How To Install a Secure BSD System - Part 3
Author: soup4you2
Posted on: 9/21/2003
Discuss: In the forums



Firewall Configurations
It would take me all month to give you a good overview of how PF or IPFW works, and I pretty much don't have the time for that these days. So I'm just going to cover the final stages of getting PF to work and include a decent sample rule set.

First, lock down the kernel. I'm assuming that no further changes will be made to it.
($:~)=> vi /etc/rc.conf
Here are the changes we're going to be making:
kern_securelevel_enable="YES"
kern_securelevel="1"
You might want to read up a little bit in the handbook to see which securelevel is right for you.
NOTE: When the kernel is running at a raised securelevel, the X Window System WILL NOT WORK! There, I hope I have saved you some future frustration.

Now let's enable the PF firewall, together with IPNAT:
ipfilter_enable="YES"
ipnat_enable="YES"
ipfilter_rules="/etc/ipf.rules"
If you're using IPFW, you would use something like this:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_quiet="NO"
firewall_logging="YES"
Now we will activate the IP monitoring utility, ipmon:
ipmon_enable="YES"
ipmon_flags="-Dvn /var/log/firewall.log"
So any denied packets that come in, as long as your rules say to log them, will be written to /var/log/firewall.log. This is a good file to keep an eye on. You will be amazed at how many evil things try to make their way into your box.
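Keeping an eye on that file is easier with a small summariser. The following is an added example and not part of the original article: it parses lines in the layout ipmon writes (date, time, interface, @group:rule, an action letter, source and destination with optional ports, then "PR" and the protocol) and counts blocked inbound packets per source. The sample lines are constructed for the example, and the regular expression and the action-letter mapping (b blocked, p passed, S short, n no match, L log-only) are this example's assumptions about the log shape, so check them against a real line from your own firewall.log before relying on the counts.

```python
import re
from collections import Counter

# Constructed sample lines in the layout ipmon(8) writes to its log file:
# date time iface @group:rule action src,sport -> dst,dport PR proto ... IN|OUT
# They are made up for this example and are not taken from the article.
SAMPLE_LOG = """\
21/09/2003 10:15:02.118273 sis0 @0:47 b 203.0.113.45,3421 -> 192.168.1.10,22 PR tcp len 20 60 -S IN
21/09/2003 10:15:07.902114 sis0 @0:47 b 203.0.113.45,3422 -> 192.168.1.10,22 PR tcp len 20 60 -S IN
21/09/2003 10:16:40.001002 sis0 @0:47 b 198.51.100.9,1030 -> 192.168.1.10,137 PR udp len 20 78 IN
21/09/2003 10:17:11.550000 sis0 @0:47 b 203.0.113.45,3423 -> 192.168.1.10,22 PR tcp len 20 60 -S IN
21/09/2003 10:18:00.000000 sis0 @0:35 b 203.0.113.200 -> 192.168.1.10 PR icmp len 20 84 icmp 8/0 IN
21/09/2003 10:18:30.000000 sis0 @0:1 p 192.168.1.10,1025 -> 198.51.100.53,53 PR udp len 20 64 OUT
"""

# Assumed action letters as ipmon prints them (b blocked, p passed, S short,
# n no match, L log-only rule).
ACTIONS = {"b": "block", "p": "pass", "S": "short", "n": "nomatch", "L": "log"}

# Ports are optional because ICMP lines carry none; the tail of the line is
# kept in "rest" so the IN/OUT marker can be read from it.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bpSnL])\s+"
    r"(?P<src>[^\s,]+)(?:,(?P<sport>\S+))?\s+->\s+"
    r"(?P<dst>[^\s,]+)(?:,(?P<dport>\S+))?\s+PR\s+(?P<proto>\S+)(?P<rest>.*)$")


def parse_ipmon(text):
    """Turn ipmon log text into a list of dicts, skipping unparsable lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unknown shape: skip rather than abort the whole run
        rec = m.groupdict()
        rec["action"] = ACTIONS.get(rec["action"], rec["action"])
        rest = rec.pop("rest")
        rec["direction"] = ("in" if rest.endswith(" IN")
                            else "out" if rest.endswith(" OUT") else None)
        records.append(rec)
    return records


def blocked_by_source(records):
    """Count blocked inbound packets per (source, destination port, protocol)."""
    return Counter((r["src"], r["dport"], r["proto"]) for r in records
                   if r["action"] == "block" and r["direction"] == "in")


def top_sources(records, n=5):
    """Sources with the most blocked inbound packets, highest first."""
    return Counter(r["src"] for r in records
                   if r["action"] == "block" and r["direction"] == "in").most_common(n)


if __name__ == "__main__":
    recs = parse_ipmon(SAMPLE_LOG)
    for src, count in top_sources(recs):
        print(f"{count:5d}  {src}")
    for (src, dport, proto), count in blocked_by_source(recs).most_common():
        print(f"{count:5d}  {src} -> port {dport}/{proto}")
```

Run it against the real file with `python3 ipmon_summary.py < /var/log/firewall.log` after replacing SAMPLE_LOG with `sys.stdin.read()`; repeated hits from one source against port 22 are exactly the pattern the incoming SSH rules further down are there to stop.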

Sample Firewall Rules
I'm only going to cover PF rule sets here. I also recommend you spend the time to learn IPFW and ultimately OpenBSD's PF, which is a crazy, insanely good firewall that just dominates. For the demonstration of these rules, we will be using sis0 as our network card.
($:~)=> vi /etc/ipf.rules
# ============================================
# Here is a basic list of things we need to be able to access
# ============================================

pass out quick on sis0 proto udp from any to any port = 67 keep state
pass out quick on sis0 proto udp from any to any port = 68 keep state

#Allow web browsing
pass out quick on sis0 proto tcp from any to any port = 80 flags S keep frags keep state

#Allow email usage / pop3 / imap / smtp
pass out quick on sis0 proto tcp from any to any port = 110 flags S keep frags keep state
pass out quick on sis0 proto tcp from any to any port = 143 flags S keep frags keep state
pass out quick on sis0 proto tcp from any to any port = 25 flags S keep frags keep state

#Allow outgoing ssh
pass out quick on sis0 proto tcp from any to any port = 22 flags S keep frags keep state

#Allow DNS lookups
pass out quick on sis0 proto udp from any to any port = 53 keep state keep frags

#Allow CVSUP Access
pass out quick on sis0 proto tcp from any to any port = 5999 flags S keep state

#Allow access to Time Server
pass out quick on sis0 proto tcp from any to any port = 37 keep state
pass out quick on sis0 proto tcp from any to any port = 123 keep state

#Allow whois lookups
pass out quick on sis0 proto tcp from any to any port = 43 keep state

#Razor and SpamAssassin needs
pass out quick on sis0 proto tcp from any to any port = 2703 flags S keep state
pass out quick on sis0 proto tcp from any to 216.52.3.16 port < 3500 flags S keep state
pass out quick on sis0 proto tcp from any to 216.52.13.94 port < 3500 flags S keep state
pass out quick on sis0 proto tcp from any to 216.52.3.10 port < 3500 flags S keep state
pass out quick on sis0 proto tcp from any to 216.52.3.5 port < 3500 flags S keep state
pass out quick on sis0 proto tcp from any to 216.52.13.92 port < 3500 flags S keep state
pass out quick on sis0 proto tcp from any to 216.52.3.6 port < 3500 flags S keep state

#IRC
pass out quick on sis0 proto tcp from any to any port = 6667 keep state
pass out quick on sis0 proto tcp from any to any port = 6668 keep state
pass out quick on sis0 proto tcp from any to any port = 6669 keep state

# Other Random Things.

#IGMP
block out quick on sis0 proto igmp all

#ICMP
block out quick on sis0 proto icmp from any to any keep state

# EGRESS filtering
# Filter outbound packets directed to reserved networks
# Uncomment the first line to allow Multicast traffic.

block out quick on sis0 from !192.168.1.0/24 to any
block out quick on sis0 from any to 0.0.0.0/7
block out quick on sis0 from any to 2.0.0.0/8
block out quick on sis0 from any to 5.0.0.0/8
block out quick on sis0 from any to 10.0.0.0/8
block out quick on sis0 from any to 23.0.0.0/8
block out quick on sis0 from any to 27.0.0.0/8
block out quick on sis0 from any to 31.0.0.0/8
block out quick on sis0 from any to 69.0.0.0/8
block out quick on sis0 from any to 70.0.0.0/7
block out quick on sis0 from any to 72.0.0.0/5
block out quick on sis0 from any to 82.0.0.0/7
block out quick on sis0 from any to 84.0.0.0/6
block out quick on sis0 from any to 88.0.0.0/5
block out quick on sis0 from any to 96.0.0.0/3
block out quick on sis0 from any to 127.0.0.0/8
block out quick on sis0 from any to 128.0.0.0/16
block out quick on sis0 from any to 128.66.0.0/16
block out quick on sis0 from any to 169.254.0.0/16
block out quick on sis0 from any to 172.16.0.0/12
block out quick on sis0 from any to 191.255.0.0/16
block out quick on sis0 from any to 192.0.0.0/19
block out quick on sis0 from any to 192.0.48.0/20
block out quick on sis0 from any to 192.0.64.0/18
block out quick on sis0 from any to 192.0.128.0/17
block out quick on sis0 from any to 192.168.0.0/16
block out quick on sis0 from any to 197.0.0.0/8
block out quick on sis0 from any to 201.0.0.0/8
block out quick on sis0 from any to 204.152.64.0/23
block out quick on sis0 from any to 206.112.0.0/16
block out quick on sis0 from any to 224.0.0.0/3

#All The Rest
block out on sis0 all

# ===========================================
# What ports do I want to be open
# ===========================================

#Allow bootp traffic in from your ISP's DHCP server only.
pass in quick on sis0 proto udp from any to any port = 68 keep state
pass in quick on sis0 proto udp from any to any port = 67 keep state

#Incoming SSH Access

pass in quick on sis0 proto tcp from STATION1 to SERVER port = 22 flags S keep frags keep state
pass in quick on sis0 proto tcp from 166.222.222.0/24 to SERVER port = 22 flags S keep frags keep state
pass in quick on sis0 proto tcp from STATION2 to SERVER port = 22 flags S keep frags keep state
OK, let me take a quick break to explain something here. We don't want any computer on the internet to be able to try to gain SSH access to our box, so we are going to filter who can get in and who can't. In your /etc/hosts file you declare a hostname to match an IP address, so here we're saying that on port 22 (SSH) we will only allow the hosts STATION1 and STATION2, plus the 166.222.222.0/24 network, to connect to SERVER (our box).
#SMTP/POP/IMAP
pass in quick on sis0 proto tcp from any to any port = 25 keep state
pass in quick on sis0 proto tcp from any to any port = 110 flags S keep frags keep state
pass in quick on sis0 proto tcp from any to any port = 143 keep state

#AMAVISD
block in quick on sis0 proto tcp from any to any port = 10024 keep state

#ICMP
block in quick on sis0 proto icmp from any to any keep state

#IGMP
block in quick on sis0 proto igmp all

#OTHER ODDITIES
block in quick on sis0 all with ipopts
block in quick on sis0 all with frag
block in quick on sis0 all with short
block return-rst in quick on sis0 proto tcp all flags FUP
block return-rst in quick on sis0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in quick on sis0 proto udp from any to any

## Now we are blocking packets that are too short to
## contain a complete header, or that carry source routing
## options (most likely set to bypass our firewall).

block in log quick on sis0 all with opt lsrr
block in log quick on sis0 all with opt ssrr

# Prevent spoofing of bogus/non-routable addresses.
# May seem like overkill since we already block everything,
# but we really want to make sure these networks never reach us.

block in quick on sis0 from 0.0.0.0/7 to any
block in quick on sis0 from 2.0.0.0/8 to any
block in quick on sis0 from 5.0.0.0/8 to any
block in quick on sis0 from 10.0.0.0/8 to any
block in quick on sis0 from 23.0.0.0/8 to any
block in quick on sis0 from 27.0.0.0/8 to any
block in quick on sis0 from 31.0.0.0/8 to any
block in quick on sis0 from 69.0.0.0/8 to any
block in quick on sis0 from 70.0.0.0/7 to any
block in quick on sis0 from 72.0.0.0/5 to any
block in quick on sis0 from 82.0.0.0/7 to any
block in quick on sis0 from 84.0.0.0/6 to any
block in quick on sis0 from 88.0.0.0/5 to any
block in quick on sis0 from 96.0.0.0/3 to any
block in quick on sis0 from 127.0.0.0/8 to any
block in quick on sis0 from 128.0.0.0/16 to any
block in quick on sis0 from 128.66.0.0/16 to any
block in quick on sis0 from 169.254.0.0/16 to any
block in quick on sis0 from 172.16.0.0/12 to any
block in quick on sis0 from 191.255.0.0/16 to any
block in quick on sis0 from 192.0.0.0/19 to any
block in quick on sis0 from 192.0.48.0/20 to any
block in quick on sis0 from 192.0.64.0/18 to any
block in quick on sis0 from 192.0.128.0/17 to any
block in quick on sis0 from 192.168.0.0/16 to any
block in quick on sis0 from 197.0.0.0/8 to any
block in quick on sis0 from 201.0.0.0/8 to any
block in quick on sis0 from 204.152.64.0/23 to any
block in quick on sis0 from 224.0.0.0/3 to any

#ALL THE REST
block in log quick on sis0 all

# Loopback Interface
pass in quick on lo0 all
pass out quick on lo0 all
Save and exit. With a little bit of modifying you should have a decent set of rules there.
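Before trusting a modified rule set, it helps to be able to ask "what would this file do with packet X?" without loading it into the kernel. The following is an added example and not part of the original article or of IPFilter itself: a small evaluator for the subset of ipf syntax the rules above use (action, in/out, log, quick, on, proto, from/to, "port <op> N", "all", and "with ipopts"), applying the ordering IPFilter uses, where the last matching rule wins unless a matching rule says quick, which ends the search, and a packet nothing matches is passed. The rule set inside it is constructed to mirror the layout above (quick pass rules, egress and ingress blocks, a non-quick catch-all, loopback last); it is not the article's file. It does not model keep state, flags, or hostnames from /etc/hosts, which is why the constructed rules use addresses only.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed rule set (not the article's file) that mirrors its layout:
# quick pass rules first, then blocks, a non-quick catch-all, loopback last.
RULES_TEXT = """\
pass out quick on sis0 proto tcp from any to any port = 80 flags S keep frags keep state
pass out quick on sis0 proto udp from any to any port = 53 keep state
block out quick on sis0 from any to 10.0.0.0/8
block out on sis0 all
pass in quick on sis0 proto tcp from 166.222.222.0/24 to any port = 22 flags S keep state
block in quick on sis0 all with ipopts
block in log quick on sis0 all
pass in quick on lo0 all
pass out quick on lo0 all
"""

# Subset of ipf rule syntax: action, return-*, direction, log, quick, interface,
# proto, then either "all" or from/to with an optional "port <op> N" on each side.
# Everything after that (flags, keep state, with ...) lands in "rest".
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+return-\S+)?\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all|\s+from\s+(?P<src>\S+)(?:\s+port\s+(?P<sop>[=<>])\s+(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dop>[=<>])\s+(?P<dport>\d+))?)"
    r"(?P<rest>.*)$")


@dataclass
class Packet:
    direction: str        # "in" or "out"
    iface: str
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ipopts: bool = False  # packet carries IP options (matched by "with ipopts")


def parse_rules(text):
    """Parse rule lines into dicts; comments and blank lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        g = m.groupdict()
        rules.append({
            "text": line, "action": g["action"], "dir": g["dir"],
            "quick": bool(g["quick"]), "iface": g["iface"], "proto": g["proto"],
            "src": g["src"] or "any", "dst": g["dst"] or "any",
            "sport": (g["sop"], int(g["sport"])) if g["sport"] else None,
            "dport": (g["dop"], int(g["dport"])) if g["dport"] else None,
            "ipopts": "with ipopts" in g["rest"],
        })
    return rules


def addr_matches(spec, addr):
    """'any', a network or host, or a '!'-negated network as ipf allows."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return (not hit) if spec.startswith("!") else hit


def port_matches(spec, port):
    if spec is None:
        return True
    op, n = spec
    return {"=": port == n, "<": port < n, ">": port > n}[op]


def rule_matches(r, p):
    return (r["dir"] == p.direction
            and r["iface"] in (None, p.iface)
            and r["proto"] in (None, p.proto)
            and addr_matches(r["src"], p.src) and addr_matches(r["dst"], p.dst)
            and port_matches(r["sport"], p.sport) and port_matches(r["dport"], p.dport)
            and (not r["ipopts"] or p.ipopts))


def evaluate(rules, pkt):
    """Return (verdict, matching rule text). IPFilter ordering: the last
    matching rule wins unless a matching rule says 'quick', which ends the
    search at once; with no match at all the packet passes, which is why the
    catch-all 'block ... all' rules are needed."""
    verdict, matched = "pass", None
    for r in rules:
        if rule_matches(r, pkt):
            verdict, matched = r["action"], r["text"]
            if r["quick"]:
                break
    return verdict, matched


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for p in (Packet("out", "sis0", "tcp", "192.168.1.10", "10.1.2.3", 1025, 80),
              Packet("out", "sis0", "tcp", "192.168.1.10", "10.1.2.3", 1025, 443)):
        print(p.dst, p.dport, evaluate(rules, p))
```

The two packets printed at the bottom make the ordering point: an outbound TCP connection to port 80 on a 10.0.0.0/8 address is passed, because the quick pass for port 80 sits above the egress block and ends the search, while the same destination on port 443 is blocked. If you want the egress blocks to apply to every protocol, they have to come before the quick pass rules, which is the kind of check this evaluator lets you make on paper before loading the file.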


Closing Statements
Originally, I planned on making this document a lot more in-depth, specifically toward IDS and setting up various other services. Then I got burned out and I just don't feel like it anymore. This is the final article I wrote for bsdhound, and I hope you enjoy it. It's been a great few years operating that site, and as I mentioned above, this is my gift back to you all for all the support and help you've given me throughout the years. I hope you enjoyed reading this and possibly learned a thing or two.

References Used: Daemonnews.org, Onlamp.com, Screamingelectron.org, BSDVault.net

Editor's Note: This article was written by a long-time forum member of LWD. It was originally written and posted on his site, BSDHound, which has since been removed from service. Since that time, the article has been thoroughly updated and reprinted here on LWD. Please let us know what you think of this article by posting your comments in our forums.

Copyright © by LWD All Rights Reserved.

Published on: 2004-03-08 (11422 reads)