ipf freeBSD firewall configuration

lord-fu · 10-07-2005, 12:22 AM

Hello,
I am trying to configure my ipf firewall , I pretty much copied and pasted all relevant lines from the bsd handbook to get myself a basic firewall that would allow a webserver,vsftpd, and ssh. When I load it I pretty much lock myself off from the world,.could someone offer any help?

OSIRIS# ifconfig
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=9<RXCSUM,VLAN_MTU>
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::250:4ff:fe99:d054%xl0 prefixlen 64 scopeid 0x1
ether 00:50:04:99:d0:54
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active

##################################OSIRIS ipfilter rulesets#####################################

#################################################################
# No restrictions on loopback
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
pass out quick on xl0 proto tcp from any to 65.24.7.3 port = 53 flags S keep state
pass out quick on xl0 proto udp from any to 65.24.7.3 port = 53 keep state

# Allow out secure www function https over TLS SSL
pass out quick on xl0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on xl0 proto tcp from any to any port = 110 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 25 flags S keep state

# Allow out Time
pass out quick on xl0 proto tcp from any to any port = 37 flags S keep state

# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on xl0 proto tcp from any to any port = 21 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 20 flags S keep state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on xl0 proto tcp from any to any port = 2112 flags S keep state

# Allow out FBSD CVSUP function
pass out quick on xl0 proto tcp from any to any port = 5999 flags S keep state

# Allow out ping to public Internet
pass out quick on xl0 proto icmp from any to any icmp-type 8 keep state

# Allow out whois for LAN PC to public Internet
pass out quick on xl0 proto tcp from any to any port = 43 flags S keep state

# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on xl0 all
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public Internet.
#################################################################
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on xl0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on xl0 from 172.16.0.0/12 to any #RFC 1918 private IP
block in quick on xl0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in quick on xl0 from 127.0.0.0/8 to any #loopback
block in quick on xl0 from 0.0.0.0/8 to any #loopback
block in quick on xl0 from 169.254.0.0/16 to any #DHCP auto-config
block in quick on xl0 from 192.0.2.0/24 to any #reserved for docs
block in quick on xl0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I do not want to see in the log

# Block frags
block in quick on xl0 all with frags

# Block short tcp packets
block in quick on xl0 proto tcp all with short

# block source routed packets
block in quick on xl0 all with opt lsrr
block in quick on xl0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on xl0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on xl0 all with ipopts

# Block public pings
block in quick on xl0 proto icmp all icmp-type 8

# Block ident
block in quick on xl0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on xl0 proto tcp/udp from any to any port = 137
block in log first quick on xl0 proto tcp/udp from any to any port = 138
block in log first quick on xl0 proto tcp/udp from any to any port = 139
block in log first quick on xl0 proto tcp/udp from any to any port = 81

# Allow in standard www function because I have apache server
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on xl0 proto tcp from any to any port = 2112 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 21 flags S keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a .denial of service. attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on xl0 all
################### End of rules file #####################################

Thank you in advance.

Capt_Caveman · 10-07-2005, 12:37 AM

Moved: This thread is more suitable in the BSD forum and has been moved accordingly to help your thread/question get the exposure it deserves.

lord-fu · 10-07-2005, 08:31 AM

Thank you.

lord-fu · 10-08-2005, 12:48 AM

Just wondering if someone is gonna be able to help me with this?I would really like to get my machine firewalled.
Thank you.

alred · 10-08-2005, 02:45 AM

you may try these ::

to insert this rule into that www section of ::
# Allow in standard www function because I have apache server

pass out quick on xl0 proto tcp from 192.168.1.1 to any port = 80 flags S keep state

to insert this rule into that non-secure FTP section of ::

# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.

pass in quick on xl0 proto tcp from any port = 20 to 192.168.1.1 flags S keep state

may or may not works in your case ...

lord-fu · 10-08-2005, 03:49 AM

alred,
thank you for your reply. I reconfigured my file with your help. I also seemed to have been blocking my LAN from the server with this line :< .
block in quick on xl0 from 192.168.0.0/16 to any #RFC 1918 private IP
I dont know why I never saw that before, guess thats what I get for cut and paste with minimal configuration.
Now though vsftpd is hanging at listing the dir. This is with PASV enabled or not through the client. Any ideas?
Thank You

alred · 10-08-2005, 05:45 AM

i havent try vsftpd , but is it using ssl ?? maybe the ssl port number problem ...

lord-fu · 10-08-2005, 12:36 PM

alred,
I am not to sure about the ssl, but I can say that I do not remember reading anywhere that there had to be any other ports available or about ssl. I did have ssl available on my last version of Apache, however would ftp run ssl? I will keep digging away. Anyone else have any ideas?
Thanks again alred.

halo14 · 10-08-2005, 02:32 PM

I have been spending the past week preparing to build a very good firewall with OpenBSD anf PF... which is far better in my understanding.. and also available for FreeBSD...

In reading through all the documentation, it states that all packets are evaluated against all rules in the set, in order from top to bottom. The last one rule to match the packet is the 'winner' and determines whether it is allowed or blocked.

With that in mind, you may want to check on the order of your rules... i.e. - the final rule you have is "block in log first on xl0 all" .... this is basically saying that anything that doesn't match the previous entries with the 'quick' keyword in them is going to be blocked... I guess what I'm trying say is that you should closely evaluate the order of your rules... maybe checkl out PF.. I haven't even begun the ruleset for my OpenBSD router/firewall yet, I've just been reading the full OpenBSD pf-faq PDF file, and all of the pf related man pages... I am beginning understand it.. (i think) more and more... but I guess I'll find that out when I get the actual box in place... I hope that helps a little..

Good Luck

lord-fu · 10-08-2005, 04:29 PM

Thank you I will surely evaluate.

lord-fu · 10-09-2005, 11:00 PM

Sorry to repost this thread but hopefully this will help someone.
/etc/vsftpd.conf needs the options max high and max low (man vsftpd.conf for further info)
Added a rule to ipf.rules
pass in quick proto tcp from any to 192.168.1.1 port 15000 >< 20000 flags S keep state

hope that helps someone in the future I know I needed help.

Capt_Caveman · 10-10-2005, 08:04 AM

No worries, thanks for giving us an update with the solution.