firewall setup

Dan Lukes dan at obluda.cz
Tue Jul 8 11:19:21 CEST 2008


Jaroslav Votruba wrote:
> #safe loading of IPFW
> #ipfw -f flush && ipfw add 61000 allow all from any to any

	While we're at it: if, at system boot, you once run

ipfw add 61000 set 31 allow all from any to any

	you have that rule there permanently. A flush does not remove a rule like that.

	But I have one more favourite "safe" way of changing the firewall. Instead of
a flush, put this at the beginning:

${fwcmd} delete set 1
${fwcmd} set move 0 to 1
${fwcmd} set enable 1 disable 0
${fwcmd} delete set 0

and at the very end
${fwcmd} set enable 0 disable 1
${fwcmd} delete set 1

	That way the firewall is not active while it is being filled, i.e. in its
intermediate states; instead you fill it completely with the new rules and then
switch to them atomically.

> The BSD box acts as a gateway for the internal network; mail, samba and web
> run on it and everything must be reachable both from inside and from outside.

> What I'm mainly after is whether I have some rule in the wrong order, or
> whether something could be written more simply.

	Well, if you expect heavy traffic, it is advisable to have as few rules as
possible, and to put those that match the most packets as high as possible.

	If you don't expect heavy traffic, it more or less doesn't matter. Although
you never know when some attack will come.

	So I will assume you expect heavy traffic.

> Dan will surely push a pre-built solution; I'd rather cobble it together
> myself anyway

	With firewalls, and security in general, usually not. These are such
individual matters that often it can't even be ...

> #set the outside interface and mask here
> oif="xl0"    #interface
> omask="255.255.255.252"    #netmask
> oip="89.31.47.158"    #IP address of the interface
> 
> 
> #set the inside interface and mask here
> iif="re0"    #interface
> inet="192.168.0.0"    #network
> imask="255.255.255.0"    #netmask
> iip="192.168.0.1"    #IP address of the interface
> 
> 
> #set the VPN interface and mask here
> vif="tap0"    #interface
> vnet="10.0.1.0"    #network
> vmask="255.255.255.0"    #netmask
> vip="10.0.1.1"    #IP address of the interface
> 
> 
> # Stop spoofing.
> ${fwcmd} 10 deny all from ${inet}:${imask} to any in via ${oif}

Drop it entirely and replace it with the sysctl setting
net.inet.ip.check_interface=1

Instead, you should prevent packets with improper addresses from leaving
towards the outside network (the attacker may be on the inside too):

${fwcmd} 10 unreach filter-prohib all from not $oip to any out xmit ${oif}

> # Stop RFC1918 nets on the outside interface.
> ${fwcmd} 30 deny all from any to 10.0.0.0/8 via ${oif}
> ${fwcmd} 40 deny all from any to 172.16.0.0/12 via ${oif}
> ${fwcmd} 50 deny all from any to 192.168.0.0/16 via ${oif}
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface.
> ${fwcmd} 60 deny all from any to 0.0.0.0/8 via ${oif}
> ${fwcmd} 70 deny all from any to 169.254.0.0/16 via ${oif}
> ${fwcmd} 80 deny all from any to 192.0.2.0/24 via ${oif}
> ${fwcmd} 90 deny all from any to 224.0.0.0/4 via ${oif}
> ${fwcmd} 100 deny all from any to 240.0.0.0/4 via ${oif}

Make one rule out of all of that (to 10.0.0.0/8,172.16.0.0/12,...), and change
deny to unreach filter-prohib

> # Allow ftp and ssh
> ${fwcmd} 200 allow tcp from any to any 21  # ftp
> ${fwcmd} 210 allow tcp from any to any 22  # ssh
> ${fwcmd} 330 allow tcp from any to any 143  # imaps
> ${fwcmd} 340 allow tcp from any to any 993
> ${fwcmd} 350 allow tcp from any to any 110 # pop3s
> ${fwcmd} 360 allow tcp from any to any 995
> ${fwcmd} 500 allow tcp from any to any 80
> ${fwcmd} 510 allow tcp from any to any 443

	Merge into one rule.

	Instead of #, write the comment after //: a comment written that way is
remembered by ipfw and you will see it in the listing (ipfw l).

> # Allow TCP through if setup succeeded.
> ${fwcmd} 700 allow tcp from any to any established

	If this rule is there, it is the typical candidate for a rule as high up as
possible. Best right after the divert. It resolves the vast majority of
packets, and when it is at the top, it does so early.

> ${fwcmd} 800 allow udp from any to any 137 via ${iif}
> ${fwcmd} 810 allow udp from any to any 138 via ${iif}
> ${fwcmd} 820 allow tcp from any to any 139 via ${iif}
> ${fwcmd} 830 allow udp from any to any 445 via ${iif}

	Merge.

> ${fwcmd} 840 reset tcp from any to ${oip} 113 setup in via ${oif}
> ${fwcmd} 850 reset tcp from any to ${oip} 139 setup in via ${oif}
> ${fwcmd} 860 reset tcp from any to ${oip} 389 setup in via ${oif}
> ${fwcmd} 870 reset tcp from any to ${oip} 445 setup in via ${oif}

	Merge. Personally I would not use 'reset' but unreach filter-prohib

> # block spoofed UDP broadcast protocols without logging
> ${fwcmd} 900 deny udp from any 137 to any in via ${oif}
> ${fwcmd} 920 deny udp from any 138 to any in via ${oif}
> ${fwcmd} 930 deny udp from any 513 to any in via ${oif}
> ${fwcmd} 940 deny udp from any 525 to any in via ${oif}

	Merge

	In general I don't like "silent" firewalls, i.e. the 'deny' action. A capable
attacker can detect the presence of a firewall anyway; an incapable one will
hardly get past it even if he knows about it. So it practically doesn't matter
that it is known about.

	But you will curse yourself once you are looking for why some communication
doesn't get through. Or someone else will curse you. A situation where, for a
particular communication from point A to point B, the packets are silently lost
somewhere along the way and nobody knows where, is unpleasant, hard to fix and
usually completely unnecessary.

						Dan
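Dan's set-switching trick together with his advice to merge rules, to put the established rule near the top and to answer with unreach filter-prohib instead of deny, assembled into one loader script. This is an added example, not code from the thread: the interface names and addresses come from Jaroslav's quoted configuration, while the rule numbers, the fwcmd/build_rules/rule_count helpers and the dry-run mode (so the planned commands can be reviewed before they are loaded) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: load a firewall in the "switch
# sets atomically" style. The rules in service stay in set 1 while the new
# ones are built in the disabled set 0, then a single command swaps them.
# DRYRUN=1 (the default) only records the commands instead of running ipfw.
oif="xl0"; oip="89.31.47.158"        # outside interface and its address
iif="re0"                            # inside interface
bogons="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4"

# fwcmd: in dry-run mode append the command to $RULES, otherwise run ipfw.
fwcmd() {
    if [ "${DRYRUN:-1}" = "1" ]; then
        RULES="${RULES}ipfw $*
"
    else
        /sbin/ipfw -q "$@"
    fi
}

build_rules() {
    RULES=""
    # 1. Park the rules currently in service in set 1; they keep filtering.
    fwcmd delete set 1
    fwcmd set move 0 to 1
    fwcmd set enable 1 disable 0
    fwcmd delete set 0
    # 2. New rules land in set 0, which is disabled, so a half-built rule
    #    set is never exposed. One merged rule per purpose; "//" comments
    #    are stored by ipfw and shown by "ipfw list". The most frequently
    #    matched rule (established) sits near the top, right after the
    #    egress anti-spoofing check (and after a divert/NAT rule, if any).
    fwcmd add 100 unreach filter-prohib all from not $oip to any out xmit $oif // no spoofed source leaving
    fwcmd add 110 allow tcp from any to any established // fast path
    fwcmd add 120 unreach filter-prohib all from any to $bogons via $oif // RFC1918 and reserved nets
    fwcmd add 200 allow tcp from any to any 21,22,80,110,143,443,993,995 // public services
    fwcmd add 300 allow udp from any to any 137,138,445 via $iif // samba, LAN only
    fwcmd add 310 allow tcp from any to any 139 via $iif // samba, LAN only
    fwcmd add 400 unreach filter-prohib tcp from any to $oip 113,139,389,445 setup in via $oif
    fwcmd add 410 unreach filter-prohib udp from any 137,138,513,525 to any in via $oif
    # 3. Atomic switch: enable the new set, then disable and drop the old one.
    fwcmd set enable 0 disable 1
    fwcmd delete set 1
}

# Number of ipfw commands the run would issue (handy for checking a dry run).
rule_count() { printf '%s' "$RULES" | grep -c '^ipfw '; }

build_rules && printf '%s' "$RULES"   # review the plan; DRYRUN=0 applies it
```

The rule in set 31 that Dan mentions is untouched by the set operations above, so the "allow all" safety net survives a reload.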


