FreeBSD  Release  11.0  Install  Guide

Home______________________________________________________________________

 

Inclusive Rule set Example

The following rule set is an example of how to code a very secure inclusive type of firewall. An inclusive firewall only allows services matching pass rules through and blocks all others by default. All firewalls have at the minimum two interfaces which have to have rules to allow the firewall to function.

All Unix flavored systems including FBSD are designed to use interface lo0 and IP address 127.0.0.1 for internal communication within the FBSD operating system. The firewall rules must contain rules to allow free, unmolested movement of these special internally used packets.

The interface which faces the public Internet is the one which you code your rules to authorize and control access out to the public Internet and access requests arriving from the public Internet. This can be your ‘user ppp’ tun0 interface or your NIC that is cabled to your DSL or cable modem.

In cases where one or more NIC's are cabled to private LANs (local area networks) behind the firewall, those interfaces must have a rule coded to allow free, unmolested movement of packets originating from those LAN interfaces.

The rules should be first organized into three major sections; all the free and unmolested interfaces, public interface outbound, and the public interface inbound.

The order of the rules in each of the public interface sections should be in order of the most used rules being placed before less often used rules with the last rule in the section being a block log all packets on that interface and direction.

The outbound section in the following rule set only contains ‘pass’ rules which contain selection values that uniquely identify the service that is authorized for public Internet access. All the rules have the ‘quick’, ‘on’, proto, port, and keep state option coded. The ‘proto tcp’ rules have the ‘flag’ option included to identify the session start request as the triggering packet to activate the stateful facility.

The inbound section has all the blocking of undesirable packets first for two different reasons. First, these things being blocked may be part of an otherwise valid packet which may be allowed in by the later authorized service rules. Second, by having a rule that explicitly blocks selected packets that I receive on an infrequent bases and don’t want to see in the log, this keeps them from being caught by the last rule in the section which blocks and logs all packets which have fallen through the rules. The last rule in the section which blocks and logs all packets is how you create the legal evidence needed to prosecute the people who are attacking your system.

Another thing you should take note of is there is no response returned for any of the undesirable stuff; their packets just get dropped and vanish. This way the attackers have no knowledge if their packets have reached your system. The less the attackers can learn about your system the more secure it is.

The following rule set is a complete, very secure ‘inclusive’ type of firewall rule set that I have used on my system. You cannot go wrong using this rule set for your own. Just comment out any pass rules for services to don’t want to authorize.

If you see messages in your log that you want to stop seeing just add a block rule in the inbound section.

You have to change the ‘dc0’ interface name in the symbolic name to the interface name of the NIC that connects your system to the public Internet. For ‘user ppp’ it would be ‘tun0’.

Add the following statements to /etc/pf.conf

################################################################
# define defaults and macros
#################################################################

oif = "dc0"                 # oif is the macro name for the
                            # NIC facing the public internet

#lif = "xl0"                # lif is the macro name for the NIC facing
                            # the Local area network if you have one

dns1 = "{69.22.11.5, 69.22.11.6}" # my ISP's Domain name server IP address

dhcp = "69.22.11.7"         # my ISP's DHCP server IP address

ob_state = "flags S/SA modulate state"     # outbound

ib_state = "flags S/SA synproxy state"     # inbound

#################################################################
# define run time global defaults
#################################################################

set block-policy drop       # Sets the default block behavior to
                            # packet is silently dropped

set state-policy if-bound   # states are bound to the interface
                            # they're created on

set loginterface $oif       # gather statistics on this interface

scrub out on $oif all random-id
scrub reassemble tcp

#################################################################
# define Nat if you have LAN
#################################################################

#nat on $oif from $lif to any -> ($oif)

#nat on $oif from 10.0.10.0/29 to any -> ($oif)

#pass quick on $lif all      # No restrictions on LAN Interface

pass quick on lo0 all       # No restrictions on Loopback Interface


#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# $dsn1 must be the IP address of your ISP’s DNS.
# Get the IP addresses from /etc/resolv.conf file
pass out quick on $oif proto tcp from any to $dns1 port 53 $ob_state
pass out quick on $oif proto udp from any to $dns1 port 53 keep state

# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for ‘user ppp’ type connection to the
# public Internet, so you can delete this whole group.
pass out quick on $oif proto udp from any to $dhcp port 67 keep state

# Allow out non-secure standard www function
pass out quick on $oif proto tcp from any to any port 80 $ob_state

# Allow out secure www function https over TLS SSL
pass out quick on $oif proto tcp from any to any port 443 $ob_state

# Allow out send $ get email function
pass out quick on $oif proto tcp from any to any port 110 $ob_state
pass out quick on $oif proto tcp from any to any port 25 $ob_state

# Allow out Time
pass out quick on $oif proto tcp from any to any port 37 $ob_state

# Allow out nntp news
pass out quick on $oif proto tcp from any to any port 119 $ob_state


# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on $oif proto tcp from any to any port 22 $ob_state

# Allow out non-secure Telnet (ID/PW passed as clear text)
pass out quick on $oif proto tcp from any to any port 23 $ob_state

# Allow out FBSD svn function
pass out quick on $oif proto tcp from any to any port 3690 $ob_state

# Allow out ping to public Internet
pass out quick on $oif inet proto icmp from any to any icmp-type 8 keep state

# Allow out whois PC to public Internet
pass out quick on $oif proto tcp from any to any port 43 $ob_state

# Allow out non-secure (ID/PW passed as clear text)
# active FTP in responce to remote FTP client
pass out quick on $oif proto tcp from any port 20 to any $ob_state

# Allow out non-secure (ID/PW passed as clear text)
# active FTP for gateway & LAN users
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on $oif proto tcp from any to any port 21 $ob_state

# Block and log everything that’s trying to get out.
# This rule enforces the block all by default logic.
block out log quick on $oif all

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on $oif from 192.168.0.0/16 to any  #RFC 1918 private IP
block in quick on $oif from 172.16.0.0/12 to any   #RFC 1918 private IP
block in quick on $oif from 10.0.0.0/8 to any      #RFC 1918 private IP
block in quick on $oif from 127.0.0.0/8 to any     #loopback
block in quick on $oif from 0.0.0.0/8 to any       #loopback
block in quick on $oif from 169.254.0.0/16 to any  #DHCP auto-config
block in quick on $oif from 192.0.2.0/24 to any    #reserved for doc's
block in quick on $oif from 204.152.64.0/23 to any #Sun cluster connect
block in quick on $oif from 224.0.0.0/3 to any     #Class D $ E multicast


# Block public pings
block in quick on $oif inet proto icmp all icmp-type 8

# Block ident
block in quick on $oif proto tcp from any to any port 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log quick on $oif proto tcp from any to any port 137
block in log quick on $oif proto udp from any to any port 137
block in log quick on $oif proto tcp from any to any port 138
block in log quick on $oif proto udp from any to any port 138
block in log quick on $oif proto tcp from any to any port 139
block in log quick on $oif proto udp from any to any port 139
block in log quick on $oif proto tcp from any to any port 81
block in log quick on $oif proto udp from any to any port 81

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP’s DHCP server as it’s the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# ‘user ppp’ type connection to the public Internet.
# This is the same IP address you
# used in the outbound section.
pass in quick on $oif proto udp from $dhcp to any port 68 keep state

# Allow in standard www function because I have apache server
pass in quick on $oif proto tcp from any to any port 80 $ib_state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on $oif proto tcp from any to any port 22 $ib_state

# Allow in non-secure Telnet session from public Internet labeled
# non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample rule if you do not have telnet server enabled.
#pass in quick on $oif proto tcp from any to any port 23 $ib_state

# Allow in non-secure (ID/PW passed as clear text)
# active FTP from remote client
pass in quick on $oif proto tcp from any to any port 21 $ib_state

# Allow in non-secure (ID/PW passed as clear text)
# responce to active FTP for gateway & LAN users
pass in quick on dc0 proto tcp from any port 20 to any $ib_state

# Block and log all remaining traffic coming into the firewall.
# This rule enforces the block all by default logic.
block in log quick on $oif all
################### End of rules file ##############################

 

Previous Page                                        Next Page         

This FreeBSD Install Guide is an public domain HOW-TO. This content may be reproduced, in any form or by any means, and used by all without permission in writing from the author.