From: Carsten Menke (bootsy52 gmx.net)
Date: Wed Dec 05 2001 - 19:51:12 CST
Jedi/Sector One wrote:
>
> On Mon, Dec 03, 2001 at 11:46:12PM +0100, Carsten Menke wrote:
> > how to get
> > ftp-proxy working with a strong ruleset (I mean a very restrictive,
> > secure ruleset).
>
> If it can help, here's the ruleset of my nat gateway. Just change the two
> lines below "Outgoing connections from the internal network" to only allow
> some ports if you want your internal network to only access http and ftp.
>
Thanx for that one, I modified it a little bit and it works. I also decided not to be too restrictive about connections from the internal LAN to the firewall. (I had this done before, so that only connections to the gateway are allowed, which actually go out.)

The crucial point was in fact that the ports > 49151 have to be open, and ftp-proxy does not create a state entry. Before, I assumed that ftp-proxy creates a state entry and simply opened 21,20 and thought it would work. Funny also that it works now also without ftp-proxy. It is sufficient to have the possibility to use ftp in passive mode, so that's why I don't open the ports > 49151 in. As far as I know, browsers always do passive mode, or at least on my machine.
Thanx Jedi/Sector, and all who talked about that here for your input(s).
Carsten
So here is my working ruleset (Maybe anybody cares)
################ HEAD VARIABLES #############################################
nic_int=xl1
nic_ext=tun0
# outgoing TCP: the usual client services plus the high ports needed for passive ftp data connections
open_ports="{ 21,22,25,80,110,119,443,6346,6347,49151 >< 65535 }"
open_ports_udp="{ 53 }"
# server_ports="{ 49151 >< 65535 }" # Here used for active ftp
# server_ports_udp="{ }"
internal_net="192.168.0.0/16"
# addresses that must never appear on the external interface (spoofed / private ranges)
denied_ext_ips="{\
255.255.255.255/32,\
192.168.0.0/16,\
172.16.0.0/12,\
10.0.0.0/8,\
0.0.0.0\
}"
################## BEGIN RULESET ##############################################
################## Blocking Spoofed and Auth ##################################
block in quick on $nic_ext from any to $denied_ext_ips
block in quick on $nic_ext from $denied_ext_ips to any
block out quick on $nic_ext from any to $denied_ext_ips
# answer ident (auth) probes with a RST so remote servers do not wait for a timeout
block return-rst in proto tcp from any to $nic_ext port = 113
###############################################################################
scrub in on { $nic_ext,$nic_int } all
################## LOOPBACK DEVICE ############################################
pass in quick on lo0 all
pass out quick on lo0 all
################## EXTERNAL NIC ###############################################
# each rule must be on one line (a wrapped rule is a syntax error in pf.conf)
pass out quick on $nic_ext proto udp from $nic_ext to any port $open_ports_udp keep state
pass out quick on $nic_ext proto tcp from $nic_ext to any port $open_ports flags S/SA keep state
################# SERVICES ####################################################
# pass in quick on $nic_ext proto udp from any to $nic_ext port $server_ports_udp keep state
# pass in quick on $nic_ext proto tcp from any to $nic_ext port $server_ports flags S/SA keep state
################## END ########################################################
# default deny: everything on the external interface not matched above is blocked and logged
block in log on $nic_ext all
block out log on $nic_ext all
-- Registered Linux User #228992
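The point of the thread, that passive-mode ftp only needs the outgoing high-port range while active mode would need an inbound rule, is easier to see by running a few constructed flows through a first-match model of the posted policy. The Python below is an added example, not code from the original post or from pf; it models only the external-interface rules that matter here (outgoing TCP to $open_ports with keep state, the commented-out inbound $server_ports rule, and the trailing block-all), and the gateway address, server address and passive data port are constructed values.

```python
# Added example: a minimal first-match model of the pf decisions relevant to
# the ftp discussion. Not pf itself; addresses and ports below are constructed.
from dataclasses import dataclass

NIC_EXT = "tun0"                                      # $nic_ext in the posted ruleset
OPEN_PORTS = {21, 22, 25, 80, 110, 119, 443, 6346, 6347}
HIGH_PORTS = range(49152, 65535)                      # pf "49151 >< 65535" excludes both ends

GATEWAY = "203.0.113.2"    # constructed address of the tun0 interface
SERVER = "198.51.100.10"   # constructed ftp server


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str      # "in" or "out"
    proto: str
    src: tuple          # (ip, port)
    dst: tuple          # (ip, port)
    syn_only: bool      # first packet of a TCP connection (what "flags S/SA" matches)


class StateTable:
    """Connections created by 'keep state'; later packets of a connection bypass the rules."""

    def __init__(self):
        self.states = set()

    @staticmethod
    def key(pkt):
        # normalise endpoint order so the server's reply matches the client's entry
        return (pkt.proto, *sorted([pkt.src, pkt.dst]))

    def matches(self, pkt):
        return self.key(pkt) in self.states

    def add(self, pkt):
        self.states.add(self.key(pkt))


def port_allowed_out(port, high_ports_open=True):
    # high_ports_open=False reproduces the poster's first attempt (only 21,20 opened)
    return port in OPEN_PORTS or (high_ports_open and port in HIGH_PORTS)


def decide(pkt, table, high_ports_open=True):
    """Return 'pass' or 'block' for one packet on the external interface."""
    if table.matches(pkt):
        return "pass"                 # existing state, no rule lookup needed
    if pkt.iface != NIC_EXT:
        return "pass"                 # only the external interface is modelled
    # pass out quick on $nic_ext proto tcp from $nic_ext to any port $open_ports flags S/SA keep state
    if (pkt.direction == "out" and pkt.proto == "tcp" and pkt.syn_only
            and port_allowed_out(pkt.dst[1], high_ports_open)):
        table.add(pkt)
        return "pass"
    # the inbound $server_ports rule is commented out, so no rule opens inbound
    # TCP and the trailing "block in/out log on $nic_ext all" wins
    return "block"


def ftp_session(passive, high_ports_open=True):
    """Run the control connection plus one data connection; return each decision."""
    table = StateTable()
    results = {}
    # control connection: client on the gateway -> server port 21
    ctl = Packet(NIC_EXT, "out", "tcp", (GATEWAY, 50001), (SERVER, 21), True)
    results["control"] = decide(ctl, table, high_ports_open)
    # the server's SYN/ACK is matched by the state entry, not by any rule
    reply = Packet(NIC_EXT, "in", "tcp", (SERVER, 21), (GATEWAY, 50001), False)
    results["control_reply"] = decide(reply, table, high_ports_open)
    if passive:
        # PASV: the client opens the data connection to a high port chosen by the server
        data = Packet(NIC_EXT, "out", "tcp", (GATEWAY, 50002), (SERVER, 51234), True)
    else:
        # PORT: the server opens the data connection from port 20 back to the client
        data = Packet(NIC_EXT, "in", "tcp", (SERVER, 20), (GATEWAY, 50002), True)
    results["data"] = decide(data, table, high_ports_open)
    return results


if __name__ == "__main__":
    print("passive:", ftp_session(True))
    print("active: ", ftp_session(False))
    print("passive, high ports closed:", ftp_session(True, high_ports_open=False))
```

Passive mode passes on all three packets; active mode fails on the data connection because nothing admits inbound TCP; and with the high-port range removed from the outgoing list the passive data connection is blocked too, which is the symptom the poster describes before opening ports > 49151.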