NetBSD: IpFilter configuration for LAN and PPP0


This post is not meant to be a well-implemented firewall for you. It only reflects my tests and my preliminary configuration for IpFilter. I don’t know much about firewalls, or about ipfilter in particular, so… use this at your own risk.

The problem:

I use my laptop on the move. What does that mean? The laptop gets connected to several networks via DHCP, and also to a 3G modem using ppp0. So the firewall solution has to be smart enough to know whether the laptop is connected through ppp0 or through the ethernet card (wm0).

The solution:

Two configurations: one for the ‘wm0’ interface and another one for ppp0. IpFilter reads its rules from ‘/etc/ipf.conf’. When the 3G modem is used, the ‘/etc/ppp/ip-up’ script replaces ‘/etc/ipf.conf’ with a symlink to the ‘ppp0’ version. When the ethernet card is used, the ‘/etc/dhclient-exit-hooks’ script (run automatically by the dhclient daemon) replaces ‘/etc/ipf.conf’ with a symlink to the ‘wm0’ rules.

So I need the following files/scripts:

/etc/ipf.conf.wm0
/etc/ipf.conf.ppp0
/etc/dhclient-exit-hooks
/etc/ppp/ip-up
/etc/ppp/ip-down

I must say the ipfilter rules are based on (in fact, are almost the same as) the following article I found on the internet:


http://linux.amazingdev.com/blog/archives/000191.html

Let’s go with them.

/etc/ipf.conf.wm0


#http://linux.amazingdev.com/blog/archives/000191.html

#Note1: wm0 is the interface name of the Nic card connected to the
#public internet.  Replace it with your interface name.

#Note2: this rule set may allow functions out and in which you may
#not have or want, just comment out those statements or delete them
#from the file.

#Note3. If you want to run an FTP server on your system that is
#accessible from the public internet, you must add the following rules.
#Only active mode remote FTP is allowed as passive mode needs all the
#high value port numbers open and this is a major security risk.

# Allow out active FTP data channel
pass out quick on wm0 proto tcp from any to any port = 20 flags S keep state

# Allow in active FTP control channel
pass in quick on wm0 proto tcp from any to any port = 21 flags S keep state

#################################################################
# For testing only,  Bypasses the rest of the rules or just in or out
#pass in  log quick on wm0 all
#pass out log quick on wm0 all
#log out quick on wm0 all
#################################################################

#################################################################
# No restrictions on Inside Lan Interface for private network
# Replace wm0 with the nic interface name of your Lan
#################################################################
# In this ruleset wm0 *is* the public interface (see Note1), so the
# template's "pass ... quick on wm0 all" lines must stay commented out:
# with "quick" they would match every packet on wm0 and make every rule
# below them unreachable, leaving the host unfiltered.
#pass out quick on wm0 all
#pass in  quick on wm0 all

#################################################################
# No restrictions on Loopback Interface
#################################################################

pass in  quick on lo0 all
pass out quick on lo0 all

#################################################################
# Interface facing Public internet  (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public internet.
#################################################################

# Allow out access to my ISP’s Domain name server.
# x.x.x.x must be the IP address of your ISP’s DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
#pass out quick on wm0 proto tcp from any to x.x.x.x port = 53 flags S keep state
#pass out quick on wm0 proto udp from any to x.x.x.x port = 53 keep state
pass out log quick on wm0 proto udp from any to any port = 53 keep state

# Allow out access to my ISP’s DHCP server for cable or DSL networks.
# This rule is not needed for ‘user ppp’ type connection to the
# public internet, so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
pass out quick on wm0 proto udp from any to any port = 67 keep state
#pass out quick on wm0 proto udp from any to x.x.x.x port = 67 keep state

# Allow out non-secure standard www function
pass out quick on wm0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on wm0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on wm0 proto tcp from any to any port = 25  flags S keep state
pass out quick on wm0 proto tcp from any to any port = 110 flags S keep state
# Mail SSL
pass out quick on wm0 proto tcp from any to any port = 465  flags S keep state
pass out quick on wm0 proto tcp from any to any port = 995 flags S keep state
# Mail Polarhome
pass out quick on wm0 proto tcp from any to any port = 995 flags S keep state

# Allow out Time
pass out quick on wm0 proto tcp from any to any port = 37 flags S keep state

# Allow out nntp news
pass out quick on wm0 proto tcp from any to any port = 119 flags S keep state

# Allow out gateway & LAN users non-secure passive & active modes FTP
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on wm0 proto tcp from any to any port = 21 flags S keep state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH  (secure shell)
pass out quick on wm0 proto tcp from any to any port = 22 flags S keep state

# Allow out non-secure Telnet
#pass out quick on wm0 proto tcp from any to any port = 23 flags S keep state

# Allow out FBSD CVSUP function
pass out quick on wm0 proto tcp from any to any port = 5999 flags S keep state

# Allow out all icmp to public Internet
pass out quick on wm0 proto icmp from any to any keep state

# Allow out all ident to public Internet
#block out quick on wm0 proto tcp from any to any port = 113

# Allow out whois for LAN PC to public Internet
pass out quick on wm0 proto tcp from any to any port = 43 flags S keep state

# block ports that show on log and are ok to stop logging
# Deny tcp port 81 – hosts2 name server.  winme is doing this.
block out quick on wm0 proto tcp from any to any port = 81

# Block and log only the first occurrence of everything
# else that’s trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on wm0 all

#################################################################
# Interface facing Public internet  (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
#block in quick on wm0 from 192.168.0.0/16  to any  #RFC 1918 private IP
block in quick on wm0 from 172.16.0.0/12    to any  #RFC 1918 private IP
block in quick on wm0 from 10.0.0.0/8          to any  #RFC 1918 private IP
block in quick on wm0 from 127.0.0.0/8        to any  #loopback
block in quick on wm0 from 0.0.0.0/8           to any  #loopback
block in quick on wm0 from 169.254.0.0/16  to any  #DHCP auto-config
block in quick on wm0 from 192.0.2.0/24      to any  #reserved for doc’s
block in quick on wm0 from 204.152.64.0/23 to any  #Sun cluster interconnect
block in quick on wm0 from 224.0.0.0/3        to any  #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I don’t want to see in the log
# Block frags
block in quick on wm0 all with frags

# Block short tcp packets
block in quick on wm0 proto tcp all with short

# block source routed packets
block in quick on wm0 all with opt lsrr
block in quick on wm0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on wm0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on wm0 all with ipopts

# Block public pings
block in quick on wm0 proto icmp all icmp-type 8

# Block ident
block in quick on wm0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on wm0 proto tcp/udp from any to any port = 137
block in log first quick on wm0 proto tcp/udp from any to any port = 138
block in log first quick on wm0 proto tcp/udp from any to any port = 139
block in log first quick on wm0 proto tcp/udp from any to any port = 81

# Allow traffic in from ISP’s DHCP server. This rule must contain
# the IP address of your ISP’s DHCP server as it’s the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# ‘user ppp’ type connection to the public internet.
# This is the same IP address you captured and
# used in the outbound section.
#pass in quick on wm0 proto udp from x.x.x.x to any port = 68 keep state

# Allow in standard www function because I have apache server
#pass in quick on wm0 proto tcp from any to any port = 80 flags S keep state

# Allow in Transmission Torrent
pass in quick on wm0 proto tcp from any to any port = 51413 flags S keep state

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public internet
# as clear text.
# Delete this sample group if you do not have telnet server enabled.
pass in quick on wm0 proto tcp from any to any port = 23 flags S keep state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH  (secure shell)
#pass in quick on wm0 proto tcp from any to any port = 22 flags S keep state

# Allow in email SMTP  from public Internet if commercial user
pass in quick on wm0 proto tcp from any to any port = 25 flags S keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a ‘denial of service’ attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on wm0 all

/etc/ipf.conf.ppp0


#http://linux.amazingdev.com/blog/archives/000191.html

#Note1: ppp0 is the interface name of the Nic card connected to the
#public internet.  Replace it with your interface name.

#Note2: this rule set may allow functions out and in which you may
#not have or want, just comment out those statements or delete them
#from the file.

#Note3. If you want to run an FTP server on your system that is
#accessible from the public internet, you must add the following rules.
#Only active mode remote FTP is allowed as passive mode needs all the
#high value port numbers open and this is a major security risk.

# Allow out active FTP data channel
pass out quick on ppp0 proto tcp from any to any port = 20 flags S keep state

# Allow in active FTP control channel
pass in quick on ppp0 proto tcp from any to any port = 21 flags S keep state

#################################################################
# For testing only,  Bypasses the rest of the rules or just in or out
#pass in  log quick on ppp0 all
#pass out log quick on ppp0 all
#log out quick on ppp0 all
#################################################################

#################################################################
# No restrictions on Inside Lan Interface for private network
# Replace wm0 with the nic interface name of your Lan
#################################################################

pass out quick on wm0 all
pass in  quick on wm0 all

#################################################################
# No restrictions on Loopback Interface
#################################################################

pass in  quick on lo0 all
pass out quick on lo0 all

#################################################################
# Interface facing Public internet  (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public internet.
#################################################################

# Allow out access to my ISP’s Domain name server.
# x.x.x.x must be the IP address of your ISP’s DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
#pass out quick on ppp0 proto tcp from any to x.x.x.x port = 53 flags S keep state
#pass out quick on ppp0 proto udp from any to x.x.x.x port = 53 keep state
pass out log quick on ppp0 proto udp from any to any port = 53 keep state

# Allow out access to my ISP’s DHCP server for cable or DSL networks.
# This rule is not needed for ‘user ppp’ type connection to the
# public internet, so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
pass out quick on ppp0 proto udp from any to any port = 67 keep state
#pass out quick on ppp0 proto udp from any to x.x.x.x port = 67 keep state

# Allow out non-secure standard www function
pass out quick on ppp0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on ppp0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on ppp0 proto tcp from any to any port = 25  flags S keep state
pass out quick on ppp0 proto tcp from any to any port = 110 flags S keep state
# Mail SSL
pass out quick on ppp0 proto tcp from any to any port = 465  flags S keep state
pass out quick on ppp0 proto tcp from any to any port = 995 flags S keep state
# Mail Polarhome
pass out quick on ppp0 proto tcp from any to any port = 995 flags S keep state

# Allow out Time
pass out quick on ppp0 proto tcp from any to any port = 37 flags S keep state

# Allow out nntp news
pass out quick on ppp0 proto tcp from any to any port = 119 flags S keep state

# Allow out gateway & LAN users non-secure passive & active modes FTP
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
#pass out quick on ppp0 proto tcp from any to any port = 21 flags S keep state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH  (secure shell)
#pass out quick on ppp0 proto tcp from any to any port = 22 flags S keep state

# Allow out non-secure Telnet
#pass out quick on ppp0 proto tcp from any to any port = 23 flags S keep state

# Allow out FBSD CVSUP function
pass out quick on ppp0 proto tcp from any to any port = 5999 flags S keep state

# Allow out all icmp to public Internet
pass out quick on ppp0 proto icmp from any to any keep state

# Allow out all ident to public Internet
#block out quick on ppp0 proto tcp from any to any port = 113

# Allow out whois for LAN PC to public Internet
pass out quick on ppp0 proto tcp from any to any port = 43 flags S keep state

# block ports that show on log and are ok to stop logging
# Deny tcp port 81 – hosts2 name server.  winme is doing this.
block out quick on ppp0 proto tcp from any to any port = 81

# Block and log only the first occurrence of everything
# else that’s trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on ppp0 all

#################################################################
# Interface facing Public internet  (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on ppp0 from 192.168.0.0/16  to any  #RFC 1918 private IP
block in quick on ppp0 from 172.16.0.0/12    to any  #RFC 1918 private IP
block in quick on ppp0 from 10.0.0.0/8          to any  #RFC 1918 private IP
block in quick on ppp0 from 127.0.0.0/8        to any  #loopback
block in quick on ppp0 from 0.0.0.0/8           to any  #loopback
block in quick on ppp0 from 169.254.0.0/16  to any  #DHCP auto-config
block in quick on ppp0 from 192.0.2.0/24      to any  #reserved for doc’s
block in quick on ppp0 from 204.152.64.0/23 to any  #Sun cluster interconnect
block in quick on ppp0 from 224.0.0.0/3        to any  #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I don’t want to see in the log
# Block frags
block in quick on ppp0 all with frags

# Block short tcp packets
block in quick on ppp0 proto tcp all with short

# block source routed packets
block in quick on ppp0 all with opt lsrr
block in quick on ppp0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on ppp0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on ppp0 all with ipopts

# Block public pings
block in quick on ppp0 proto icmp all icmp-type 8

# Block ident
block in quick on ppp0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on ppp0 proto tcp/udp from any to any port = 137
block in log first quick on ppp0 proto tcp/udp from any to any port = 138
block in log first quick on ppp0 proto tcp/udp from any to any port = 139
block in log first quick on ppp0 proto tcp/udp from any to any port = 81

# Allow traffic in from ISP’s DHCP server. This rule must contain
# the IP address of your ISP’s DHCP server as it’s the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# ‘user ppp’ type connection to the public internet.
# This is the same IP address you captured and
# used in the outbound section.
#pass in quick on ppp0 proto udp from x.x.x.x to any port = 68 keep state

# Allow in standard www function because I have apache server
#pass in quick on ppp0 proto tcp from any to any port = 80 flags S keep state

# Allow in Transmission Torrent
pass in quick on ppp0 proto tcp from any to any port = 51413 flags S keep state

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public internet
# as clear text.
# Delete this sample group if you do not have telnet server enabled.
pass in quick on ppp0 proto tcp from any to any port = 23 flags S keep state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH  (secure shell)
#pass in quick on ppp0 proto tcp from any to any port = 22 flags S keep state

# Allow in email SMTP  from public Internet if commercial user
pass in quick on ppp0 proto tcp from any to any port = 25 flags S keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a ‘denial of service’ attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on ppp0 all

/etc/dhclient-exit-hooks


#dhclient-exit-hooks
#
# Address currently bound to wm0 (loopback excluded), kept for debugging
MYIP=`ifconfig wm0 | grep -E 'inet.[0-9]' | grep -v '127.0.0.1' | awk '{ print $2 }'`

# $reason is set by dhclient-script before this file is sourced
echo "$reason" > /tmp/dhclient_reason
echo "$MYIP" > /tmp/myip

case "$reason" in
PREINIT)

    ;;
BOUND|RENEW|REBIND|REBOOT)

    #Start firewall with the wm0 ruleset
    rm -f /etc/ipf.conf
    ln -s /etc/ipf.conf.wm0 /etc/ipf.conf
    #/etc/rc.d/ipfilter onestop
    /etc/rc.d/ipfilter onestart
    ;;

EXPIRE|FAIL|RELEASE|STOP)

    ;;
esac

/etc/ppp/ip-up


#!/bin/sh
# pppd executes this script directly, so it needs the shebang and +x

#DNS
cp /etc/ppp/resolv.conf /etc/resolv.conf

#IpFilter: switch to the ppp0 ruleset
rm -f /etc/ipf.conf
ln -s /etc/ipf.conf.ppp0 /etc/ipf.conf
/etc/rc.d/ipfilter onestart

#Nat
/etc/rc.d/ipnat forcestart

/etc/ppp/ip-down


#!/bin/sh

#Disable IpFilter
/etc/rc.d/ipfilter onestop

#Disable Nat
/etc/rc.d/ipnat forcestop

You can test your firewall is working with:

/usr/sbin/ipfstat -hion
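The two hook scripts above do the same job (swap the /etc/ipf.conf symlink, then start ipfilter), so here is one shared version of that step, as an added example that is not code from the original post. It assumes an IPF_DIR variable (defaulting to /etc) so the functions can be exercised in a scratch directory, and it adds the check a practitioner would want: it refuses a ruleset that contains an unconditional "pass ... quick on <public interface> all", because with "quick" that rule makes every rule after it unreachable.

```shell
#!/bin/sh
# Added example, not from the original post: choose the IpFilter ruleset for
# the interface that just came up, sanity-check it, and swap the
# /etc/ipf.conf symlink atomically. IPF_DIR is an assumed knob so the
# functions can be exercised in a scratch directory; on the real host leave
# it at /etc.

IPF_DIR="${IPF_DIR:-/etc}"

# Map an interface name to its ruleset file. Unknown interfaces are rejected
# instead of silently leaving whatever ruleset was active before.
ruleset_for() {
    case "$1" in
        wm0)  echo "$IPF_DIR/ipf.conf.wm0" ;;
        ppp0) echo "$IPF_DIR/ipf.conf.ppp0" ;;
        *)    return 1 ;;
    esac
}

# Refuse a ruleset containing an unconditional "pass in|out quick on <iface>
# all" for the public interface: "quick" makes that rule final for every
# packet on the interface, so every rule after it is dead and the host is
# effectively unfiltered. (The same rule on the LAN interface is fine.)
check_no_passall() {
    # $1 = ruleset file, $2 = public interface name
    ! grep -E "^[[:space:]]*pass[[:space:]]+(in|out)[[:space:]]+quick[[:space:]]+on[[:space:]]+$2[[:space:]]+all" "$1" >/dev/null
}

# Point $IPF_DIR/ipf.conf at the ruleset for interface $1. Returns 1 and
# changes nothing if the interface is unknown, the file is missing, or the
# check above fails, so a bad ruleset never replaces a good one.
select_ipf_conf() {
    iface="$1"
    target=$(ruleset_for "$iface") || return 1
    [ -f "$target" ] || return 1
    check_no_passall "$target" "$iface" || return 1
    # create the symlink under a temporary name, then rename it over
    # ipf.conf: there is no moment at which ipf.conf does not exist
    tmp="$IPF_DIR/ipf.conf.tmp.$$"
    ln -s "$target" "$tmp" && mv -f "$tmp" "$IPF_DIR/ipf.conf"
}

# Load the selected ruleset into the kernel (root only). ipf -n parses the
# file without touching the kernel, so a syntax error is caught before the
# rc.d script is asked to enable it.
load_ipf_conf() {
    /sbin/ipf -n -f "$IPF_DIR/ipf.conf" >/dev/null || return 1
    /etc/rc.d/ipfilter onestart
}

# Hook-style entry point: "select_and_load wm0" from dhclient-exit-hooks,
# "select_and_load ppp0" from /etc/ppp/ip-up.
select_and_load() {
    select_ipf_conf "$1" && load_ipf_conf
}
```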

About jjjesss

I'm a guy interested in technology, bsd fan and concerned about the world around.
This entry was posted in BSD, NetBSD, Uncategorized.
