diff --git a/handbook/firewalls.sgml b/handbook/firewalls.sgml index 2bbf124233..2028d8822a 100644 --- a/handbook/firewalls.sgml +++ b/handbook/firewalls.sgml @@ -1,9 +1,9 @@ - + Firewalls -

Contributed by &a.gpalmer;.4th of October 1995 +

Contributed by &a.gpalmer; and &a.alex;. Firewalls are an area of increasing interest for people who are connected to the Internet, and are even finding applications on @@ -96,7 +96,7 @@ can be set up so that you can limit which users can talk to which destination machine. Again, what facilities are available depends largely on what proxy software you choose. -What does IPFW allow me to do? +What does IPFW allow me to do?

IPFW, the software supplied with FreeBSD, is a packet filtering and accounting system which resides in the kernel, and has a @@ -117,7 +117,7 @@ incoming and outgoing connections. This is a special case of the more general use of IPFW, and the same commands and techniques should be used in this situation. -Enabling IPFW on FreeBSD +Enabling IPFW on FreeBSD

As the main part of the IPFW system lives in the kernel, you will need to add one or more options to your kernel configuration @@ -137,35 +137,57 @@ packets through syslogd(8). Without this option, even if you specify that packets should be logged in the filter rules, nothing will happen. -syslogd(8) on a per entry basis. +You may wish to use this option in hostile environments in which +you want to log firewall activity, but do not want to be open to +a denial of serivce attack via syslog flooding. + +

When a chain entry reaches the packet limit specified, logging +is turned off for that particular entry. To resume logging, you +will need to reset the associated counter using the ipfw(8) +utility: + + +ipfw zero 4500 + + +Where 4500 is the chain entry you wish to continue logging. -Configuring IPFW +Previous versions of FreeBSD contained an IPFIREWALL_ACCT +option. This is now obsolete as the firewall code automatically +includes accounting facilities. + +Configuring IPFW

The configuration of the IPFW software is done through the ipfw(8) utility. The syntax for this command looks quite complicated, but it is relatively simple once you understand its structure. -

There are currently two different command line formats for the -utility, depending on what you are doing. The first form is used when -adding/deleting entries from the firewall or accounting chains, or -when clearing the counters for an entry on the accounting chain. The -second form is used for more general actions, such as flushing the -rule chains, listing the rule chains or setting the default policy. +

There are currently four different command categories used by the +utility: addition/deletion, listing, flushing, and clearing. +Addition/deletion is used to build the rules that control how packets +are accepted, rejected, and logged. Listing is used to examine the +contents of your rule set (otherwise known as the chain) and packet +counters (accounting). Flushing is used to remove all entries from +the chain. Clearing is used to zero out one or more accounting +entries. -Altering the IPFW rules +Altering the IPFW rules

The syntax for this form of the command is: -ipfw [-n] command action protocol addresses +ipfw [-N] command [index] action +protocol addresses [options]

There is one valid flag when using this form of the command: - The command given can be shortened to the shortest unique @@ -173,69 +195,39 @@ form. The valid commands are: - -If no command is given, it will default addfirewall or -addaccounting depending on the arguments given. +Previous versions of IPFW used separate firewall and +accounting entries. The present version provides packet accounting +with each firewall entry. -

Currently, the firewall support in the kernel applies a set of -weights to the rule being added. This means that the rules will -not be evaluated in the order that they are given to the -system. The weighting system is designed so that rules which are very -specific are evaluated first, and rules which cover very large ranges -are evaluated last. In other words, a rule which applies to a specific -port on a specific host will have a higher priority than a rule which -applies to that same port, but on a range of hosts, or that host on a -range of ports. +

If an index value is supplied, it used to place the entry +at a specific point in the chain. Otherwise, the entry is placed at +the end of the chain at an index 100 greater than the last chain +entry (this does not include the default policy, rule 65535, deny). -

The weighting system is not perfect, however, and can lead to -problems. The best way to see what order it has put your rules in is -to use the list command, as that command lists the rules in -the order that they are evaluated, not the order that they were fed to -the system. - -

The actions available depend on which rule chain the -entry is destined for. For the firewall chain, valid -actions are: +Valid actions are: -reject, but also log the packet details. +deny, but also log the packet details. +accept. - - - -For the accounting chain, valid actions are: - - - - @@ -254,30 +246,22 @@ The protocols which can be specified are:

The address specification is: -[from <address/mask>[port]] [to - <address/mask>[port]] [via <interface>] +from <address/mask>[port] to + <address/mask>[port&rsqb [via <interface>]

You can only specify port in conjunction with -protocols which support ports (UDP, TCP and SYN). - -

The order of the from, to, and -via keywords is unimportant. Any of them can be omitted, -in which case a default entry for that keyword will be supplied which -matches everything. +protocols which support ports (UDP and TCP).

The via is optional and may specify the IP address or domain name of a local IP interface, or an interface name (e.g. -ed0) to match only packets coming through this interface. The -keyword via can be substituted by on, for -readability reasons. +ed0) to match only packets coming through this interface. +Interface unit numbers can be specified with an optional wildcard. +For example, ppp* would match all kernel PPP interfaces.

The syntax used to specify an <address/mask> is: @@ -310,14 +294,50 @@ to specify either a single port or a list of ports, or port:port -to specify a range of ports. The name of a service (from -/etc/services) can be used instead of a numeric port value. +to specify a range of ports. -Listing/flushing the IPFW rules +

The options available are: + + + +spec/Matches if the IP header contains the +comma separated list of options specified in spec. The +supported list of IP options are: ssrr (strict source route), +lsrr (loose source route), rr (record packet route), +and ts (timestamp). The absence of a particular option may +be denoted with a leading '!'. + +flags/Matches if the TCP header contains +the comma separated list of flags. The supported flags +are fin, syn, rst, psh, ack, +and urg. The absence of a particular flag may be indicated +by a leading '!'. + +types/Matches if the ICMP type is present in +the list types. The list may be specified as any combination +of ranges and/or individual types separated by commas. Commonly used +ICMP types are: 0 echo reply (ping reply), 5 +redirect, and 8 echo request (ping request). + + + +Listing the IPFW rules

The syntax for this form of the command is: -ipfw [-ans] command [argument] +ipfw [-atN] l

There are three valid flags when using this form of the command: @@ -325,56 +345,39 @@ ipfw [-ans] command [argument] -s. +way to see accounting counters. -ipfw(8) utility. --a -to see accounting counters. The short form listing is incompatible -with the input syntax used by the ipfw(8) utility. + -The command given can be shortened to the shortest unique -form. The valid commands are: +Flushing the IPFW rules - +

The syntax for flushing the chain is: + +ipfw flush + --s flag is -given, the format is compatible with the command line syntax. +

This causes all entries in the firewall chain to be removed except +the fixed default policy enforced by the kernel (index 65535). Use +caution when flushing rules, the default deny policy will leave your +system cut off from the network until allow entries are added to the +chain. -Clearing the IPFW packet counters -The syntax for clearing one or more packet counters is: + +ipfw zero [index] + - - -The list and flush commands may optionally be passed -an argument to specify which chain to flush. Valid arguments are: - - - - - -

The policy command can be given one of two arguments: - - - - - -As usual, the arguments can be shortened to the shortest unique form -(in this case, the first letter). +

When used without an index argument, all packet counters +are cleared. If an index is supplied, the clearing operation +only affects a specific chain entry. Example commands for ipfw @@ -383,7 +386,7 @@ As usual, the arguments can be shortened to the shortest unique form nice.people.org by being forwarded by the router: -ipfw addf deny tcp from evil.hacker.org to nice.people.org telnet +ipfw add deny tcp from evil.hacker.org to nice.people.org 23

The next example denies and logs any TCP traffic from the entire @@ -391,7 +394,7 @@ ipfw addf deny tcp from evil.hacker.org to nice.people.org telnet machine (any port). -ipfw addf ldeny tcp from evil.hacker.org/24 to nice.people.org +ipfw add deny log tcp from evil.hacker.org/24 to nice.people.org If you do not want people sending X sessions to your internal network @@ -399,23 +402,27 @@ If you do not want people sending X sessions to your internal network filtering: -ipfw addf deny syn to my.org/28 6000 +ipfw add deny setup from any to my.org/28 6000 To allow access to the SUP server on sup.FreeBSD.ORG, use the following command: -ipfw addf accept syn to sup.FreeBSD.ORG supfilesrv +ipfw addf accept syn to sup.FreeBSD.ORG 871 To see the accounting records: -ipfw -sa list accounting +ipfw -a list or in the short form -ipfw -sa l a +ipfw -a l + +You can also see the last time a chain entry was matched with + +ipfw -at l Building a packet filtering firewall @@ -479,10 +486,11 @@ want to allow from the inside. Some general rules are: where most of the security sensitive services are, like finger, SMTP (mail) and telnet. - Block incoming SYN connections to ports between 1001 and 1024 -(this will allow internal users to rsh/rlogin to the outside). If you -do not want to allow rsh/rlogin connections from the inside to the -outside, then extend the above suggestion to cover ports 1-1024. + Block incoming SYN (setup) connections to ports +between 1001 and 1024 (this will allow internal users to rsh/rlogin to +the outside). If you do not want to allow rsh/rlogin connections from +the inside to the outside, then extend the above suggestion to cover +ports 1-1024. Block all incoming UDP traffic. There are very few useful services that travel over UDP, and what useful traffic there is @@ -509,16 +517,6 @@ normally fall outside the 1-1024 range specified above. -

Of course, if you want to make sure that no un-authorized traffic -gets through the firewall, change the default policy to ``deny''. This -will mean that any traffic which is allowed through has to be -specified explicitly in an ``accept'' or ``allow'' filter rule. Which -ports you allow through is again something that you will have to -decide for yourself. If you do set the default policy to be deny, you -will probably want to install proxy servers, as no traffic will be -able to get OUT either unless you allow TCP SYN connections going form -the inside out. -

As I said above, these are only guidelines. You will have to decide what filter rules you want to use on your firewall yourself. I cannot accept ANY responsibility if someone breaks into
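Review bot: the header hunk at @@ -1,9 +1,9 @@ drops the "4th of October 1995" date while adding &a.alex; as a second contributor, so the section no longer tells readers when it was last revised. Since this patch changes the ipfw command syntax substantially, keep a date (the revision date, if the original contribution date no longer fits) so readers can tell which IPFW generation the text describes.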
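Review bot: typo in the IPFIREWALL_VERBOSE_LIMIT paragraph of the hunk at @@ -137,35 +137,57 @@: "a denial of serivce attack via syslog flooding" should read "denial of service". The point itself is worth keeping as written: without a limit, a stream of packets matching a logging rule lets a remote party fill the logs through syslogd(8), and the following paragraph correctly notes that once the limit is reached the entry stops logging until its counter is reset with `ipfw zero 4500` (or whichever index applies), so the operator has to watch for entries that have gone silent.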
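Review bot: grammar slip in the hunk at @@ -173,69 +195,39 @@, "If an index value is supplied, it used to place the entry" is missing "is" ("it is used to place the entry"). With the old weighting paragraphs removed, this paragraph is now the only place that explains ordering, yet it says only where an entry is placed in the chain; add a sentence stating that entries are evaluated in index order, ending at the fixed default (rule 65535, deny), since that is what readers need to reason about which rule matches first.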
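Review bot: the address specification in the hunk at @@ -254,30 +246,22 @@ contains an unterminated SGML entity, `<address/mask>[port&rsqb [via <interface>]`: `&rsqb` needs its closing semicolon (`&rsqb;`), and since the preceding `[port]` uses a literal `]`, use the same form in both places. Dropping SYN from "protocols which support ports (UDP and TCP)" is consistent with the examples below, which now express the same thing with the `setup` option.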
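Review bot: comma splice in the flushing paragraph of the hunk at @@ -325,56 +345,39 @@: "Use caution when flushing rules, the default deny policy will leave your system cut off from the network until allow entries are added to the chain" should be two sentences or joined with a semicolon. Given the consequence described, it is worth saying explicitly that `ipfw flush` on a machine administered over the network should only be run with console access or another way to add the allow entries afterwards, because the fixed deny at index 65535 will drop the administrator's own session as well.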
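Review bot: the SUP example in the hunk at @@ -399,23 +402,27 @@ is still in the old syntax: `ipfw addf accept syn to sup.FreeBSD.ORG 871` uses the removed `addf` command, the `syn` pseudo-protocol that this patch replaces with the `setup` option, and omits the `from` clause that the rewritten address grammar makes mandatory. Suggest `ipfw add accept setup from any to sup.FreeBSD.ORG 871`, matching the X11 example two lines above (`ipfw add deny setup from any to my.org/28 6000`); only the service name was changed to 871 here, while the surrounding examples were converted in full.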
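Review bot: the paragraph removed in the hunk at @@ -509,16 +517,6 @@ was the only text in "Building a packet filtering firewall" that told readers a deny default blocks outbound traffic as well, so that TCP setup connections from the inside must be allowed explicitly (or proxy servers installed). Since the patch elsewhere states the default policy is now the fixed kernel deny at index 65535, that guidance still applies; carry it over in wording that matches the new fixed default rather than dropping it, otherwise the guidelines list reads as if blocking inbound traffic is the only consideration.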