Joe,
We are preparing to implement a new firewall for our network and we
are looking for the best rule sets to configure. Can anyone
provide a list of a few that would be the best? We have looked at
denying access to the firewall except... and we have looked at
rlogin commands as well.
For a deeper understanding, I'd suggest a book such as Chapman & Zwicky's
"Building Internet Firewalls", and taking a look at some of the papers in
the CERT archive. There are links to the papers I've personally found
helpful at <http://rlz.ne.mediaone.net/linux>.
If you want a starting point, the following rules are based on Chapman &
Zwicky, the CERT papers, and 15 years experience in Unix operating system
development (which means I was exposed, but it wasn't central to my work).
They are written for Linux, ipfw version 4. I hope they are meaningful to
you, as you are using a "checkpoint" firewall, and I have no idea of what
the interface looks like to you.
These aren't the rules for enabling services. They are just a collection
of protection and failsafe types of rules, to give you an idea of what you
might want to consider. This is a cut and paste of a piece of a firewall
example I publish on my web site for home Linux users. It uses a deny-by-
default policy in both directions.
Bob Ziegler
# ----------------------------------------------------------------------------
EXTERNAL_INTERFACE="eth0" # whichever you use
IPADDR=<your IP address>
ANYWHERE="any/0" # ipfwadm notation for 0.0.0.0/0
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8" # RFC 1918 private ranges
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
MULTICAST="224.0.0.0/4" # class D (224.0.0.0 - 239.255.255.255)
CLASS_E="240.0.0.0/4" # reserved (240.0.0.0 - 255.255.255.255)
BROADCAST_0="0.0.0.0"
BROADCAST_1="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
RESTRICTED_PORTS="2049" # (TCP/UDP) NFS
RESTRICTED_OPENWINDOWS="2000" # (TCP) openwindows
# X Windows port allocation begins at 6000 and increments
# for each additional server running.
RESTRICTED_XWINDOWS="6000:6001" # (TCP) X windows
# Default policies, deny-by-default in both directions as described above:
# silently drop unsolicited input, reject (ICMP error back) stray output.
# The full example sets these before any rule; rules are then appended
# with -a and evaluated first match wins. -o logs a match, -W names the
# interface the rule applies to.
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -I -p deny
ipfwadm -O -p reject
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse spoofed packets pretending to be to or from the external address.
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -S $IPADDR
ipfwadm -O -a reject -o -W $EXTERNAL_INTERFACE -D $IPADDR
# Refuse packets claiming to be to or from a Class A private network
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -S $CLASS_A
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -D $CLASS_A
ipfwadm -O -a reject -o -W $EXTERNAL_INTERFACE -S $CLASS_A
ipfwadm -O -a reject -o -W $EXTERNAL_INTERFACE -D $CLASS_A
# Refuse packets claiming to be to or from a Class B private network
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -S $CLASS_B
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -D $CLASS_B
ipfwadm -O -a reject -o -W $EXTERNAL_INTERFACE -S $CLASS_B
ipfwadm -O -a reject -o -W $EXTERNAL_INTERFACE -D $CLASS_B
# Refuse packets claiming to be to or from a Class C private network
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -S $CLASS_C
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -D $CLASS_C
ipfwadm -O -a reject -o -W $EXTERNAL_INTERFACE -S $CLASS_C
ipfwadm -O -a reject -o -W $EXTERNAL_INTERFACE -D $CLASS_C
# Refuse packets claiming to be to or from the loopback interface
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -S $LOOPBACK
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -D $LOOPBACK
ipfwadm -O -a reject -o -W $EXTERNAL_INTERFACE -S $LOOPBACK
ipfwadm -O -a reject -o -W $EXTERNAL_INTERFACE -D $LOOPBACK
# Refuse packets with the limited-broadcast address as SOURCE,
# and packets addressed to 0.0.0.0
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -S $BROADCAST_1
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -D $BROADCAST_0
# Refuse multicast and reserved (class E) SOURCE addresses (in.h) (NET-3-HOWTO)
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -S $MULTICAST
ipfwadm -I -a deny -o -W $EXTERNAL_INTERFACE -S $CLASS_E
# ----------------------------------------------------------------------------
# ICMP
# To limit denial of service and route manipulation based on ICMP,
# no rule below accepts Redirect (5) in either direction, so it falls
# to the default policy. Destination Unreachable (3) is accepted in
# both directions on purpose: its Fragmentation Needed code (type 3,
# code 4) is what path MTU discovery relies on, and blocking it
# silently breaks connections that send large packets.
# For ICMP, ipfwadm reads the "port" numbers after -S as ICMP types.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: Echo_Reply
# 3: Dest_Unreachable, Network_Unavailable, Service_Unavailable, etc.
# 4: Source_Quench
# 5: Redirect
# 8: Echo_Request
# 11: Time_Exceeded
# 12: Parameter_Problem
ipfwadm -I -a accept -P icmp -W $EXTERNAL_INTERFACE \
-S $ANYWHERE 0 3 4 11 12 -D $IPADDR
ipfwadm -I -a accept -P icmp -W $EXTERNAL_INTERFACE \
-S <my_service_provider> 8 -D $IPADDR
ipfwadm -O -a accept -P icmp -W $EXTERNAL_INTERFACE \
-S $IPADDR 0 -D <my_service_provider>
ipfwadm -O -a accept -P icmp -W $EXTERNAL_INTERFACE \
-S $IPADDR 3 4 8 12 -D $ANYWHERE
ipfwadm -O -a accept -P icmp -W $EXTERNAL_INTERFACE \
-S $IPADDR 11 -D <my_service_provider>
# ----------------------------------------------------------------------------
# The following rules are redundant in this type of firewall
# because none of the following ports are open.
# They are included as a safety precaution.
# None of these services should be available on the internet.
# They were designed for intranet use and represent serious
# holes if available outside of the LAN.
# reserved link sunrpc exec login shell printer uucp
ipfwadm -O -a reject -P tcp -W $EXTERNAL_INTERFACE \
-S $IPADDR \
-D $ANYWHERE 0 87 111 512 513 514 515 540
# reserved link sunrpc exec login shell printer uucp
ipfwadm -O -a reject -P tcp -W $EXTERNAL_INTERFACE \
-S $IPADDR 0 87 111 512 513 514 515 540 \
-D $ANYWHERE
# reserved dhcp tftp sunrpc snmp snmp-trap
# (sending to client port 68 or from server port 67 means acting as a
# DHCP server; a DHCP client on this interface is not affected)
ipfwadm -O -a reject -P udp -W $EXTERNAL_INTERFACE \
-S $IPADDR \
-D $ANYWHERE 0 68 69 111 161 162
ipfwadm -O -a reject -P udp -W $EXTERNAL_INTERFACE \
-S $IPADDR 0 67 69 111 161 162 \
-D $ANYWHERE
# biff who syslog route ripng mountd
ipfwadm -O -a reject -P udp -W $EXTERNAL_INTERFACE \
-S $IPADDR 512 513 514 520 521 635 \
-D $ANYWHERE
ipfwadm -O -a reject -P udp -W $EXTERNAL_INTERFACE \
-S $IPADDR \
-D $ANYWHERE 512 513 514 520 521 635
# ----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
# Deny connection requests to the NFS, openwindows and X windows
# unprivileged ports. -y matches only SYN segments, i.e. attempts to
# establish a connection; established traffic is left alone.
ipfwadm -I -a deny -o -P tcp -y -W $EXTERNAL_INTERFACE \
-D $IPADDR $RESTRICTED_PORTS
ipfwadm -I -a deny -o -P tcp -y -W $EXTERNAL_INTERFACE \
-D $IPADDR $RESTRICTED_OPENWINDOWS
ipfwadm -I -a deny -o -P tcp -y -W $EXTERNAL_INTERFACE \
-D $IPADDR $RESTRICTED_XWINDOWS
# SOCKS: incoming connection
ipfwadm -I -a deny -P tcp -y -W $EXTERNAL_INTERFACE \
-S $ANYWHERE \
-D $IPADDR 1080
# Disallow outgoing traffic to protect yourself from mistakes.
# openwindows: establishing a connection
ipfwadm -O -a reject -P tcp -y -W $EXTERNAL_INTERFACE \
-S $IPADDR \
-D $ANYWHERE $RESTRICTED_OPENWINDOWS
# Xwindows: establishing a connection
ipfwadm -O -a reject -P tcp -y -W $EXTERNAL_INTERFACE \
-S $IPADDR \
-D $ANYWHERE $RESTRICTED_XWINDOWS
# SOCKS: establishing a connection
ipfwadm -O -a reject -P tcp -y -W $EXTERNAL_INTERFACE \
-S $IPADDR \
-D $ANYWHERE 1080
# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
ipfwadm -I -a deny -o -P udp -W $EXTERNAL_INTERFACE \
-D $IPADDR $RESTRICTED_PORTS
# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
# Accept probes only from your ISP's range (the published example used
# the author's own ISP block here), then deny them from everywhere else.
ipfwadm -I -a accept -o -P udp -W $EXTERNAL_INTERFACE \
-S <my_service_provider> 32769:65535 \
-D $IPADDR 33434:33523
ipfwadm -I -a deny -o -P udp -W $EXTERNAL_INTERFACE \
-S $ANYWHERE 32769:65535 \
-D $IPADDR 33434:33523
........................................................................
Home Page .................. <http://rlz.ne.mediaone.net>
Resume ..................... <http://rlz.ne.mediaone.net/resume.html>
Linux LAN & Firewall Paper . <http://rlz.ne.mediaone.net/linux/faq>
Linux Firewall Design Tool . <http://rlz.ne.mediaone.net/linux/firewall>
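As an added illustration, not part of Bob's post or of the firewall example on his site, the following Python models the pasted ipfwadm fragment as a first-match packet classifier with the same deny-in / reject-out defaults, so the effect of the rule order can be checked before anything is loaded into a kernel. The firewall address 203.0.113.10 and ISP range 203.0.113.0/24 are assumed stand-ins (documentation addresses) for the `<your IP address>` and `<my_service_provider>` placeholders, and the packets run through it are constructed for the example.

```python
"""First-match model of the protection rules in the ipfwadm fragment above:
anti-spoof / bogon denies, the ICMP type whitelist, the LAN-only and
restricted TCP/UDP ports, and the ISP-only traceroute accept."""
import ipaddress
from dataclasses import dataclass

# Assumed stand-ins for the placeholders in the fragment (not the author's values).
IPADDR = ipaddress.ip_address("203.0.113.10")            # <your IP address>
MY_ISP = ipaddress.ip_network("203.0.113.0/24")          # <my_service_provider>
PRIVATE_AND_LOOPBACK = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MULTICAST_AND_CLASS_E = ipaddress.ip_network("224.0.0.0/3")  # 224.0.0.0 - 255.255.255.255
RESTRICTED_TCP_IN = {2049, 2000, 6000, 6001, 1080}        # NFS, openwindows, X, SOCKS
RESTRICTED_TCP_OUT = {2000, 6000, 6001, 1080}
LAN_ONLY_TCP = {0, 87, 111, 512, 513, 514, 515, 540}      # link sunrpc exec login shell printer uucp
LAN_ONLY_UDP = {0, 69, 111, 161, 162, 512, 513, 514, 520, 521, 635}


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (arrives on eth0) or "out" (leaves on eth0)
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = -1         # -1 = not set
    dport: int = -1
    syn: bool = False       # TCP connection request (what ipfwadm -y matches)
    icmp_type: int = -1     # ipfwadm puts this in the source "port" field


def classify(pkt: Packet) -> str:
    """Walk the rules in the order the fragment appends them and return the
    first matching action: 'accept', 'deny' (silent drop) or 'reject'
    (ICMP error back). Default policy: deny inbound, reject outbound."""
    default = "deny" if pkt.direction == "in" else "reject"
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    inbound = pkt.direction == "in"

    # SPOOFING & BAD ADDRESSES
    if inbound and src == IPADDR:                 # our own address arriving from outside
        return "deny"
    if not inbound and dst == IPADDR:
        return "reject"
    if any(src in n or dst in n for n in PRIVATE_AND_LOOPBACK):
        return default
    if inbound and (dst == ipaddress.ip_address("0.0.0.0") or src in MULTICAST_AND_CLASS_E):
        return "deny"                             # 255.255.255.255 as source is inside 224/3

    # ICMP: accept by type only; Redirect (5) never matches, so it hits the default
    if pkt.proto == "icmp":
        t = pkt.icmp_type
        if inbound and dst == IPADDR:
            if t in (0, 3, 4, 11, 12) or (t == 8 and src in MY_ISP):
                return "accept"
        elif not inbound and src == IPADDR:
            if t in (3, 4, 8, 12) or (t in (0, 11) and dst in MY_ISP):
                return "accept"
        return default

    # LAN-only services must never cross the external interface (outbound)
    if not inbound and src == IPADDR:
        lan_only = LAN_ONLY_TCP if pkt.proto == "tcp" else LAN_ONLY_UDP
        if pkt.dport in lan_only or pkt.sport in lan_only:
            return "reject"
        if pkt.proto == "udp" and (pkt.dport == 68 or pkt.sport == 67):
            return "reject"                       # acting as a DHCP server

    # TCP connection requests to ports that should never be open across the Internet
    if pkt.proto == "tcp" and pkt.syn:
        if inbound and dst == IPADDR and pkt.dport in RESTRICTED_TCP_IN:
            return "deny"
        if not inbound and src == IPADDR and pkt.dport in RESTRICTED_TCP_OUT:
            return "reject"

    # UDP: NFS, then traceroute probes only from the ISP's range
    if pkt.proto == "udp" and inbound and dst == IPADDR:
        if pkt.dport == 2049:
            return "deny"
        if 32769 <= pkt.sport <= 65535 and 33434 <= pkt.dport <= 33523:
            return "accept" if src in MY_ISP else "deny"

    return default                                # nothing in this fragment opens a service


if __name__ == "__main__":
    # Constructed sample packets, one per rule group
    for p in (Packet("in", "tcp", "10.1.2.3", str(IPADDR), 40000, 80, syn=True),
              Packet("in", "icmp", "203.0.113.1", str(IPADDR), icmp_type=8),
              Packet("in", "icmp", "198.51.100.7", str(IPADDR), icmp_type=5),
              Packet("in", "udp", "203.0.113.200", str(IPADDR), 40000, 33440)):
        print(f"{p.direction:3} {p.proto:4} {p.src:>15} -> {p.dst:<15} {classify(p)}")
```

Worth noticing in the output: an echo request from outside the ISP range is dropped, but a Destination Unreachable from anywhere is accepted, which is exactly the path MTU discovery trade-off the ICMP comments describe; and an ordinary SYN to port 80 is dropped only because this fragment opens no services, not because of any rule it contains.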
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]