Date: Sun, 31 Jul 2011 14:26:25 -0500
From: Antonio Olivares <olivares14031@gmail.com>
To: vogelke+unix@pobox.com
Cc: Polytropon <freebsd@edvax.de>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: easy Firewall setup
Message-ID: <CAJ5UdcNBd34X7D9QS4abCZewoh0kTTAuTen9-q8bwCyGGNv-CA@mail.gmail.com>
In-Reply-To: <CAJ5UdcPTc1qO5cvNdZL8j2vjZ94g5r_qGpYVooGd2L1ygwMsEA@mail.gmail.com>
References: <BANLkTi=Ve56c_QhFnA5c0xoRPf82eZZ=1w@mail.gmail.com> <20110426184836.3C611B7EE@kev.msw.wpafb.af.mil> <CAJ5UdcPTc1qO5cvNdZL8j2vjZ94g5r_qGpYVooGd2L1ygwMsEA@mail.gmail.com>
On Sun, Jul 31, 2011 at 11:15 AM, Antonio Olivares <olivares14031@gmail.com> wrote:
>> A> Is there an easy firewall setup available somewhere (like the one
>> A> referenced below but for FreeBSD)?
>>
>>    Here's a script you can use to generate a rules file for IPF.
>>
>> --
>
> Karl,
>
> I have used your script and it generated me a nice ipf.rules file
>
> /************* ipf.rules ********************/
> quadcore# cat /etc/ipf.rules
> # Generated by make-ipf-rules v1.10 at Sun Jul 31 10:42:21 CDT 2011
> #
> # NAME:
> #    /etc/ipf.rules
> #
> # DESCRIPTION:
> #    Ruleset for IPF packet filter.
> #
> # AUTHOR:
> #    Antonio Olivares <olivares14031@gmail.com>
>
> # --------------------------------------------------------------------
> # We don't care about NETBIOS broadcast crap, bootpc requests, or IGMP.
> block in quick on msk0 proto udp  from any to any port = 68
> block in quick on msk0 proto udp  from any to any port = 137
> block in quick on msk0 proto udp  from any to any port = 138
> block in quick on msk0 proto igmp from any to any
>
> # --------------------------------------------------------------------
> # Now block everything coming down the network.
> block in  log  on msk0 all
> block out log  on msk0 all
>
> # --------------------------------------------------------------------
> # Get rid of anything with options, as these can be used to hack.
> block in  log quick     from any to any with ipopts
>
> # --------------------------------------------------------------------
> # Get rid of short TCP/IP fragments (too small for valid comparison)
> # as these can be used to hack.
> block in  log quick proto tcp from any to any with short
>
> # --------------------------------------------------------------------
> # Allow all traffic on loopback.
> pass  in  quick on lo0 all
> pass  out quick on lo0 all
>
> # --------------------------------------------------------------------
> # Block all the private routable addresses, as these should never
> # come down the network, nor should we be talking to them.
> block out quick on msk0 from any               to 192.168.0.0/16
> block out quick on msk0 from any               to 172.16.0.0/12
> block out quick on msk0 from any               to 127.0.0.0/8
> block out quick on msk0 from any               to 10.0.0.0/8
> block out quick on msk0 from any               to 0.0.0.0/8
> block out quick on msk0 from any               to 169.254.0.0/16
> block out quick on msk0 from any               to 192.0.2.0/24
> block out quick on msk0 from any               to 204.152.64.0/23
> block out quick on msk0 from any               to 224.0.0.0/3
>
> block in  quick on msk0 from 192.168.0.0/16    to any
> block in  quick on msk0 from 172.16.0.0/12     to any
> block in  quick on msk0 from 10.0.0.0/8        to any
> block in  quick on msk0 from 127.0.0.0/8       to any
> block in  quick on msk0 from 0.0.0.0/8         to any
> block in  quick on msk0 from 169.254.0.0/16    to any
> block in  quick on msk0 from 192.0.2.0/24      to any
> block in  quick on msk0 from 204.152.64.0/23   to any
> block in  quick on msk0 from 224.0.0.0/3       to any
>
> # --------------------------------------------------------------------
> # Block and log portmapper attempts.
> block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state
>
> # --------------------------------------------------------------------
> # Allow outbound state related packets.
> pass  out quick on msk0 proto tcp from any to any flags S keep state
> pass  out quick on msk0 proto udp from any to any keep state
>
> # --------------------------------------------------------------------
> # Allow ping and traceroute.  Since we're doing everything quick,
> # we must have passes before blocks.
> pass  in quick on msk0 proto icmp from any to any icmp-type  0 keep state
> pass  in quick on msk0 proto icmp from any to any icmp-type  8 keep state
> pass  in quick on msk0 proto icmp from any to any icmp-type 11 keep state
> pass out quick on msk0 proto icmp from any to any icmp-type  0 keep state
> pass out quick on msk0 proto icmp from any to any icmp-type  8 keep state
> pass out quick on msk0 proto icmp from any to any icmp-type 11 keep state
> block in log quick on msk0 proto icmp from any to any
>
> # --------------------------------------------------------------------
> # Allow DNS; should this be just from nameservers?
> pass in quick on msk0 proto tcp from any to any port = 53 flags S keep state
> pass in quick on msk0 proto udp from any to any port = 53 keep state
>
> # --------------------------------------------------------------------
> # Allow ssh and mail from anywhere: tcpserver filters addresses
> pass in quick on msk0 proto tcp from any to any port = 22 flags S keep state
> pass in quick on msk0 proto tcp from any to any port = 25 flags S keep state
>
> # --------------------------------------------------------------------
> # Allow http from selected addresses.
> pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 80 flags S keep state
> pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 80 flags S keep state
>
> # --------------------------------------------------------------------
> # Allow secure http from selected addresses.
> pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 443 flags S keep state
> pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 443 flags S keep state
>
> # --------------------------------------------------------------------
> # Copyright (C) 2011
> # EOF
> /************************************************************/
>
> I add
> /*******************/
> lpd_enable="YES"
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipmon_enable="YES"
> ipmon_flags="-Ds"
> /******************/
> to /etc/rc.conf, I load the kernel module:
>
> quadcore# kldload /boot/kernel/ipl.ko
>
> I verify it is working:
>
> with # ipf -V
>
>
> quadcore# ipf -Fa -f /etc/ipf.rules
>
> Then I cannot browse :(
>
>
> quadcore# ipfstat
> bad packets:            in 0    out 0
>  IPv6 packets:          in 0 out 0
>  input packets:         blocked 17 passed 14 nomatch 14 counted 0 short 0
> output packets:         blocked 68 passed 22 nomatch 22 counted 0 short 0
>  input packets logged:  blocked 0 passed 0
> output packets logged:  blocked 0 passed 0
>  packets logged:        input 0 output 0
>  log failures:          input 0 output 0
> fragment state(in):     kept 0  lost 0  not fragmented 0
> fragment state(out):    kept 0  lost 0  not fragmented 0
> packet state(in):       kept 0  lost 0
> packet state(out):      kept 0  lost 0
> ICMP replies:   0       TCP RSTs sent:  0
> Invalid source(in):     0
> Result cache hits(in):  10      (out):  0
> IN Pullups succeeded:   0       failed: 0
> OUT Pullups succeeded:  0       failed: 0
> Fastroute successes:    0       failures:       0
> TCP cksum fails(in):    0       (out):  0
> IPF Ticks:      574
> Packet log flags set: (0)
>         none
>
>
> But I have to stop the firewall
>
> ipf -D
>
> and run
> # ifconfig msk0 up
>
> and I can browse.  My best guess is that there is a problem with ipv6
> and ipv4, but I don't know how to troubleshoot this.  I had generated
> the script a while ago but I got errors; I did not know that the
> kernel module had to be loaded:
>
> # kldload /boot/kernel/ipl.ko
> verify that it is working with
> # ipf -V
>
> I read this over at these pages:
>
> http://manuuus.co.in/configure-ipf-firewall-in-freebsd/
>
> http://www.pc-freak.net/handbook/firewalls-ipf.html
>
> I know about ipfw too [Thanks Polytropon, I have the simple setup you
> suggested but at a school machine], and this time I tried the script,
> which also is very good, but I have a little problem.
>
> Is there anything I have to do, like turn on ipv6 to be able to
> browse?  How do I check which version I have?
>
> Thanks for advice given.
>
> Regards,
>
> Antonio
>

Karl et al.,

I could not get the ipfw easy firewall solution to work either.  However,
after trial and error I commented out the 192.168.X settings,

#block in quick on msk0 from 192.168.0.0/16 to any
#block out quick on msk0 from 192.168.0.0/16 to any

since I get the IP

quadcore# ifconfig -a
msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c011a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:1d:60:33:ca:b0
        inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active

I thought to myself the above script will block it.

After I commented these out, I restarted the firewall:

# ipf -E
# ipf -V
# ipf -Fa -f /etc/ipf.rules

quadcore# ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0 out 0
 input packets:         blocked 44 passed 6605 nomatch 0 counted 0 short 0
output packets:         blocked 26 passed 5278 nomatch 0 counted 0 short 0
 input packets logged:  blocked 9 passed 0
output packets logged:  blocked 26 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 490  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  24      (out):  16
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  0       failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      4258
Packet log flags set: (0)
        none

quadcore# ipf -V
ipf: IP Filter: v4.1.28 (496)
Kernel: IP Filter: v4.1.28
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10f

It is working :) ; I hope it works after a reboot as well.  If it does not,
it will be back to the drawing board :(

Regards,

Antonio
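Editor's note on the thread above. The generated ruleset's "Block all the private routable addresses" section assumes msk0 carries a public address: it drops everything to or from 192.168.0.0/16, 10.0.0.0/8 and 172.16.0.0/12 on that interface. On a host whose msk0 is 192.168.1.5, those rules also drop the host's own traffic to its LAN gateway and resolver, which is the browsing failure the post describes and why commenting out the 192.168 rules fixed it. The following POSIX shell script is an added example, not part of the mailing-list post or of the make-ipf-rules script: it reads a rules file, finds every "block" rule whose from/to prefix contains the address you pass in, and reports them. The sample rules file it writes is a constructed excerpt in the shape of the ruleset above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): flag IPF "block" rules whose
# from/to prefix contains the host's own interface address.
set -f   # no pathname expansion while splitting rule lines into tokens

# ip2int DOTTED-QUAD: print the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NET/BITS: succeed if ADDR lies inside NET/BITS
in_cidr() {
    addr=$(ip2int "$1")
    bits=${2#*/}
    net=$(ip2int "${2%/*}")
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# count_self_blocking RULES_FILE ADDR: print each "block" rule whose
# "from"/"to" prefix contains ADDR to stderr; print the count to stdout.
count_self_blocking() {
    hits=0
    while IFS= read -r line; do
        case "$line" in
            block*) ;;
            *) continue ;;       # comments, blank lines, pass rules
        esac
        prev=''
        for tok in $line; do
            case "$prev" in
                from|to)
                    case "$tok" in
                        */*)     # a prefix, not "any" or a bare host
                            if in_cidr "$2" "$tok"; then
                                printf 'would block own LAN: %s\n' "$line" >&2
                                hits=$((hits + 1))
                            fi ;;
                    esac ;;
            esac
            prev=$tok
        done
    done < "$1"
    echo "$hits"
}

# write_sample_rules FILE: constructed excerpt in the shape of the
# generated /etc/ipf.rules (sample data for this example only)
write_sample_rules() {
    cat > "$1" <<'EOF'
# Block all the private routable addresses, as these should never
# come down the network, nor should we be talking to them.
block out quick on msk0 from any to 192.168.0.0/16
block out quick on msk0 from any to 10.0.0.0/8
block in  quick on msk0 from 192.168.0.0/16 to any
block in  quick on msk0 from 10.0.0.0/8 to any
block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state
pass  out quick on msk0 proto tcp from any to any flags S keep state
EOF
}

RULES=$(mktemp)
write_sample_rules "$RULES"
# msk0 address from the post: the two 192.168.0.0/16 rules match
echo "rules hitting 192.168.1.5: $(count_self_blocking "$RULES" 192.168.1.5)"
# a public address on the same ruleset: nothing matches
echo "rules hitting 203.0.113.7: $(count_self_blocking "$RULES" 203.0.113.7)"
rm -f "$RULES"
```

Run it against the real file with `count_self_blocking /etc/ipf.rules "$(ifconfig msk0 | awk '/inet /{print $2}')"` before loading the rules; a non-zero count means the bogon block section needs the host's own LAN prefix exempted (or the rules moved to the public-facing interface) rather than the whole section deleted.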
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJ5UdcNBd34X7D9QS4abCZewoh0kTTAuTen9-q8bwCyGGNv-CA>