FreeBSD  Release  11.0  Install  Guide

Home______________________________________________________________________

 

Stateful Rule Set

The following non-NATed rule set is an example of how to code a very secure ‘inclusive’ type of firewall. An inclusive firewall only allows services matching pass rules through and blocks all others by default. All firewalls have at the minimum two interfaces which have to have rules to allow the firewall to function.

All Unix flavored systems including FBSD are designed to use interface lo0 and IP address 127.0.0.1 for internal communication with in the FBSD operating system. The firewall rules must contain rules to allow free, unmolested movement of these special internally used packets.

The interface which faces the public Internet is the one which you code your rules to authorize and control access out to the public Internet and access requests arriving from the public Internet. This can be your ‘user ppp’ tun0 interface or your NIC that is cabled to your DSL or cable modem.

In cases where one or more NICs are cabled to private LANs (local area networks) behind the firewall, those interfaces must have rules coded to allow free unmolested movement of packets originating from those LAN interfaces.

The rules should be first organized into three major sections: all the free unmolested interfaces, public interface outbound, and the public interface inbound.

The order of the rules in each of the public interface sections should be in order of the most used rules being placed before less often used rules with the last rule in the section being a block log all packets on that interface and direction.

The outbound section in the following rule set only contains ‘allow’ rules which contain selection values that uniquely identify the service that is authorized for public Internet access. All the rules have the proto, port, in/out, via and keep state options coded. The ‘proto tcp’ rules have the ‘setup’ option included to identify the start session request as the trigger packet to be posted to the keep state stateful table.

The inbound section has all the blocking of undesirable packets first for two different reasons. First is these things being blocked may be part of an otherwise valid packet which may be allowed in by the later authorized service rules. The second reason is that by having a rule that explicitly blocks selected packets that I receive on an infrequent bases and don’t want to see in the log, this keeps them from being caught by the last rule in the section which blocks and logs all packets which have fallen through the rules. The last rule in the section which blocks and logs all packets is how you create the legal evidence needed to prosecute the people who are attacking your system.

Another thing you should take note of is there is no response returned for any of the undesirable stuff; the packets just get dropped and vanish. This way the attackers have no knowledge if their packets have reached your system. The less the attackers can learn about your system the more secure it is.

 

Example Inclusive Rule Set

The following non-NATed rule set is a complete, very secure ‘inclusive’ type of firewall rule set that I have used on my system. You cannot go wrong using this rule set for you own. Just comment out any pass rules for services you don’t want.

If you see messages in your log that you want to stop seeing, just add a deny rule in the inbound section.

You have to change the ‘dc0’ interface name in every rule to the interface name of the NIC that connects your system to the public Internet. For ‘user ppp’ it would be ‘tun0’.

You will see the pattern in the usage of these rules.

All statements that are a request to start a session to the public Internet use keep-state.

All the authorized services that originate from the public Internet have the limit option to stop flooding.

All rules use in or out to clarify direction.

All rules use via interface name to specify the interface the packet is traveling over.

Add the following statements to /etc/ipfw.rules

################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="dc0"     # public interface name of Nic card
                        # facing the public Internet

#################################################################
# No restrictions on Inside Lan Interface for private network
# Not needed unless you have Lan.
# Change xl0 to your Lan Nic card interface name
#################################################################
#$cmd 00005 allow all from any to any via xl0

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 00010 allow all from any to any via lo0

#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 00015 check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP’s DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
# This rule is not needed for ‘user ppp’ connection to the public Internet.
# so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & svn) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (IE: news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state

# deny and log everything else that’s trying to get out.
# This rule enforces the block all by default logic.
$cmd 00299 deny log all from any to any out via $pif

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to anyin via $pif     #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to anyin via $pif          #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to anyin via $pif        #loopback
$cmd 00304 deny all from 0.0.0.0/8 to anyin via $pif            #loopback
$cmd 00305 deny all from 169.254.0.0/16 to anyin via $pif   #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to anyin via $pif       #reserved for doc's
$cmd 00307 deny all from 204.152.64.0/23 to anyin via $pif  #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to anyin via $pif         #Class D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to anyin via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137in via $pif
$cmd 00321 deny tcp from any to any 138in via $pif
$cmd 00322 deny tcp from any to any 139in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP’s DHCP server as it’s the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for ‘user ppp’ type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################

 

Previous Page                                          Next Page          

This FreeBSD Install Guide is an public domain HOW-TO. This content may be reproduced, in any form or by any means, and used by all without permission in writing from the author.