for FreeBSD)?
>
>   Here's a script you can use to generate a rules file for IPF.
>
> --
> Karl Vogel                       I don't speak for the USAF or my company
>
> The only freedom which deserves the name, is that of pursuing our own good
> in our own way, so long as we do not attempt to deprive others of theirs,
> or impede their efforts to obtain it.        --John Stuart Mill, "On Liberty"
>
> ---------------------------------------------------------------------------
> #!/bin/sh
> # This is a shell archive (produced by GNU sharutils 4.6).
> # To extract the files from this archive, save it to some FILE, remove
> # everything before the `!/bin/sh' line above, then type `sh FILE'.
> #
> # Existing files will *not* be overwritten unless `-c' is specified.
> # This format requires very little intelligence at unshar time.
> # "if test", "echo", "mkdir", and "sed" may be needed.
> #
> # This shar contains:
> # length mode       name
> # ------ ---------- ------------------------------------------
> #   7197 -rw-r--r-- ipf-sample-ruleset
> #     71 -rw-r--r-- ipf.break
> #    144 -rw-r--r-- ipf.header
> #     64 -rw-r--r-- ipf.whitelist
> #   4977 -rwxr-xr-x make-ipf-rules
> #
> echo=echo
> shar_tty= shar_n= shar_c='
> '
> mkdir _sh14472 || ( echo 'failed to create locking directory' '_sh14472'; exit 1 )
> # ============= ipf-sample-ruleset ==============
> if test -f 'ipf-sample-ruleset' && test "$first_param" != -c; then
>   $echo 'x -' SKIPPING 'ipf-sample-ruleset' '(file already exists)'
> else
>   $echo 'x -' extracting 'ipf-sample-ruleset' '(text)'
>   sed 's/^X//' << 'SHAR_EOF' > 'ipf-sample-ruleset' &&
> X#################################################################
> X# http://www.pc-freak.net/handbook/firewalls-ipf.html
> X# No restrictions on Inside LAN Interface for private network
> X# Not needed unless you have LAN
> X#################################################################
> X
> X#pass out quick on xl0 all
> X#pass in quick on xl0 all
> X
> X#################################################################
> X# No restrictions on Loopback Interface
> X#################################################################
> Xpass in quick on lo0 all
> Xpass out quick on lo0 all
> X
> X#################################################################
> X# Interface facing Public Internet (Outbound Section)
> X# Interrogate session start requests originating from behind the
> X# firewall on the private network
> X# or from this gateway server destined for the public Internet.
> X#################################################################
> X
> X# Allow out access to my ISP's Domain name server.
> X# xxx must be the IP address of your ISP's DNS.
> X# Dup these lines if your ISP has more than one DNS server
> X# Get the IP addresses from /etc/resolv.conf file
> Xpass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state
> Xpass out quick on dc0 proto udp from any to xxx port = 53 keep state
> X
> X# Allow out access to my ISP's DHCP server for cable or DSL networks.
> X# This rule is not needed for 'user ppp' type connection to the
> X# public Internet, so you can delete this whole group.
> X# Use the following rule and check log for IP address.
> X# Then put IP address in commented out rule & delete first rule
> Xpass out log quick on dc0 proto udp from any to any port = 67 keep state
> X#pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state
> X
> X
> X# Allow out non-secure standard www function
> Xpass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
> X
> X# Allow out secure www function https over TLS SSL
> Xpass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
> X
> X# Allow out send & get email function
> Xpass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
> Xpass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
> X
> X# Allow out Time
> Xpass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
> X
> X# Allow out nntp news
> Xpass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
> X
> X# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
> X# This function uses the IPNAT built in FTP proxy function coded in
> X# the nat rules file to make this single rule function correctly.
> X# If you want to use the pkg_add command to install application packages
> X# on your gateway system you need this rule.
> Xpass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
> X
> X# Allow out secure FTP, Telnet, and SCP
> X# This function is using SSH (secure shell)
> Xpass out quick on dc0 proto tcp from any to any port = 22 flags S keep state
> X
> X# Allow out non-secure Telnet
> Xpass out quick on dc0 proto tcp from any to any port = 23 flags S keep state
> X
> X# Allow out FBSD CVSUP function
> Xpass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state
> X
> X# Allow out ping to public Internet
> Xpass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
> X
> X# Allow out whois for LAN PC to public Internet
> Xpass out quick on dc0 proto tcp from any to any port = 43 flags S keep state
> X
> X# Block and log only the first occurrence of everything
> X# else that's trying to get out.
> X# This rule enforces the block all by default logic.
> Xblock out log first quick on dc0 all
> X
> X#################################################################
> X# Interface facing Public Internet (Inbound Section)
> X# Interrogate packets originating from the public Internet
> X# destined for this gateway server or the private network.
> X#################################################################
> X
> X# Block all inbound traffic from non-routable or reserved address spaces
> Xblock in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918 private IP
> Xblock in quick on dc0 from 172.16.0.0/12 to any     #RFC 1918 private IP
> Xblock in quick on dc0 from 10.0.0.0/8 to any        #RFC 1918 private IP
> Xblock in quick on dc0 from 127.0.0.0/8 to any       #loopback
> Xblock in quick on dc0 from 0.0.0.0/8 to any         #loopback
> Xblock in quick on dc0 from 169.254.0.0/16 to any    #DHCP auto-config
> Xblock in quick on dc0 from 192.0.2.0/24 to any      #reserved for docs
> Xblock in quick on dc0 from 204.152.64.0/23 to any   #Sun cluster interconnect
> Xblock in quick on dc0 from 224.0.0.0/3 to any       #Class D & E multicast
> X
> X##### Block a bunch of different nasty things. ############
> X# That I do not want to see in the log
> X
> X# Block frags
> Xblock in quick on dc0 all with frags
> X
> X# Block short tcp packets
> Xblock in quick on dc0 proto tcp all with short
> X
> X# block source routed packets
> Xblock in quick on dc0 all with opt lsrr
> Xblock in quick on dc0 all with opt ssrr
> X
> X# Block nmap OS fingerprint attempts
> X# Log first occurrence of these so I can get their IP address
> Xblock in log first quick on dc0 proto tcp from any to any flags FUP
> X
> X# Block anything with special options
> Xblock in quick on dc0 all with ipopts
> X
> X# Block public pings
> Xblock in quick on dc0 proto icmp all icmp-type 8
> X
> X# Block ident
> Xblock in quick on dc0 proto tcp from any to any port = 113
> X
> X# Block all Netbios service. 137=name, 138=datagram, 139=session
> X# Netbios is MS/Windows sharing services.
> X# Block MS/Windows hosts2 name server requests 81
> Xblock in log first quick on dc0 proto tcp/udp from any to any port = 137
> Xblock in log first quick on dc0 proto tcp/udp from any to any port = 138
> Xblock in log first quick on dc0 proto tcp/udp from any to any port = 139
> Xblock in log first quick on dc0 proto tcp/udp from any to any port = 81
> X
> X# Allow traffic in from ISP's DHCP server. This rule must contain
> X# the IP address of your ISP's DHCP server as it's the only
> X# authorized source to send this packet type. Only necessary for
> X# cable or DSL configurations. This rule is not needed for
> X# 'user ppp' type connection to the public Internet.
> X# This is the same IP address you captured and
> X# used in the outbound section.
> Xpass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state
> X
> X# Allow in standard www function because I have apache server
> Xpass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
> X
> X# Allow in non-secure Telnet session from public Internet
> X# labeled non-secure because ID/PW passed over public Internet as clear text.
> X# Delete this sample group if you do not have telnet server enabled.
> X#pass in quick on dc0 proto tcp from any to any port = 23 flags S keep state
> X
> X# Allow in secure FTP, Telnet, and SCP from public Internet
> X# This function is using SSH (secure shell)
> Xpass in quick on dc0 proto tcp from any to any port = 22 flags S keep state
> X
> X# Block and log only first occurrence of all remaining traffic
> X# coming into the firewall. The logging of only the first
> X# occurrence stops a "denial of service" attack targeted
> X# at filling up your log file space.
> X# This rule enforces the block all by default logic.
> Xblock in log first quick on dc0 all
> X################### End of rules file #####################################
> SHAR_EOF
>   : || $echo 'restore of' 'ipf-sample-ruleset' 'failed'
> fi
> # ============= ipf.break ==============
> if test -f 'ipf.break' && test "$first_param" != -c; then
>   $echo 'x -' SKIPPING 'ipf.break' '(file already exists)'
> else
>   $echo 'x -' extracting 'ipf.break' '(text)'
>   sed 's/^X//' << 'SHAR_EOF' > 'ipf.break' &&
> X# --------------------------------------------------------------------
> SHAR_EOF
>   : || $echo 'restore of' 'ipf.break' 'failed'
> fi
> # ============= ipf.header ==============
> if test -f 'ipf.header' && test "$first_param" != -c; then
>   $echo 'x -' SKIPPING 'ipf.header' '(file already exists)'
> else
>   $echo 'x -' extracting 'ipf.header' '(text)'
>   sed 's/^X//' << 'SHAR_EOF' > 'ipf.header' &&
> X#
> X# NAME:
> X#    /etc/ipf.rules
> X#
> X# DESCRIPTION:
> X#    Ruleset for IPF packet filter.
> X#
> X# AUTHOR:
> X#    Antonio Olivares <olivares14031@gmail.com>
> X
> SHAR_EOF
>   : || $echo 'restore of' 'ipf.header' 'failed'
> fi
> # ============= ipf.whitelist ==============
> if test -f 'ipf.whitelist' && test "$first_param" != -c; then
>   $echo 'x -' SKIPPING 'ipf.whitelist' '(file already exists)'
> else
>   $echo 'x -' extracting 'ipf.whitelist' '(text)'
>   sed 's/^X//' << 'SHAR_EOF' > 'ipf.whitelist' &&
> Xfriend@some.host.com    1.2.3.4
> Xbuddy@somewhere.else    1.2.3.5
> SHAR_EOF
>   : || $echo 'restore of' 'ipf.whitelist' 'failed'
> fi
> # ============= make-ipf-rules ==============
> if test -f 'make-ipf-rules' && test "$first_param" != -c; then
>   $echo 'x -' SKIPPING 'make-ipf-rules' '(file already exists)'
> else
>   $echo 'x -' extracting 'make-ipf-rules' '(text)'
>   sed 's/^X//' << 'SHAR_EOF' > 'make-ipf-rules' &&
> X#!/bin/ksh
> X#
> X# $Date: 2011-04-26 14:22:54-04 $
> X# $Source: /home/vogelke/notebook/2011/0324/ipf/RCS/make-ipf-rules,v $
> X# $UUID: eaf3390f-4ef2-3cda-85ad-583f1413d9e0 $
> X#
> X#<make-ipf-rules: Make IPF rules using list of valid hosts.
> X
> Xexport PATH=/usr/local/bin:/bin:/usr/bin:/usr/sbin:/sbin
> Xtag=${0##*/}
> X
> Xversion () {
> X    rcs='$Revision: 1.10 $'
> X    set X $rcs
> X    echo $tag v$3
> X}
> X
> X# Network interface; set directly or run ifconfig.
> Xset X $(ifconfig -a | grep RUNNING | grep -v LOOPBACK | tr -d ':')
> Xoif=$2
> X
> X# Abbreviations and templates.
> Xks="keep state"
> Xfks="flags S keep state"
> X
> Xheader='ipf.header'
> Xtest -f "$header" || { echo $header not found; exit 1; }
> X
> Xgood='ipf.whitelist'
> Xtest -f "$good" || { echo $good not found; exit 1; }
> X
> Xsec=''
> Xtest -f "ipf.break" && sec=$(cat ipf.break)
> X
> X# --------------------------------------------------------------------
> X# This is boilerplate that should always be included.
> X
> Xecho "# Generated by $(version) at $(date)"
> Xcat $header
> X
> Xcat << PART1
> X$sec
> X# We don't care about NETBIOS broadcast crap, bootpc requests, or IGMP.
> Xblock in quick on $oif proto udp  from any to any port = 68
> Xblock in quick on $oif proto udp  from any to any port = 137
> Xblock in quick on $oif proto udp  from any to any port = 138
> Xblock in quick on $oif proto igmp from any to any
> X
> X$sec
> X# Now block everything coming down the network.
> Xblock in  log  on $oif all
> Xblock out log  on $oif all
> X
> X$sec
> X# Get rid of anything with options, as these can be used to hack.
> Xblock in  log quick     from any to any with ipopts
> X
> X$sec
> X# Get rid of short TCP/IP fragments (too small for valid comparison)
> X# as these can be used to hack.
> Xblock in  log quick proto tcp from any to any with short
> X
> X$sec
> X# Allow all traffic on loopback.
> Xpass  in  quick on lo0 all
> Xpass  out quick on lo0 all
> X
> X$sec
> X# Block all the private routable addresses, as these should never
> X# come down the network, nor should we be talking to them.
> Xblock out quick on $oif from any               to 192.168.0.0/16
> Xblock out quick on $oif from any               to 172.16.0.0/12
> Xblock out quick on $oif from any               to 127.0.0.0/8
> Xblock out quick on $oif from any               to 10.0.0.0/8
> Xblock out quick on $oif from any               to 0.0.0.0/8
> Xblock out quick on $oif from any               to 169.254.0.0/16
> Xblock out quick on $oif from any               to 192.0.2.0/24
> Xblock out quick on $oif from any               to 204.152.64.0/23
> Xblock out quick on $oif from any               to 224.0.0.0/3
> X
> Xblock in  quick on $oif from 192.168.0.0/16    to any
> Xblock in  quick on $oif from 172.16.0.0/12     to any
> Xblock in  quick on $oif from 10.0.0.0/8        to any
> Xblock in  quick on $oif from 127.0.0.0/8       to any
> Xblock in  quick on $oif from 0.0.0.0/8         to any
> Xblock in  quick on $oif from 169.254.0.0/16    to any
> Xblock in  quick on $oif from 192.0.2.0/24      to any
> Xblock in  quick on $oif from 204.152.64.0/23   to any
> Xblock in  quick on $oif from 224.0.0.0/3       to any
> X
> X$sec
> X# Block and log portmapper attempts.
> Xblock in log quick on $oif proto tcp/udp from any to any port = 111 $ks
> X
> X$sec
> X# Allow outbound state related packets.
> Xpass  out quick on $oif proto tcp from any to any $fks
> Xpass  out quick on $oif proto udp from any to any $ks
> X
> X$sec
> X# Allow ping and traceroute.  Since we're doing everything quick,
> X# we must have passes before blocks.
> Xpass  in quick on $oif proto icmp from any to any icmp-type  0 $ks
> Xpass  in quick on $oif proto icmp from any to any icmp-type  8 $ks
> Xpass  in quick on $oif proto icmp from any to any icmp-type 11 $ks
> Xpass out quick on $oif proto icmp from any to any icmp-type  0 $ks
> Xpass out quick on $oif proto icmp from any to any icmp-type  8 $ks
> Xpass out quick on $oif proto icmp from any to any icmp-type 11 $ks
> Xblock in log quick on $oif proto icmp from any to any
> X
> X$sec
> X# Allow DNS; should this be just from nameservers?
> Xpass in quick on $oif proto tcp from any to any port = 53 $fks
> Xpass in quick on $oif proto udp from any to any port = 53 $ks
> X
> X$sec
> X# Allow ssh and mail from anywhere: tcpserver filters addresses
> Xpass in quick on $oif proto tcp from any to any port = 22 $fks
> Xpass in quick on $oif proto tcp from any to any port = 25 $fks
> X
> XPART1
> X
> X# --------------------------------------------------------------------
> X# This is host-specific.  "sortcmd" sorts IP addresses correctly.
> X
> Xecho "$sec"
> Xecho '# Allow http from selected addresses.'
> Xsortcmd='/bin/sort -t. -k 1,1n -k 2,2n -k 3,3n -k 4,4n'
> X
> Xawk '{print $2}' $good | $sortcmd | uniq |
> Xwhile read ip; do
> X    echo "pass in quick on $oif proto tcp from $ip to any port = 80 $fks"
> Xdone
> Xecho
> X
> Xecho "$sec"
> Xecho '# Allow secure http from selected addresses.'
> Xawk '{print $2}' $good | $sortcmd | uniq |
> Xwhile read ip; do
> X    echo "pass in quick on $oif proto tcp from $ip to any port = 443 $fks"
> Xdone
> X
> X# --------------------------------------------------------------------
> X# Footer.
> X
> Xcat << FOOTER
> X
> X$sec
> X# Copyright (C) $(date +%Y) $COMPANY
> X# EOF
> XFOOTER
> X
> Xexit 0
> SHAR_EOF
>   : || $echo 'restore of' 'make-ipf-rules' 'failed'
> fi
> $echo $shar_n 'x -' 'lock directory' "\`_sh14472': " $shar_c
> if rm -fr _sh14472; then
>   $echo 'removed'
> else
>   $echo 'failed to remove'
> fi
> exit 0
>
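Two checks worth running before loading what make-ipf-rules prints, written up here as an added POSIX sh example that is not part of Karl Vogel's shar. The generator copies column two of ipf.whitelist straight into `from $ip`, so a malformed entry yields a rule ipf will reject and an entry that happens to read `any` quietly becomes `from any`; and because the script depends on `quick` ordering (its own comment says passes must come before blocks), a `quick` mistakenly added to the early `block in log on $oif all` would leave every later pass rule on that interface unreachable. The function names `valid_ipv4_cidr`, `whitelist_rules` and `dead_rules`, the sample whitelist and the sample ruleset are all constructed for this example; the lint is a heuristic over rule text, not an ipf parser.

```sh
#!/bin/sh
# Added example, not Karl Vogel's code: validate whitelist entries before they
# are interpolated into IPF rule text, and lint a generated ruleset for rules
# hidden behind a "quick" catch-all.  Sample whitelist/ruleset are constructed.

# valid_ipv4_cidr ADDR: accept a dotted quad with an optional /0-32 prefix.
valid_ipv4_cidr() {
    addr=$1 prefix=32
    case $addr in */*) prefix=${addr#*/}; addr=${addr%/*} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    n=0; oldifs=$IFS; IFS=.
    for octet in $addr; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# whitelist_rules IFACE PORT FILE: emit one "pass in" rule per distinct valid
# address in column two of FILE (ipf.whitelist layout).  Bad entries are
# reported on stderr and dropped; the return value is the number dropped.
whitelist_rules() {
    oif=$1 port=$2 file=$3 rejected=0
    [ -n "$oif" ] || { echo "whitelist_rules: no interface given" >&2; return 1; }
    good=$(mktemp) || return 1
    while read -r name ip rest; do
        case $name in ''|'#'*) continue ;; esac   # blank line or comment
        if valid_ipv4_cidr "$ip"; then
            echo "$ip" >> "$good"
        else
            echo "whitelist_rules: rejected '$name $ip'" >&2
            rejected=$((rejected + 1))
        fi
    done < "$file"
    sort -t. -k1,1n -k2,2n -k3,3n -k4,4n "$good" | uniq | while read -r ip; do
        echo "pass in quick on $oif proto tcp from $ip to any port = $port flags S keep state"
    done
    rm -f "$good"
    return "$rejected"
}

# dead_rules FILE: print "LINE: rule" for each rule that follows a quick
# catch-all (pass/block ... quick [on IFACE] all, without proto/with) for the
# same direction and interface; ipf stops at the first matching quick rule,
# so those later rules can never be reached.  Returns the number found.
dead_rules() {
    awk '
        $0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/ { next }
        {
            dir = $2; iface = "*"; quick = 0; catchall = 0; narrowed = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "on")    iface = $(i + 1)
                if ($i == "quick") quick = 1
                if ($i == "all")   catchall = 1
                if ($i == "proto" || $i == "with") narrowed = 1
            }
            if ((dir, iface) in dead || (dir, "*") in dead) {
                n++; print NR ": " $0; next
            }
            if (quick && catchall && !narrowed && ($1 == "block" || $1 == "pass"))
                dead[dir, iface] = 1
        }
        END { exit n }
    ' "$1"
}

# Constructed sample whitelist; the first two lines mirror ipf.whitelist.
sample_whitelist() {
    cat << 'EOF'
friend@some.host.com    1.2.3.4
buddy@somewhere.else    1.2.3.5
# make-ipf-rules would turn the next line into "from any"
intern@example.net      any
dup@example.net         1.2.3.4
office@example.net      203.0.113.0/24
EOF
}

# Constructed ruleset: the generator's default block with "quick" added by mistake.
sample_ruleset() {
    cat << 'EOF'
block in  log quick on dc0 all
pass  in  quick on dc0 proto tcp from any to any port = 22 flags S keep state
pass  in  quick on lo0 all
block out log on dc0 all
pass  out quick on dc0 proto tcp from any to any flags S keep state
block in  quick on dc0 all with frags
EOF
}

# Stand-alone run: http rules from the sample whitelist, then the lint report.
wl=$(mktemp); rs=$(mktemp)
sample_whitelist > "$wl"; sample_ruleset > "$rs"
whitelist_rules dc0 80 "$wl" || echo "# $? whitelist entries rejected" >&2
dead_rules "$rs" || echo "# $? unreachable rules" >&2
rm -f "$wl" "$rs"
```

Run as-is it prints three http rules (the `any` line is rejected, the duplicate collapses) and flags the ssh pass and the frags block that sit behind the quick catch-all; for real use, point `dead_rules` at the file make-ipf-rules writes and still do the usual `ipf -n -f file` dry run, since this lint checks ordering only and not syntax.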