MY EYES!!! make it stop bleeding!!!

On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
> Hi,
> 
> I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The guy
> who installed it left our company some months ago.
> I spent some years away from iptables, and now I have to migrate this firewall to
> PF.
> There are some 'special' features on this firewall; I need some documentation
> or help on implementing these features on the new firewall (PF).
> 
> This is the iptables scripts:
> 
> #!/bin/bash
> # Main firewall script. Sets the tool paths, then sources helper scripts from
> # /etc/rc.d/init.d/prodata/ (modules, variables, kernel sysctls, log policies)
> # before the actual filtering rules. Everything sourced with `.` runs inside
> # this shell with this script's privileges, so that directory must be as
> # trustworthy (root-owned, not group/world-writable) as the script itself.
> FW=/sbin/iptables
> LOAD=/sbin/modprobe
> #__________________________________________________________________________
> 
> # Load the iptables kernel modules
> . /etc/rc.d/init.d/prodata/fw_modulos
> 
> # Load the variables (KERNEL, LOGS and IPSEC are presumably defined here --
> # the file is not shown)
> . /etc/rc.d/init.d/prodata/fw_variaveis
> 
> # NOTE(review): $KERNEL is unquoted; if fw_variaveis leaves it unset the test
> # collapses to `[ = "sim" ]` and errors out. Prefer [ "$KERNEL" = "sim" ].
> if [ $KERNEL = "sim" ]
>    then . /etc/rc.d/init.d/prodata/fw_kernel
> fi
> 
> #___________________________________________________________________________
> # Create the LOG policies (user chains LOG_DROP, LOG_OK, ... that the rules
> # jump to; only built when LOGS="sim", so rules referencing them must be
> # guarded the same way)
> #___________________________________________________________________________
> 
> # Same unquoted-variable caveat as $KERNEL above.
> if [ $LOGS = "sim" ]
>    then . /etc/rc.d/init.d/prodata/fw_politicas
> fi
> 
> Normal rules here
> #################################################################### EOF
> 
> 
> 
> /etc/rc.d/init.d/prodata/fw_modulos
> # fw_modulos: loads the netfilter kernel modules with $LOAD (/sbin/modprobe,
> # set by the main script). Lines starting with '#' are not loaded; the
> # trailing '##' marks look like a hand-kept "optional" tag.
> #$LOAD nfnetlink
> 
> # Connection-tracking core plus the FTP helper. The FTP helper inspects the
> # control channel to open the related data connections; keep it only while
> # FTP really has to pass through this box.
> $LOAD ip_conntrack
> $LOAD ip_conntrack_ftp
> #$LOAD ip_conntrack_pptp ##
> #$LOAD ip_conntrack_netlink ##
> #$LOAD ip_conntrack_tftp ##
> 
> #$LOAD ip_nat
> $LOAD ip_nat_ftp
> # GRE tunnel driver (IP protocol 47) -- matches the "fp=VPN:4" rule in
> # fw_politicas
> $LOAD ip_gre
> #$LOAD ip_nat_pptp ##
> #$LOAD ip_nat_tftp ##
> # NOTE(review): this is the only '##'-tagged line still active; every other
> # '##' line is commented out. ip_queue hands packets to a userspace queue
> # (QUEUE target); confirm it is intentional, otherwise comment it out like
> # the others.
> $LOAD ip_queue ##
> $LOAD ip_tables
> 
> # The three tables used by the rules
> $LOAD iptable_filter
> $LOAD iptable_nat
> $LOAD iptable_mangle
> 
> # Match/target modules the rules depend on (limit, state, LOG, MASQUERADE,
> # multiport, TCPMSS). layer7 and string matching are disabled.
> $LOAD ipt_helper
> $LOAD ipt_LOG
> $LOAD ipt_limit
> $LOAD ipt_state
> #$LOAD ipt_layer7 ##
> $LOAD ipt_MASQUERADE
> $LOAD ipt_multiport
> #$LOAD ipt_string
> $LOAD ipt_tcpmss
> $LOAD ipt_TCPMSS
> ######################################################### EOF
> 
> 
> /etc/rc.d/init.d/prodata/fw_kernel
> #___________________________________________________________________________
> # Kernel protection (sysctl values written straight through /proc)
> #___________________________________________________________________________
> # fw_kernel: only sourced when KERNEL="sim" (see main script). None of the
> # writes below are checked, so a missing /proc entry just prints an error and
> # the script carries on with the previous value still in force.
> #Enable forwarding in kernel
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> #Disabling IP Spoofing attacks.
> # rp_filter is the reverse-path (anti-spoofing) filter: 0 = off, 1 = strict.
> # With IPSEC="sim" it is switched OFF on every interface, i.e. there is no
> # spoofing protection at all in that mode -- presumably to tolerate
> # asymmetric IPsec paths; confirm that is still needed.
> # NOTE(review): the else branch writes 2. Older kernels read any non-zero
> # value as "strict"; newer kernels treat 2 as "loose" mode. Decide which is
> # intended before porting this to PF's antispoof.
> if [ $IPSEC = "sim" ]
>    then for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f
>    done
> else for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > $f
>    done
> fi
> 
> #Don't respond to broadcast pings (Smurf-Amplifier-Protection)
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> 
> #Block source routing
> # NOTE(review): comment and value disagree -- accept_source_route=1 ACCEPTS
> # source-routed packets; the blocking value is 0. Treat this as a bug to fix
> # in the migration, not as a feature to reproduce.
> echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
> 
> #Kill timestamps
> # Disabling TCP timestamps hides uptime, but also disables the PAWS
> # sequence-wrap protection and RTT measurement that depend on them.
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> 
> #Enable SYN Cookies
> # NOTE(review): this line is commented out, so SYN cookies are OFF. The only
> # SYN-flood defence left is the rate limit in TCPACCEPT/LSYNFLOOD
> # (fw_politicas), which drops legitimate SYNs once the limit is exceeded.
> #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> 
> #Kill redirects
> # NOTE(review): same inversion as accept_source_route above --
> # accept_redirects=1 ACCEPTS ICMP redirects (lets an on-link host rewrite
> # this box's routing); the blocking value is 0. Until fixed, the only thing
> # dropping redirects is the ICMPINBOUND rule in fw_politicas.
> echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects
> 
> #Enable bad error message protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> 
> #Log martians (packets with impossible addresses)
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
> 
> #Set our local (ephemeral) port range
> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
> 
> #Reduce DoS'ing ability by reducing timeouts
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> # Turning off window scaling and SACK is not a DoS control; it mainly caps
> # throughput on high-latency links. Consider leaving both at their defaults
> # rather than carrying them over.
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
> ################################################################### EOF
> 
> 
> 
> /etc/rc.d/init.d/prodata/fw_politicas
> #___________________________________________________________________________
> # LOG - Frame denial policy (throttled logging, then DROP)
> #___________________________________________________________________________
> # fw_politicas: defines the user chains the main rules jump to. Only sourced
> # when LOGS="sim".
> # NOTE(review): several commands in this listing are wrapped onto two lines
> # by the mailer (the "-j LOG ..." continuation lines). In the real file each
> # must be a single line, otherwise bash runs the continuation as a separate,
> # failing command and the chain is left half-built. Check against the file.
> 
> # Log throttle shared by the LOG_* chains (iptables "limit" match):
> # at most LOGLIMIT entries/sec after an initial burst of LOGLIMITBURST.
> LOGLIMIT="2/s"
> LOGLIMITBURST="10"
> # Overall Limit for TCP-SYN-Flood detection
> TCPSYNLIMIT="5/s"
> # Burst Limit for TCP-SYN-Flood detection
> TCPSYNLIMITBURST="10"
> # Overall Limit for Ping-Flood-Detection
> PINGLIMIT="5/s"
> # Burst Limit for Ping-Flood-Detection
> PINGLIMITBURST="1"
> 
> # LOG_DROP: log (throttled, one prefix per protocol) then drop everything
> # that enters the chain. "fp=" prefixes are what to grep for in syslog.
> $FW -N LOG_DROP
> $FW -A LOG_DROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST
> -j LOG --log-prefix "fp=TCP:1 a=DROP "
> $FW -A LOG_DROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST
> -j LOG --log-prefix "fp=UDP:2 a=DROP "
> $FW -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst
> $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
> # Protocol 47 = GRE (PPTP/VPN traffic)
> $FW -A LOG_DROP -p 47 -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST
> -j LOG --log-prefix "fp=VPN:4 a=DROP "
> # -f: second and later fragments
> $FW -A LOG_DROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j
> LOG --log-prefix "fp=FRAGMENT:5 a=DROP "
> # NOTE(review): this is the only LOG rule without "-m limit". A stream of
> # non-SYN packets in state NEW (e.g. stray ACKs after a conntrack timeout)
> # is logged at line rate and can fill the log partition. Add the same
> # limit/limit-burst match as the rules above.
> $FW -A LOG_DROP -p tcp ! --syn -m state --state NEW -j LOG --log-prefix
> "fp=NEW nao SYN: "
> $FW -A LOG_DROP -j DROP
> 
> #___________________________________________________________________________
> # LOG - Frame acceptance policy (throttled logging, then ACCEPT)
> #___________________________________________________________________________
> 
> # LOG_OK: like LOG_DROP but ends in ACCEPT; --log-level 3 = kern.err, so
> # accepted traffic lands in the error log -- worth lowering when porting.
> $FW -N LOG_OK
> $FW -A LOG_OK  -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG
> --log-level 3 --log-prefix "fp=LOG_OK:3 a=ACCEPT "
> $FW -A LOG_OK -j ACCEPT
> 
> #___________________________________________________________________________
> # LOG - TCP-SYN-Flood denial policy
> #___________________________________________________________________________
> 
> # LSYNFLOOD: target for SYNs that exceeded TCPSYNLIMIT in TCPACCEPT; logs
> # (throttled) and drops. Note the log throttle is LOGLIMIT, not
> # TCPSYNLIMIT, so the log under-reports the real SYN rate.
> $FW -N LSYNFLOOD
> $FW -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j
> LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
> $FW -A LSYNFLOOD -j DROP
> 
> #___________________________________________________________________________
> # TCP - Policy to accept TCP connections while checking for SYN floods
> #___________________________________________________________________________
> 
> # TCPACCEPT: SYNs are accepted up to TCPSYNLIMIT/sec (burst
> # TCPSYNLIMITBURST); SYNs beyond that go to LSYNFLOOD. This is a global
> # limit, not per source, so one flooder blocks new connections for everyone.
> $FW -N TCPACCEPT
> $FW -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst
> $TCPSYNLIMITBURST -j ACCEPT
> # NOTE(review): a SYN that is already ESTABLISHED/RELATED is rare (a
> # retransmit of a tracked SYN); this rule mostly adds a second limit bucket
> # for the same packets and looks like a leftover -- confirm before porting.
> $FW -A TCPACCEPT -p tcp -m state --state ESTABLISHED,RELATED --syn -m limit
> --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
> $FW -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
> # NOTE(review): every non-SYN TCP segment is accepted here without a state
> # check. Whether that matters depends on where TCPACCEPT is jumped to (not
> # shown); if it is reached before a state rule, add
> # `-m state --state ESTABLISHED,RELATED` to this line so only segments of
> # tracked connections pass.
> $FW -A TCPACCEPT -p tcp ! --syn -j ACCEPT
> 
> #___________________________________________________________________________
> # SMB - Reject SMB (NetBIOS) frames
> #___________________________________________________________________________
> 
> # SMB: silently drops NetBIOS/SMB on 137-139 and 445, TCP and UDP, matching
> # destination port first and then source port. Only effective from whatever
> # chain jumps to it (the callers are not in this listing). The same sixteen
> # rules could be one --dports/--sports multiport rule each, but keep the
> # per-port form if the logs are expected to name the port.
> $FW -N SMB
> $FW -A SMB -p tcp --dport 137 -j DROP
> $FW -A SMB -p tcp --dport 138 -j DROP
> $FW -A SMB -p tcp --dport 139 -j DROP
> $FW -A SMB -p tcp --dport 445 -j DROP
> $FW -A SMB -p udp --dport 137 -j DROP
> $FW -A SMB -p udp --dport 138 -j DROP
> $FW -A SMB -p udp --dport 139 -j DROP
> $FW -A SMB -p udp --dport 445 -j DROP
> 
> $FW -A SMB -p tcp --sport 137 -j DROP
> $FW -A SMB -p tcp --sport 138 -j DROP
> $FW -A SMB -p tcp --sport 139 -j DROP
> $FW -A SMB -p tcp --sport 445 -j DROP
> $FW -A SMB -p udp --sport 137 -j DROP
> $FW -A SMB -p udp --sport 138 -j DROP
> $FW -A SMB -p udp --sport 139 -j DROP
> $FW -A SMB -p udp --sport 445 -j DROP
> 
> 
> #___________________________________________________________________________
> # ICMP/TRACEROUTE (IN)
> #___________________________________________________________________________
> 
> #Logging of possible Ping-Floods
> 
> # LPINGFLOOD: target for echo-requests beyond PINGLIMIT in ICMPINBOUND;
> # logs (throttled by LOGLIMIT) and drops.
> $FW -N LPINGFLOOD
> $FW -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j
> LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
> $FW -A LPINGFLOOD -j DROP
> 
> #___________________________________________________________________________
> 
> # ICMPINBOUND: rate-limits echo-requests, drops (with log) the ICMP types
> # that leak routing/clock/netmask information, accepts every other type.
> $FW -N ICMPINBOUND
> 
> #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
> # (PINGLIMITBURST="1" means no burst allowance at all: the first ping over
> # the steady rate is already sent to LPINGFLOOD)
> $FW -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit
> $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
> $FW -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD
> 
> #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
> # NOTE(review): fw_kernel currently writes accept_redirects=1, so the sysctl
> # does NOT catch them -- this rule is the only thing blocking redirects.
> $FW -A ICMPINBOUND -p icmp --icmp-type redirect -j LOG_DROP
> 
> #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
> $FW -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LOG_DROP
> $FW -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LOG_DROP
> 
> #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
> $FW -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP
> $FW -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LOG_DROP
> 
> #Allow all other ICMP in
> $FW -A ICMPINBOUND -p icmp -j ACCEPT
> 
> 
> #___________________________________________________________________________
> # ICMP/TRACEROUTE (OUT)
> #___________________________________________________________________________
> 
> 
> # ICMPOUTBOUND: the outbound mirror of ICMPINBOUND. Blocks the ICMP types
> # this box would otherwise use to reveal its routing, TTL handling, clock
> # and netmask; everything else (echo-request/reply, unreachable, ...) passes.
> $FW -N ICMPOUTBOUND
> 
> #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
> $FW -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LOG_DROP
> 
> #Block ICMP-TTL-Expired
> #MS Traceroute (MS uses ICMP instead of UDP for tracert)
> # Dropping outgoing time-exceeded means this box never shows up as a hop in
> # traceroute -- from either tool -- and no longer reports routing loops.
> $FW -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LOG_DROP
> $FW -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j
> LOG_DROP
> 
> #Block ICMP-Parameter-Problem
> $FW -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LOG_DROP
> 
> #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
> $FW -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LOG_DROP
> $FW -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LOG_DROP
> 
> #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
> $FW -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP
> $FW -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LOG_DROP
> 
> ##Accept all other ICMP going out
> $FW -A ICMPOUTBOUND -p icmp -j ACCEPT
> 
> 
> #___________________________________________________________________________
> # PING server - allow ICMP
> #___________________________________________________________________________
> 
> # icmp_packets: accepts echo-request (type 8) and time-exceeded (type 11)
> # from any source (-s 0/0 matches everything, so it adds nothing).
> # NOTE(review): neither this chain nor icmp_ping applies the PINGLIMIT
> # throttle from ICMPINBOUND; if either is hooked on the inbound path it
> # bypasses the ping-flood protection. Where they are jumped to is not shown.
> $FW -N icmp_packets
> $FW -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
> $FW -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
> 
> #___________________________________________________________________________
> # PING client - allow ICMP
> #___________________________________________________________________________
> 
> # icmp_ping: identical to icmp_packets apart from the redundant -s 0/0.
> # NOTE(review): a ping *client* needs echo-reply (type 0) back, which
> # neither chain accepts; types 8 and 11 are what a ping *server* sees.
> # Confirm which direction this chain is meant for before porting it.
> $FW -N icmp_ping
> $FW -A icmp_ping -p ICMP --icmp-type 8 -j ACCEPT
> $FW -A icmp_ping -p ICMP --icmp-type 11 -j ACCEPT
