Page 1 of 2 12 Last
  • Jump to page:
    #1
  1. funky munky
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jul 2001
    Location
    UK
    Posts
    1,446
    Rep Power
    16

    ipf filter ruleset for masquerading/NAT


    First off thanks for the thread by Terry on the board and the replies by freebsd which were very insightful. However I'm having problems setting up ipf even after using the ruleset in that thread (http://forums.devshed.com/showthread...297#post119297) with modifications for my setup.

    First of all a network diagram:

    Code:
                          ______________        __________________
                         |  IPNAT/IPF   |      |       LAN        |
                         |  __________  |      |  ______________  |
       _/\__/\_          | |          | |      | |              | |
      |        |         | | FreeBSD  | |      | | Masqueraded  | |
     / Internet \--(tun0)--|  System  |--(fxp0)--| Workstation  | |
     \_  _  _  _/        | |__________| |      | |______________| |
       \/ \/ \/          |              |      |                  |
                         |______________|      |__________________|
    As you can see I currently have just one machine connected to the freebsd box on fxp0 (an intel express 10/100 card) and the freebsd box in turn is connected to the external network via a PPP interface, tun0. As such IP of the external interface changes on each reconnect to my ISP.

    Regards the NAT, I'm using ipnat with the following ruleset:
    Code:
    # port 21 ftp proxy mapping:
    map tun0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
    # port 1337 ftp proxy mapping:
    map tun0 192.168.0.0/24 -> 0/32 proxy port 1337 ftp/tcp
    # map out the 256 addresses in 192.168.0.0/24 to non-service ports:
    map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 1025:65535
    # finally map all from 192.168/24 to tun0/32:
    map tun0 192.168.0.0/24 -> 0/32
    EDIT>> cf: http://marc.theaimsgroup.com/?l=ipfi...6147509716&w=2

    This setup works perfectly fine if I set up ipf using a default allow all in/out (I have 'IPFILTER_DEFAULT_BLOCK' built into kernel):
    Code:
    pass in all
    pass out all
    together with a filter syncing command 'ipf -y' in my /etc/ppp/ppp.linkup file (to rehash the state table in light of the new address assignment when 'ppp' reconnects).

    However the problems start when I try and allow in http traffic to port 80 and sshd connections on port 22. The current (minimal) ruleset I have is:
    Code:
    # loopback allow in/out:
    pass in quick on lo0 all
    pass out quick on lo0 all
    
    # internal NIC allow in/out:
    pass in quick on fxp0 all
    pass out quick on fxp0 all
    
    # from local LAN out through tun0 and back:
    pass out quick on tun0 from 192.168.0.0/16 to any
    pass in quick on tun0 from any to 192.168.0.0/16
    
    # ssh incoming:
    pass in quick on tun0 proto tcp from any to 0/32 port = 22 flags S keep state
    
    # http incoming:
    pass in quick on tun0 proto tcp from any to 0/32 port = 80 flags S keep state
    So my questions:
    Is an address range assignment '0/32' valid in an ipf rule, or do I have to use the facilities provided by ppp to dynamically build a rule each time I reconnect using ppp to reflect the new IP address?

    Also are the rules underneath the comment: '# from local LAN out through tun0 and back:' valid/secure?

    Thanks in advance.
    Last edited by munkfish; January 27th, 2002 at 03:35 AM.
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    1) Remove map tun0 192.168.0.0/24 -> 0/32 proxy port 1337 ftp/tcp

    2) The following rulesets:

    Code:
    pass out quick on tun0 from 192.168.0.0/16 to any
    pass in quick on tun0 from any to 192.168.0.0/16
    is to allow IP spoofing. In the pass out rule above, ipf will see your own IP as your external IP (not 192.168.01). As for the pass in rule, like I said in the other thread, say your Windows box has an IP of 192.168.0.2, but ipnat.rules has higher priority than ipf.rules and ipnat.rules gets read first, then rewrite the src addr (192.168.0.2) to your FreeBSD's addr and going out of tun0. That said, you really should block them to disallow IP spoofing. Your tun0 should NEVER get traffic (in/out) from non-routable IPs (192.168.0.0/16).
    You only need the following two rulesets:

    pass in quick on fxp0 all
    pass out quick on fxp0 all

    to deal with ALL your LAN traffic. You can say fxp0 should only appear in ipf.rules twice, no more, no less.

    BTW, almost 99% (if not all) of the IPF's howtos out there use a default to accept policy (misleading), so you'd see:

    block in all
    block out all

    with a default to deny policy (everyone should), you can remove those lines and use quick on all rulesets.
  4. #3
  5. funky munky
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jul 2001
    Location
    UK
    Posts
    1,446
    Rep Power
    16
    Well ironically I just lost a long post because of changing the ipf rules around, very annoying.

    Anyway the gist of it was that the '1337' rule was in ipnat.rules for an ftp server that uses that non-standard port for ftp services - I wouldn't allow that in a production env.

    I also posted the complete list that I had based on Terry's post and your comments freebsd in that post - I'll do it again:
    Code:
    ################################################################################
    ################################################################################
    #
    # IPF Ruleset:
    # Allows 192.168.0/24 to 'masquerade' through a PPP device, tun0
    # Internal NIC is fxp0
    #
    # ascii art network diagram:
    #
    #                      ______________        __________________
    #                     |  IPNAT/IPF   |      |       LAN        |
    #                     |  __________  |      |  ______________  |
    #   _/\__/\_          | |          | |      | |              | |
    #  |        |         | | FreeBSD  | |      | | Masqueraded  | |
    # / Internet \--(tun0)--|  System  |--(fxp0)--| Workstation  | |
    # \_  _  _  _/        | |__________| |      | |______________| |
    #   \/ \/ \/          | 192.168.0.1  |      |   192.168.0.10   |
    #                     |______________|      |__________________|
    #
    # Services used outgoing on tun0:
    # www (80,8080), ssh, ftp(21,1337), irc(6666-7000)
    # Also:
    # ping, traceroute, host, nmap
    #
    # Services used incoming on tun0:
    # www(80 only), ssh
    ################################################################################
    ################################################################################
    
    # loopback in/out:
    pass in quick on lo0
    pass out quick on lo0
    
    # internal NIC in/out:
    pass in quick on fxp0
    pass out quick on fxp0
    
    # no spoofing:
    block in log quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 192.168.0.0/16 to any
    block in log quick on tun0 from 172.16.0.0/12 to any
    block in log quick on tun0 from 10.0.0.0/8 to any
    block in log quick on tun0 from 0.0.0.0/8 to any
    block in log quick on tun0 from 169.254.0.0/16 to any
    block in log quick on tun0 from 192.0.2.0/24 to any
    block in log quick on tun0 from 204.152.64.0/23 to any
    block in log quick on tun0 from 224.0.0.0/3 to any
    block out log quick on tun0 from any to 127.0.0.0/8
    block out log quick on tun0 from any to 192.168.0.0/16
    block out log quick on tun0 from any to 172.16.0.0/12
    block out log quick on tun0 from any to 10.0.0.0/8
    block out log quick on tun0 from any to 0.0.0.0/8
    block out log quick on tun0 from any to 169.254.0.0/16
    block out log quick on tun0 from any to 192.0.2.0/24
    block out log quick on tun0 from any to 204.152.64.0/23
    block out log quick on tun0 from any to 224.0.0.0/3
    
    # ssh incoming:
    pass in quick on tun0 proto tcp from any to 0/32 port = 22 flags S keep state
    
    # http incoming:
    pass in quick on tun0 proto tcp from any to 0/32 port = 80 flags S keep state
    
    # external iface out:
    pass out proto tcp from any to any port = 21 keep state 
    pass out quick proto tcp from any to any flags S/SA keep state 
    pass out quick proto tcp from any to any keep state 
    
    pass out quick on tun0 proto icmp all
    pass in quick on tun0 proto icmp all icmp-type 0
    pass in quick on tun0 proto icmp all icmp-type 11
    
    
    # irregular packet blocking:
    block in log quick on tun0 all with ipopts
    block in log quick on tun0 all with short
    block return-rst in log quick on tun0 proto tcp all flags FUP
    
    #get rid of everything else
    block return-rst in log first quick on tun0 proto tcp all flags S
    block in log first quick on tun0 proto tcp all
    block return-icmp-as-dest(port-unr) in log first quick on tun0 proto udp all
    block return-icmp-as-dest(host-unr) in log first quick on tun0 proto icmp all
    block in log first quick on tun0 all
    As this stands, I can't do much at all and it's very annoying. Outgoing through tun0 (internet) I can't use ssh, www, ftp, 'host', 'traceroute' - although I can use IRC and ping, whoopee! Inbound on tun0 people can't access my sshd, nor my httpd either. It seems a large part of the problem is name resolution - namely it not working with these rules (when I change the ruleset back to a default 'allow all', everything works fine).
    EDIT >> I've managed to solve the name resolution issue with this rule:

    pass out on tun0 proto udp from any to any port = 53 keep state

    ftp, www, ssh, nmap all work fine now (well nmap basic scans anyway)

    I'd hoped to have solved the traceroute problem too by commenting out the block rule for ipopts packets - this wasn't the case however - traceroute output now looks like this now:
    Code:
    [munk /home/munk] # traceroute sonictown.co.uk
    traceroute to sonictown.co.uk (213.239.5.113), 64 hops max, 40 byte packets
    traceroute: sendto: No route to host
     1 traceroute: wrote sonictown.co.uk 40 chars, ret=-1
    Thanks in advance.
    Last edited by munkfish; January 27th, 2002 at 12:19 AM.
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    >> the '1337' rule was in ipnat.rules for an ftp server

    If you are running an FTP server on your FreeBSD box:

    1) why don't you pass in tcp on 1337?
    2) Why you need to rewrite src addr (192.168.0.2) and going thru FTP proxy?

    I still don't think you need that line at all. You just need to tell people (from outside) your FTPd is running on port 1337. Accessing from within your LAN, you don't even need to use FTP proxy.

    There are still some major problems to your ipf.rules. I'm going to rewrite it, then explain it afterward:

    Code:
    # loopback in/out:
    pass in quick on lo0 all
    pass out quick on lo0 all
    
    # internal NIC in/out:
    pass in quick on fxp0 all
    pass out quick on fxp0 all
    
    # no spoofing:
    block in log quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 192.168.0.0/16 to any
    block in log quick on tun0 from 172.16.0.0/12 to any
    block in log quick on tun0 from 10.0.0.0/8 to any
    block in log quick on tun0 from 255.255.255.255/32 to any
    block in log quick on tun0 from 0.0.0.0/32 to any
    block in log quick on tun0 from 169.254.0.0/16 to any
    block in log quick on tun0 from 192.0.2.0/24 to any
    block in log quick on tun0 from 204.152.64.0/23 to any
    block in log quick on tun0 from 224.0.0.0/3 to any
    block out log quick on tun0 from any to 127.0.0.0/8
    block out log quick on tun0 from any to 192.168.0.0/16
    block out log quick on tun0 from any to 172.16.0.0/12
    block out log quick on tun0 from any to 10.0.0.0/8
    block out log quick on tun0 from any to 255.255.255.255/32
    block out log quick on tun0 from any to 0.0.0.0/32
    block out log quick on tun0 from any to 169.254.0.0/16
    block out log quick on tun0 from any to 192.0.2.0/24
    block out log quick on tun0 from any to 204.152.64.0/23
    block out log quick on tun0 from any to 224.0.0.0/3
    
    # irregular packet blocking:
    block in log quick on tun0 all with ipopts
    block in log quick on tun0 all with short
    block return-rst in log quick on tun0 proto tcp all flags FUP
    
    # ssh incoming:
    pass in quick on tun0 proto tcp from any to any port = 22 flags S keep state
    
    # http incoming:
    pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state
    
    # allow traceroute + ping
    pass in quick on tun0 proto icmp all icmp-type 0
    pass in quick on tun0 proto icmp all icmp-type 11
    
    # external iface out:
    pass out quick on tun0 proto icmp all keep state
    pass out quick on tun0 proto udp all keep state keep frags
    pass out proto tcp from any to any port = 21 keep state 
    pass out proto tcp from any to any port = 22 keep state 
    pass out proto tcp from any to any port = 25 keep state 
    pass out proto tcp from any to any port = 80 keep state 
    pass out proto tcp from any to any port = 443 keep state 
    pass out quick proto tcp from any to any flags S/SA keep state 
    pass out quick proto tcp from any to any keep state 
    
    #get rid of everything else
    block return-rst in log first quick on tun0 proto tcp all flags S
    block in log first quick on tun0 proto tcp all
    block return-icmp-as-dest(port-unr) in log first quick on tun0 proto udp all
    block return-icmp-as-dest(host-unr) in log first quick on tun0 proto icmp all
    block in log first quick on tun0 all
    You forgot the very important udp pass out ruleset. With a default-to-deny policy, you can't reolve and DNS name at all (if you're using your ISP's caching nameserver). If you run your own DNS (cache/authoritative), check the other thread for the addditional rulesets.
  8. #5
  9. funky munky
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jul 2001
    Location
    UK
    Posts
    1,446
    Rep Power
    16
    ! You posted two mins before I made edits to my last post (about that UDP rule in fact for DNS)

    Right - thanks for those tips / ammendments - I'll make adjustments as necessary. The ssh and http rules (where I was putting '0/32' instead of 'any') make perfect sense now you mention it!

    Regarding the FTP issue - some confusion here I think - the '1337' rule is only for my NAT'd/masqueraded ftp client transactions - not for ftpd services incoming on tun0.

    Also, regarding the no-spoof rule:
    block in log quick on tun0 from 0.0.0.0/8 to any
    I specified this rule on advice from the authors of the IPF-HOWTO (mirrored here: http://www.darkart.com/mirrors/www.o.../ipf-howto.txt)
    The HOWTO says:
    Most IP stacks treat "0.0.0.0/32" as the default
    gateway, and the rest of the 0.*.*.* network gets handled
    strangely by various systems as a byproduct of how routing
    decisions are made. You should treat 0.0.0.0/8 just like
    127.0.0.0/8
    I imagine this is a moot point!

    Anyay... I've just made the changes to the sshd and httpd in rules and it works a treat! Very chuffed at that - learnt a lot in the process as well.

    Many thanks for your time.
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    >> I'd hoped to have solved the traceroute problem

    Because you need udp pass out too. That's why I put pass out quick on tun0 proto udp all keep state keep frags.

    As far as the 0.0.0.0/8, it makes much sense to block it as well. For 0.0.0.0/32, your ISP setup may vary, for me, I would still block it without a doubt despite what the author says.

    BTW, whose domain is freebsdhowtos.com? If it's yours, then I have to tell you your host has misconfigured their MX and PTR. If you need to know more, start a new thread in DNS forum.
    Last edited by freebsd; January 27th, 2002 at 01:26 AM.
  12. #7
  13. funky munky
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jul 2001
    Location
    UK
    Posts
    1,446
    Rep Power
    16
    >>I put pass out quick on tun0 proto udp all keep state keep frags.
    Excellent - works a treat now - thanks.

    >>As far as the 0.0.0.0/8, it makes much sense to block it as well. For 0.0.0.0/32, your ISP setup may vary, for me, I would still block it without a doubt despite what the author says.
    Wouldn't blocking 0.0.0.0/8 implicity block 0.0.0.0/32 anyway?

    >>BTW, whose domain is freebsdhowtos.com?
    Sorry - not my domain. I just found some interesting articles there.

    Thanks again.
  14. #8
  15. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    >> Wouldn't blocking 0.0.0.0/8 implicity block 0.0.0.0/32 anyway?

    You're right. I didn't pay too much attention to that. I must have misread something and though you don't want to block 0.0.0.0/32.

    >> Sorry - not my domain

    I just wanted to point out that their MX doesn't have an A record, it's CNAME, which is plain bad. Their PTR and SOA are also broken.
  16. #9
  17. funky munky
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jul 2001
    Location
    UK
    Posts
    1,446
    Rep Power
    16
    >> I just wanted to point out that their MX doesn't ...
    argh stop already reminding me I need to learn about DNS/BIND!!!


    Incidentally what would be the best way to get practical experience with BIND/named on a home network? Realistically can I learn much without administering my own 'live' domain and without having a static IP address? I'd really like to/need to learn more and whilst I've read through the O'Reilly DNS/BIND book it's not much without practical experience. Is the only solution to buy a decent dedicated connection/do co-location???

    PS - the ipf script is brilliant as it stands right now - here's a sample output from ping:
    Code:
    server4.hancock6:~$ ping 80.225.46.129
    PING 80.225.46.129 (80.225.46.129): 56 data bytes
    and that's all! Not a hint of an echo reply coming back Furthermore I can even use the more esoteric scan types provided for by nmap et al without a hitch getting back reliable results each time - I'm very impressed!

    Much appreciative of your help freebsd - thanks!
  18. #10
  19. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    >> best way to get practical experience with BIND/named on a home network?

    Just forget BIND/named as it's one of the worst software ever developed on earth. On a home network, you still can run authoritative DNS server plus caching DNS resolver. But don't use BIND, use djbdns at all time.

    >> without having a static IP address?

    That'd put a cap on your growing knowledge/experience. Without that, there are many things you can't do, not to mention it's unreliable when running any type of server without a static IP, since most servers, if not all, rely on DNS in some way.

    Here's my little script (/usr/local/sbin/ipfctl) for you to play around with:
    Code:
    #!/bin/sh
    
    case "$1" in
            reload) /sbin/ipf -IFa -f /etc/ipf.rules -s 2>&1 > /dev/null
                    echo "ipf rulesets reloaded"
                    ;;
       state|flush) /sbin/ipf -AFs -s 2>&1 > /dev/null
                    /sbin/ipf -IFa -f /etc/ipf.rules -s 2>&1 > /dev/null
                    echo "ipf state table flushed"
                    ;;
            clear)  /sbin/ipf -AFS -s 2>&1 > /dev/null
                    /sbin/ipf -IFa -f /etc/ipf.rules -s 2>&1 > /dev/null
                    echo "ipf state table cleared"
                    ;;
            *)
    echo "Usage: $0 option
    option:
            reload - reload rulesets
            flush | state - flush non-active state and reload rulesets
            clear - clear all state and reload rulesets"
            exit 1
    esac
    exit 0
  20. #11
  21. funky munky
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jul 2001
    Location
    UK
    Posts
    1,446
    Rep Power
    16

    Final(?) Version


    Code:
    ################################################################################
    ################################################################################
    #
    # IPF Ruleset
    #
    ################################################################################
    ################################################################################
    # File:         /etc/ipf.rules
    #
    # Description:  a firewall ruleset loaded using 'ipf -Fa -f /etc/ipf.rules'
    #
    # Email:        ockham_razer@hotmail.com
    #
    # Date:         2002-02-21
    #
    # OS:           FreeBSD 4.4-RELEASE
    #
    # Network Diagram:
    #
    #                      ______________        __________________
    #                     |  IPNAT/IPF   |      |       LAN        |
    #                     |  __________  |      |  ______________  |
    #   _/\__/\_          | |          | |      | |              | |
    #  |        |         | | FreeBSD  | |      | | Masqueraded  | |
    # / Internet \--(tun0)--|  System  |--(fxp0)--| Workstation  | |
    # \_  _  _  _/    ppp | |__________| |  eth | |______________| |
    #   \/ \/ \/          | 192.168.0.1  |      |   192.168.0.10   |
    #                     |______________|      |__________________|
    #
    #
    # Notes:
    # - tun0 dynamically assigned IP address from ISP
    # - NAT implemented using ipf util, 'ipnat(5)', ruleset /etc/ipnat.rules
    # - ipf filter sync on each redial to ISP using 'ipf -y' via
    #   /etc/ppp/ppp.linkup file
    # - NAT'ed client OS - win95
    #
    # Services outbound on tun0:
    # www (80,8080), ssh, ftp(21,1337), irc(6666-7000)
    # Also:
    # ping, traceroute, host, nmap, whois, numerous others
    #
    # Services inbound on tun0:
    # www(80 only), ssh
    #
    ################################################################################
    # ruleset start:
    ################################################################################
    # loopback in/out:
    pass in quick on lo0 all
    pass out quick on lo0 all
    
    # internal NIC in/out:
    pass in quick on fxp0 all
    pass out quick on fxp0 all
    
    # no spoofing:
    block in log quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 192.168.0.0/16 to any
    block in log quick on tun0 from 172.16.0.0/12 to any
    block in log quick on tun0 from 10.0.0.0/8 to any
    block in log quick on tun0 from 255.255.255.255/32 to any
    block in log quick on tun0 from 0.0.0.0/8 to any
    block in log quick on tun0 from 0.0.0.0/32 to any
    block in log quick on tun0 from 169.254.0.0/16 to any
    block in log quick on tun0 from 192.0.2.0/24 to any
    block in log quick on tun0 from 204.152.64.0/23 to any
    block in log quick on tun0 from 224.0.0.0/3 to any
    block out log quick on tun0 from any to 127.0.0.0/8
    block out log quick on tun0 from any to 192.168.0.0/16
    block out log quick on tun0 from any to 172.16.0.0/12
    block out log quick on tun0 from any to 10.0.0.0/8
    block out log quick on tun0 from any to 255.255.255.255/32
    block out log quick on tun0 from any to 0.0.0.0/8
    block out log quick on tun0 from any to 0.0.0.0/32
    block out log quick on tun0 from any to 169.254.0.0/16
    block out log quick on tun0 from any to 192.0.2.0/24
    block out log quick on tun0 from any to 204.152.64.0/23
    block out log quick on tun0 from any to 224.0.0.0/3
    
    # ssh incoming:
    pass in quick on tun0 proto tcp from any to any port = 22 flags S keep state
    
    # http incoming:
    pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state
    
    # external iface out:
    # FTP:
    pass out proto tcp from any to any port = 21 keep state
    pass out quick proto tcp from any to any flags S/SA keep state
    pass out quick proto tcp from any to any keep state
    # ping:
    pass out quick on tun0 proto icmp all
    pass in quick on tun0 proto icmp all icmp-type 0
    pass in quick on tun0 proto icmp all icmp-type 11
    # DNS:
    pass out quick on tun0 proto udp from any to any port = 53 keep state
    # traceroute:
    pass out quick on tun0 proto udp all keep state keep frags
    
    # irregular packet blocking:
    # block in log quick on tun0 all with ipopts
    block in log quick on tun0 all with short
    block return-rst in log quick on tun0 proto tcp all flags FUP
    
    #get rid of everything else
    block return-rst in log first quick on tun0 proto tcp all flags S
    block in log first quick on tun0 proto tcp all
    block return-icmp-as-dest(port-unr) in log first quick on tun0 proto udp all
    block return-icmp-as-dest(host-unr) in log first quick on tun0 proto icmp all
    block in log first quick on tun0 all
    ################################################################################
    ################################################################################
    # ruleset end
    #
    # cf.
    # <http://coombs.anu.edu.au/~avalon/ip-filter.html>
    #	- IPF Site Proper
    #
    # <http://packetstorm.decepticons.org/p...d_IPFILTER.htm>
    #	- Good article on rebuilding kernel for security optimization
    #
    # <http://www.unixcircle.com/ipf>
    #	- mirror of http://www.obfuscation.org/ipf/ - currently down
    #	  links to ipf HOWTO and FAQ, with thanks
    #
    # <http://www.freebsd.org>
    ################################################################################
    ################################################################################
  22. #12
  23. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    1) You need to give # irregular packet blocking higher priority above your # ssh incoming. Or else they can sneak in your ssh's pass in ruleset.

    2) Next, give all outbound icmp higher priority than udp and tcp.

    3) You don't need # DNS. Your pass out udp should do just fine, and with keep frags.

    4) # external iface out:
    In my previous example it was written as:
    Code:
    pass out proto tcp from any to any port = 21 keep state 
    pass out proto tcp from any to any port = 22 keep state 
    pass out proto tcp from any to any port = 25 keep state 
    pass out proto tcp from any to any port = 80 keep state 
    pass out proto tcp from any to any port = 443 keep state 
    pass out quick proto tcp from any to any flags S/SA keep state 
    pass out quick proto tcp from any to any keep state
    which is equivalent to:
    Code:
    # pass out without quick keyword
    pass out proto tcp all keep state
    # quick with flags S/SA
    pass out quick proto tcp all flags S/SA keep state
    # usually nothing should hit this rule but it's safer when a packet loss its state
    pass out quick proto tcp all keep state
    If you just pass out proto tcp from any to any port = 21 keep state, you will likely be seeing many legitimate packets to get dropped.
    Last edited by freebsd; January 27th, 2002 at 11:56 AM.
  24. #13
  25. funky munky
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jul 2001
    Location
    UK
    Posts
    1,446
    Rep Power
    16
    First off sorry I didn't see your last post re bind/dns! We posted at the same time by the looks of it again...

    I seem to remember you mentioning the tcp tools by djb before - I had a quick browse and given what you say above re bind vs djbdns I think a visit to djb's site is in order again. Thanks for the tip.

    It looks like I'll have to invest some money into obtaining at least a static address and a few domains then, hopefully on a decent connection. My only worry is spending $300+/month for a server that will not be making any money for me whilst I get up to speed on securing and managing the seemingly unending number of admin tasks that need to be completed before I can take money off people for a hosting service.


    Anyway, thanks for the ipfctl script - that will help immensely. I'd written a minimal start / stop sh script in rc.d to start ipnat/ipf at boot, although the stdout/stderror redirection and swapping in/out of old/new rulesets in your script I'd not thought of.

    With this said it brings to mind a question regarding the nature of my ppp connection being dynamic and hence being brought down and back up every 3 hours. Presently the command 'ipf -y' is run as a bg proc from my /etc/ppp/ppp.linkup script - ie every time the ppp connection is rebuilt.

    From the scarce documentation of the '-y' ipf switch, my understanding is that 'ipf -y' syncs the internal kernel list of NAT mappings to reflect a change in address such as at a DHCP lease change or ppp reconnect. Is running 'ipf -y' all that's required on recieving a new IP address from my ISP?


    Anyway... I made the changes you suggested above to the ruleset - hope I interpreted your: "give all outbound icmp higher priority than udp and tcp" correctly in the rule reordering:

    Code:
    ################################################################################
    ################################################################################
    #
    # IPF Ruleset
    #
    ################################################################################
    ################################################################################
    # File:         /etc/ipf.rules
    #
    # Description:  a firewall ruleset loaded using 'ipf -Fa -f /etc/ipf.rules'
    #
    # Email:        ockham_razer@hotmail.com
    #
    # Date:         2002-02-21
    #
    # OS:           FreeBSD 4.4-RELEASE
    #
    # Network Diagram:
    #
    #                      ______________        __________________
    #                     |  IPNAT/IPF   |      |       LAN        |
    #                     |  __________  |      |  ______________  |
    #   _/\__/\_          | |          | |      | |              | |
    #  |        |         | | FreeBSD  | |      | | Masqueraded  | |
    # / Internet \--(tun0)--|  System  |--(fxp0)--| Workstation  | |
    # \_  _  _  _/    ppp | |__________| |  eth | |______________| |
    #   \/ \/ \/          | 192.168.0.1  |      |   192.168.0.10   |
    #                     |______________|      |__________________|
    #
    #
    # Notes:
    # - tun0 dynamically assigned IP address from ISP
    # - NAT implemented using ipf util, 'ipnat(5)', ruleset /etc/ipnat.rules
    # - ipf filter sync on each redial to ISP using 'ipf -y' via
    #   /etc/ppp/ppp.linkup file
    # - NAT'ed client OS - win95
    #
    # Services outbound on tun0:
    # www (80,8080), ssh, ftp(21,1337), irc(6666-7000)
    # Also:
    # ping, traceroute, host, nmap, whois, numerous others
    #
    # Services inbound on tun0:
    # www(80 only), ssh
    #
    ################################################################################
    # ruleset start:
    ################################################################################
    # loopback in/out:
    pass in quick on lo0 all
    pass out quick on lo0 all
    
    # internal NIC in/out:
    pass in quick on fxp0 all
    pass out quick on fxp0 all
    
    # no spoofing:
    block in log quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 192.168.0.0/16 to any
    block in log quick on tun0 from 172.16.0.0/12 to any
    block in log quick on tun0 from 10.0.0.0/8 to any
    block in log quick on tun0 from 255.255.255.255/32 to any
    block in log quick on tun0 from 0.0.0.0/8 to any
    block in log quick on tun0 from 0.0.0.0/32 to any
    block in log quick on tun0 from 169.254.0.0/16 to any
    block in log quick on tun0 from 192.0.2.0/24 to any
    block in log quick on tun0 from 204.152.64.0/23 to any
    block in log quick on tun0 from 224.0.0.0/3 to any
    block out log quick on tun0 from any to 127.0.0.0/8
    block out log quick on tun0 from any to 192.168.0.0/16
    block out log quick on tun0 from any to 172.16.0.0/12
    block out log quick on tun0 from any to 10.0.0.0/8
    block out log quick on tun0 from any to 255.255.255.255/32
    block out log quick on tun0 from any to 0.0.0.0/8
    block out log quick on tun0 from any to 0.0.0.0/32
    block out log quick on tun0 from any to 169.254.0.0/16
    block out log quick on tun0 from any to 192.0.2.0/24
    block out log quick on tun0 from any to 204.152.64.0/23
    block out log quick on tun0 from any to 224.0.0.0/3
    
    # irregular packet blocking:
    # block in log quick on tun0 all with ipopts
    block in log quick on tun0 all with short
    block return-rst in log quick on tun0 proto tcp all flags FUP
    
    # ssh incoming:
    pass in quick on tun0 proto tcp from any to any port = 22 flags S keep state
    
    # http incoming:
    pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state
    
    # external iface out:
    # icmp out:
    pass out quick on tun0 proto icmp all
    
    # TCP out:
    pass out proto tcp all keep state
    pass out quick proto tcp all flags S/SA keep state
    pass out quick proto tcp all keep state
    
    # UDP out:
    pass out quick on tun0 proto udp all keep state keep frags
    
    #external iface in:
    # restricted icmp:
    pass in quick on tun0 proto icmp all icmp-type 0
    pass in quick on tun0 proto icmp all icmp-type 11
    
    #get rid of everything else
    block return-rst in log first quick on tun0 proto tcp all flags S
    block in log first quick on tun0 proto tcp all
    block return-icmp-as-dest(port-unr) in log first quick on tun0 proto udp all
    block return-icmp-as-dest(host-unr) in log first quick on tun0 proto icmp all
    block in log first quick on tun0 all
    ################################################################################
    ################################################################################
    # ruleset end
    #
    # cf.
    # <http://coombs.anu.edu.au/~avalon/ip-filter.html>
    #	- IPF Site Proper
    #
    # <http://packetstorm.decepticons.org/p...d_IPFILTER.htm>
    #	- Good article on rebuilding kernel for security optimization
    #
    # <http://www.unixcircle.com/ipf>
    #	- mirror of http://www.obfuscation.org/ipf/ - currently down
    #	  links to ipf HOWTO and FAQ, with thanks
    #
    # <http://www.freebsd.org>
    ################################################################################
    ################################################################################
    Regarding this block:
    Code:
    # block in log quick on tun0 all with ipopts
    block in log quick on tun0 all with short
    block return-rst in log quick on tun0 proto tcp all flags FUP
  26. #14
  27. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    4
    Rep Power
    0
    >> invest some money into obtaining at least a static address

    Maybe 3 or 4 static IP plus reverse DNS. But is it really $300 in UK? It seems quite alot of money. Over here in US you can get up to 32 static IPs with 768/768 for about $170/month.

    >> ipf -y' syncs the internal kernel list of NAT mappings to reflect a change

    I do not have any experience with the -y switch. Maybe you can figure out when it should be executed and insert it to the appropriate execute order. Basically if you launch another shell session and run ipfstat -t (top command like), then run ipfctl with different options you can see how it affects your state table. Under ST with 4/4 is fully established session.

    As for the changes, I'd use the following order:

    Code:
    # http incoming:
    pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state
    
    #external iface in:
    # restricted icmp:
    pass in quick on tun0 proto icmp all icmp-type 0
    pass in quick on tun0 proto icmp all icmp-type 11
    
    # external iface out:
    # icmp out:
    pass out quick on tun0 proto icmp all
    
    # UDP out:
    pass out quick on tun0 proto udp all keep state keep frags
    
    # TCP out:
    pass out proto tcp all keep state
    pass out quick proto tcp all flags S/SA keep state
    pass out quick proto tcp all keep state
  28. #15
  29. funky munky
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jul 2001
    Location
    UK
    Posts
    1,446
    Rep Power
    16
    >> But is it really $300 in UK?
    I was referring to the rental of a dedicated server (probably in US, seems to be cheaper over there). Rental sounds like the cheapest option, short of buying a server and getting it colocated perhaps. Do you have any pointers on this (ie best places to go for renting servers/colocation etc)?

    Thanks for the reordering rules tip too:
    Code:
    ################################################################################
    ################################################################################
    #
    # IPF Ruleset
    #
    ################################################################################
    ################################################################################
    # File:         /etc/ipf.rules
    #
    # Description:  a firewall ruleset loaded using 'ipf -Fa -f /etc/ipf.rules'
    #
    # Email:        ockham_razer@hotmail.com
    #
    # Date:         2002-02-21
    #
    # OS:           FreeBSD 4.4-RELEASE
    #
    # Network Diagram:
    #
    #                      ______________        __________________
    #                     |  IPNAT/IPF   |      |       LAN        |
    #                     |  __________  |      |  ______________  |
    #   _/\__/\_          | |          | |      | |              | |
    #  |        |         | | FreeBSD  | |      | | Masqueraded  | |
    # / Internet \--(tun0)--|  System  |--(fxp0)--| Workstation  | |
    # \_  _  _  _/    ppp | |__________| |  eth | |______________| |
    #   \/ \/ \/          | 192.168.0.1  |      |   192.168.0.10   |
    #                     |______________|      |__________________|
    #
    #
    # Notes:
    # - tun0 dynamically assigned IP address from ISP
    # - NAT implemented using ipf util, 'ipnat(5)', ruleset /etc/ipnat.rules
    # - ipf filter sync on each redial to ISP using 'ipf -y' via
    #   /etc/ppp/ppp.linkup file
    # - NAT'ed client OS - win95
    #
    # Services outbound on tun0:
    # www (80,8080), ssh, ftp(21,1337), irc(6666-7000)
    # Also:
    # ping, traceroute, host, nmap, whois, numerous others
    #
    # Services inbound on tun0:
    # www(80 only), ssh
    #
    ################################################################################
    # ruleset start:
    ################################################################################
    # loopback in/out:
    pass in quick on lo0 all
    pass out quick on lo0 all
    
    # internal NIC in/out:
    pass in quick on fxp0 all
    pass out quick on fxp0 all
    
    # no spoofing:
    block in log quick on tun0 from 127.0.0.0/8 to any
    block in log quick on tun0 from 192.168.0.0/16 to any
    block in log quick on tun0 from 172.16.0.0/12 to any
    block in log quick on tun0 from 10.0.0.0/8 to any
    block in log quick on tun0 from 255.255.255.255/32 to any
    block in log quick on tun0 from 0.0.0.0/8 to any
    block in log quick on tun0 from 0.0.0.0/32 to any
    block in log quick on tun0 from 169.254.0.0/16 to any
    block in log quick on tun0 from 192.0.2.0/24 to any
    block in log quick on tun0 from 204.152.64.0/23 to any
    block in log quick on tun0 from 224.0.0.0/3 to any
    block out log quick on tun0 from any to 127.0.0.0/8
    block out log quick on tun0 from any to 192.168.0.0/16
    block out log quick on tun0 from any to 172.16.0.0/12
    block out log quick on tun0 from any to 10.0.0.0/8
    block out log quick on tun0 from any to 255.255.255.255/32
    block out log quick on tun0 from any to 0.0.0.0/8
    block out log quick on tun0 from any to 0.0.0.0/32
    block out log quick on tun0 from any to 169.254.0.0/16
    block out log quick on tun0 from any to 192.0.2.0/24
    block out log quick on tun0 from any to 204.152.64.0/23
    block out log quick on tun0 from any to 224.0.0.0/3
    
    # irregular packet blocking:
    # block in log quick on tun0 all with ipopts
    block in log quick on tun0 all with short
    block return-rst in log quick on tun0 proto tcp all flags FUP
    
    # ssh incoming:
    pass in quick on tun0 proto tcp from any to any port = 22 flags S keep state
    
    # http incoming:
    pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state
    
    #external iface in:
    # restricted icmp:
    pass in quick on tun0 proto icmp all icmp-type 0
    pass in quick on tun0 proto icmp all icmp-type 11
    
    # external iface out:
    # icmp out:
    pass out quick on tun0 proto icmp all
    
    # UDP out:
    pass out quick on tun0 proto udp all keep state keep frags
    
    # TCP out:
    pass out proto tcp all keep state
    pass out quick proto tcp all flags S/SA keep state
    pass out quick proto tcp all keep state
    
    #get rid of everything else
    block return-rst in log first quick on tun0 proto tcp all flags S
    block in log first quick on tun0 proto tcp all
    block return-icmp-as-dest(port-unr) in log first quick on tun0 proto udp all
    block return-icmp-as-dest(host-unr) in log first quick on tun0 proto icmp all
    block in log first quick on tun0 all
    ################################################################################
    ################################################################################
    # ruleset end
    #
    # cf.
    # <http://coombs.anu.edu.au/~avalon/ip-filter.html>
    #	- IPF Site Proper
    #
    # <http://packetstorm.decepticons.org/p...d_IPFILTER.htm>
    #	- Good article on rebuilding kernel for security optimization
    #
    # <http://www.unixcircle.com/ipf>
    #	- mirror of http://www.obfuscation.org/ipf/ - currently down
    #	  links to ipf HOWTO and FAQ, with thanks
    #
    # <http://www.freebsd.org>
    ################################################################################
    ################################################################################
Page 1 of 2 12 Last
  • Jump to page:

IMN logo majestic logo threadwatch logo seochat tools logo