Date: Sun, 31 Jul 2011 11:15:30 -0500
From: Antonio Olivares <olivares14031@gmail.com>
To: vogelke+unix@pobox.com
Cc: Polytropon <freebsd@edvax.de>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: easy Firewall setup
Message-ID: <CAJ5UdcPTc1qO5cvNdZL8j2vjZ94g5r_qGpYVooGd2L1ygwMsEA@mail.gmail.com>
In-Reply-To: <20110426184836.3C611B7EE@kev.msw.wpafb.af.mil>
References: <BANLkTi=Ve56c_QhFnA5c0xoRPf82eZZ=1w@mail.gmail.com> <20110426184836.3C611B7EE@kev.msw.wpafb.af.mil>
> A> Is there an easy firewall setup available somewhere (like the one
> A> referenced below but for FreeBSD)?
>
>   Here's a script you can use to generate a rules file for IPF.
>
> --

Karl, I have used your script and it generated a nice ipf.rules file for me:

/************* ipf.rules ********************/
quadcore# cat /etc/ipf.rules
# Generated by make-ipf-rules v1.10 at Sun Jul 31 10:42:21 CDT 2011
#
# NAME:
#    /etc/ipf.rules
#
# DESCRIPTION:
#    Ruleset for IPF packet filter.
#
# AUTHOR:
#    Antonio Olivares <olivares14031@gmail.com>
# --------------------------------------------------------------------
# We don't care about NETBIOS broadcast crap, bootpc requests, or IGMP.
block in quick on msk0 proto udp from any to any port = 68
block in quick on msk0 proto udp from any to any port = 137
block in quick on msk0 proto udp from any to any port = 138
block in quick on msk0 proto igmp from any to any
# --------------------------------------------------------------------
# Now block everything coming down the network.
block in log on msk0 all
block out log on msk0 all
# --------------------------------------------------------------------
# Get rid of anything with options, as these can be used to hack.
block in log quick from any to any with ipopts
# --------------------------------------------------------------------
# Get rid of short TCP/IP fragments (too small for valid comparison)
# as these can be used to hack.
block in log quick proto tcp from any to any with short
# --------------------------------------------------------------------
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
# --------------------------------------------------------------------
# Block all the private routable addresses, as these should never
# come down the network, nor should we be talking to them.
block out quick on msk0 from any to 192.168.0.0/16
block out quick on msk0 from any to 172.16.0.0/12
block out quick on msk0 from any to 127.0.0.0/8
block out quick on msk0 from any to 10.0.0.0/8
block out quick on msk0 from any to 0.0.0.0/8
block out quick on msk0 from any to 169.254.0.0/16
block out quick on msk0 from any to 192.0.2.0/24
block out quick on msk0 from any to 204.152.64.0/23
block out quick on msk0 from any to 224.0.0.0/3
block in quick on msk0 from 192.168.0.0/16 to any
block in quick on msk0 from 172.16.0.0/12 to any
block in quick on msk0 from 10.0.0.0/8 to any
block in quick on msk0 from 127.0.0.0/8 to any
block in quick on msk0 from 0.0.0.0/8 to any
block in quick on msk0 from 169.254.0.0/16 to any
block in quick on msk0 from 192.0.2.0/24 to any
block in quick on msk0 from 204.152.64.0/23 to any
block in quick on msk0 from 224.0.0.0/3 to any
# --------------------------------------------------------------------
# Block and log portmapper attempts.
block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state
# --------------------------------------------------------------------
# Allow outbound state related packets.
pass out quick on msk0 proto tcp from any to any flags S keep state
pass out quick on msk0 proto udp from any to any keep state
# --------------------------------------------------------------------
# Allow ping and traceroute.  Since we're doing everything quick,
# we must have passes before blocks.
pass in quick on msk0 proto icmp from any to any icmp-type 0 keep state
pass in quick on msk0 proto icmp from any to any icmp-type 8 keep state
pass in quick on msk0 proto icmp from any to any icmp-type 11 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 0 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 8 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 11 keep state
block in log quick on msk0 proto icmp from any to any
# --------------------------------------------------------------------
# Allow DNS; should this be just from nameservers?
pass in quick on msk0 proto tcp from any to any port = 53 flags S keep state
pass in quick on msk0 proto udp from any to any port = 53 keep state
# --------------------------------------------------------------------
# Allow ssh and mail from anywhere: tcpserver filters addresses
pass in quick on msk0 proto tcp from any to any port = 22 flags S keep state
pass in quick on msk0 proto tcp from any to any port = 25 flags S keep state
# --------------------------------------------------------------------
# Allow http from selected addresses.
pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 80 flags S keep state
pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 80 flags S keep state
# --------------------------------------------------------------------
# Allow secure http from selected addresses.
pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 443 flags S keep state
pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 443 flags S keep state
# --------------------------------------------------------------------
# Copyright (C) 2011
# EOF
/************************************************************/

I add

/*******************/
lpd_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
/******************/

to /etc/rc.conf. I load the kernel module:

quadcore# kldload /boot/kernel/ipl.ko

I verify it is working with:

# ipf -V
quadcore# ipf -Fa -f /etc/ipf.rules

Then I cannot browse :(

quadcore# ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0 out 0
 input packets:         blocked 17 passed 14 nomatch 14 counted 0 short 0
output packets:         blocked 68 passed 22 nomatch 22 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  10      (out):  0
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  0       failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      574
Packet log flags set: (0)
        none

But if I stop the firewall (ipf -D) and run

# ifconfig msk0 up

then I can browse. My best guess is that there is a problem with IPv6 and IPv4, but I don't know how to troubleshoot this.
I had generated the script a while ago but got errors; I did not know that the kernel module had to be loaded:

# kldload /boot/kernel/ipl.ko

and that you verify it is working with:

# ipf -V

I read this over at these pages:

http://manuuus.co.in/configure-ipf-firewall-in-freebsd/
http://www.pc-freak.net/handbook/firewalls-ipf.html

I know about ipfw too [thanks Polytropon, I have the simple setup you suggested, but on the school machine], and this time I tried the script, which is also very good, but I have a little problem. Is there anything I have to do, like turn on IPv6, to be able to browse? How do I check which version I have?

Thanks for the advice given.

Regards,

Antonio
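As an added illustration (not part of this thread or of make-ipf-rules): a small Python model of how IPF walks a ruleset like the one above, where the last matching rule wins unless a matching rule is "quick", which ends the walk at once. It parses only the syntax subset used here, treats packets statelessly ("flags S" and "keep state" are ignored), and the shortened rule list and the addresses 192.168.1.10, 192.168.1.1, 198.51.100.7 and 203.0.113.5 are constructed.

```python
import ipaddress
# Constructed excerpt of the ruleset above; 'flags S'/'keep state' are ignored (stateless model).
RULES = """
block in log on msk0 all
block out log on msk0 all
block out quick on msk0 from any to 192.168.0.0/16
block in quick on msk0 from 192.168.0.0/16 to any
block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state
pass out quick on msk0 proto tcp from any to any flags S keep state
pass in quick on msk0 proto tcp from any to any port = 22 flags S keep state
"""

def parse(text):
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("#"):
            continue
        r = {"action": t[0], "dir": t[1], "quick": "quick" in t,
             "iface": None, "proto": None, "src": None, "dst": None, "port": None}
        for i, w in enumerate(t):
            if w == "on": r["iface"] = t[i + 1]
            elif w == "proto": r["proto"] = t[i + 1].split("/")  # "tcp/udp"
            elif w == "from": r["src"] = t[i + 1]
            elif w == "to": r["dst"] = t[i + 1]
            elif w == "port": r["port"] = int(t[i + 2])          # "port = N"
        rules.append(r)
    return rules

def _addr_ok(net, ip):
    return net in (None, "any") or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"])
            and _addr_ok(r["src"], p["src"]) and _addr_ok(r["dst"], p["dst"])
            and r["port"] in (None, p["dport"]))

def decide(rules, p):
    # IPF semantics: the LAST matching rule wins, unless a matching rule is 'quick'.
    verdict = ("pass", None)  # nothing matched: IPF lets the packet through
    for n, r in enumerate(rules):
        if matches(r, p):
            verdict = (r["action"], n)
            if r["quick"]:
                break
    return verdict

def pkt(direction, src, dst, dport, proto="tcp", iface="msk0"):
    return {"dir": direction, "src": src, "dst": dst, "dport": dport, "proto": proto, "iface": iface}
```

Running an outbound packet from a 192.168.1.10 host to its 192.168.1.1 gateway shows it stopped by the "block out ... to 192.168.0.0/16" rule, so on a LAN behind a NAT router that block list is the first thing to check when browsing stops while ssh from outside still works.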