
List:       ipfilter
Subject:    RE: basic firewall problems -restrictive? (after faq!)
From:       "Russell Morrison" <rmorrison () axys ! net>
Date:       2003-11-11 22:04:52

Sorry,

I guess I should read the entire email more clearly instead of just skimming,
but the premise of what I said in my previous email is the same: once you
allow state on your "in" session on the ne1 interface, you do not need to
worry about corresponding "out" traffic on ne0 as long as you track state and
use quick. So, if there is specific traffic coming from the LAN that is
allowed out, you just have an "in" rule for that traffic on ne1. Again, keep
state and use quick. If you have specific traffic that comes just from the
firewall, you would create an "out" rule from the firewall out to the
internet. Again, keep state and use quick to bypass the rest of the rules.

Russell


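An added example, not from either message in this thread: the ruleset from the original post rearranged the way Russell describes. The interface names, addresses and port numbers are the ones Amadeus posted; everything else is my assumption, in particular the "log" keyword on the block rules, "flags S" on the TCP rules, UDP for DNS and DHCP, and the "count" rules at the top, which are there because the original post asks how count works. The reason the original ruleset needs this rearrangement is Russell's point: "block in on ne1 all" plus "pass in" rules that only reach 10.10.1.99 means a LAN client's packet for the internet is dropped at ne1 before any "pass out on ne0" rule can see it. ipnat.conf is unchanged.

```conf
############
# Added example, not from the thread: the original post's ipf.conf rearranged
# along the lines of Russell's reply. ne0, ne1, 10.10.1.0/24, 10.10.1.99 and
# xxx.the.ip.236 are the values from the original post. Assumed additions:
# "log" on block rules, "flags S" on TCP rules, UDP for DNS/DHCP, "count".
############

# "count" rules never pass or block; they only tally what matches. Placed
# first so no "quick" rule below can affect what they see. The counters are
# shown by "ipfstat -a" (per-rule hit counts for every rule: "ipfstat -hio").
count in on ne0 all
count out on ne0 all

# Default deny. No "quick" here: ipf takes the LAST matching rule, so these
# only decide packets that none of the "pass ... quick" rules below matched.
# "log" hands each dropped packet to ipmon, the easiest way to see what a
# too-strict ruleset is refusing.
block in log on ne0 all
block out log on ne0 all
block in log on ne1 all
block out log on ne1 all

# LAN -> internet. Only an "in" rule on ne1 is needed: the state entry it
# creates passes the same connection out on ne0 and its replies back in, so
# no "pass out on ne0" rule for the LAN is required. "flags S" restricts
# state creation to the initial SYN.
pass in quick on ne1 proto tcp from 10.10.1.0/24 to any port = 21 flags S keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to any port = 22 flags S keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to any port = 25 flags S keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to any port = 110 flags S keep state

# LAN -> services on the firewall itself. Ports 80 and 53 from the LAN are
# deliberately reachable only at 10.10.1.99 (there is no "to any" rule for
# them above), which is what forces the clients through squid and bind.
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 3128 flags S keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 80 flags S keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 23 flags S keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 21 flags S keep state
pass in quick on ne1 proto udp from 10.10.1.0/24 to 10.10.1.99 port = 53 keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 53 flags S keep state

# DHCP (assumed): a client that has no address yet sends UDP from 0.0.0.0:68
# to 255.255.255.255:67, so a rule "to 10.10.1.99" never matches it.
pass in quick on ne1 proto udp from any port = 68 to any port = 67 keep state

# Traffic the firewall itself originates (bind's lookups, squid's fetches)
# never crosses ne1, so it needs "out" rules on ne0. DNS lookups are mostly UDP.
pass out quick on ne0 proto udp from xxx.the.ip.236 to any port = 53 keep state
pass out quick on ne0 proto tcp from xxx.the.ip.236 to any port = 53 flags S keep state
pass out quick on ne0 proto tcp from xxx.the.ip.236 to any port = 80 flags S keep state

# ICMP echo for ping/traceroute; the state entry lets the echo reply back in.
pass in quick on ne1 proto icmp from 10.10.1.0/24 to any icmp-type echo keep state
pass out quick on ne0 proto icmp from xxx.the.ip.236 to any icmp-type echo keep state
```

Load it with "ipf -Fa -f /etc/ipf.conf" and watch "ipmon -o I" (or the log file ipmon is configured to write) while a LAN client tries each service: every line that appears is a packet the block rules refused, which tells you whether a missing rule or the NAT is at fault.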

-----Original Message-----
From: owner-ipfilter@coombs.anu.edu.au
[mailto:owner-ipfilter@coombs.anu.edu.au]On Behalf Of Amadeus
Sent: Monday, November 10, 2003 9:42 PM
To: ipfilter@coombs.anu.edu.au
Subject: basic firewall problems -restrictive? (after faq!)


Hello,

I am trying to make a strict firewall so as to limit bandwidth costs.

I've read the howto, the faq and searched the archives (as well as posting on
bulletin boards already!) but have not found out what is wrong with the following.

ipf.conf:

############
# ne0 = ethernet internet link
# ne1 = ethernet local network (10.10.1.0/24) link
# 10.10.1.99 = firewall ip
# xxx.the.ip.236 = firewall ip on ne0
############

# the firewall is not running any services to  be accessed via ne0
# the only allowed out for this system should be:
#	21 ftp
#	25 smtp
#	110 pop3
#	80 http
#	22 ssh
#	?? MSN Messenger
#	?? YAP Phone
#	53 DNS lookups
#
# for port 80 only the firewall can access this (so we force LAN clients to use the cache)
# for port 53 only the firewall can access this (so we force LAN clients to use our DNS server)

# also icmp traffic should be allowed (for pings and traceroutes)

# for the local network 10.10.1.0/24 we are running the following services:
#	80 apache
#	23 telnet
#	22 ssh
#	53 bind
#	21 proftpd
#	67 dhcpd
#	3128 squid
##################

# start by blocking all traffic on the internet interface

block in on ne0 all
block out on ne0 all

# allow LAN users to access services above

pass out quick on ne0 proto tcp from 10.10.1.0/24 to any port = 22 keep state
pass out quick on ne0 proto tcp from 10.10.1.0/24 to any port = 25 keep state
pass out quick on ne0 proto tcp from 10.10.1.0/24 to any port = 110 keep state
pass out quick on ne0 proto tcp from 10.10.1.0/24 to any port = 21 keep state

# allow FIREWALL to access more services
# (I think this is where the problem is)

pass out quick on ne0 proto tcp from xxx.the.ip.236 to any port = 53 keep state
pass out quick on ne0 proto tcp from xxx.the.ip.236 to any port = 80 keep state

# LAN setup

block in on ne1 all
block out on ne1 all

pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 3128 keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 53 keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 80 keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 67 keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 21 keep state
pass in quick on ne1 proto tcp from 10.10.1.0/24 to 10.10.1.99 port = 23 keep state

# What about icmp?

pass out quick proto icmp from 10.10.1.0/24 to any icmp-type 8 code 0 keep state

My ipnat.conf is:

map ne0 10.10.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ne0 10.10.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ne0 10.10.1.0/24 -> 0/32

Now for all the rulesets I've seen before, they block bad traffic and let
the rest in. I thought it would be simpler if I blocked all traffic, and let
only what I knew should be coming in.

Is the approach wrong? Financially the internet bills are extremely
expensive in this country, so I need a very strict ruleset. Also I saw the
count method in ipf which might be useful - at the moment I'm using ipaudit -
how does the count method work?

Many thanks in advance, this has been trailing around for a while now, but
as you could guess I'm not an expert for this (I don't understand the nat part).

Amadeus
--
poff@sixbit.org
SDF Public Access UNIX System - http://sdf.lonestar.org
