Firewall

Tyman Vladimir vladimir.tyman at i.cz
Thu Feb 26 01:56:01 CET 2004


Večeřa Antonín wrote:
>>Ipfilter (ipf/ipnat) is a fully stateful filter, and if you are coming
>>from a stateless one (e.g. the old stateless ipfw) you need to change
>>how you look at things. You may have reservations about stateful
>>filtering, but the fact is that certain things simply cannot be done
>>at all with a stateless filter. As for what was said here about a
>>stateful filter being more susceptible to DoS, that is an opinion I
>>won't argue against, but personally I wouldn't overrate it. Nothing
>>stops you from writing static rules in a stateful filter (ipf) too,
>>which block the traffic you don't want just as with a stateless filter,
>>but in addition, with stateful rules you can close off the rest and
>>thereby significantly increase its security.
> 
> 
> Let me ask it this way - is there anything wrong (from a security standpoint)
> with a firewall defined like this:    (xl0 - Internet, xl1 - private network)
> 
> -----------------
> block in quick on xl0 all head 1
If you put quick there, then I think the filter stops here; do you want that?
> pass in quick proto icmp from any to 111.222.111.222/32 icmp-type echo group 1
> pass in quick proto tcp from any to 111.222.111.222/32 port = http group 1
> block return-icmp(port-unr) in quick proto udp from any to 111.222.111.222/32 group 1
> block return-rst in quick proto tcp from any to 111.222.111.222/32 group 1
> 
> pass in quick on xl1 all head 2
Why quick? The filter will then stop here; do you want that?
> pass in quick proto icmp from any to 192.168.0.2/32 icmp-type echo group 2
> pass in quick proto udp from any to 192.168.0.2/32 port = domain group 2
> pass in quick proto udp from any to 192.168.0.2/32 port = dhcps group 2
> pass in quick proto tcp from any to 192.168.0.2/32 port = ssh group 2
> block return-icmp(port-unr) in quick proto udp from any to 192.168.0.2/32 group 2
> block return-rst in quick proto tcp from any to 192.168.0.2/32 group 2
> 
I would block everything on input and put that at the beginning.
block out  on xl0 all head 3
block out  on xl1 all head 4
> pass out quick on lo0 all
> pass out quick proto udp from 192.168.0.2/32 port = domain to any
> pass out quick proto udp from 192.168.0.2/32 port = dhcpc to any
These two rules are somewhat superfluous here (unless your kernel is built so
that ipfilter blocks by default, IPFILTER_DEFAULT_BLOCK, which you probably
don't have, since you are missing the out rule for the ssh you allowed
inbound), because you do not block output.
> pass out quick proto icmp all icmp-type echo keep state
> pass out quick proto udp all keep state keep frags
> pass out quick proto tcp all flags S keep state keep frags
> -----------------
> 

If it is as I think it is - that is, that for a "quick" rule that matches,
ipfilter stops going through any further rules - then you need to rethink
how to write the filter.

In general: first block everything (in, out), because ipfilter is open by
default, and only then permit. Plus, I would place the blocking lines at the
beginning of the rules, because they are processed sequentially. Further, I
would add "log" to the blocking rules (with quick) so that you also log, and
therefore see, the packets you are going to block.

For example, your ipf.rules could begin something like this:

##################################
#
# Blocking rules
#
##################################
#
# Unrealistically short packets and packets containing IP options
#
block in log quick all with ipopts
block in log quick all with short
#
# Interface xl0 external - block everything inbound
#
block in log on xl0 all head 100
block in log proto tcp all flags S head 101 group 100
block in log proto udp all head 102 group 100
block in log proto icmp all head 103 group 100
#
# Interface xl0 external - block everything outbound
#
block out log on xl0 all head 150
block out log proto tcp all flags S head 151 group 150
block out log proto udp all head 152 group 150
block out log proto icmp all head 153 group 150
#
# Interface xl1 internal - block everything inbound
#
block in log on xl1 all head 200
block in log proto tcp all flags S head 201 group 200
block in log proto udp all head 202 group 200
block in log proto icmp all head 203 group 200
#
# Interface xl1 internal - block everything outbound
#
block out log on xl1 all head 250
block out log proto tcp all flags S head 251 group 250
block out log proto udp all head 252 group 250
block out log proto icmp all head 253 group 250
#################################
#
# Permit rules
#
#################################
#
# permit loopback addresses over the loopback interface, deny otherwise
#
pass in quick on lo0 all
pass out quick on lo0 all
#
# Interface xl0 external
#
....
....

Fill in the appropriate permit rules here.
As in the eBanka ad, "this you really must do" yourself :-)
Make good use of the groups already defined (100-253) for them.


VT
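To make the evaluation order the reply relies on concrete, here is an added Python model (not code from the list post or from IPFilter itself): the last matching rule wins, a matching rule marked quick ends the scan at once, and a packet matching no rule falls through to the default of pass. It assumes a simplified rule syntax and does not model head/group processing or keep state.

```python
from dataclasses import dataclass
from typing import List, Optional

# Simplified model of IPFilter rule evaluation (constructed example): rules are
# scanned in order, the LAST matching rule wins, except that a matching "quick"
# rule ends the scan immediately. With no match the default is "pass" (kernel
# built without IPFILTER_DEFAULT_BLOCK). Head/group and state are not modelled.

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None  # None matches any interface
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:           # "quick": stop at the first match
                break
    return verdict

# Outbound rules modelled on the posted config: pass rules only, no "block out".
POSTED_OUT = [
    Rule("pass", "out", quick=True, proto="udp"),
    Rule("pass", "out", quick=True, proto="tcp"),
]
# Outbound rules following the reply's advice: block first, then permit.
HARDENED_OUT = [
    Rule("block", "out", iface="xl0"),
    Rule("pass", "out", quick=True, iface="xl0", proto="udp", dport=53),
    Rule("pass", "out", quick=True, iface="xl0", proto="tcp", dport=80),
]
```

With POSTED_OUT every outbound packet passes whether or not a rule matches, which is why the reply calls the posted pass-out lines superfluous; HARDENED_OUT only lets the listed services out of xl0.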