|
|||||||||
|
|||||||||
| |||||||||
|
|
|
| |||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Rate Thread | Display Modes |
Dev Shed Forums Sponsor:
|
|
|
|
#1
January 26th, 2002, 04:35 PM
|
||||
|
||||
|
ipf filter ruleset for masquerading/NAT
First off thanks for the thread by Terry on the board and the replies by freebsd which were very insightful. However I'm having problems setting up ipf even after using the ruleset in that thread (http://forums.devshed.com/showthrea...9297#post119297) with modifications for my setup.
First of all a network diagram: Code:
______________ __________________
| IPNAT/IPF | | LAN |
| __________ | | ______________ |
_/\__/\_ | | | | | | | |
| | | | FreeBSD | | | | Masqueraded | |
/ Internet \--(tun0)--| System |--(fxp0)--| Workstation | |
\_ _ _ _/ | |__________| | | |______________| |
\/ \/ \/ | | | |
|______________| |__________________|
As you can see I currently have just one machine connected to the freebsd box on fxp0 (an intel express 10/100 card) and the freebsd box in turn is connected to the external network via a PPP interface, tun0. As such IP of the external interface changes on each reconnect to my ISP. Regards the NAT, I'm using ipnat with the following ruleset: Code:
# port 21 ftp proxy mapping: map tun0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp # port 1337 ftp proxy mapping: map tun0 192.168.0.0/24 -> 0/32 proxy port 1337 ftp/tcp # map out the 256 addresses in 192.168.0.0/24 to non-service ports: map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 1025:65535 # finally map all from 192.168/24 to tun0/32: map tun0 192.168.0.0/24 -> 0/32 EDIT>> cf: http://marc.theaimsgroup.com/?l=ipf...26147509716&w=2 This setup works perfectly fine if I set up ipf using a default allow all in/out (I have 'IPFILTER_DEFAULT_BLOCK' built into kernel): Code:
pass in all pass out all together with a filter syncing command 'ipf -y' in my /etc/ppp/ppp.linkup file (to rehash the state table in light of the new address assignment when 'ppp' reconnects). However the problems start when I try and allow in http traffic to port 80 and sshd connections on port 22. The current (minimal) ruleset I have is: Code:
# loopback allow in/out: pass in quick on lo0 all pass out quick on lo0 all # internal NIC allow in/out: pass in quick on fxp0 all pass out quick on fxp0 all # from local LAN out through tun0 and back: pass out quick on tun0 from 192.168.0.0/16 to any pass in quick on tun0 from any to 192.168.0.0/16 # ssh incoming: pass in quick on tun0 proto tcp from any to 0/32 port = 22 flags S keep state # http incoming: pass in quick on tun0 proto tcp from any to 0/32 port = 80 flags S keep state So my questions: Is an address range assignment '0/32' valid in an ipf rule, or do I have to use the facilities provided by ppp to dynamically build a rule each time I reconnect using ppp to reflect the new IP address? Also are the rules underneath the comment: '# from local LAN out through tun0 and back:' valid/secure? Thanks in advance.
__________________
FreeBSD Admin Tips Tricks and Scripts Last edited by munkfish : January 27th, 2002 at 02:35 AM.
|
|
#2
January 26th, 2002, 05:18 PM
|
|||
|
|||
|
1) Remove map tun0 192.168.0.0/24 -> 0/32 proxy port 1337 ftp/tcp
2) The following rulesets: Code:
pass out quick on tun0 from 192.168.0.0/16 to any pass in quick on tun0 from any to 192.168.0.0/16 is to allow IP spoofing. In the pass out rule above, ipf will see your own IP as your external IP (not 192.168.01). As for the pass in rule, like I said in the other thread, say your Windows box has an IP of 192.168.0.2, but ipnat.rules has higher priority than ipf.rules and ipnat.rules gets read first, then rewrite the src addr (192.168.0.2) to your FreeBSD's addr and going out of tun0. That said, you really should block them to disallow IP spoofing. Your tun0 should NEVER get traffic (in/out) from non-routable IPs (192.168.0.0/16). You only need the following two rulesets: pass in quick on fxp0 all pass out quick on fxp0 all to deal with ALL your LAN traffic. You can say fxp0 should only appear in ipf.rules twice, no more, no less. BTW, almost 99% (if not all) of the IPF's howtos out there use a default to accept policy (misleading), so you'd see: block in all block out all with a default to deny policy (everyone should), you can remove those lines and use quick on all rulesets.
|
|
#3
January 26th, 2002, 10:38 PM
|
||||
|
||||
|
Well ironically I just lost a long post because of changing the ipf rules around, very annoying.
 Anyway the gist of it was that the '1337' rule was in ipnat.rules for an ftp server that uses that non-standard port for ftp services - I wouldn't allow that in a production env.  I also posted the complete list that I had based on Terry's post and your comments freebsd in that post - I'll do it again: Code:
################################################################################ ################################################################################ # # IPF Ruleset: # Allows 192.168.0/24 to 'masquerade' through a PPP device, tun0 # Internal NIC is fxp0 # # ascii art network diagram: # # ______________ __________________ # | IPNAT/IPF | | LAN | # | __________ | | ______________ | # _/\__/\_ | | | | | | | | # | | | | FreeBSD | | | | Masqueraded | | # / Internet \--(tun0)--| System |--(fxp0)--| Workstation | | # \_ _ _ _/ | |__________| | | |______________| | # \/ \/ \/ | 192.168.0.1 | | 192.168.0.10 | # |______________| |__________________| # # Services used outgoing on tun0: # www (80,8080), ssh, ftp(21,1337), irc(6666-7000) # Also: # ping, traceroute, host, nmap # # Services used incoming on tun0: # www(80 only), ssh ################################################################################ ################################################################################ # loopback in/out: pass in quick on lo0 pass out quick on lo0 # internal NIC in/out: pass in quick on fxp0 pass out quick on fxp0 # no spoofing: block in log quick on tun0 from 127.0.0.0/8 to any block in log quick on tun0 from 192.168.0.0/16 to any block in log quick on tun0 from 172.16.0.0/12 to any block in log quick on tun0 from 10.0.0.0/8 to any block in log quick on tun0 from 0.0.0.0/8 to any block in log quick on tun0 from 169.254.0.0/16 to any block in log quick on tun0 from 192.0.2.0/24 to any block in log quick on tun0 from 204.152.64.0/23 to any block in log quick on tun0 from 224.0.0.0/3 to any block out log quick on tun0 from any to 127.0.0.0/8 block out log quick on tun0 from any to 192.168.0.0/16 block out log quick on tun0 from any to 172.16.0.0/12 block out log quick on tun0 from any to 10.0.0.0/8 block out log quick on tun0 from any to 0.0.0.0/8 block out log quick on tun0 from any to 169.254.0.0/16 block out log quick on tun0 from any to 192.0.2.0/24 block out log quick on tun0 from any to 204.152.64.0/23 block out log quick on tun0 from any to 224.0.0.0/3 # ssh incoming: pass in quick on tun0 proto tcp from any to 0/32 port = 22 flags S keep state # http incoming: pass in quick on tun0 proto tcp from any to 0/32 port = 80 flags S keep state # external iface out: pass out proto tcp from any to any port = 21 keep state pass out quick proto tcp from any to any flags S/SA keep state pass out quick proto tcp from any to any keep state pass out quick on tun0 proto icmp all pass in quick on tun0 proto icmp all icmp-type 0 pass in quick on tun0 proto icmp all icmp-type 11 # irregular packet blocking: block in log quick on tun0 all with ipopts block in log quick on tun0 all with short block return-rst in log quick on tun0 proto tcp all flags FUP #get rid of everything else block return-rst in log first quick on tun0 proto tcp all flags S block in log first quick on tun0 proto tcp all block return-icmp-as-dest(port-unr) in log first quick on tun0 proto udp all block return-icmp-as-dest(host-unr) in log first quick on tun0 proto icmp all block in log first quick on tun0 all As this stands, I can't do much at all and it's very annoying. Outgoing through tun0 (internet) I can't use ssh, www, ftp, 'host', 'traceroute' - although I can use IRC and ping, whoopee! Inbound on tun0 people can't access my sshd, nor my httpd either. It seems a large part of the problem is name resolution - namely it not working with these rules (when I change the ruleset back to a default 'allow all', everything works fine). EDIT >> I've managed to solve the name resolution issue with this rule: pass out on tun0 proto udp from any to any port = 53 keep state ftp, www, ssh, nmap all work fine now (well nmap basic scans anyway) I'd hoped to have solved the traceroute problem too by commenting out the block rule for ipopts packets - this wasn't the case however - traceroute output now looks like this now: Code:
[munk /home/munk] # traceroute sonictown.co.uk traceroute to sonictown.co.uk (213.239.5.113), 64 hops max, 40 byte packets traceroute: sendto: No route to host 1 traceroute: wrote sonictown.co.uk 40 chars, ret=-1 Thanks in advance. Last edited by munkfish : January 26th, 2002 at 11:19 PM.
|
|
#4
January 26th, 2002, 11:17 PM
|
|||
|
|||
|
>> the '1337' rule was in ipnat.rules for an ftp server
If you are running an FTP server on your FreeBSD box: 1) why don't you pass in tcp on 1337? 2) Why you need to rewrite src addr (192.168.0.2) and going thru FTP proxy? I still don't think you need that line at all. You just need to tell people (from outside) your FTPd is running on port 1337. Accessing from within your LAN, you don't even need to use FTP proxy. There are still some major problems to your ipf.rules. I'm going to rewrite it, then explain it afterward: Code:
# loopback in/out: pass in quick on lo0 all pass out quick on lo0 all # internal NIC in/out: pass in quick on fxp0 all pass out quick on fxp0 all # no spoofing: block in log quick on tun0 from 127.0.0.0/8 to any block in log quick on tun0 from 192.168.0.0/16 to any block in log quick on tun0 from 172.16.0.0/12 to any block in log quick on tun0 from 10.0.0.0/8 to any block in log quick on tun0 from 255.255.255.255/32 to any block in log quick on tun0 from 0.0.0.0/32 to any block in log quick on tun0 from 169.254.0.0/16 to any block in log quick on tun0 from 192.0.2.0/24 to any block in log quick on tun0 from 204.152.64.0/23 to any block in log quick on tun0 from 224.0.0.0/3 to any block out log quick on tun0 from any to 127.0.0.0/8 block out log quick on tun0 from any to 192.168.0.0/16 block out log quick on tun0 from any to 172.16.0.0/12 block out log quick on tun0 from any to 10.0.0.0/8 block out log quick on tun0 from any to 255.255.255.255/32 block out log quick on tun0 from any to 0.0.0.0/32 block out log quick on tun0 from any to 169.254.0.0/16 block out log quick on tun0 from any to 192.0.2.0/24 block out log quick on tun0 from any to 204.152.64.0/23 block out log quick on tun0 from any to 224.0.0.0/3 # irregular packet blocking: block in log quick on tun0 all with ipopts block in log quick on tun0 all with short block return-rst in log quick on tun0 proto tcp all flags FUP # ssh incoming: pass in quick on tun0 proto tcp from any to any port = 22 flags S keep state # http incoming: pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state # allow traceroute + ping pass in quick on tun0 proto icmp all icmp-type 0 pass in quick on tun0 proto icmp all icmp-type 11 # external iface out: pass out quick on tun0 proto icmp all keep state pass out quick on tun0 proto udp all keep state keep frags pass out proto tcp from any to any port = 21 keep state pass out proto tcp from any to any port = 22 keep state pass out proto tcp from any to any port = 25 keep state pass out proto tcp from any to any port = 80 keep state pass out proto tcp from any to any port = 443 keep state pass out quick proto tcp from any to any flags S/SA keep state pass out quick proto tcp from any to any keep state #get rid of everything else block return-rst in log first quick on tun0 proto tcp all flags S block in log first quick on tun0 proto tcp all block return-icmp-as-dest(port-unr) in log first quick on tun0 proto udp all block return-icmp-as-dest(host-unr) in log first quick on tun0 proto icmp all block in log first quick on tun0 all You forgot the very important udp pass out ruleset. With a default-to-deny policy, you can't reolve and DNS name at all (if you're using your ISP's caching nameserver). If you run your own DNS (cache/authoritative), check the other thread for the addditional rulesets.
|
|
#5
January 26th, 2002, 11:48 PM
|
||||
|
||||
|
! You posted two mins before I made edits to my last post (about that UDP rule in fact for DNS
 )Right - thanks for those tips / ammendments - I'll make adjustments as necessary. The ssh and http rules (where I was putting '0/32' instead of 'any') make perfect sense now you mention it! Regarding the FTP issue - some confusion here I think - the '1337' rule is only for my NAT'd/masqueraded ftp client transactions - not for ftpd services incoming on tun0. Also, regarding the no-spoof rule: block in log quick on tun0 from 0.0.0.0/8 to any I specified this rule on advice from the authors of the IPF-HOWTO (mirrored here: http://www.darkart.com/mirrors/www....f/ipf-howto.txt) The HOWTO says: Quote:
I imagine this is a moot point! Anyay... I've just made the changes to the sshd and httpd in rules and it works a treat! Very chuffed at that - learnt a lot in the process as well. Many thanks for your time.
|
|
#6
January 27th, 2002, 12:23 AM
|
|||
|
|||
|
>> I'd hoped to have solved the traceroute problem
Because you need udp pass out too. That's why I put pass out quick on tun0 proto udp all keep state keep frags. As far as the 0.0.0.0/8, it makes much sense to block it as well. For 0.0.0.0/32, your ISP setup may vary, for me, I would still block it without a doubt despite what the author says. BTW, whose domain is freebsdhowtos.com? If it's yours, then I have to tell you your host has misconfigured their MX and PTR. If you need to know more, start a new thread in DNS forum. Last edited by freebsd : January 27th, 2002 at 12:26 AM.
|
|
#7
January 27th, 2002, 01:54 AM
|
||||
|
||||
|
>>I put pass out quick on tun0 proto udp all keep state keep frags.
Excellent - works a treat now - thanks. >>As far as the 0.0.0.0/8, it makes much sense to block it as well. For 0.0.0.0/32, your ISP setup may vary, for me, I would still block it without a doubt despite what the author says. Wouldn't blocking 0.0.0.0/8 implicity block 0.0.0.0/32 anyway? >>BTW, whose domain is freebsdhowtos.com? Sorry - not my domain. I just found some interesting articles there. Thanks again.
|
|
#8
January 27th, 2002, 08:36 AM
|
|||
|
|||
|
>> Wouldn't blocking 0.0.0.0/8 implicity block 0.0.0.0/32 anyway?
You're right. I didn't pay too much attention to that. I must have misread something and though you don't want to block 0.0.0.0/32. >> Sorry - not my domain I just wanted to point out that their MX doesn't have an A record, it's CNAME, which is plain bad. Their PTR and SOA are also broken.
|
|
#9
January 27th, 2002, 09:20 AM
|
||||
|
||||
|
>> I just wanted to point out that their MX doesn't ...
argh stop already reminding me I need to learn about DNS/BIND!!! Incidentally what would be the best way to get practical experience with BIND/named on a home network? Realistically can I learn much without administering my own 'live' domain and without having a static IP address? I'd really like to/need to learn more and whilst I've read through the O'Reilly DNS/BIND book it's not much without practical experience. Is the only solution to buy a decent dedicated connection/do co-location??? PS - the ipf script is brilliant as it stands right now - here's a sample output from ping: Code:
server4.hancock6:~$ ping 80.225.46.129 PING 80.225.46.129 (80.225.46.129): 56 data bytes and that's all! Not a hint of an echo reply coming back Furthermore I can even use the more esoteric scan types provided for by nmap et al without a hitch getting back reliable results each time - I'm very impressed!Much appreciative of your help freebsd - thanks!
|
|
#10
January 27th, 2002, 10:20 AM
|
|||
|
|||
|
>> best way to get practical experience with BIND/named on a home network?
Just forget BIND/named as it's one of the worst software ever developed on earth. On a home network, you still can run authoritative DNS server plus caching DNS resolver. But don't use BIND, use djbdns at all time. >> without having a static IP address? That'd put a cap on your growing knowledge/experience. Without that, there are many things you can't do, not to mention it's unreliable when running any type of server without a static IP, since most servers, if not all, rely on DNS in some way. Here's my little script (/usr/local/sbin/ipfctl) for you to play around with: Code:
#!/bin/sh
case "$1" in
reload) /sbin/ipf -IFa -f /etc/ipf.rules -s 2>&1 > /dev/null
echo "ipf rulesets reloaded"
;;
state|flush) /sbin/ipf -AFs -s 2>&1 > /dev/null
/sbin/ipf -IFa -f /etc/ipf.rules -s 2>&1 > /dev/null
echo "ipf state table flushed"
;;
clear) /sbin/ipf -AFS -s 2>&1 > /dev/null
/sbin/ipf -IFa -f /etc/ipf.rules -s 2>&1 > /dev/null
echo "ipf state table cleared"
;;
*)
echo "Usage: $0 option
option:
reload - reload rulesets
flush | state - flush non-active state and reload rulesets
clear - clear all state and reload rulesets"
exit 1
esac
exit 0
|
|
#11
January 27th, 2002, 10:26 AM
|
||||
|
||||
|
Final(?) Version
Code:
################################################################################ ################################################################################ # # IPF Ruleset # ################################################################################ ################################################################################ # File: /etc/ipf.rules # # Description: a firewall ruleset loaded using 'ipf -Fa -f /etc/ipf.rules' # # Email: ockham_razer@hotmail.com # # Date: 2002-02-21 # # OS: FreeBSD 4.4-RELEASE # # Network Diagram: # # ______________ __________________ # | IPNAT/IPF | | LAN | # | __________ | | ______________ | # _/\__/\_ | | | | | | | | # | | | | FreeBSD | | | | Masqueraded | | # / Internet \--(tun0)--| System |--(fxp0)--| Workstation | | # \_ _ _ _/ ppp | |__________| | eth | |______________| | # \/ \/ \/ | 192.168.0.1 | | 192.168.0.10 | # |______________| |__________________| # # # Notes: # - tun0 dynamically assigned IP address from ISP # - NAT implemented using ipf util, 'ipnat(5)', ruleset /etc/ipnat.rules # - ipf filter sync on each redial to ISP using 'ipf -y' via # /etc/ppp/ppp.linkup file # - NAT'ed client OS - win95 # # Services outbound on tun0: # www (80,8080), ssh, ftp(21,1337), irc(6666-7000) # Also: # ping, traceroute, host, nmap, whois, numerous others # # Services inbound on tun0: # www(80 only), ssh # ################################################################################ # ruleset start: ################################################################################ # loopback in/out: pass in quick on lo0 all pass out quick on lo0 all # internal NIC in/out: pass in quick on fxp0 all pass out quick on fxp0 all # no spoofing: block in log quick on tun0 from 127.0.0.0/8 to any block in log quick on tun0 from 192.168.0.0/16 to any block in log quick on tun0 from 172.16.0.0/12 to any block in log quick on tun0 from 10.0.0.0/8 to any block in log quick on tun0 from 255.255.255.255/32 to any block in log quick on tun0 from 0.0.0.0/8 to any block in log quick on tun0 from 0.0.0.0/32 to any block in log quick on tun0 from 169.254.0.0/16 to any block in log quick on tun0 from 192.0.2.0/24 to any block in log quick on tun0 from 204.152.64.0/23 to any block in log quick on tun0 from 224.0.0.0/3 to any block out log quick on tun0 from any to 127.0.0.0/8 block out log quick on tun0 from any to 192.168.0.0/16 block out log quick on tun0 from any to 172.16.0.0/12 block out log quick on tun0 from any to 10.0.0.0/8 block out log quick on tun0 from any to 255.255.255.255/32 block out log quick on tun0 from any to 0.0.0.0/8 block out log quick on tun0 from any to 0.0.0.0/32 block out log quick on tun0 from any to 169.254.0.0/16 block out log quick on tun0 from any to 192.0.2.0/24 block out log quick on tun0 from any to 204.152.64.0/23 block out log quick on tun0 from any to 224.0.0.0/3 # ssh incoming: pass in quick on tun0 proto tcp from any to any port = 22 flags S keep state # http incoming: pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state # external iface out: # FTP: pass out proto tcp from any to any port = 21 keep state pass out quick proto tcp from any to any flags S/SA keep state pass out quick proto tcp from any to any keep state # ping: pass out quick on tun0 proto icmp all pass in quick on tun0 proto icmp all icmp-type 0 pass in quick on tun0 proto icmp all icmp-type 11 # DNS: pass out quick on tun0 proto udp from any to any port = 53 keep state # traceroute: pass out quick on tun0 proto udp all keep state keep frags # irregular packet blocking: # block in log quick on tun0 all with ipopts block in log quick on tun0 all with short block return-rst in log quick on tun0 proto tcp all flags FUP #get rid of everything else block return-rst in log first quick on tun0 proto tcp all flags S block in log first quick on tun0 proto tcp all block return-icmp-as-dest(port-unr) in log first quick on tun0 proto udp all block return-icmp-as-dest(host-unr) in log first quick on tun0 proto icmp all block in log first quick on tun0 all ################################################################################ ################################################################################ # ruleset end # # cf. # <http://coombs.anu.edu.au/~avalon/ip-filter.html> # - IPF Site Proper # # <http://packetstorm.decepticons.org/...nd_IPFILTER.htm> # - Good article on rebuilding kernel for security optimization # # <http://www.unixcircle.com/ipf> # - mirror of http://www.obfuscation.org/ipf/ - currently down # links to ipf HOWTO and FAQ, with thanks # # <http://www.freebsd.org> ################################################################################ ################################################################################
|
|
#12
January 27th, 2002, 10:52 AM
|
|||
|
|||
|
1) You need to give # irregular packet blocking higher priority above your # ssh incoming. Or else they can sneak in your ssh's pass in ruleset.
2) Next, give all outbound icmp higher priority than udp and tcp. 3) You don't need # DNS. Your pass out udp should do just fine, and with keep frags. 4) # external iface out: In my previous example it was written as: Code:
pass out proto tcp from any to any port = 21 keep state pass out proto tcp from any to any port = 22 keep state pass out proto tcp from any to any port = 25 keep state pass out proto tcp from any to any port = 80 keep state pass out proto tcp from any to any port = 443 keep state pass out quick proto tcp from any to any flags S/SA keep state pass out quick proto tcp from any to any keep state which is equivalent to: Code:
# pass out without quick keyword pass out proto tcp all keep state # quick with flags S/SA pass out quick proto tcp all flags S/SA keep state # usually nothing should hit this rule but it's safer when a packet loss its state pass out quick proto tcp all keep state If you just pass out proto tcp from any to any port = 21 keep state, you will likely be seeing many legitimate packets to get dropped. Last edited by freebsd : January 27th, 2002 at 10:56 AM.
|
|
#13
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
