
[Security] customized and most secure firewall



Posted by Author GABBANA On 2007-04-29 10:01:50






customized and most secure firewall

Category
Security
Summary
Securing your system is easy!? Just use a firewall you can download somewhere, maybe even only the binaries, but this is no security! Security is a customized feature of a system, and you need the chance to customize a firewall for your needs. ipfw is a
Body
ipfw - IP firewall and traffic shaper control program



What is ipfw? ipfw is the user interface for controlling the ipfirewall and the dummynet traffic shaper in FreeBSD. To many of you it will look like ipchains or iptables, but there are slight differences between them and ipfw that are important. ipfw is basically a ruleset that will give you FULL control over your traffic. Each incoming or outgoing packet is passed through the ipfw rules.



If the host is acting as a gateway, packets forwarded by the gateway are processed by ipfw twice. If the host is acting as a bridge, packets forwarded by the bridge are processed by ipfw once. Every rule has a number, so users can refer to rules by number and either delete them or know their exact location within the ruleset (which is very important)!

ipfw works procedurally, like basic programming languages: first command, first served, i.e. the rules are searched in number order. This is very important when you want to add multiple rules for a specific protocol, host, or port.

A configuration always includes a DEFAULT rule (numbered 65535) which cannot be modified by the programmer and always matches packets. The action associated with the default rule can be either deny or allow depending on how the kernel is configured.





The ipfw rule format

ipfw [-X] command [index] action [log] protocol addresses [options]

Let's split this into pieces:

[-X] stands for optional switches. To show the current ruleset, the possible commands are:

ipfw [-X] list (or show)

The switches [-X] supported are:

-t :shows timestamps while listing
-N :tries to resolve addresses and service names in output
-s [field] :sorts the output according to one of the four counters





Now we can finally do the real firewalling:

Each packet can be filtered based on the following information that is associated with it:

Transmit and receive interface (by name or address)
Direction (incoming or outgoing)
Source and destination IP address (possibly masked)
Protocol (TCP, UDP, ICMP, etc.)
Source and destination port (lists, ranges or masks)
TCP flags
IP fragment flag
IP options
ICMP types
User/group ID of the socket associated with the packet



Remember the syntax: ipfw command [index] action [log] protocol addresses [options]

Valid commands are:

add [index] :adds a rule to the ruleset (with or without a number)
delete [index] :deletes the rule with the specified number (i.e. delete 231)



ipfw command [index] action [log] protocol addresses [options]

Valid actions are:

deny :Discard packets that match this rule. The search terminates. (alias: drop)

reject :Discard packets that match this rule, and try to send an ICMP host unreachable notice. The search terminates.

unreach [code] :Discard packets that match this rule, and try to send an ICMP unreachable notice with [code]. [code] can be a number from 0-255 or an alias like srcfail, net-unknown, host-unknown, isolated, net-prohib, host-prohib et cetera (see ipfw(8) for more). The search terminates.

reset :TCP packets only. Discard packets that match and send a TCP reset (RST) packet back. The search terminates.

count :Update counters for all packets that match this rule. The search does not terminate; it continues with the next rule.

divert [port] :Divert packets that match this rule to the divert socket bound to port [port]. The search terminates.

tee [port] :Send a copy of packets matching this rule to the divert socket bound to port [port]. The search terminates and the original packet is accepted. See my eavesdropping VoIP tutorial for the usage :)

skipto [index] :Skip all subsequent rules numbered less than [index]. The search continues with the first rule numbered [index] or higher.

allow :Pass the packet on as normal. (aliases: pass and accept)

These are the most used actions. I don't explain the actions fwd and check-state because for most configurations their usage is useless. In case you are interested in those as well, check ipfw(8).

Most of those actions are useful, but in real life most systems will only need a good ruleset built with allow and deny.





Once again our syntax: ipfw command [index] action [log] protocol addresses [options]

[log] :The log option causes matches of the rule to be logged to the system console if the kernel was compiled with IPFIREWALL_VERBOSE. Check your syslogd logs for the output.

Next part are the protocols:

all :All protocols will match (alias: ip)
tcp :Matches TCP packets only
udp :Matches UDP packets only
icmp :Matches ICMP packets only

These are the most commonly used protocols and for normal usage this is enough (for a complete list, see /etc/protocols).



After the protocol bit, we have to define the addresses. addresses is split into the source address and the destination address, combined with the 'to' operator. We again have a couple of ways to write addresses:

address :One address only, like an IP or a hostname.
address/mask-bits :Address and mask bits, for example for a C subnet we could use 192.216.222.1/24 (24 bits == C subnet); this would cover the entire C subnet.
address:mask-pattern :mask-pattern is an IP address which will be logically AND'ed with the address given.

The keyword any may be used to specify ``any IP address''. Another keyword is 'me', which makes the rule match any IP number configured on an interface in the system. This is a computationally semi-expensive check which should be used with care.

You can (and often want to) specify ports as well. You can list ports like:
23, 80, 1080
or like:
1-443 (including boundaries)

The complete syntax of the addresses part could be like:
www.adress1.net 80 to 127.0.0.1/10
But you'll get some more examples later :)
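As an added example that is not part of the article, here is a small Python model of how the address and port parts of a rule are matched (any, a single address, address/mask-bits, address:mask-pattern, port lists and ranges). The helper names are mine, and hostnames are not resolved here.

```python
# Added illustration of ipfw-style address and port matching (not ipfw code).
import ipaddress

def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))

def match_addr(spec: str, ip: str) -> bool:
    """Match an IPv4 address against an ipfw-style address spec.

    Supports: any | address | address/mask-bits | address:mask-pattern.
    Hostnames are not resolved here (assumption for this example).
    """
    if spec == "any":
        return True
    packet = ip_to_int(ip)
    if "/" in spec:                      # address/mask-bits, e.g. 192.216.222.1/24
        base, bits = spec.split("/")
        mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    elif ":" in spec:                    # address:mask-pattern, pattern is AND'ed with both sides
        base, pattern = spec.split(":")
        mask = ip_to_int(pattern)
    else:                                # a single address
        base, mask = spec, 0xFFFFFFFF
    return (ip_to_int(base) & mask) == (packet & mask)

def match_port(spec: str, port: int) -> bool:
    """Match a port against a list ('23,80,1080') and/or ranges ('1-443', boundaries included)."""
    for item in spec.replace(" ", "").split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-"))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False
```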





Ok, again our syntax: ipfw command [index] action [log] protocol addresses [options]

The options are mostly interfaces, traffic status etc., let's have a look:

in :Only match incoming packets.
out :Only match outgoing packets.

via ifX :Packet must be going through interface 'ifX'. For example eth0
via if* :Packet must be going through interface ifX, where X is any unit number.
via any :Not a wildcard! Packet must be going through some interface!
via ipno :Packet must be going through some interface using the IP address ipno.

bridged :Matches only bridged packets. This can be useful for multicast or broadcast traffic, which would otherwise pass through the firewall twice: once during bridging, and a second time when the packet is delivered to the local stack.
frag :Match if the packet is a fragment and this is not the first fragment of the datagram.



ipoptions spec :Match if the IP header contains the comma separated list of options specified in spec. The supported IP options are: ssrr (strict source route), lsrr (loose source route), rr (record packet route) and ts (timestamp). The absence of a particular option may be denoted with a `!'.
tcpoptions spec :Match if the TCP header contains the comma separated list of options specified in spec. The supported TCP options are: mss (maximum segment size), window (tcp window advertisement), sack (selective ack), ts (rfc1323 timestamp) and cc (rfc1644 t/tcp connection count). The absence of a particular option may be denoted with a `!'.
icmptypes types :Matches if the ICMP type is present in the list types. The list may be specified as any combination of ranges and/or individual types separated by commas. Commonly used ICMP types are: 0 echo reply (ping reply), 3 destination unreachable, 5 redirect, 8 echo request (ping request), and 11 time exceeded (used to indicate TTL expiration as with traceroute). The supported ICMP types are: echo reply (0), destination unreachable (3), source quench (4), redirect (5), echo request (8), router advertisement (9), router solicitation (10), time-to-live exceeded (11), IP header bad (12), timestamp request (13), timestamp reply (14), information request (15), information reply (16), address mask request (17) and address mask reply (18).

established :TCP packets only. Match packets that have the RST or ACK bits set. Plain text: simply established connections.
setup :TCP packets only. Match packets that have the SYN bit set but no ACK bit. Plain text: connection attempts, trying to set up a new connection.
tcpflags spec :TCP packets only. Match if the TCP header contains the comma separated list of flags specified in spec.

uid user :Match all TCP or UDP packets sent by or received for a user. A user may be matched by name or identification number.
gid group :Same as above, you know the deal.



Phew, we are done with the theory, congratz! :)
Now we can finally do something more than only read ipfw(8) and some explanations. We will now start to write some sample rules and rulesets.







Examples:

This command adds an entry which denies all tcp packets from sil.antioffline.org to the telnet port of phoenix.cyberarmy.com from being forwarded by the host:

ipfw add deny tcp from sil.antioffline.org to phoenix.cyberarmy.com telnet

Notice that you can use the alias 'telnet' instead of the dst-port 23!

This one disallows any connection from the entire 1337 hackers network (a C subnet) to my host:

ipfw add deny ip from 133.7.13.37/24 to my.host.org

If you do not want people sending X sessions to your internal network (a subnet of a class C), the following command will do the necessary filtering:

ipfw add deny tcp from any to my.org/28 6000 setup





These are only some examples you'll find often. Now we will discuss some important things you have to take care of. You may have realized that some 'actions' terminate the search within the ruleset and some let the search continue. This is important in case you want to have multiple rules matching a specific traffic, like:

You want to count the incoming packets from gary7.nsa.gov, but also tee the traffic:

ipfw add count tcp from gary7.nsa.gov to mynetwork.net/28 in
ipfw add tee 1337 tcp from gary7.nsa.gov to mynetwork.net/28 in

Not hard, is it? The count 'action' keeps the ipfw search for matching rules alive, and the tee 'action' terminates it. So it's only logical that we use the count 'action' first.
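To make the terminate-or-continue behaviour concrete, here is an added Python model (not the article's code, and not real ipfw) of the rule search described above: first match in number order, count continues, skipto jumps forward, the other actions stop the search, and rule 65535 catches whatever is left. The rule numbers, the host name and the predicates are constructed for illustration.

```python
# Added toy model of the ipfw rule search; nothing here talks to a real firewall.
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]
Rule = Tuple[int, str, Callable[[Packet], bool]]   # (number, action, predicate)

# Actions after which ipfw stops searching; count and skipto are handled specially.
TERMINATING = {"allow", "deny", "reject", "unreach", "reset", "divert", "tee"}

def search(rules, pkt, default_action="deny"):
    """Walk rules in number order like ipfw does; return (verdict, numbers of rules hit)."""
    rules = sorted(rules, key=lambda r: r[0])
    hits: List[int] = []
    i = 0
    while i < len(rules):
        number, action, matches = rules[i]
        if matches(pkt):
            hits.append(number)
            if action == "count":            # counters updated, search continues
                i += 1
                continue
            if action.startswith("skipto "): # continue at first rule numbered >= target
                target = int(action.split()[1])
                i = next((j for j, r in enumerate(rules) if r[0] >= target), len(rules))
                continue
            if action in TERMINATING:
                # tee and divert terminate too; for tee the original packet is accepted
                return ("allow" if action == "tee" else action), hits
        i += 1
    hits.append(65535)                       # the default rule always matches
    return default_action, hits

def from_host(host: str) -> Callable[[Packet], bool]:
    """Predicate for 'from <host>' (constructed stand-in for ipfw's address match)."""
    return lambda p: p["src"] == host

# Constructed sample rulesets: the count-then-tee ordering from the article, and its reverse.
GOOD_ORDER: List[Rule] = [
    (100, "count", from_host("gary7.nsa.gov")),
    (200, "tee", from_host("gary7.nsa.gov")),
]
BAD_ORDER: List[Rule] = [
    (100, "tee", from_host("gary7.nsa.gov")),
    (200, "count", from_host("gary7.nsa.gov")),
]

if __name__ == "__main__":
    pkt = {"src": "gary7.nsa.gov"}
    print("count first:", search(GOOD_ORDER, pkt))   # counted, then tee'd
    print("tee first:  ", search(BAD_ORDER, pkt))    # count never reached
```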



Another example would be to divert outgoing and incoming traffic through NATd when 'ed0' is my outside interface and 6668 is the port that NATd listens on:

ipfw add 2000 divert 6668 all from any to any via ed0

This is how to let everyone else through. The previous line makes this rule mostly redundant, but if I kill natd I don't want the system to freak out:

ipfw add 65000 pass all from any to any







Commands:

The syntax for flushing the chain is:
ipfw flush

The syntax for clearing one or more packet counters is:
ipfw zero [index]







A script to protect a machine with only one connection to the network:

#!/bin/sh

IPFW=/sbin/ipfw
INTERFACE=ed0

# flush all the rules (-f: do not ask for confirmation)
${IPFW} -f flush

# Local loopback interface is open
${IPFW} add 1000 allow ip from any to any via lo0
${IPFW} add 1001 deny all from any to 127.0.0.0/8

# Allow outgoing traffic
${IPFW} add 2000 pass tcp from any to any out via ${INTERFACE}

# Allow TCP through if setup succeeded
# ('established' is a stateless check: any TCP segment with RST or ACK set matches)
${IPFW} add 3000 pass tcp from any to any established

# Allow IP fragments to pass through
${IPFW} add 4000 pass all from any to any frag

# Allow DNS answers
${IPFW} add 5000 allow udp from any to any 53 out via ${INTERFACE}
${IPFW} add 5001 allow udp from any 53 to any in via ${INTERFACE}

# Deny everything else except for ICMP
${IPFW} add 8000 deny tcp from any to any via ${INTERFACE}
${IPFW} add 8000 deny udp from any to any via ${INTERFACE}







A less restrictive version that would deny access to ports 1-1023:

#!/bin/sh

IPFW=/sbin/ipfw
INTERFACE=en0

# flush all the rules (-f: do not ask for confirmation)
${IPFW} -f flush

# Allow outgoing traffic
${IPFW} add 2000 pass tcp from any to any out via ${INTERFACE}

# Allow TCP through if setup succeeded
# ('established' is a stateless check: any TCP segment with RST or ACK set matches)
${IPFW} add 3000 pass tcp from any to any established

# Allow IP fragments to pass through
${IPFW} add 4000 pass all from any to any frag

# Deny access to all services running on reserved ports
${IPFW} add 8000 deny tcp from any to any 1-1023 in via ${INTERFACE}
${IPFW} add 8000 deny udp from any to any 1-1023 in via ${INTERFACE}





This should be enough to give you an introduction to ipfw and some ways to implement it. ipfw and related topics like NATd, traffic shaping with dummynet et cetera are also discussed within many newsgroups like mailing.freebsd.ipfw and the various other *.freebsd.ipfw groups.

If any help with ipfw, NATd or traffic shaping via dummynet is needed, don't hesitate to eMail me or join irc.cyberarmy.com #cyberarmy and drop a line.



gabbana



questions and comments: gabbana@zzine.org



************************************************************

Greets to: sieco, ReDeeMeR, fugjostle, barnseyboy, CHi, reeferman, k_phactor, milchschnitte, decoder, hellz(backdoor), Eidolon, shn, LoXaGoN, intruder, Kaladis, a1b4, pandect, Khris, wa1800z, proud2b, alfer, [0perations],

sat, zvon2k, [HR]c0s, booto, Axem, crun.hr and all I forgot from CA

and my croatian hackers that supported some projects of mine

************************************************************


This article was imported from zZine. (original author: gabbana)

