Re: firewall build - a beginning
- From: Philip Ching (605.734.71) <pching aplcenMP apl jhu edu>
- To: redhat-list redhat com
- Cc: pching aplcenMP apl jhu edu, rcarson home com
- Subject: Re: firewall build - a beginning
- Date: Wed, 10 Mar 1999 12:08:09 -0500 (EST)
Hi Mr. Carson,
Thank you very much for posting the ipfwadm script.
I have been pondering about security for the last few months.
Your email certainly helps me a lot.
I am also reading Mark Grennan's Firewalling & Proxy Server
HOWTO (only the ipfwadm portion though). Looking at your
ipfwadm script I have 5 questions, and hope you will
explain them. I really appreciate it.
Thanks!
Philip
>My system is RH 5.2 running 2.0.36 other configuration files are at the
>bottom of this document.
>The IPs in here have been changed as I feel an easy way for hackers to get
>IP's of newer systems is to groom dejanews etc for emails asking questions.
Q1: In order to run your ipfwadm script, do I need to recompile
the kernel?
I have RedHat5.2 and RedHat5.0. Will the kernel work right
out of the box?
>#!/bin/sh
>#
># My ipfwadm rules on a Cable Modem
># Providing support for PC's inside the firewall on a 192.168.1.X network
>#
>#
># Original base by Frank Keeney frank pasadena net
># modified it for my flavor: rjc
>#
># Use at your own risk!
>#
># Your external ip address:
>#
>EXTIP="24.2.122.99/32"
>#
># Misc. startup:
>#
># These items did not need to be activated on my system: rjc
>#
>#echo "1" > /proc/sys/net/ipv4/ip_forward
>#sbin/depmod -a
>#/sbin/modprobe ip_masq_ftp.o
>#/sbin/modprobe ip_masq_raudio.o
>#
># Flush rules:
>#
>ipfwadm -I -f
>ipfwadm -O -f
>ipfwadm -F -f
>#
># Set default to deny:
>#
>ipfwadm -F -p deny
>ipfwadm -I -p deny
>ipfwadm -O -p deny
>#
># Allow masquerading from my internal network:
>#
>/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
># -----------------------
># EXTERNAL INBOUND RULES:
># -----------------------
>#
># Deny packets with localhost, broadcast and multicast addresses:
>#
>ipfwadm -I -a deny -Weth0 -S 224.0.0.0/3 -D $EXTIP -o
>ipfwadm -I -a deny -Weth0 -S 127.0.0.0/8 -D $EXTIP -o
>ipfwadm -I -a deny -Weth0 -S 255.0.0.0/8 -D $EXTIP -o
>#
># Deny rfc 1918 addresses:
>#
>ipfwadm -I -a deny -Weth0 -S 10.0.0.0/8 -D $EXTIP -o
>ipfwadm -I -a deny -Weth0 -S 172.16.0.0/12 -D $EXTIP -o
>ipfwadm -I -a deny -Weth0 -S 192.168.0.0/16 -D $EXTIP -o
>#
># Deny packets without ip address.
>#
>ipfwadm -I -a deny -Weth0 -S 0.0.0.0/32 -D $EXTIP -o
>#
># Prevent spoofing. Deny incoming packets that have
># our external address:
>#
>ipfwadm -I -a deny -Weth0 -S $EXTIP -o
>#
># Allow only specific ICMP:
>#
># http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
># http://www.worldgate.com/~marcs/mtu/
>#
>ipfwadm -I -a accept -Weth0 -S any/0 3 4 11 -P icmp
>#
># Allow only ACKed tcp packets to our network:
>#
>ipfwadm -I -a accept -Weth0 -S any/0 -D $EXTIP 1024:65535 -P tcp -k
>#
># For ftp clients:
>#
>ipfwadm -I -a accept -Weth0 -S any/0 20 -D $EXTIP 1024:65535 -P tcp
Q2: I thought ftp is at port 21. Do you care (or am I missing
something about ftp)?
>#
># Allow http tcp packets to our network:
>#
>ipfwadm -I -a accept -Weth0 -S any/0 -D $EXTIP 80 -P tcp
Q3: Do you care about outbound http/web activity?
Mark Grennan's HOWTO suggests the following:
# Forward Web connection to my box
ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D $EXTIP 80
# Forward Web connection to outside world
ipfwadm -F -a accept -b -P tcp -S $EXTIP 80 -D 0.0.0.0/0 1024:65535
Would you recommend his approach also?
>#
># Allow telnet and ssh from this network:
>#
>ipfwadm -I -a accept -Weth0 -S 24.2.122.0/24 -D $EXTIP 22 23 -P tcp
Q3: I see port 23 is for telnet. But how do you get port 22 for ssh?
I am playing with ssh here. Just don't see any port for the ssh.
>#
># Allow inbound DNS queries on our server:
>#
>ipfwadm -I -a accept -Weth0 -S any/0 -D $EXTIP 53 -P udp
>#
># Allow outbound DNS queries:
>#
>ipfwadm -I -a accept -Weth0 -S any/0 53 -D $EXTIP 1024:65535 -P udp
>#
>#------------------------- added for my flavor ---------------------
>#
># Allow anything from internal
>#
>ipfwadm -I -a accept -S 192.168.1.0/0 -D 192.168.1.1/32
>#
># Allow activity from my workstation at work IP
>#
>ipfwadm -I -a accept -Weth0 -S 224.207.123.5 -D $EXTIP
Q4: How do I set up this rule if I have a range of IP addresses?
For example: 224.207.123.1 224.207.123.2 .... 224.207.123.9
Would the following work?
ipfwadm -I -a accept -Weth0 -S 224.207.123. -D $EXTIP
^
with a period ok?
>#
>#
>#------------------------ end of my flavor ------------------------
>#
># Important!! Deny and log anything else:
>#
>ipfwadm -I -a deny -Weth0 -S any/0 -D any/0 -o
>#
># -----------------------
># EXTERNAL OUTBOUND RULES:
># -----------------------
>#
># Prevent leakage of rfc 1918 addresses:
>#
>ipfwadm -O -a deny -Weth0 -S 10.0.0.0/8 -o
>ipfwadm -O -a deny -Weth0 -S 172.16.0.0/12 -o
>ipfwadm -O -a deny -Weth0 -S 192.168.0.0/16 -o
>ipfwadm -O -a deny -Weth0 -D 10.0.0.0/255.0.0.0 -o
>ipfwadm -O -a deny -Weth0 -D 172.16.0.0/255.240.0.0 -o
>ipfwadm -O -a deny -Weth0 -D 192.168.0.0/255.255.0.0 -o
>#
># Allow everything else:
>#
>ipfwadm -O -a accept -Weth0 -S any/0
>#
># Deny and log anything else:
>#
>ipfwadm -O -a deny -Weth0 -S any/0 -o
Q5: Don't really understand your logic here. First accept all
then deny all.
># -----
># Misc:
># -----
>#
># Allow localhost:
>#
>ipfwadm -I -a accept -Wlo -S any/0 -D any/0
>ipfwadm -O -a accept -Wlo -S any/0 -D any/0
>#
># Allow everything on the internal network:
>#
>ipfwadm -I -a accept -Weth1 -S any/0 -D any/0
>ipfwadm -O -a accept -Weth1 -S any/0 -D any/0
>#
># End of script.
>
>
>#Reference:
>#Information from CERT:
>
>#http://www.cert.org/ftp/tech_tips/packet_filtering
>
>#12.30.1998 12:10
>
>/etc/inetd.conf
>
>all on except the following:
>gopher nntp shell login exec talk ntalk dtalk
>pop-2 pop-3 imap uucp tftp bootps finger cfinger systat netstat
>
>
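Several of the questions in this mail turn on how ipfwadm evaluates a chain, so here is an added Python model of that behaviour, written for this page and not part of the original mail or of Carson's script. It parses the subset of ipfwadm syntax the quoted script uses, applies first-match rule order and the `-k` (ACK-only) test to constructed packets, and reports rules that can never fire. Assumptions: `EXTIP` is the address as it appears in the quoted script, every packet and the `192.0.2.x` peer address are constructed, the rule sets are trimmed copies of the quoted input and output chains, and the `224.207.123.0/28` source in the "work" rule is one possible answer to Q4 (ipfwadm takes address/mask rather than a trailing dot; note that a /28 covers .0 through .15, so it is wider than .1 to .9).

```python
# Added illustration for this thread, not the original mail or the quoted script: a toy
# evaluator for the ipfwadm subset used above. ipfwadm checks a chain in order and the
# first matching rule decides; -k matches only TCP with ACK set; a bare address is one
# host and a range of hosts is written address/mask.
import ipaddress
from collections import namedtuple
from types import SimpleNamespace

ANY = ipaddress.IPv4Network("0.0.0.0/0")
Packet = namedtuple("Packet", "src dst proto sport dport ack iface", defaults=(0, 0, False, "eth0"))

def _net(text):
    return ipaddress.IPv4Network("0.0.0.0/0" if text.startswith("any/") else text, strict=False)

def _ports(toks):
    spec = []                                             # inclusive (lo, hi) ranges; [] = any
    while toks and toks[0].replace(":", "").isdigit():    # '80', '1024:65535', '22 23'
        lo, _, hi = toks.pop(0).partition(":")
        spec.append((int(lo), int(hi or lo)))
    return spec

def parse_rule(cmd):
    """Parse one 'ipfwadm -I|-O|-F -a policy ...' line (only the options the thread uses)."""
    toks = [t for t in cmd.split() if not t.endswith("ipfwadm")][1:]   # drop the chain flag
    r = SimpleNamespace(policy="accept", src=ANY, dst=ANY, sports=[], dports=[],
                        proto="all", iface=None, ack_only=False)        # None = any interface
    while toks:
        t = toks.pop(0)
        if t == "-a":
            r.policy = toks.pop(0)
        elif t.startswith("-W"):
            r.iface = t[2:] or toks.pop(0)
        elif t in ("-S", "-D"):                           # address, then an optional port list
            side = "src" if t == "-S" else "dst"
            setattr(r, side, _net(toks.pop(0)))
            setattr(r, side[0] + "ports", _ports(toks))
        elif t == "-P":
            r.proto = toks.pop(0)
        elif t == "-k":
            r.ack_only = True
        elif t != "-o":                                   # -o (log) does not affect matching
            raise ValueError("unsupported ipfwadm option: " + t)
    return r

def _covers(spec, port):
    return not spec or any(lo <= port <= hi for lo, hi in spec)

def _superset(a, b):                                      # does port spec a cover all of b?
    return not a or (bool(b) and all(any(x <= lo and hi <= y for x, y in a) for lo, hi in b))

def matches(r, p):
    return (r.iface in (None, p.iface) and r.proto in ("all", p.proto)
            and ipaddress.ip_address(p.src) in r.src and ipaddress.ip_address(p.dst) in r.dst
            and _covers(r.sports, p.sport) and _covers(r.dports, p.dport)
            and (not r.ack_only or (p.proto == "tcp" and p.ack)))

class Chain:
    def __init__(self, script):
        self.policy, self.rules = "accept", []           # ipfwadm's policy before '-p deny'
        for toks in (line.split() for line in script.splitlines()):
            if not toks or toks[0].startswith("#"):
                continue
            if "-p" in toks:                              # chain policy
                self.policy = toks[toks.index("-p") + 1]
            else:
                self.rules.append(parse_rule(" ".join(toks)))
    def decide(self, p):                                  # first match wins, else chain policy
        for i, r in enumerate(self.rules):
            if matches(r, p):
                return r.policy, i
        return self.policy, None
    def shadowed(self):              # rules no packet can reach: an earlier rule is as broad
        def broader(a, b):
            return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
                    and _superset(a.sports, b.sports) and _superset(a.dports, b.dports)
                    and a.proto in ("all", b.proto) and a.iface in (None, b.iface)
                    and (not a.ack_only or b.ack_only))
        return [j for j in range(len(self.rules))
                if any(broader(self.rules[i], self.rules[j]) for i in range(j))]

EXTIP = "24.2.122.99/32"   # the (already altered) address from the quoted script
INPUT_RULES = f"""ipfwadm -I -p deny
ipfwadm -I -a deny -Weth0 -S 192.168.0.0/16 -D {EXTIP} -o
ipfwadm -I -a accept -Weth0 -S any/0 -D {EXTIP} 1024:65535 -P tcp -k
ipfwadm -I -a accept -Weth0 -S 24.2.122.0/24 -D {EXTIP} 22 23 -P tcp
ipfwadm -I -a accept -Weth0 -S 224.207.123.0/28 -D {EXTIP}
ipfwadm -I -a deny -Weth0 -S any/0 -D any/0 -o"""
OUTPUT_RULES = """ipfwadm -O -p deny
ipfwadm -O -a deny -Weth0 -S 192.168.0.0/16 -o
ipfwadm -O -a accept -Weth0 -S any/0
ipfwadm -O -a deny -Weth0 -S any/0 -o"""

def demo():
    """(policy, rule index) for constructed packets against the input chain."""
    chain, me = Chain(INPUT_RULES), "24.2.122.99"     # 192.0.2.x below is a documentation net
    cases = {
        "spoofed rfc1918 source on eth0": Packet("192.168.7.7", me, "tcp", 40000, 80),
        "new connection to a high port": Packet("192.0.2.10", me, "tcp", 40000, 6000),
        "reply to our own outbound connection": Packet("192.0.2.10", me, "tcp", 80, 40000, True),
        "ssh from the provider's /24": Packet("24.2.122.7", me, "tcp", 40000, 22),
        "telnet from work host .9": Packet("224.207.123.9", me, "tcp", 40000, 23),
        "udp on eth1, no -Weth0 rule applies": Packet("192.168.1.20", "192.168.1.1", "udp", 1234, 53, False, "eth1"),
    }
    return {name: chain.decide(p) for name, p in cases.items()}
```

`demo()` shows the `-k` rule accepting the reply to a connection we opened while a fresh inbound connection to the same high-port range falls through to the logged deny, and a packet on `eth1` hitting the chain policy because every rule is bound to `eth0`. `Chain(OUTPUT_RULES).shadowed()` returns `[2]`: the final deny in the outbound chain sits behind an accept-everything rule and can never fire, which is the ordering behind Q5. The model ignores what ipfwadm itself does not ignore (fragments, the `-o` log flag, ICMP types), so treat it as a reading aid for rule order, not as a substitute for testing the real chain.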