causalities
November 20th, 2003, 00:01
Hey all, i'm currently using FBSD 5.0 and I've just compiled ipfilter into my kernel. I'm still trying to get a hang of FBSD, and even tho i'm getting huge headaches over it, i believe once i've gotten the hang of it, it will serve me much better than a Windoze box. But meanwhile, sorry for being such a n00b. :oops:
My FBSD box is my router and i'm sharing my broadband with other computers on my network. Basically I'd like to be able to access mail (from my isp's pop), web browsing, icq, msn, irc, eyeball (video conferencing), kazaa (and other gnutellas), games (wc3 etc). So I'm guessing my firewall wont be "that" secure? Erm, if anyone has or knows of a ruleset already set up with most of this, it might save me some time? If not, this is what i have so far.
I've created the following two files /etc/ipf.rules : /etc/ipnat.rules. However, I'm not so sure they are working. I've run:
ipf -E #just in case it wasn't up#
ipf -Fa -f /etc/ipf.rules #as describe at http://www.obfuscation.org/ipf/ipf-howto.txt#.
ipnat -CF -f /etc/ipnat.rules #source same as above#
Next when I use ipfstat
the results dont show any packets being blocked. Even though ipf is running and the new ruleset was loaded.
Here are both my ipf.rules and ipnat.rules.
thanks in advance for anybody's help....
*********************ipf.rules*******************
################################################## ###############
# Outside Interface
################################################## ###############
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example). So, the first line, below, would be
# replaced with:
# pass out quick on rl0 proto tcp from any to any port = 25 keep state
# pass out quick on rl0 proto tcp from any to any port = 110 keep state
# pass out quick on rl0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------
pass out quick on rl0 proto tcp from any to any keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
block out quick on rl0 all
#WarCraft III rules
pass in quick on rl0 proto tcp from any to any port = 6112 flags S/SA keep state
pass out quick on rl0 proto tcp from any to any port = 6112 flags S/SA keep state
pass in quick on rl0 proto tcp from any to any port 6113 >< 6119 flags S/SA keep state
pass out quick on rl0 proto tcp from any to any port 6113 >< 6119 flags S/SA keep state
#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
block in log quick on rl0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in log quick on rl0 from 172.16.0.0/12 to any #RFC 1918 private IP
#block in log quick on rl0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in log quick on rl0 from 127.0.0.0/8 to any #loopback
block in log quick on rl0 from 0.0.0.0/8 to any #loopback
block in log quick on rl0 from 169.254.0.0/16 to any #DHCP auto-config
block in log quick on rl0 from 192.0.2.0/24 to any #reserved for doc's
block in log quick on rl0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on rl0 from 224.0.0.0/3 to any #Class D & E multicast
#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
#----------------------------------------------------------------
pass in quick on rl0 proto udp from X.X.X.X/32 to any port = 68 keep state
#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
# as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
block in log quick on rl0 all
################################################## ###############
# Inside Interface
################################################## ###############
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on rl1 proto tcp from any to any keep state
pass out quick on rl1 proto udp from any to any keep state
pass out quick on rl1 proto icmp from any to any keep state
block out quick on rl1 all
#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on rl1 proto tcp from any to any keep state
pass in quick on rl1 proto udp from any to any keep state
pass in quick on rl1 proto icmp from any to any keep state
block in quick on rl1 all
################################################## ###############
# Loopback Interface
################################################## ###############
#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
******************ipnat.rules below****************************
#--------------------------------------------------------------------
# Do 'normal' IP address translation. This line will take all packets
# going out on your external NIC (ed0) that have a source address coming
# from your internal network (192.168.1.0), and translate it to whatever
# IP address your external NIC happens to have at that time
#--------------------------------------------------------------------
map ed0 192.168.0.0/24 -> 0/32
#--------------------------------------------------------------------
# If you have a system on your internal network that needs to be
# 'reachable' by external systems on the internet, you'll need a rule
# similar to the one below. This one takes all inbound http traffic
# (TCP port 80) that hits the firewall's external interface (ed0) and
# redirects it to port 80 on the 192.168.1.50 system on the internal network.
# Simply uncomment the rule, change the IP address and port number so that
# it does what you need. Remember that you have to enable the corresponding
# inbound filter in your /etc/ipf.rules file, too.
#--------------------------------------------------------------------
# rdr ed0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp
rdr ed0 0.0.0.0/0 port 6112 -> 192.168.0.5 port 6112
rdr ed0 0.0.0.0/0 port 6113 -> 192.168.0.5 port 6113
rdr ed0 0.0.0.0/0 port 6114 -> 192.168.0.5 port 6114
rdr ed0 0.0.0.0/0 port 6115 -> 192.168.0.5 port 6115
rdr ed0 0.0.0.0/0 port 6116 -> 192.168.0.5 port 6116
rdr ed0 0.0.0.0/0 port 6117 -> 192.168.0.5 port 6117
rdr ed0 0.0.0.0/0 port 6118 -> 192.168.0.5 port 6118
rdr ed0 0.0.0.0/0 port 6119 -> 192.168.0.5 port 6119
My FBSD box is my router and i'm sharing my broadband with other computers on my network. Basically I'd like to be able to access mail (from my isp's pop), web browsing, icq, msn, irc, eyeball (video conferencing), kazaa (and other gnutellas), games (wc3 etc). So I'm guessing my firewall wont be "that" secure? Erm, if anyone has or knows of a ruleset already set up with most of this, it might save me some time? If not, this is what i have so far.
I've created the following two files /etc/ipf.rules : /etc/ipnat.rules. However, I'm not so sure they are working. I've run:
ipf -E #just in case it wasn't up#
ipf -Fa -f /etc/ipf.rules #as describe at http://www.obfuscation.org/ipf/ipf-howto.txt#.
ipnat -CF -f /etc/ipnat.rules #source same as above#
Next when I use ipfstat
the results dont show any packets being blocked. Even though ipf is running and the new ruleset was loaded.
Here are both my ipf.rules and ipnat.rules.
thanks in advance for anybody's help....
*********************ipf.rules*******************
################################################## ###############
# Outside Interface
################################################## ###############
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example). So, the first line, below, would be
# replaced with:
# pass out quick on rl0 proto tcp from any to any port = 25 keep state
# pass out quick on rl0 proto tcp from any to any port = 110 keep state
# pass out quick on rl0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------
pass out quick on rl0 proto tcp from any to any keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
block out quick on rl0 all
#WarCraft III rules
pass in quick on rl0 proto tcp from any to any port = 6112 flags S/SA keep state
pass out quick on rl0 proto tcp from any to any port = 6112 flags S/SA keep state
pass in quick on rl0 proto tcp from any to any port 6113 >< 6119 flags S/SA keep state
pass out quick on rl0 proto tcp from any to any port 6113 >< 6119 flags S/SA keep state
#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
block in log quick on rl0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in log quick on rl0 from 172.16.0.0/12 to any #RFC 1918 private IP
#block in log quick on rl0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in log quick on rl0 from 127.0.0.0/8 to any #loopback
block in log quick on rl0 from 0.0.0.0/8 to any #loopback
block in log quick on rl0 from 169.254.0.0/16 to any #DHCP auto-config
block in log quick on rl0 from 192.0.2.0/24 to any #reserved for doc's
block in log quick on rl0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on rl0 from 224.0.0.0/3 to any #Class D & E multicast
#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
#----------------------------------------------------------------
pass in quick on rl0 proto udp from X.X.X.X/32 to any port = 68 keep state
#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
# as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
block in log quick on rl0 all
################################################## ###############
# Inside Interface
################################################## ###############
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on rl1 proto tcp from any to any keep state
pass out quick on rl1 proto udp from any to any keep state
pass out quick on rl1 proto icmp from any to any keep state
block out quick on rl1 all
#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on rl1 proto tcp from any to any keep state
pass in quick on rl1 proto udp from any to any keep state
pass in quick on rl1 proto icmp from any to any keep state
block in quick on rl1 all
################################################## ###############
# Loopback Interface
################################################## ###############
#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
******************ipnat.rules below****************************
#--------------------------------------------------------------------
# Do 'normal' IP address translation. This line will take all packets
# going out on your external NIC (ed0) that have a source address coming
# from your internal network (192.168.1.0), and translate it to whatever
# IP address your external NIC happens to have at that time
#--------------------------------------------------------------------
map ed0 192.168.0.0/24 -> 0/32
#--------------------------------------------------------------------
# If you have a system on your internal network that needs to be
# 'reachable' by external systems on the internet, you'll need a rule
# similar to the one below. This one takes all inbound http traffic
# (TCP port 80) that hits the firewall's external interface (ed0) and
# redirects it to port 80 on the 192.168.1.50 system on the internal network.
# Simply uncomment the rule, change the IP address and port number so that
# it does what you need. Remember that you have to enable the corresponding
# inbound filter in your /etc/ipf.rules file, too.
#--------------------------------------------------------------------
# rdr ed0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp
rdr ed0 0.0.0.0/0 port 6112 -> 192.168.0.5 port 6112
rdr ed0 0.0.0.0/0 port 6113 -> 192.168.0.5 port 6113
rdr ed0 0.0.0.0/0 port 6114 -> 192.168.0.5 port 6114
rdr ed0 0.0.0.0/0 port 6115 -> 192.168.0.5 port 6115
rdr ed0 0.0.0.0/0 port 6116 -> 192.168.0.5 port 6116
rdr ed0 0.0.0.0/0 port 6117 -> 192.168.0.5 port 6117
rdr ed0 0.0.0.0/0 port 6118 -> 192.168.0.5 port 6118
rdr ed0 0.0.0.0/0 port 6119 -> 192.168.0.5 port 6119