
List:       ipfilter
Subject:    Re: Ipfilter rules and advices
From:       "Thomas Beer" <mailings () analogon ! com>
Date:       2004-09-29 20:26:42
Message-ID: 3345.217.80.239.8.1096489602.squirrel () 217 ! 80 ! 239 ! 8

Hi,

by a quick scan it seems ok. Anyhow, you may take a look at
http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html
and Phil's tutorial at http://www.phildev.net/ipf/

Rules are in general very individual. You need to take into
account your specific network topology, protection level,
running services and daemons etc. Finding the right balance
seems to be an art.

Hope that helps, Tom

> hi.
> I'm new on this list.
>
> Is this method secure enough:
>
> -> firewall# vi /boot/loader.conf
> ipl_load="YES"
>
> -> firewall# vi /etc/rc.conf
> icmp_drop_redirects="YES"
> defaultrouter="10.0.0.138"
> gateway_enable="YES"
> hostname="firewall.lookali.com"
> ifconfig_rl0="inet 10.0.0.1  netmask 255.255.255.0"  # interface wan
> ifconfig_fxp0="inet 192.168.0.1 netmask 255.255.255.0" # interface lan
> ifconfig_lo0="inet 127.0.0.1"
> keymap="fr.iso.acc"
> linux_enable="YES"
> moused_enable="YES"
> saver="daemon"
> sshd_enable="YES"
> usbd_enable="YES"
>
> ipfilter_enable="YES"
> ipfilter_flags=""
> ipmon_enable="YES"
> ipmon_flags="-Dsvn"
> ipfilter_rules="/etc/ipf.rules"
> ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
> ipnat_enable="YES"
>
> -> firewall# vi /etc/sysctl.conf
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
>
> -> firewall# vi /etc/ipnat.rules
> # Allow the LAN out to the internet
> map rl0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
>
> -> firewall# vi /etc/ipf.rules
> # Allow traffic on the loopback
> #
> pass in quick on lo0
> pass out quick on lo0
>
> # Block incoming traffic - decide later
> #
> block in log on rl0 proto tcp from any to any
> block in on rl0 proto udp from any to any
> block in on rl0 proto icmp from any to any
>
> # Also block outgoing traffic
> # from the firewall
> block out on rl0 from any to any
>
> #----------------------------------------------------#
> # Protection WAN
> # Anti-spoofing rules
> #
> block in log quick on rl0 from 192.168.0.30/32 to any
> block in quick on rl0 from 172.16.0.0/12 to any
> block in quick on rl0 from 10.0.0.0/8 to any
> block in quick on rl0 from 169.254.0.0/16 to any
> block in quick on rl0 from 192.0.2.0/24 to any
> block in quick on rl0 from 204.152.64.0/23 to any
> block in quick on rl0 from 224.0.0.0/3 to any
> block in log quick on rl0 from 127.0.0.0/8 to any
>
> # now we are blocking packets that are too short to
> # contain a complete header, or with source routing
> # options (most likely set to bypass our firewall)
> #----------------------------------------------------------------
> block in quick on rl0 from any to any with frags
> block in log quick from any to any with short
> block in log quick on rl0 from any to any with opt lsrr
> block in log quick on rl0 from any to any with opt ssrr
> #----------------------------------------------------------------
> # drop any IP packets with options set
> # ipopts include lsrr and ssrr (source routed frags)
> #----------------------------------------------------------------
> block in log quick on rl0 from any to any with ipopts
> #----------------------------------------------------------------
> # Block nmap OS fingerprint attempts
> # Log first occurrence of these so I can get their IP address
> block in log quick on rl0 proto tcp from any to any flags FUP
>
> block in log quick on rl0 proto tcp from any to 192.168.0.30/32 port = 113
>
> # Allow an ssh connection to the server
> #
> pass in quick on rl0 proto tcp from any to 192.168.0.30/32 port = 22 keep state
> pass out quick on rl0 proto tcp from any to 192.168.0.30/32 port = 22 keep state
>
> # Allow the LAN out
> #
> pass in log on fxp0 proto tcp/udp from any to any keep state
> pass in log on fxp0 proto icmp from any to any keep state
> pass out log on fxp0 proto tcp/udp from any to any keep state
> pass out log on fxp0 proto icmp from any to any keep state
>
> # If no rule matches, refuse the packet/connection
> block in log level local0.alert quick on rl0 from any to any
> block out log level local0.alert quick on rl0 from any to any
>
> Cordially
> Nicolas M.
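To see which line of the posted ipf.rules actually decides a packet under ipfilter's matching order (the last matching rule wins, unless a matching rule carries `quick`, which ends the walk at once; a packet no rule matches is passed), here is an added Python evaluator over a subset of those rules; it is not code from the thread. It models the rule walk only, not the state table that `keep state` builds, understands only the keywords the posted rules use, and the packets in its checks are constructed, including traffic from the posted defaultrouter 10.0.0.138 arriving on rl0, which the `10.0.0.0/8` anti-spoofing rule also matches because rl0 itself sits in 10.0.0.0/24.

```python
import ipaddress
# Subset of the posted /etc/ipf.rules (comments dropped, wrapped ssh rule rejoined).
RULES = """
block in log on rl0 proto tcp from any to any
block in on rl0 proto udp from any to any
block in quick on rl0 from 10.0.0.0/8 to any
block in log quick on rl0 from 127.0.0.0/8 to any
block in log quick from any to any with short
block in log quick on rl0 proto tcp from any to any flags FUP
pass in quick on rl0 proto tcp from any to 192.168.0.30/32 port = 22 keep state
pass in log on fxp0 proto tcp/udp from any to any keep state
block in log level local0.alert quick on rl0 from any to any
""".strip().splitlines()

def parse_rule(text):
    # Only the keywords the posted rules use; log, level and keep state are skipped.
    t = text.split()
    r = {"text": text, "action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None,
         "proto": None, "src": "any", "dst": "any", "dport": None, "needs": set()}
    for i, w in enumerate(t):
        if w == "on": r["iface"] = t[i + 1]
        elif w == "proto": r["proto"] = t[i + 1].split("/")   # "tcp/udp" means either
        elif w == "from": r["src"] = t[i + 1]
        elif w == "to": r["dst"] = t[i + 1]
        elif w == "port" and t[i + 1] == "=": r["dport"] = int(t[i + 2])
        elif w == "with": r["needs"].add(t[i + 2] if t[i + 1] == "opt" else t[i + 1])
        elif w == "flags": r["needs"].add("flags:" + t[i + 1])   # e.g. flags FUP
    return r

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    # p is a constructed packet dict with keys dir, iface, proto, src, dst, dport, attrs
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"])
            and in_net(r["src"], p["src"]) and in_net(r["dst"], p["dst"])
            and (r["dport"] is None or r["dport"] == p.get("dport"))
            and r["needs"] <= p.get("attrs", set()))

def decide(packet, rules=RULES):
    # ipfilter rule walk only (no state table): last match wins unless it is quick; no match passes.
    winner = ("pass", "<no rule matched: ipfilter default>")
    for r in map(parse_rule, rules):
        if matches(r, packet):
            winner = (r["action"], r["text"])
            if r["quick"]:
                break
    return winner
```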

