Hi!

First of all, I am sorry if this is not the list for that, but I've been learning (a little bit...) a way to implement a FreeBSD firewall. So far I came up with a set of rules I would like to show you for commenting. I am sure there are a lot of errors and/or stupid rules (I am not sure the rule order is good for what I need) and I would be really pleased if one could have a look at it... otherwise, please ignore my mail (it is big!).

Basically, I have a 192.168.0.0/24 network connected to a gateway that has a dynamic IP. I would like the network and the gateway itself to do whatever they want and in the meantime filter everything from the outside except for specified services (http, ftp...) and share the internet connection. I understand it is a very basic configuration but I would like to be sure not to make any mistake.

Thanks a lot in advance.

Antoine

Here is my ruleset:

#!/bin/sh
# Firewall Command
fwcmd="/sbin/ipfw"

# Flush out the list before we begin.
${fwcmd} -f flush

# Stop spoofing
${fwcmd} add deny all from 192.168.0.0:255.255.255.0 to any in via tun0
### ${fwcmd} add deny all from ${outside_net}:${outside_mask} to any in via vr0 ### Disabled --> dynamic @ip

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via tun0
${fwcmd} add deny all from any to 172.16.0.0/12 via tun0
${fwcmd} add deny all from any to 192.168.0.0/16 via tun0
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
${fwcmd} add deny all from 192.168.0.0/16 to any via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} add deny all from any to 0.0.0.0/8 via tun0
${fwcmd} add deny all from any to 169.254.0.0/16 via tun0
${fwcmd} add deny all from any to 192.0.2.0/24 via tun0
${fwcmd} add deny all from any to 224.0.0.0/4 via tun0
${fwcmd} add deny all from any to 240.0.0.0/4 via tun0
${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
${fwcmd} add deny all from 240.0.0.0/4 to any via tun0

# Setup Loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Network Address Translation.
${fwcmd} add divert natd all from any to any via tun0

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
${fwcmd} add deny all from 192.168.0.0/16 to any via tun0
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
${fwcmd} add deny all from 192.168.0.0/16 to any via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
${fwcmd} add deny all from 240.0.0.0/4 to any via tun0
${fwcmd} add deny all from 0.0.0.0/8 to any via tun0
${fwcmd} add deny all from 169.254.0.0/16 to any via tun0
${fwcmd} add deny all from 192.0.2.0/24 to any via tun0
${fwcmd} add deny all from 224.0.0.0/4 to any via tun0
${fwcmd} add deny all from 240.0.0.0/4 to any via tun0

# Allow firewall outbound for everything
${fwcmd} add pass all from any to any via vr0

# Stateful rules & allow everything from our net
${fwcmd} add check-state
${fwcmd} add pass tcp from 192.168.0.0:255.255.255.0 to any setup keep-state
${fwcmd} add pass udp from 192.168.0.0:255.255.255.0 to any keep-state

# Deny suspicious packets
$fwcmd add deny log tcp from any to any in tcpflags syn,fin

# Allow some icmp
${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11,12

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through ### --> should we deny this ?
${fwcmd} add pass all from any to any frag

# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
${fwcmd} add pass tcp from any to me in via tun0 20,21,22,25,53,80,110 setup
${fwcmd} add pass udp from any to me in via tun0 53

# Reject & log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via tun0 setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Deny everything else
${fwcmd} add deny ip from any to any
I'm no ipfw guru, but you seem to have a bunch of duplicate rules in the 2nd 1918 and draft-manning-dsua-03 sections.

--- Antoine Jacoutot <ajacoutot@lphp.org> wrote:
> Hi !
>
> First of all, I am sorry if this is not the list for that, but
> I've been learning (a little bit...) a way to implement a FreeBSD
> firewall.
> So far I came up with a set of rules I would like to show you
> for commenting.
> [...]
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
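An added example, not part of the thread and not Antoine's script: a small Python checker that does mechanically what the reply above did by eye. It normalises each ipfw `add` line (drops the `${fwcmd}` or `$fwcmd` prefix, an optional rule number and extra spaces) and reports every rule body that repeats an earlier one, with both line numbers. The ruleset it runs on is a constructed excerpt in the style of the posted script. Duplicate deny rules do not weaken the policy, but each one is an extra match attempt on every packet and makes the list harder to audit, which is why they are worth catching before loading.

```python
# Added example (not from the thread): report ipfw "add" lines whose rule body
# repeats an earlier one once the shell variable, rule number and spacing are
# normalised.
import re

# Constructed excerpt in the style of the posted script (not the real one).
SAMPLE_RULESET = """\
#!/bin/sh
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
${fwcmd} add deny all from 172.16.0.0/12 to any via tun0
${fwcmd} add deny all from 10.0.0.0/8 to any via tun0
$fwcmd add deny log tcp from any to any in tcpflags syn,fin
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add   deny  all from 172.16.0.0/12 to any via tun0
"""

# "${fwcmd} add [number] <body>" or "$fwcmd add [number] <body>"
_ADD = re.compile(r"^\s*\$\{?fwcmd\}?\s+add\s+(?:\d+\s+)?(.*)$")


def normalise(line):
    """Return the rule body of an ipfw 'add' line, or None for any other line.

    The optional rule number is dropped because two rules that differ only in
    their number still match the same packets.
    """
    m = _ADD.match(line)
    if not m:
        return None
    return " ".join(m.group(1).split())  # collapse runs of whitespace


def find_duplicates(script):
    """Return (line_no, first_line_no, rule) for each rule body seen before."""
    seen = {}
    dups = []
    for n, line in enumerate(script.splitlines(), 1):
        rule = normalise(line)
        if rule is None:
            continue
        if rule in seen:
            dups.append((n, seen[rule], rule))
        else:
            seen[rule] = n
    return dups


if __name__ == "__main__":
    for n, first, rule in find_duplicates(SAMPLE_RULESET):
        print(f"line {n} repeats line {first}: {rule}")
```

To check a real script, read the file into a string and pass it to `find_duplicates`; the checker only looks at `add` lines, so `flush`, variable assignments and comments are ignored.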
> Okay, good. I suspect that the machines on the inside network will
> have trouble using UDP to the outside world, but you probably won't
> care.

Hi, thanks a lot to Lowell and Simon who helped me a lot cleaning and reconfiguring my firewall rulesets. After some work, I came up with the much shorter following ruleset; I think this should work ok now. I know that pop3 is not a secure protocol, but it is my first ruleset under FreeBSD and I would like to achieve this before securing the services themselves. I will post this to -questions too, as someone recommended to me.

Once again, thanks a lot.

Antoine

#!/bin/sh
# Firewall Command
fwcmd="/sbin/ipfw"

# Flush out the list before we begin.
${fwcmd} -f flush

# Network Address Translation
${fwcmd} add divert natd all from any to any via tun0

# Setup Loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# Stop spoofing
${fwcmd} add deny all from 192.168.0.0/24 to any in via tun0
### The following rule is disabled since we have a dynamic @ip
#${fwcmd} add deny all from ${outside_net}:${outside_mask} to any in via vr0

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via tun0
${fwcmd} add deny all from any to 172.16.0.0/12 via tun0
${fwcmd} add deny all from any to 192.168.0.0/16 via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} add deny all from any to 0.0.0.0/8 via tun0
${fwcmd} add deny all from any to 169.254.0.0/16 via tun0
${fwcmd} add deny all from any to 192.0.2.0/24 via tun0
${fwcmd} add deny all from any to 224.0.0.0/4 via tun0
${fwcmd} add deny all from any to 240.0.0.0/4 via tun0

# From man 8 ipfw: allow only outbound TCP connections I've created
${fwcmd} add check-state
${fwcmd} add deny tcp from any to any in established
${fwcmd} add allow tcp from any to any out setup keep-state

# Allow firewall and local network to do everything
${fwcmd} add pass all from me to any
${fwcmd} add pass all from 192.168.0.0/24 to any

# Deny & log suspicious packets (like nmap scans)
${fwcmd} add deny log tcp from any to any in tcpflags syn,fin

# Allow the following icmp: echo reply (0) destination unreachable (3)
# source quench (4) echo request (8) time-to-live exceeded (11)
# IP header bad (12)
${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11,12

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
# find a way to allow FTP inbound
# keep-state is required here: the "deny tcp ... in established" rule above
# drops every inbound packet of a connection after its SYN (including the
# client's ACK that completes the handshake) unless check-state finds a
# dynamic entry for it, and only keep-state on this rule creates that entry.
${fwcmd} add pass tcp from any to me 22,25,53,80,110 in via tun0 setup keep-state
${fwcmd} add pass udp from any to me 53 in via tun0

# Reject & log everything else
${fwcmd} add deny log ip from any to any
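An added example, not from the thread and not ipfw itself: a toy first-match evaluator in Python that models only the subset of ipfw semantics the final ruleset relies on (the first matching rule wins, the `setup` and `established` flag tests, `keep-state` creating a bidirectional dynamic entry that `check-state` consults, and the implicit deny at the end). NAT is left out, so the packets are what ipfw sees on tun0 after natd has translated them. The addresses 203.0.113.10 (the gateway's public side), 192.168.0.1 (its LAN side) and 198.51.100.7 (a remote client) are constructed. It walks an inbound SSH three-way handshake through the TCP-relevant rules in the order they were posted, once without `keep-state` on the inbound service rule and once with it: without it, the client's final ACK is an inbound packet with ACK set, so it matches `deny tcp from any to any in established` before the service rule is ever reached and the connection never completes.

```python
# Added example (not from the thread): a toy first-match evaluator for the
# subset of ipfw rule semantics used in the posted ruleset. NAT is ignored,
# so packets are as ipfw sees them on tun0 after natd.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses: the gateway's public and LAN sides, and a remote client.
ME_ADDRS = {"203.0.113.10", "192.168.0.1"}
CLIENT = "198.51.100.7"


@dataclass
class Pkt:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    direction: str          # "in" or "out", relative to the firewall host
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    action: str             # "pass", "deny" or "check-state"
    proto: str = "all"
    src: str = "any"        # "any", "me" or a CIDR network
    dst: str = "any"
    dports: tuple = ()      # empty tuple = any destination port
    direction: str = ""     # "" = either direction
    setup: bool = False     # ipfw "setup": SYN set and ACK clear
    established: bool = False  # ipfw "established": ACK set (RST omitted here)
    keep_state: bool = False


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME_ADDRS
    return ip_address(addr) in ip_network(spec, strict=False)


def _matches(r, p):
    """Static match of one rule against one packet."""
    if r.proto not in ("all", "ip", p.proto):
        return False
    if not (_addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)):
        return False
    if r.dports and p.dport not in r.dports:
        return False
    if r.direction and r.direction != p.direction:
        return False
    if r.setup and not (p.syn and not p.ack):
        return False
    if r.established and not p.ack:
        return False
    return True


class Firewall:
    """First-match rule list plus a bidirectional dynamic-state table."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()

    @staticmethod
    def _key(p):
        # Unordered endpoint pair, so a reply matches the entry its request made.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def evaluate(self, p):
        """Return (action, rule_number) of the first rule that decides the packet."""
        for n, r in enumerate(self.rules, 1):
            if r.action == "check-state":
                if self._key(p) in self.state:
                    return ("pass", n)
                continue
            if _matches(r, p):
                if r.keep_state:
                    self.state.add(self._key(p))
                return (r.action, n)
        return ("deny", 65535)  # ipfw's implicit default rule


def posted_ruleset(inbound_keep_state):
    """TCP-relevant rules of the final ruleset, in the order they were posted."""
    return [
        Rule("check-state"),
        Rule("deny", proto="tcp", direction="in", established=True),
        Rule("pass", proto="tcp", direction="out", setup=True, keep_state=True),
        Rule("pass", src="me"),
        Rule("pass", src="192.168.0.0/24"),
        Rule("pass", proto="tcp", dst="me", dports=(22, 25, 53, 80, 110),
             direction="in", setup=True, keep_state=inbound_keep_state),
        Rule("deny"),
    ]


def inbound_ssh_handshake(inbound_keep_state):
    """Action taken on each packet of an inbound SSH three-way handshake."""
    fw = Firewall(posted_ruleset(inbound_keep_state))
    pkts = [
        Pkt("tcp", CLIENT, "203.0.113.10", 40000, 22, "in", syn=True),            # SYN
        Pkt("tcp", "203.0.113.10", CLIENT, 22, 40000, "out", syn=True, ack=True),  # SYN-ACK
        Pkt("tcp", CLIENT, "203.0.113.10", 40000, 22, "in", ack=True),            # ACK
    ]
    return [fw.evaluate(p)[0] for p in pkts]


if __name__ == "__main__":
    print("without keep-state:", inbound_ssh_handshake(False))  # ['pass', 'pass', 'deny']
    print("with keep-state:   ", inbound_ssh_handshake(True))   # ['pass', 'pass', 'pass']
```

The model deliberately treats `established` as "ACK set" only; real ipfw also counts packets with RST set, which does not change the handshake result above. The same evaluator can be fed an outbound connection (SYN out from 203.0.113.10 after NAT, reply in with ACK) to confirm that the `allow tcp from any to any out setup keep-state` rule and `check-state` handle that direction as the ipfw manual page's example intends.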