From: Redmond Militante (r-militante_at_northwestern.edu)
Date: Mon Feb 10 2003 - 18:22:56 CST


    hi all
    i've been trying to set up an ipf/ipnat gateway machine, to protect an internal network of two machines: webserver and a mysql server. i've been having some problems.
    my gateway machine has two nics - an external and internal nic. the internal nic is hooked up to a switch. the switch is hooked up to client machines on the internal network

    /etc/rc.conf on the gateway
    -------
    ifconfig_lo0="inet 127.0.0.1"
    ifconfig_xl0="inet 129.x.x.35 netmask 255.255.255.0"
    network_interfaces="xl0 xl1 lo0"
    #aliasing herald's ip to the outside nic of gateway box
    ifconfig_xl0_alias0="inet 129.x.x.6 netmask 255.255.255.255"
    #inside nic of gateway box
    ifconfig_xl1="inet 192.168.1.1 netmask 255.255.255.0"
    ipfilter_enable="YES"
    ipfilter_flags=""
    ipfilter_rules="/etc/ipf.rules"
    ipmon_enable="YES"
    ipmon_flags="-Dsvn"
    ipnat_enable="YES"
    ipnat_rules="/etc/ipnat.rules"
    icmp_drop_redirects="YES"
    gateway_enable="YES"
    -------

    kernel on gateway compiled with
    -------
    options IPFILTER
    options IPFILTER_LOG
    options IPFILTER_DEFAULT_BLOCK
    -------

    /etc/ipf.rules on gateway
    -------
    #################################################################
    # Outside Interface
    #################################################################
     
    #----------------------------------------------------------------
    # Allow out all TCP, UDP, and ICMP traffic & keep state on it
    # so that it's allowed back in.
    #
    # If you wanted to do egress filtering...here's where you'd do it.
    # You'd change the lines below so that rather than allowing out any
    # arbitrary TCP connection, it would only allow out mail, pop3, and http
    # connections (for example). So, the first line, below, would be
    # replaced with:
    # pass out quick on xl0 proto tcp from any to any port = 25 keep state
    # pass out quick on xl0 proto tcp from any to any port = 110 keep state
    # pass out quick on xl0 proto tcp from any to any port = 80 keep state
    # ...and then do the same for the remaining lines so that you allow
    # only specified protocols/ports 'out' of your network
    #----------------------------------------------------------------
    pass out quick on xl0 proto tcp from any to any keep state
    pass out quick on xl0 proto udp from any to any keep state
    pass out quick on xl0 proto icmp from any to any keep state
    block out quick on xl0 all
     
    #-----------------------------------------------------------------------
    # Block all inbound traffic from non-routable or reserved address spaces
    #-----------------------------------------------------------------------
    block in log quick on xl0 from 192.168.0.0/16 to any #RFC 1918 private IP
    block in log quick on xl0 from 172.16.0.0/12 to any #RFC 1918 private IP
    block in log quick on xl0 from 10.0.0.0/8 to any #RFC 1918 private IP
    block in log quick on xl0 from 127.0.0.0/8 to any #loopback
    block in log quick on xl0 from 0.0.0.0/8 to any #loopback
    block in log quick on xl0 from 169.254.0.0/16 to any #DHCP auto-config
    block in log quick on xl0 from 192.0.2.0/24 to any #reserved for doc's
    block in log quick on xl0 from 204.152.64.0/23 to any #Sun cluster interconnect
    block in quick on xl0 from 224.0.0.0/3 to any #Class D & E multicast
     
    #----------------------------------------------------------------
    # Allow bootp traffic in from your ISP's DHCP server only.
    #----------------------------------------------------------------
    pass in quick on xl0 proto udp from 129.105.49.1/32 to any port = 53 keep state
    pass in quick on xl0 proto udp from 129.105.49.10/32 to any port = 68 keep state
    #----------------------------------------------------------------
    # If you wanted to set up a web server or mail server on your box
    # (which is outside the scope of this howto), or allow another system
    # on the Internet to externally SSH into your firewall, you'd want to
    # uncomment the following lines and modify as appropriate. If you
    # have other services running that you need to allow external access
    # to, just add more lines using these as examples.
    #
    # If the services are on a box on your internal network (rather than
    # the firewall itself), you'll have to add both the filter listed below,
    # plus a redirect rule in your /etc/ipnat.rules file.
    #----------------------------------------------------------------
    #the following allows httpd traffic, smtp, sendmail, ftp and webmin traffic
    pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 80 flags S keep state keep frags
    pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state keep frags
    pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state keep frags
    pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 21 flags S keep state keep frags
    pass in quick on xl0 proto tcp from any to any port = 443 flags S keep state
    pass in quick on xl0 proto tcp from any to any port = 3306 flags S keep state
    pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 10000 flags S keep state keep frags
    pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port > 1023 flags S keep state
    pass in quick on xl0 proto tcp from 129.x.x.32/24 to any keep state
    pass in quick on xl0 proto udp from 129.x.x.32/24 to any keep state

    #----------------------------------------------------------------
    # Block and log all remaining traffic coming into the firewall
    # - Block TCP with a RST (to make it appear as if the service
    # isn't listening)
    # - Block UDP with an ICMP Port Unreachable (to make it appear
    # as if the service isn't listening)
    # - Block all remaining traffic the good 'ol fashioned way
    #----------------------------------------------------------------
    block return-rst in log quick on xl0 proto tcp from any to any
    block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
    block in log quick on xl0 all
     
    #################################################################
    # Inside Interface
    #################################################################
     
    #----------------------------------------------------------------
    # Allow out all TCP, UDP, and ICMP traffic & keep state
    #----------------------------------------------------------------
    pass out quick on xl1 proto tcp from any to any keep state
    pass out quick on xl1 proto udp from any to any keep state
    pass out quick on xl1 proto icmp from any to any keep state
    block out quick on xl1 all
     
    #----------------------------------------------------------------
    # Allow in all TCP, UDP, and ICMP traffic & keep state
    #----------------------------------------------------------------
    pass in quick on xl1 proto tcp from any to any keep state
    pass in quick on xl1 proto udp from any to any keep state
    pass in quick on xl1 proto icmp from any to any keep state
    block in quick on xl1 all
     
    #################################################################
    # Loopback Interface
    #################################################################
     
    #----------------------------------------------------------------
    # Allow everything to/from your loopback interface so you
    # can ping yourself (e.g. ping localhost)
    #----------------------------------------------------------------
    pass in quick on lo0 all
    pass out quick on lo0 all

    /etc/ipnat.rules on gateway
    -------
    #--------------------------------------------------------------------
    # Do 'normal' IP address translation. This line will take all packets
    # going out on your external NIC (ed0) that have a source address coming
    # from your internal network (192.168.1.0), and translate it to whatever
    # IP address your external NIC happens to have at that time
    #--------------------------------------------------------------------
    map xl0 192.168.1.0/24 -> 0/32
    map xl0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp

    #--------------------------------------------------------------------
    # If you have a system on your internal network that needs to be
    # 'reachable' by external systems on the internet, you'll need a rule
    # similar to the one below. This one takes all inbound http traffic
    # (TCP port 80) that hits the firewall's external interface (xl0) and
    # redirects it to port 80 on the 192.168.1.50 system on the internal network.
    # Simply uncomment the rule, change the IP address and port number so that
    # it does what you need. Remember that you have to enable the corresponding
    # inbound filter in your /etc/ipf.rules file, too.
    #--------------------------------------------------------------------

    rdr xl0 0.0.0.0/0 port 21 -> 192.168.1.50 port 21 tcp
    rdr xl0 0.0.0.0/0 port 22 -> any port 22 tcp
    rdr xl0 0.0.0.0/0 port 25 -> any port 25 tcp
    rdr xl0 0.0.0.0/0 port 80 -> 192.168.1.50 port 80 tcp
    rdr xl0 0.0.0.0/0 port 10000 -> 192.168.1.50 port 10000 tcp
    rdr xl0 0.0.0.0/0 port > 1023 -> 192.168.1.50 port > 1023 tcp
    rdr xl0 0.0.0.0/0 port 3306 -> any port 3306 tcp
    rdr xl0 129.x.x.32/24 -> any tcp
    rdr xl0 129.x.x.32/24 -> any udp
    -------

    /etc/sysctl.conf on gateway
    -------
    net.inet.tcp.blackhole=2
    net.inet.udp.blackhole=1
    -------

    i've managed to get it nat'ing one machine so far, the webserver. the public ip of the webserver is aliased to the external nic on the gateway machine. httpd and ftp work ok behind the gateway box. i have many questions, however. the first being why - despite the firewall rules i have in place on the gateway, when i nmap the public ip of the webserver it shows me all sorts of ports being open. i can't make out from my gateway configuration where this is happening.

    any advice would be appreciated

    thanks
    redmond

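The post does not trace which rule each probe lands on. As an added example (not the poster's configuration and not an IPFilter tool), here is a first-match walk over a constructed subset of the inbound xl0 rules quoted above, the kind of check used to audit which `quick` rule a given inbound SYN hits. It assumes the placeholder 129.0.0.32/24 for the post's masked 129.x.x.32/24, and that the destination passed in is the post-NAT address, since ipnat rdr is applied before the inbound filter.

```python
import ipaddress
# Constructed subset of the posted inbound xl0 rules, in the post's order; every
# rule is "quick", so ipf stops at the first match.  Placeholder 129.0.0.32/24
# stands in for the post's masked 129.x.x.32/24.
RULESET = """
block in log quick on xl0 from 192.168.0.0/16 to any
block in log quick on xl0 from 10.0.0.0/8 to any
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port = 80 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 3306 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.1.50/24 port > 1023 flags S keep state
pass in quick on xl0 proto tcp from 129.0.0.32/24 to any keep state
block return-rst in log quick on xl0 proto tcp from any to any
block in log quick on xl0 all
"""
def parse_rule(line):
    """Parse the ipf syntax subset used in the post into a dict."""
    t = line.split()
    r = {"action": t[0], "proto": None, "src": "any", "dst": "any", "port": None}
    i = 1
    while i < len(t):
        if t[i] in ("proto", "from", "to"):
            r[{"proto": "proto", "from": "src", "to": "dst"}[t[i]]] = t[i + 1]
            i += 2
        elif t[i] == "port":            # "port = 80" or "port > 1023"
            r["port"] = (t[i + 1], int(t[i + 2]))
            i += 3
        else:                           # in, log, quick, on xl0, flags S, keep ...
            i += 1
    return r

def _in_net(addr, net):
    # strict=False reads the post's "192.168.1.50/24" as the whole 192.168.1.0/24
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(r, proto, src, dst, dport):
    if r["proto"] not in (None, proto) or not (_in_net(src, r["src"]) and _in_net(dst, r["dst"])):
        return False
    if r["port"] is None:
        return True
    op, n = r["port"]
    return dport == n if op == "=" else dport > n

def first_match(rules, proto, src, dst, dport):
    """First (index, action) hit by an inbound packet; dst is post-NAT (rdr runs first)."""
    for i, r in enumerate(rules):
        if matches(r, proto, src, dst, dport):
            return i, r["action"]
    return None
RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
```

A SYN to a high port that rdr has already rewritten to 192.168.1.50 is passed by the `port > 1023` rule, and anything sourced from the 129.0.0.32/24 placeholder is passed by the subnet rule before the closing `block return-rst` is reached.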
