LinuxQuestions.org, *BSD forum (FreeBSD, OpenBSD, NetBSD, etc.)
Old 10-07-2005, 01:22 AM   #1
lord-fu
Member
 
Registered: Apr 2005
Location: Ohio
Distribution: Slackware && freeBSD
Posts: 676

Rep: Reputation: 30
ipf freeBSD firewall configuration


Hello,
I am trying to configure my ipf firewall. I pretty much copied and pasted all relevant lines from the BSD handbook to get myself a basic firewall that would allow a webserver, vsftpd, and ssh. When I load it I pretty much lock myself off from the world. Could someone offer any help?

OSIRIS# ifconfig
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::250:4ff:fe99:d054%xl0 prefixlen 64 scopeid 0x1
        ether 00:50:04:99:d0:54
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active


##################################OSIRIS ipfilter rulesets#####################################


#################################################################
# No restrictions on loopback
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
pass out quick on xl0 proto tcp from any to 65.24.7.3 port = 53 flags S keep state
pass out quick on xl0 proto udp from any to 65.24.7.3 port = 53 keep state

# Allow out secure www function https over TLS SSL
pass out quick on xl0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on xl0 proto tcp from any to any port = 110 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 25 flags S keep state

# Allow out Time
pass out quick on xl0 proto tcp from any to any port = 37 flags S keep state

# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on xl0 proto tcp from any to any port = 21 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 20 flags S keep state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on xl0 proto tcp from any to any port = 2112 flags S keep state


# Allow out FBSD CVSUP function
pass out quick on xl0 proto tcp from any to any port = 5999 flags S keep state

# Allow out ping to public Internet
pass out quick on xl0 proto icmp from any to any icmp-type 8 keep state

# Allow out whois for LAN PC to public Internet
pass out quick on xl0 proto tcp from any to any port = 43 flags S keep state


# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on xl0 all
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on xl0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on xl0 from 172.16.0.0/12 to any #RFC 1918 private IP
block in quick on xl0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in quick on xl0 from 127.0.0.0/8 to any #loopback
block in quick on xl0 from 0.0.0.0/8 to any #"this network" (RFC 1122), never a valid source
block in quick on xl0 from 169.254.0.0/16 to any #DHCP auto-config
block in quick on xl0 from 192.0.2.0/24 to any #reserved for docs
block in quick on xl0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I do not want to see in the log

# Block frags
block in quick on xl0 all with frags

# Block short tcp packets
block in quick on xl0 proto tcp all with short

# block source routed packets
block in quick on xl0 all with opt lsrr
block in quick on xl0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on xl0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on xl0 all with ipopts

# Block public pings
block in quick on xl0 proto icmp all icmp-type 8

# Block ident
block in quick on xl0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on xl0 proto tcp/udp from any to any port = 137
block in log first quick on xl0 proto tcp/udp from any to any port = 138
block in log first quick on xl0 proto tcp/udp from any to any port = 139
block in log first quick on xl0 proto tcp/udp from any to any port = 81



# Allow in standard www function because I have apache server
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell), listening on port 2112
pass in quick on xl0 proto tcp from any to any port = 2112 flags S keep state
# Allow in the FTP control connection (port 21) for vsftpd
pass in quick on xl0 proto tcp from any to any port = 21 flags S keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a .denial of service. attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on xl0 all
################### End of rules file #####################################



Thank you in advance.

Last edited by lord-fu; 10-07-2005 at 01:23 AM.
 
Old 10-07-2005, 01:37 AM   #2
Capt_Caveman
Moved: This thread is more suitable in the BSD forum and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 10-07-2005, 09:31 AM   #3
lord-fu
Original Poster
Thank you.
 
Old 10-08-2005, 01:48 AM   #4
lord-fu
Original Poster
Just wondering if someone is going to be able to help me with this? I would really like to get my machine firewalled.
Thank you.
 
Old 10-08-2005, 03:45 AM   #5
alred
You may try these:

Insert this rule into that www section of:
# Allow in standard www function because I have apache server

pass out quick on xl0 proto tcp from 192.168.1.1 to any port = 80 flags S keep state


Insert this rule into that non-secure FTP section of:

# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.

pass in quick on xl0 proto tcp from any port = 20 to 192.168.1.1 flags S keep state




May or may not work in your case ...

Last edited by alred; 10-08-2005 at 03:49 AM.
 
Old 10-08-2005, 04:49 AM   #6
lord-fu
Original Poster
alred,
Thank you for your reply. I reconfigured my file with your help. I also seem to have been blocking my LAN from the server with this line :< .
block in quick on xl0 from 192.168.0.0/16 to any #RFC 1918 private IP
I don't know why I never saw that before; guess that's what I get for cut and paste with minimal configuration.
Now, though, vsftpd is hanging at listing the dir. This is with PASV enabled or not through the client. Any ideas?
Thank You


Last edited by lord-fu; 10-08-2005 at 04:51 AM.
 
Old 10-08-2005, 06:45 AM   #7
alred
I haven't tried vsftpd, but is it using SSL? Maybe it's the SSL port number problem ...
 
Old 10-08-2005, 01:36 PM   #8
lord-fu
Original Poster
alred,
I am not too sure about the SSL, but I can say that I do not remember reading anywhere that there had to be any other ports available, or anything about SSL. I did have SSL available on my last version of Apache; however, would FTP run SSL? I will keep digging away. Anyone else have any ideas?
Thanks again alred.

Last edited by lord-fu; 10-08-2005 at 01:39 PM.
 
Old 10-08-2005, 03:32 PM   #9
halo14
I have been spending the past week preparing to build a very good firewall with OpenBSD and PF, which is far better in my understanding, and also available for FreeBSD.

In reading through all the documentation, it states that all packets are evaluated against all rules in the set, in order from top to bottom. The last rule to match the packet is the 'winner' and determines whether it is allowed or blocked.

With that in mind, you may want to check on the order of your rules, i.e. the final rule you have is "block in log first on xl0 all" .... this is basically saying that anything that doesn't match the previous entries with the 'quick' keyword in them is going to be blocked... I guess what I'm trying to say is that you should closely evaluate the order of your rules... maybe check out PF. I haven't even begun the ruleset for my OpenBSD router/firewall yet; I've just been reading the full OpenBSD pf-faq PDF file and all of the pf-related man pages. I am beginning to understand it (I think) more and more, but I guess I'll find that out when I get the actual box in place. I hope that helps a little.

Good Luck
 
Old 10-08-2005, 05:29 PM   #10
lord-fu
Original Poster
Thank you, I will surely evaluate.
 
Old 10-10-2005, 12:00 AM   #11
lord-fu
Original Poster
Sorry to repost to this thread, but hopefully this will help someone.
/etc/vsftpd.conf needs the options max high and max low (man vsftpd.conf for further info).
Added a rule to ipf.rules:
pass in quick proto tcp from any to 192.168.1.1 port 15000 >< 20000 flags S keep state

Hope that helps someone in the future; I know I needed help.
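The three things this thread turns on are IPFilter's rule-ordering semantics (post #9: every rule is scanned top to bottom and the last match wins, except that a matching `quick` rule ends the scan at once), the RFC 1918 block in post #1 that also covers the OP's own LAN on xl0 (found in post #6), and the passive-FTP data ports added in post #11. The evaluator below is an added example written for this thread, not code from the original posts or from IPFilter; it implements a small subset of ipf.conf(5) syntax and a simplified state table (a plain 5-tuple, no TCP window tracking; `flags S` is treated as "bare SYN only"). The condensed ruleset is taken from post #1, alred's outbound port-80 rule from post #5 and the `15000 >< 20000` rule from post #11 (pinned to `on xl0` here, which the original omitted). The LAN client 192.168.1.50, the public host 198.51.100.10 and the port numbers are constructed. Two practitioner caveats the code checks: a pass rule appended after `block ... quick ... all` never fires, and ipf's `><` range excludes both endpoints, so the vsftpd options the OP refers to (`pasv_min_port` / `pasv_max_port`) must sit strictly inside the rule's range.

```python
"""Evaluator for a subset of IPFilter (ipf) syntax.  Added example, not code from the thread
or from IPFilter; 'flags S' is modelled as "bare SYN only" and state as a plain 5-tuple."""
import ipaddress
import shlex
from collections import namedtuple
from types import SimpleNamespace

ANY = ipaddress.ip_network("0.0.0.0/0")
Packet = namedtuple("Packet", "direction iface proto src dst sport dport tcp_flags icmp_type attrs",
                    defaults=(0, 0, "", -1, frozenset()))  # attrs: "frags", "short", "ipopts", "lsrr", "ssrr"

def _ports(toks, i):  # toks[i] == 'port'; returns an inclusive (lo, hi) and the next token index
    if toks[i + 1] == "=": return (int(toks[i + 2]),) * 2, i + 3
    if toks[i + 2] == "><": return (int(toks[i + 1]) + 1, int(toks[i + 3]) - 1), i + 4  # exclusive per ipf.conf(5)
    raise ValueError("unsupported port comparison: " + " ".join(toks[i:i + 4]))

def parse_rule(line):
    toks = shlex.split(line.split("#", 1)[0])
    if not toks: return None  # blank or comment-only line
    r = SimpleNamespace(action=toks[0], direction=toks[1], text=line.strip(), quick=False, iface=None, protos=(),
                        src=ANY, dst=ANY, sport=None, dport=None, flags=None, keep_state=False, attrs=frozenset(), icmp_type=-1)
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick": r.quick = True; i += 1
        elif t in ("log", "first", "all"): i += 1  # logging never changes the verdict; 'all' is the default
        elif t == "on": r.iface = toks[i + 1]; i += 2
        elif t == "proto": r.protos = tuple(toks[i + 1].split("/")); i += 2  # "tcp/udp" matches either
        elif t in ("from", "to"):
            net, ports, i = (ANY if toks[i + 1] == "any" else ipaddress.ip_network(toks[i + 1], strict=False)), None, i + 2
            if i < len(toks) and toks[i] == "port": ports, i = _ports(toks, i)
            setattr(r, "src" if t == "from" else "dst", net); setattr(r, "sport" if t == "from" else "dport", ports)
        elif t == "flags": r.flags = toks[i + 1]; i += 2
        elif t == "keep" and toks[i + 1] == "state": r.keep_state = True; i += 2
        elif t == "with":  # 'with frags' or 'with opt lsrr'
            opt = toks[i + 1] == "opt"
            r.attrs = r.attrs | {toks[i + 2] if opt else toks[i + 1]}; i += 3 if opt else 2
        elif t == "icmp-type": r.icmp_type = int(toks[i + 1]); i += 2
        else: raise ValueError(f"unsupported token {t!r} in: {line}")
    return r

def matches(r, p):
    return (r.direction == p.direction and r.iface in (None, p.iface) and (not r.protos or p.proto in r.protos)
            and ipaddress.ip_address(p.src) in r.src and ipaddress.ip_address(p.dst) in r.dst
            and (not r.sport or r.sport[0] <= p.sport <= r.sport[1])
            and (not r.dport or r.dport[0] <= p.dport <= r.dport[1])
            and (not r.flags or set(r.flags) == set(p.tcp_flags)) and r.attrs <= p.attrs
            and (r.icmp_type < 0 or r.icmp_type == p.icmp_type))

class Firewall:
    def __init__(self, ruleset):
        self.rules = [r for r in map(parse_rule, ruleset.splitlines()) if r]
        self.state = set()  # 5-tuples recorded by 'keep state' passes
    def filter(self, p):
        """Return (verdict, reason): state first, then LAST match wins unless a matching rule is quick."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.state or (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "pass", "state"
        winner = None
        for r in self.rules:
            if matches(r, p):
                winner = r
                if r.quick: break
        if winner is None: return "pass", "no rule matched (ipf default)"
        if winner.action == "pass" and winner.keep_state: self.state.add(key)
        return winner.action, winner.text

# Condensed from the ruleset in post #1; xl0 (192.168.1.1) is the gateway's only interface.
OP_RULES = """\
block out log first quick on xl0 all
block in quick on xl0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on xl0 all with frags
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
block in log first quick on xl0 all
"""
PASV_RULE = "pass in quick on xl0 proto tcp from any to 192.168.1.1 port 15000 >< 20000 flags S keep state"

def with_fixes(ruleset):
    """Thread's fixes, placed where they take effect: drop the LAN-covering RFC 1918 block, insert passes BEFORE catch-alls."""
    lines = [l for l in ruleset.splitlines() if not l.startswith("block in quick on xl0 from 192.168.0.0/16")]
    lines.insert(lines.index("block out log first quick on xl0 all"),
                 "pass out quick on xl0 proto tcp from 192.168.1.1 to any port = 80 flags S keep state")
    lines.insert(lines.index("block in log first quick on xl0 all"), PASV_RULE)
    return "\n".join(lines)

def demo():
    """Verdicts for the cases the thread discusses; every host except 192.168.1.1 is made up."""
    lan_http = Packet("in", "xl0", "tcp", "192.168.1.50", "192.168.1.1", 40000, 80, "S")
    pasv = Packet("in", "xl0", "tcp", "198.51.100.10", "192.168.1.1", 40001, 15001, "S")
    fetch = Packet("out", "xl0", "tcp", "192.168.1.1", "198.51.100.10", 50000, 80, "S")
    reply = Packet("in", "xl0", "tcp", "198.51.100.10", "192.168.1.1", 80, 50000, "SA")
    orig, fixed, misplaced = Firewall(OP_RULES), Firewall(with_fixes(OP_RULES)), Firewall(OP_RULES + PASV_RULE + "\n")
    return {
        "lan_http": (orig.filter(lan_http)[0], fixed.filter(lan_http)[0]),
        "pasv": (orig.filter(pasv)[0], misplaced.filter(pasv)[0], fixed.filter(pasv)[0]),  # misplaced: never reached
        "pasv_edge": fixed.filter(pasv._replace(dport=15000))[0],  # 15000 itself is outside '15000 >< 20000'
        "fetch": (orig.filter(fetch)[0], fixed.filter(fetch)[0]),
        "reply": (orig.filter(reply)[0], fixed.filter(reply)),  # the SYN-ACK is passed by state, not by a rule
    }
```

`demo()` returns `block` for the LAN client's HTTP SYN under the post #1 rules and `pass` once the 192.168.0.0/16 block is gone, `block` for a PASV data SYN both originally and with the range rule appended after the final `block in ... quick ... all`, `pass` only when it is inserted before that catch-all, and shows the gateway's own outbound port-80 SYN being blocked until alred's rule exists and its SYN-ACK then being admitted by the state entry rather than by any inbound rule. The full ruleset from post #1 can be fed to `Firewall()` unchanged; anything outside the supported subset raises `ValueError` rather than being silently ignored.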
 
Old 10-10-2005, 09:04 AM   #12
Capt_Caveman
No worries, thanks for giving us an update with the solution.
 