Cleanup sample ruleset.

Move stuff that applies to all firewalls to Concepts section.

Sponsored by: iXsystems
This commit is contained in:
Dru Lavigne 2014-02-22 02:43:03 +00:00
parent 3bc7d33b1d
commit be4fc36d5e
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44024


@ -170,6 +170,15 @@
selection criteria to create rules which will pass or block
services.</para>
<para>To lookup unknown port numbers, refer to
<filename>/etc/services</filename>. Alternatively, visit <uri
xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
and do a port number lookup to find the purpose of a
particular port number.</para>
<para>Check out this link for port numbers used by Trojans <uri
xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
<para>A firewall ruleset can be either
<quote>exclusive</quote> or <quote>inclusive</quote>. An
exclusive firewall allows all traffic through except for the
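Review bot: in the added paragraph, "To lookup unknown port numbers" should read "To look up unknown port numbers" ("lookup" is the noun, "look up" the verb). The second added paragraph, "Check out this link for port numbers used by Trojans", is conversational for the Handbook's register; suggest "A list of port numbers commonly used by Trojans is available at <uri ...>." Since both paragraphs are being moved up from the IPF example section, confirm the original copies are removed there so the text is not duplicated in the chapter.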
@ -1699,7 +1708,7 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
</sect2>
<sect2>
<title><application>IPF</application> Rulesets</title>
<title><application>IPF</application> Rule Syntax</title>
<indexterm>
<primary><application>IPFILTER</application></primary>
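Review bot: this <sect2> carries no xml:id, so the retitle from "IPF Rulesets" to "IPF Rule Syntax" cannot break an <xref>, but any prose elsewhere in the chapter that refers to the section by its old name needs to be updated in the same commit.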
@ -1988,198 +1997,98 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
</sect2>
<sect2>
<!-- XXX: This section needs a rewrite -->
<title>Example Ruleset</title>
<title>Inclusive Ruleset Example</title>
<para>This section demonstrates how to create an example ruleset
which only allows services matching
<literal>pass</literal> rules and blocks all others.</para>
<para>The following ruleset is an example of an inclusive type
of firewall which only allows services matching
<literal>pass</literal> rules and blocks all others by
default. Network firewalls intended to protect other machines
should have at least two interfaces, and are generally
configured to trust the <acronym>LAN</acronym> and to not
trust the public Internet. Alternatively, a host based
firewall might be configured to protect only the system it is
running on, and is appropriate for servers on an untrusted
network or a desktop system not protected by firewall on the
network.</para>
<para>&os; uses interface <filename>lo0</filename> and IP
<para>&os; uses the loopback interface (<filename>lo0</filename>) and the <acronym>IP</acronym>
address <systemitem class="ipaddress">127.0.0.1</systemitem>
for internal communication within the operating system. The
firewall rules must contain rules to allow free movement of
these internally used packets.</para>
for internal communication. The
firewall ruleset must contain rules to allow free movement of
these internally used packets:</para>
<para>The interface which faces the public Internet is the one
specified in the rules that authorize and control access of
the outbound and inbound connections.</para>
<programlisting># no restrictions on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all</programlisting>
<para>In cases where one or more NICs are cabled to private
network segments, those interfaces may require rules to allow
packets originating from those LAN interfaces transit to each
other or to the Internet.</para>
<para>The public interface connected to the Internet is used to
authorize and control access of
all outbound and inbound connections. If one or more interfaces are cabled to private
networks, those internal interfaces may require rules to allow
packets originating from the <acronym>LAN</acronym> to flow between the internal networks
or to the interface attached to the Internet. The ruleset should be organized into three major
sections: any trusted internal interfaces, outbound connections through the public
interface, and inbound connections through the public interface.</para>
<para>The rules should be organized into three major
sections: the trusted interfaces, then the public
interface outbound, and lastly, the public untrusted interface
inbound.</para>
<para>These two rules allow all traffic to pass through a trusted
<acronym>LAN</acronym> interface named <filename>xl0</filename>:</para>
<para>The rules in each of the public interface sections should
<programlisting># no restrictions on inside LAN interface for private network
pass out quick on xl0 all
pass in quick on xl0 all</programlisting>
<para>The rules for the public interface's outbound and inbound sections should
have the most frequently matched rules placed before less
commonly matched rules, with the last rule in the section
blocking and logging all packets on that interface and
blocking and logging all packets for that interface and
direction.</para>
<para>The outbound section in the following ruleset only
contains <literal>pass</literal> rules which uniquely identify
the services that are authorized for public Internet access.
All the rules use <literal>quick</literal>,
<literal>on</literal>, <literal>proto</literal>,
<literal>port</literal>, and <literal>keep state</literal>.
The <literal>proto tcp</literal> rules include
<literal>flag</literal> to identify the session start request
as the triggering packet to activate the stateful
facility.</para>
<para>This set of rules defines the outbound section of the
public interface named <filename>dc0</filename>.
These rules keep state and identify
the specific services that internal systems are authorized for public Internet access.
All the rules use <literal>quick</literal> and specify the
appropriate port numbers and, where applicable, destination
addresses.</para>
<para>The inbound section blocks undesirable packets first, for
two different reasons. The first is that malicious packets
may be partial matches for legitimate traffic. These packets
have to be discarded rather than allowed, based on their
partial matches against the <literal>allow</literal> rules.
The second reason is that known and uninteresting rejects may
be blocked silently, rather than being logged by the last rule
in the section.</para>
<programlisting># interface facing Internet (outbound)
# Matches session start requests originating from or behind the
# firewall, destined for the Internet.
<para>The ruleset should ensure that there is no response
returned for any undesirable traffic. Invalid packets should
be silently dropped so that the attacker has no knowledge if
the packets reached the system. Rules that include a
<literal>log first</literal> option, will only log the event
the first time they are triggered. This option is included in
the sample <literal>nmap OS fingerprint</literal> rule. The
<package>security/nmap</package> utility is
commonly used by attackers who attempt to identify the
operating system of the server.</para>
<para>Any time there are logged messages on a rule with
the <literal>log first</literal> option,
<command>ipfstat -hio</command> should be executed
to evaluate how many times the rule has been matched. A
large number of matches usually indicates that the system is
being flooded or is under attack.</para>
<para>To lookup unknown port numbers, refer to
<filename>/etc/services</filename>. Alternatively, visit <uri
xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
and do a port number lookup to find the purpose of a
particular port number.</para>
<para>Check out this link for port numbers used by Trojans <uri
xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
<para>The following ruleset creates an
<literal>inclusive</literal> firewall ruleset which can be
easily customized by commenting out
<literal>pass</literal> rules for services that should not
be authorized.</para>
<para>To avoid logging unwanted messages, add a
<literal>block</literal> rule in the inbound section.</para>
<para>Change the <filename>dc0</filename> interface name in
every rule to the interface name that connects the system to
the public Internet.</para>
<para>The following statements were added to
<filename>/etc/ipf.rules</filename>:</para>
<programlisting>#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN
#################################################################
#pass out quick on xl0 all
#pass in quick on xl0 all
#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all
#################################################################
# Interface facing Public Internet (Outbound Section)
# Match session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
pass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state
# Allow outbound access to public DNS servers.
# Replace x.x.x. with address listed in /etc/resolv.conf.
# Repeat for each DNS server.
pass out quick on dc0 proto tcp from any to x.x.x. port = 53 flags S keep state
pass out quick on dc0 proto udp from any to xxx port = 53 keep state
# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for 'user ppp' type connection to the
# public Internet, so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule &amp; delete first rule
# Allow access to ISP's specified DHCP server for cable or DSL networks.
# Use the first rule, then check log for the IP address of DHCP server.
# Then, uncomment the second rule, replace z.z.z.z with the IP address,
# and comment out the first rule
pass out log quick on dc0 proto udp from any to any port = 67 keep state
#pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state
# Allow out non-secure standard www function
# Allow HTTP and HTTPS
pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
# Allow out secure www function https over TLS SSL
pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
# Allow out send &amp; get email function
# Allow email
pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
# Allow out Time
# Allow NTP
pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
# Allow out nntp news
pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
# Allow out gateway &amp; LAN users' non-secure FTP ( both passive &amp; active modes)
# This function uses the IP<acronym>NAT</acronym> built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
# Allow FTP
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
# Allow out ssh/sftp/scp (telnet/rlogin/FTP replacements)
# This function is using SSH (secure shell)
# Allow SSH
pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state
# Allow out insecure Telnet
pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state
# Allow out FreeBSD CVSup
pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state
# Allow out ping to public Internet
# Allow ping
pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
# Allow out whois from LAN to public Internet
pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state
# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule implements the default block
block out log first quick on dc0 all
#################################################################
# Interface facing Public Internet (Inbound Section)
# Match packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################
# Block and log everything else
block out log first quick on dc0 all</programlisting>
<para>This example of the rules in the inbound section of the
public interface blocks all undesirable packets first.
This reduces the number of packets that are
logged by the last rule.</para>
<programlisting># interface facing Internet (inbound)
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on dc0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on dc0 from 172.16.0.0/12 to any #RFC 1918 private IP
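Review bot: the new comment "# Allow NTP" above "pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state" is incorrect: TCP port 37 is the Time protocol (RFC 868), while NTP uses UDP port 123; either keep the original "# Allow out Time" wording or change the rule to "proto udp ... port = 123" if NTP is what is meant. The DNS placeholders are also inconsistent: the new TCP rule uses "x.x.x." (three octets with a trailing dot) and its comment says "Replace x.x.x. with address listed in /etc/resolv.conf", while the UDP rule on the next line still uses "xxx"; use one form, "x.x.x.x", in both rules and the comment, as the inbound web server rule already does. Finally, "the specific services that internal systems are authorized for public Internet access" does not parse; suggest "the specific services that internal systems are authorized to access on the public Internet".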
@ -2191,67 +2100,52 @@ block in quick on dc0 from 192.0.2.0/24 to any #reserved for docs
block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on dc0 from 224.0.0.0/3 to any #Class D &amp; E multicast
##### Block a bunch of different nasty things. ############
# That I do not want to see in the log
# Block frags
# Block fragments and too short tcp packets
block in quick on dc0 all with frags
# Block short tcp packets
block in quick on dc0 proto tcp all with short
# block source routed packets
block in quick on dc0 all with opt lsrr
block in quick on dc0 all with opt ssrr
# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
# Block OS fingerprint attempts and log first occurrence
block in log first quick on dc0 proto tcp from any to any flags FUP
# Block anything with special options
block in quick on dc0 all with ipopts
# Block public pings
# Block public pings and ident
block in quick on dc0 proto icmp all icmp-type 8
# Block ident
block in quick on dc0 proto tcp from any to any port = 113
# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
# Block incoming Netbios services
block in log first quick on dc0 proto tcp/udp from any to any port = 137
block in log first quick on dc0 proto tcp/udp from any to any port = 138
block in log first quick on dc0 proto tcp/udp from any to any port = 139
block in log first quick on dc0 proto tcp/udp from any to any port = 81
block in log first quick on dc0 proto tcp/udp from any to any port = 81</programlisting>
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it is the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# 'user ppp' type connection to the public Internet.
# This is the same IP address you captured and
# used in the outbound section.
<para>Any time there are logged messages on a rule with
the <literal>log first</literal> option, run
<command>ipfstat -hio</command>
to evaluate how many times the rule has been matched. A
large number of matches may indicate that the system is
under attack.</para>
<para>The rest of the rules in the inbound section define which
connections are allowed to be initiated from the Internet.
The last rule denies all connections which were not explicitly
allowed by previous rules in this section.</para>
<programlisting>
# Allow traffic in from ISP's DHCP server. Replace z.z.z.z with
# the same IP address used in the outbound section.
pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state
# Allow in standard www function because I have apache server
pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
# Allow public connections to specified internal web server
pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state
# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
#pass in quick on dc0 proto tcp from any to any port = 23 flags S keep state
# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state
# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence avoids filling up disk with Denial of Service logs.
# This rule implements the default block.
block in log first quick on dc0 all
################### End of rules file #####################################</programlisting>
# Block and log only first occurrence of all remaining traffic.
block in log first quick on dc0 all</programlisting>
</sect2>
<sect2 xml:id="firewalls-ipf-rules-script">
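Review bot: with the old comment "# Block MS/Windows hosts2 name server requests 81" removed, the "block in log first quick on dc0 proto tcp/udp from any to any port = 81" rule now sits directly under "# Block incoming Netbios services", which is misleading since port 81 is not a NetBIOS port; restore a one-line comment for port 81 or drop the rule if it is no longer wanted. The new <programlisting> for the allowed inbound connections opens with a blank line before "# Allow traffic in from ISP's DHCP server", which renders as an empty first line; the other listings in this section start their content directly after the tag. The inbound SSH rule "pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state" appears to have lost its comment in the rewrite; a short "# Allow SSH" comment would keep it consistent with the outbound section.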