Charles,
Here's the output --- thanks again:
#
#
# ipfilter.conf This file contains the functions that contain the firewall
# and ipfilter configuration. This is an example setup for
# IP masquearding
#
IPFILTER_CONF_VERSION=20010330
# set -x # Uncomment for script debug
IPCH="/sbin/ipchains --no-warnings"
IPMASQADM=/usr/sbin/ipmasqadm
# DONT change this!
LOCAL_NET=127.0.0.0/8
LOCAL_IP=127.0.0.1
# Some functions to handle Protocol IP Port tuples
echoProto () {
local IFS='_'
set -- $1
echo $1
}
echoIp () {
local IFS='_'
set -- $1
echo "$2"
}
echoPort () {
local IFS='_'
set -- $1
echo "$3"
}
echoIpPort () {
local IFS='_'
set -- $1
echo "$2 $3"
}
echoSrvIpPort () {
local IFS='_'
set -- $1
echo "$4 $5"
}
echoMrkMark () {
local IFS='_'
set -- $1
echo $1
}
echoMrkProto () {
local IFS='_'
set -- $1
echo $2
}
echoMrkIpPort () {
local IFS='_'
set -- $1
echo "$3 $4"
}
echoBpSrc () {
local IFS='_'
set -- $1
echo "$2"
}
echoBpDstPort () {
local IFS='_'
set -- $1
echo "$3 $4"
}
echoFwDstPort () {
local IFS='_'
set -- $1
echo "$2"
}
echoFwSrcIp () {
local IFS='_'
set -- $1
echo "$1"
}
# A function to filter out Martian source addresses
stopMartians () {
local LIST=$1
shift
# The source addresses listed here are conservatively
# invalid as they are either used as broadcast/multicast
# destation addresses, a special value in IP stacks, loopback
# networks and illegal/ambiguous Classed IP addressing networks.
#
# You can add your 'martian/invalid' source address blocks to the
# MARTIAN_NETS list in /etc/network.conf
# All ones, all zeroes
$IPCH -A $LIST -j DENY -p all -s 0.0.0.0 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 255.255.255.255 -d 0/0 -l $*
# Loop back addresses
$IPCH -A $LIST -j DENY -p all -s 127.0.0.0/8 -d 0/0 -l $*
# Multicast source addresses
$IPCH -A $LIST -j DENY -p all -s 224.0.0.0/4 -d 0/0 -l $*
# RFC 1918/1627/1597 blocks
$IPCH -A $LIST -j DENY -p all -s 10.0.0.0/8 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 172.16.0.0/12 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $*
# IANA reserved blocks (Martians from the gated restricted list
# - actually impossible/ambiguous classed networks)
$IPCH -A $LIST -j DENY -p all -s 0.0.0.0/8 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 128.0.0.0/16 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 191.255.0.0/16 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 192.0.0.0/24 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 223.255.255.0/24 -d 0/0 -l $*
# Class E address (experimental use)
$IPCH -A $LIST -j DENY -p all -s 240.0.0.0/4 -d 0/0 -l $*
# Addtions/other IANA reserved blocks
for NET in $MARTIAN_NETS; do
$IPCH -A $LIST -j DENY -p all -s $NET -d 0/0 -l $*
done; unset NET
}
# A function to block services that give trouble on an IFACE
standardBlock () {
local LIST=$1
shift
# Block SMB/Windows networking to protect Windows boxes and to stop
# Windows NT doing braindead things with mail, www, etc
# This also prevents Internet Explorer spraying user logins
# and passwords everywhere
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 -d 0/0 netbios-ns $*
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 -d 0/0 135 $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d 0/0 netbios-ns $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d 0/0 135 $*
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 -d 0/0
netbios-dgm:netbios-ssn $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d 0/0 netbios-dgm $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 netbios-ns:netbios-dgm -d 0/0 $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 135 -d 0/0 $*
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 netbios-ns:netbios-ssn -d 0/0 $*
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 135 -d 0/0 $*
}
# A function to control SNMP access on a network
snmpBlock () {
local LIST=$1
local DEST_IP=$2
local SNMP_IP
shift 2
if [ "$SNMP_BLOCK" != "YES" -a "$SNMP_BLOCK" != "Yes" \
-a "$SNMP_BLOCK" != "yes" ] ; then
return 0
fi
for SNMP_IP in $SNMP_MANAGER_IPS; do
$IPCH -A $LIST -j ACCEPT -p udp -s $SNMP_IP -d $DEST_IP 161:162 $*
done; unset SNMP_IP
$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d $DEST_IP 161:162 -l $*
}
# A function to build rule chains for checking the overlapping IP space
# when running a proxy-arp'd DMZ network
ipfilter_dmzChain () {
local CHAIN=$1
local SRC_DEST=$2
local DEST_RULE=$3
shift 3
case "$SRC_DEST" in
S*|s*)
SRC_DEST="-s"
;;
D*|d*)
SRC_DEST="-d"
;;
*)
echo "ipfilter_dmzChain: Invalid parameter: $SRC_DEST" >&2
SRC_DEST="-s"
;;
esac
# Create new chain
$IPCH -N $CHAIN
# Return to main ruleset if source is an expected external IP
for ADDR in $DMZ_EXT_ADDRS; do
$IPCH -A $CHAIN -j RETURN -p all $SRC_DEST $ADDR
done; unset ADDR
# Anything else is a DMZ IP
$IPCH -A $CHAIN -j $DEST_RULE -p all $*
}
# A function to mark packets for classification
ipfilter_fairq () {
[ -z "$CLS_FAIRQ" ] && return 0
# Create new chain
$IPCH -N fairq
# Populate chain
for CLS in $CLS_FAIRQ; do
$IPCH -A fairq -j RETURN -m `echoMrkMark $CLS` -p `echoMrkProto $CLS` \
-d `echoMrkIpPort $CLS` -b
done; unset CLS
return 0
}
# A function to flush the filters (for internal use)
ipfilter_flush () {
# Flush the filters out
$IPCH -F input # input firewall list
$IPCH -F output # output firewall list
$IPCH -F forward # forwarding firewall list
# Flush fairq chain!
[ -n "$CLS_FAIRQ" ] && qt $IPCH -F fairq && qt $IPCH -X fairq
if [ "$DMZ_SWITCH" = "PROXY" -o "$DMZ_SWITCH" = "Proxy" \
-o "$DMZ_SWITCH" = "proxy" ]; then
# Flush Proxy-Arp DMZ chains:
qt $IPCH -F dmzSpoof && qt $IPCH -X dmzSpoof
qt $IPCH -F dmzIn && qt $IPCH -X dmzIn
fi
# Flush portfw rules
[ "$IPPORTFW" ] && $IPMASQADM portfw -f
# Flush autofw rules
[ "$IPAUTOFW" ] && $IPMASQADM autofw -F
# Flush mfw rules
[ "$IPMFW" ] && $IPMASQADM mfw -F
}
# A function to set the filter default policies
ipfilter_policy () {
$IPCH -P input $1
$IPCH -P output $1
$IPCH -P forward $1
}
# A function to clear the filters
ipfilter_clear () {
# Flush the filters
ipfilter_flush
# Reset the default policy
#
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING! If
# you turn off the filters, the box will become opaque to any traffic!
#
ipfilter_policy ACCEPT
}
# A function to configure the filters for routing
ipfilter_router_cfg () {
#
# set default policies
#
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING! If
# you turn off the filters, the box will become opaque to any traffic!
#
ipfilter_policy DENY
# Clear any garbage rules out of the filters
ipfilter_flush
# Set up Fair Queueing classifier lists
ipfilter_fairq
# Forwarding
$IPCH -A forward -j DENY -p icmp --icmp-type redirect -l
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
$IPCH -A forward -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A forward -j ACCEPT -p all -s 0/0 -d 0/0
# Incoming Stuff
# Do this here to control junk coming in - good for defending against flood
# attacks
if [ "$BORDER_RTR" = "YES" -o "$BORDER_RTR" = "Yes" -o "$BORDER_RTR" =
"yes" ];
then
# Origin blocking
for SRC in $BLOCKED_INSRC; do
$IPCH -A input -j DENY -p `echoProto $SRC` \
-s `echoIpPort $SRC` -i $EXTERN_RIF
done; unset SRC
for SRC in $LOGGED_BLOCKED_INSRC; do
$IPCH -A input -j DENY -p `echoProto $SRC` \
-s `echoIpPort $SRC` -i $EXTERN_RIF -l
done; unset SRC
fi
# Stop ICMP time stamp messages - don't need these
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-request -l
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-reply -l
# Border router stuff
if [ "$BORDER_RTR" = "YES" -o "$BORDER_RTR" = "Yes" -o "$BORDER_RTR" =
"yes" ];
then
# Get rid of incoming Martians
stopMartians input -i $EXTERN_RIF
# Prevent RFC 1918/1627/1597 IP packets from coming in
$IPCH -A input -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
$IPCH -A input -j DENY -p all -s 0/0 -d 192.168.0.0/16 -i $EXTERN_RIF
$IPCH -A input -j DENY -p all -s 0/0 -d 172.16.0.0/12 -i $EXTERN_RIF
# Allow icmp/BGP coming in on our link net
if [ -n "$LINK_NET" ]; then
$IPCH -A input -j ACCEPT -p icmp -s $LINK_NET -d 0/0 \
-i $EXTERN_RIF
$IPCH -A input -j ACCEPT -p tcp -s $LINK_NET -d $LINK_NET bgp \
-i $EXTERN_RIF
$IPCH -A input -j ACCEPT -p tcp -s $LINK_NET bgp \
-d $LINK_NET 1024:65535 ! -y -i $EXTERN_RIF
# $IPCH -A input -j ACCEPT -p udp -s $LINK_NET -d $LINK_NET egp \
# -i $EXTERN_RIF
# $IPCH -A input -j ACCEPT -p udp -s $LINK_NET egp \
# -d $LINK_NET 1024:65535 -i $EXTERN_RIF
fi
# Get rid of fake packets from our internal source addresses
for IP in $IP_BLOCKS; do
$IPCH -A input -j DENY -p all -s $IP -d 0/0 -i $EXTERN_RIF -l
done; unset IP
# Destination blocking
for DEST in $BLOCKED_INDEST; do
$IPCH -A input -j REJECT -p `echoProto $DEST` -s 0/0 \
-d `echoIpPort $DEST` -i $EXTERN_RIF
done; unset DEST
for DEST in $LOGGED_BLOCKED_INDEST; do
$IPCH -A input -j REJECT -p `echoProto $DEST` -s 0/0 \
-d `echoIpPort $DEST` -i $EXTERN_RIF -l
done; unset DEST
# SNMP control - Prevent SNMP access to our network
if [ "$SNMP_BLOCK" = "YES" -o "$SNMP_BLOCK" = "Yes" \
-o "$SNMP_BLOCK" = "yes" ] ; then
$IPCH -A input -j REJECT -p udp -s 0/0 -d 0/0 161:162 \
-i $EXTERN_RIF -l
fi
# Block SMB stuff on input interface
if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
"$SMB_BLOCK" = "yes" ]; then
standardBlock input -i $EXTERN_RIF
fi
# DNS control - only allow certain machines to do zone transfers
if [ -n "$DNS_IPS" ]; then
for IP in $DNS_IPS; do
$IPCH -A input -j ACCEPT -p tcp -d 0/0 domain -i $EXTERN_RIF
done; unset IP
$IPCH -A input -j REJECT -p tcp -d 0/0 domain -i $EXTERN_RIF -l
fi
fi
# Stop address spoofing - uncomment the next two lines if needed
# $IPCH -A input -j ACCEPT -p all -s $LOCAL_IP -d 0/0 -i lo
# stopMartians input
# Control SNMP access in network
snmpBlock input 0/0 -b
# On all other interfaces accept everything.
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
$IPCH -A input -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A input -j ACCEPT -p all -s 0/0 -d 0/0
# Outgoing stuff
# Classify packets, apply TOS etc
[ -n "$CLS_FAIRQ" ] && $IPCH -A output -j fairq
# Border router stuff
if [ "$BORDER_RTR" = "YES" -o "$BORDER_RTR" = "Yes" -o "$BORDER_RTR" =
"yes" ]
then
# Stop outgoing RFC 1918/1627/1597 packets
$IPCH -A output -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i $EXTERN_RIF
$IPCH -A output -j DENY -p all -s 0/0 -d 192.168.0.0/16 -i $EXTERN_RIF
$IPCH -A output -j DENY -p all -s 0/0 -d 172.16.0.0/12 -i $EXTERN_RIF
# Log and stop certain outgoing traffic
for DEST in $BLOCKED_OUTDEST; do
$IPCH -A output -j REJECT -p `echoProto $DEST` -s 0/0 \
-d `echoIpPort $DEST` -i $EXTERN_RIF
done; unset DEST
for DEST in $LOGGED_BLOCKED_OUTDEST; do
$IPCH -A output -j REJECT -p `echoProto $DEST` -s 0/0 \
-d `echoIpPort $DEST` -i $EXTERN_RIF -l
done; unset DEST
# Block SMB stuff on output interface
if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
"$SMB_BLOCK" = "yes" ]; then
standardBlock output -i $EXTERN_RIF
fi
# Control Outgoing Source addresses
for IP in $IP_BLOCKS; do
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
$IPCH -A output -j ACCEPT -f -p all -s $IP -d 0/0 \
-i $EXTERN_RIF
fi
$IPCH -A output -j ACCEPT -p all -s $IP -d 0/0 -i $EXTERN_RIF
done; unset IP
$IPCH -A output -j DENY -p all -i $EXTERN_RIF -l
fi
#
# Server screening control.
#
for IF in $SERVER_RIFS; do
# localise variables
eval local BYPASS=\${"$IF"_BYPASS:-""}
eval local PORT_BLOCK=\${"$IF"_PORT_BLOCK:-""}
eval local LOGGED_PORT_BLOCK=\${"$IF"_LOGGED_PORT_BLOCK:-""}
eval local SMB_BLOCK=\${"$IF"_SMB_BLOCK:-""}
eval local HOST_BYPASS=\${"$IF"_HOST_BYPASS:-""}
eval local HOST_ACKPASS=\${"$IF"_HOST_ACKPASS:-""}
eval local HOST_BLOCK=\${"$IF"_HOST_BLOCK:-""}
# Block Martians
stopMartians output -i $IF
# Bypass for port blocks
for PASS in $BYPASS; do
$IPCH -A output -j ACCEPT -p `echoProto $PASS` \
-s `echoBpSrc $PASS` -d `echoBpDstPort $PASS` -i $IF
done; unset PASS
# Port Blocks
for DEST in $PORT_BLOCK; do
$IPCH -A output -j REJECT -p `echoProto $DEST` \
-s 0/0 -d 0/0 `echoIpPort $DEST` -i $IF
done; unset DEST
for DEST in $LOGGED_PORT_BLOCK; do
$IPCH -A output -j REJECT -p `echoProto $DEST` \
-s 0/0 -d 0/0 `echoIpPort $DEST` -i $IF -l
done; unset DEST
# SMB blocking
if [ "$SMB_BLOCK" != "NO" -a "$SMB_BLOCK" != "No" \
-a "$SMB_BLOCK" != "no" ]; then
standardBlock output -i $IF
fi
#Host Bypassing
for PASS in $HOST_BYPASS; do
$IPCH -A output -j ACCEPT -p `echoProto $PASS` \
-s `echoBpSrc $PASS` -d `echoBpDstPort $PASS` -i $IF
done; unset PASS
#Host Blocking
for DEST in $HOST_BLOCK; do
$IPCH -A output -j REJECT -p tcp -s 0/0 -d $DEST auth -i $IF
done; unset DEST
for PASS in $HOST_ACKPASS; do
$IPCH -A output -j ACCEPT -p tcp \
-s 0/0 -d $PASS 1024:65535 -i $IF ! -y
done; unset PASS
for DEST in $HOST_BLOCK; do
$IPCH -A output -j DENY -p all -s 0/0 -d $DEST -i $IF -l
done; unset DEST
# Otherwise, accept all output on this interface
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
# Handle fragmented packets
$IPCH -A output -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A output -j ACCEPT -p all -s 0/0 -d 0/0 -i $IF
done; unset IF
# On all other interfaces accept anything
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
$IPCH -A output -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A output -j ACCEPT -p all -s 0/0 -d 0/0
}
# A function to configure the filters for firewalling
ipfilter_firewall_cfg () {
local ADDR
local DEST
local NET
#
# set default policies
#
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING! If
# you turn off the filters, the box will become opaque to any traffic!
#
ipfilter_policy DENY
# Clear any garbage rules out of the filters
ipfilter_flush
# Set up Fair Queueing classifier lists
ipfilter_fairq
#
# Set up forwarding
#
# Set up masquerading timout values
$IPCH -M -S 14400 0 0
# Stop forwarding of ICMP redirects
$IPCH -A forward -j DENY -p icmp --icmp-type redirect -l
# Handle masquerading denial - always valid because this controls access
# to DMZ from inside etc.
for PORT in $NOMASQ_DEST_BYPASS; do
for NET in $INTERN_NET; do
$IPCH -A forward -j MASQ -p `echoProto $PORT` \
-s $NET -d `echoIpPort $PORT`
done; unset NET
done; unset PORT
for PORT in $NOMASQ_DEST; do
for NET in $INTERN_NET; do
$IPCH -A forward -j REJECT -p `echoProto $PORT` \
-s $NET -d `echoIpPort $PORT`
done; unset NET
done; unset PORT
# Connect DMZ to internet
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
-o "$DMZ_SWITCH" = "yes" -o "$DMZ_SWITCH" = "PROXY" \
-o "$DMZ_SWITCH" = "Proxy" -o "$DMZ_SWITCH" = "proxy" ]; then
# Masquerade internal network to DMZ network
for NET in $INTERN_NET; do
: $IPCH -A forward -j MASQ -p all -s $NET -d $DMZ_NET -i $DMZ_IF
done; unset NET
for DEST in $DMZ_CLOSED_DEST; do
$IPCH -A forward -j REJECT -p `echoProto $DEST` \
-d `echoIpPort $DEST` -i $DMZ_IF
done; unset DEST
for DEST in $DMZ_OPEN_DEST; do
$IPCH -A forward -j ACCEPT -p `echoProto $DEST` \
-d `echoIpPort $DEST` -i $DMZ_IF
done; unset DEST
if [ "$DMZ_HIGH_TCP_CONNECT" = "YES" \
-o "$DMZ_HIGH_TCP_CONNECT" = "Yes" \
-o "$DMZ_HIGH_TCP_CONNECT" = "yes" ]; then
$IPCH -A forward -j ACCEPT -p tcp -s 0/0 \
-d $DMZ_NET 1024:65535 -i $DMZ_IF
else
$IPCH -A forward -j ACCEPT -p tcp -s 0/0 \
-d $DMZ_NET 1024:65535 -i $DMZ_IF ! -y
fi
$IPCH -A forward -j ACCEPT -p icmp -s 0/0 -d $DMZ_NET -i $DMZ_IF
$IPCH -A forward -j ACCEPT -p tcp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
$IPCH -A forward -j ACCEPT -p icmp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
$IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET domain \
-d 0/0 -i $EXTERN_IF
$IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
fi
# Line below altered per instructions from Charles S.
# To permit inbound UDP services to Half-Life game servers in DMZ
# $IPCH -A forward -j MASQ -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
#Set up port forwards for internal services
for DEST in $INTERN_SERVERS; do
# Can't deal with PASV mode
$IPMASQADM portfw -a -P `echoProto $DEST` \
-L `echoIpPort $DEST` -R `echoSrvIpPort $DEST`
$IPCH -A forward -j MASQ -p `echoProto $DEST` \
-s `echoSrvIpPort $DEST`
done; unset DEST
if [ -n "$INTERN_FTP_SERVER" ] ; then
# Can't deal with PASV mode
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP ftp -R $INTERN_FTP_SERVER ftp
fi
if [ -n "$INTERN_WWW_SERVER" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP www -R $INTERN_WWW_SERVER www
fi
if [ -n "$INTERN_SMTP_SERVER" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP smtp -R $INTERN_SMTP_SERVER
smtp
fi
if [ -n "$INTERN_POP3_SERVER" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP pop-3 -R $INTERN_WWW_SERVER
pop-3
fi
if [ -n "$INTERN_IMAP_SERVER" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP imap -R $INTERN_IMAP_SERVER
imap
fi
if [ -n "$INTERN_SSH_SERVER" ] ; then
if [ -n "$EXTERN_SSH_PORT" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP $EXTERN_SSH_PORT \
-R $INTERN_SSH_SERVER ssh
else
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP ssh \
-R $INTERN_SSH_SERVER ssh
fi
fi
# Masquerade internal network to world
if [ "$MASQ_SWITCH" = "YES" -o "$MASQ_SWITCH" = "Yes" \
-o "$MASQ_SWITCH" = "yes" ]; then
for NET in $INTERN_NET; do
$IPCH -A forward -j MASQ -p all -s $NET -d 0/0 -i $EXTERN_IF
done; unset NET
fi
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
-o "$DMZ_SWITCH" = "yes" ]; then
$IPCH -A forward -j DENY -p all -s 0/0 -d $DMZ_NET -i $DMZ_IF -l
fi
[ -r "$IPCH_FWD" ] && . $IPCH_FWD
$IPCH -A forward -j DENY -p all -s 0/0 -d 0/0 -l
#
# EXTERNAL INTERFACE
#
# Input filter
# Added by Charles Steinkuehler to provide a way to keep from filling the
logs
# with denyed packets that we know about and don't want to see anymore
for DEST in $SILENT_DENY; do
$IPCH -A input -j DENY -p `echoProto $DEST` \
-s `echoIp $DEST` \
-d 0/0 `echoPort $DEST` -i $EXTERN_IF
done; unset DEST
# Block ICMP redirects
$IPCH -A input -j DENY -p icmp --icmp-type redirect -l
# Stop ICMP time stamp messages - don't need these
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-request -l
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-reply -l
# Spoofing prevention
stopMartians input -i $EXTERN_IF
for NET in $INTERN_NET; do
$IPCH -A input -j DENY -p all -s $NET -d 0/0 -i $EXTERN_IF -l
done; unset NET
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
-o "$DMZ_SWITCH" = "yes" ]; then
$IPCH -A input -j DENY -p all -s $DMZ_NET -d 0/0 -i $EXTERN_IF -l
fi
if [ "$DMZ_SWITCH" = "PROXY" -o "$DMZ_SWITCH" = "Proxy" \
-o "$DMZ_SWITCH" = "proxy" ]; then
ipfilter_dmzChain dmzSpoof Source DENY -l
# Call ruleset if source IP matches DMZ_NET specification
$IPCH -A input -j dmzSpoof -p all -s $DMZ_NET -d 0/0 -i $EXTERN_IF
fi
if [ "$EXTERN_DYNADDR" = "YES" -o "$EXTERN_DYNADDR" = "Yes" \
-o "$EXTERN_DYNADDR" = "yes" ]; then
# Spoof protection
if_setproc $EXTERN_IF rp_filter YES
# Kernel logging of martians on this interface
if_setproc $EXTERN_IF log_martians YES
local EX_IP=0/0
else
for ADDR in $EXTERN_IP; do
$IPCH -A input -j DENY -p all -s $ADDR -d 0/0 \
-i $EXTERN_IF -l
done; unset ADDR
local EX_IP=0/0
fi
# Turn off all traffic from net to internal IP numbers
$IPCH -A input -j REJECT -p all -s 0/0 -d $LOCAL_NET -i $EXTERN_IF -l
for NET in $INTERN_NET; do
$IPCH -A input -j REJECT -p all -s 0/0 -d $NET -i $EXTERN_IF -l
done; unset NET
# Stop Netbios shenanagans
standardBlock input -i $EXTERN_IF
# Bypass filters below for DMZ_NET access - port control done in forwarding
# firewall
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
-o "$DMZ_SWITCH" = "yes" ]; then
$IPCH -A input -j ACCEPT -p all -s 0/0 -d $DMZ_NET -i $EXTERN_IF
fi
if [ "$DMZ_SWITCH" = "PROXY" -o "$DMZ_SWITCH" = "Proxy" \
-o "$DMZ_SWITCH" = "proxy" ]; then
ipfilter_dmzChain dmzIn Dest ACCEPT
# Call ruleset if destination IP matches DMZ_NET specification
$IPCH -A input -j dmzIn -p all -s 0/0 -d $DMZ_NET -i $EXTERN_IF
fi
# Generic Services
[ -r "$IPCH_IN" ] && . $IPCH_IN
# Open specified services to the world
for SERVICE in $EXTERN_PORTS; do
$IPCH -A input -j ACCEPT \
-p `echoProto $SERVICE` \
-s `echoIp $SERVICE` \
-d $EX_IP `echoPort $SERVICE` -i $EXTERN_IF
done; unset SERVICE
# TCP
# Open specified TCP services to the world
for SERVICE in $EXTERN_TCP_PORTS; do
$IPCH -A input -j ACCEPT -p tcp -s `echoFwSrcIp $SERVICE` \
-d $EX_IP `echoFwDstPort $SERVICE` -i $EXTERN_IF
done; unset SERVICE
# auth - send a reject packet. You may want to to forward this to an
internal bo# x if using IRC. Here so that a rule above can override
$IPCH -A input -j REJECT -p tcp -s 0/0 -d 0/0 auth -i $EXTERN_IF
# NFS server protection
# $IPCH -A input -j DENY -p tcp -s 0/0 -d 0/0 2049 -i $EXTERN_IF -l
# Accept all incoming TCP packets to the External interface on
non-priveleged
# ports
$IPCH -A input -j ACCEPT -p tcp -s 0/0 -d $EX_IP 1024:65535 -i $EXTERN_IF
#UDP
# SNMP control
snmpBlock input $EX_IP -i $EXTERN_IF
# Open specfied UDP services to the world
for SERVICE in $EXTERN_UDP_PORTS; do
$IPCH -A input -j ACCEPT -p udp -s `echoFwSrcIp $SERVICE` \
-d $EX_IP `echoFwDstPort $SERVICE` -i $EXTERN_IF
done; unset SERVICE
# Block NFS access
#$IPCH -A input -j DENY -p udp -s 0/0 -d 0/0 2049 -i $EXTERN_IF -l
# Block all incoming DHCP/BOOTP queries - this bypasses the logging further
down
$IPCH -A input -j DENY -p udp -s 0/0 -d 0/0 bootps -i $EXTERN_IF
# Allow UDP masquerading for non-priviliged services Comment this out for
# higher security
$IPCH -A input -j ACCEPT -p udp -s 0/0 -d $EX_IP 1024:65535 -i $EXTERN_IF
#ICMP
# Uncomment the following to protect against ping bomb attacks on Windows
# $IPCH -A input -j DENY -p icmp -s 0/0 0 8 -d 0/0 -i $EXTERN_IF -l
$IPCH -A input -j ACCEPT -p icmp -s 0/0 -d $EX_IP -i $EXTERN_IF
# Allow OSPF through - this is for gated to work
$IPCH -A input -j ACCEPT -p 89 -s 0/0 -d 0/0 -i $EXTERN_IF
# Bottom line - DENY anything that does not match
$IPCH -A input -j DENY -p all -s 0/0 -d 0/0 -i $EXTERN_IF -l
#
# Global Incoming
#
# Global control on SNMP
snmpBlock input 0/0 -b
# Allow input on all other interfaces
$IPCH -A input -j ACCEPT -p all -s 0/0 -d 0/0
# Outgoing stuff
# Classify packets, apply TOS etc
[ -n "$CLS_FAIRQ" ] && $IPCH -A output -j fairq
#Guard against sending rubbish onto Internet
stopMartians output -i $EXTERN_IF
for NET in $INTERN_NET; do
$IPCH -A output -j DENY -p all -s $NET -d 0/0 -i $EXTERN_IF
done; unset NET
# Stop Netbios
standardBlock output -i $EXTERN_IF
[ -r "$IPCH_OUT" ] && . $IPCH_OUT
# Allow output on all other interfaces
$IPCH -A output -j ACCEPT -p all -s 0/0 -d 0/0
}
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Charles
Steinkuehler
Sent: Monday, June 25, 2001 1:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Proxy ARP DMZ to Internal Forwarding
> Now that my system is FINALLY up and working at 95%, there is one thing
not
> behaving as expected. I have been looking thru my doc links, trying to
find
> a reference to this, and came up blank. I thought I had read somewhere
that
> the default behavior was to allow all traffic from Internal to DMZ ---
> useful for managing the servers that live there; but disallowing
> DMZ-initiated traffic back into the Internal network.
This is how things are supposed to work. The internal net to DMZ connection
is made by masquerading the internal net to the IP of the firewall, so
outbound stuff from the internal net to the DMZ is allowed, but the DMZ
systems cannot directly see the internal network.
> Here's what I am getting:
>
> Jun 25 06:42:16 cuinn kernel: Packet log: forward DENY eth1 PROTO=6
> 64.81.226.171:80 192.168.1.201:2539 L=48 S=0x00 I=1095 F=0x4000 T=63 (#41)
>
> For everything, including pings and UDP...
>
> Filters (I'm still no ace at reading this):
For whatever reason, there is no masquerade rule in the forward chain
hooking the internal net to the DMZ...there's just the 'global' masquerade
rule for the internet (on eth0). Post or e-mail your /etc/ipfilter.conf and
I'll take a look at it...
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
