linux security - Jun 1998 - Re: Linux and IPFWADM

On Tue, 16 Jun 1998, Avery Pennarun wrote:
> Here is the script I use on my home IP masquerade system.  It is designed
> to deny everything except what is specifically allowed in some of the
> definitions near the top.  Note that there is one fatal problem -- the
> input firewall is changed to allow incoming data back to ports 1024
> through 65535, because any of those might have been used to create an
> _outgoing_ connection (and thus might have data been sent back to them).
> NFS servers might run on one of these high port numbers, so watch out.
I do the following:

1) To make the script more readable, use variables:

ME="a.b.c.d/32"
HI="1024:65535"
ANY="0.0.0.0/0"

2) Use "-y -o" options to log all connection attempts (ie. SYN bit
set) to
syslog (you need verbose firewall logging compiled into the kernel), and
accept the packets in both directions for these connections.

2a) Example of a bi-directional service

# SMTP mail traffic
/bin/echo -n "SMTP/"
/sbin/ipfwadm -O -a accept -P tcp -S ${ME} ${HI} -D ${ANY} 25 -y -o
/sbin/ipfwadm -O -a accept -P tcp -S ${ME} ${HI} -D ${ANY} 25
/sbin/ipfwadm -I -a accept -P tcp -S ${ANY} 25 -D ${ME} ${HI}
/sbin/ipfwadm -I -a accept -P tcp -S ${ANY} ${HI} -D ${ME} 25 -y -o
/sbin/ipfwadm -I -a accept -P tcp -S ${ANY} ${HI} -D ${ME} 25
/sbin/ipfwadm -O -a accept -P tcp -S ${ME} 25 -D ${ANY} ${HI}

2b) A tricky one - FTP

# Incoming FTP
/bin/echo -n "FTPin/"
/sbin/ipfwadm -I -a accept -P tcp -S ${ANY} ${HI} -D ${ME} 20:21 -y -o
/sbin/ipfwadm -I -a accept -P tcp -S ${ANY} ${HI} -D ${ME} 20:21
/sbin/ipfwadm -O -a accept -P tcp -S ${ME} 20:21 -D ${ANY} ${HI}

3) Drop everything else - note, the ''without logging'' section
only applies
if you ever set your interface(s) into promiscuous mode... it''s wise
not
to log packets to/from elsewhere, otherwise the machine load hits the
roof, and the log file expands rapidly... I found out the hard way. ;)

# Deny everything else
# with logging... (target = me)
/sbin/ipfwadm -I -a deny -S 0/0 -D ${ME} -o
/sbin/ipfwadm -O -a deny -S ${ME} -D 0/0 -o
# without logging... (target != me)
/sbin/ipfwadm -I -a deny -S 0/0 -D 0/0
/sbin/ipfwadm -O -a deny -S 0/0 -D 0/0

Hope that''s of some help - oh, one thing - if you decide to use
logging,
make sure the logfile is on another partition somewhere, in case someone
floods your box to try and fill up the disk!  Logging is worth the effort
- I''ve detected port scans and other such nasties this way.


Ian.

--
Ian Marsh
mushypea@dominion.net.uk                                   ... Email
http://www.etchq.demon.co.uk/                              ... WWW
http://www.dominion.net.uk/ telnet://dominion.net.uk:2468/ ... Dominion
http://www.alpha4.com/      telnet://alpha4.com:3214/      ... MBa4