Subject: ipf: how secure is this network?
To: None <netbsd-help@netbsd.org>
From: Heron Gallegos <gallegos@cgepi.uadec.mx>
List: netbsd-help
Date: 03/10/2001 20:02:55
Hello
I am using IPNAT/IPF in our network; it seems to work fine,
but I am not sure because I am very, very, very new to IPF.
It has been a lot of hard work for me to build ipf.conf
and ipnat.conf, and I would like to hear comments about
these files, especially if you detect security holes.
Thanks in advance
Heron Gallegos
LAN1 exposed a.b.c.0/26
---------------------------------------------------------------
       |                |            |         |         |
---------------  ---------------  --------  -------  ----------
| ex0 a.b.c.2 |  | ex0 a.b.c.3 |  |      |  |     |  | Router |-->
|S1 squid box |  |  ipnat/ipf  |  | DNS  |  | WWW |  |   to   |
|ex1 10.2.2.2 |  |             |  | mail |  |     |  |  ISP   |
---------------  |     S2      |  |  S3  |  | S4  |  ----------
       |         |             |  |      |  |     |
       ----------|ex2 10.2.2.1 |  --------  -------
                 |             |     |         |
                 |ex1 10.3.1.1 |     |         |
                 ---------------     |         |
LAN2 10.3.1.0/24        |            |         |
---------------------------------------------------------------
       |                |            |
   ---------         --------    -----------
   |  NFS  |         | IMAP |    | Layer 3 |---->LAN3 10.3.2.0
   | mysql |         |  S6  |    | switch  |
   |  S5   |         --------    | routing |---->LAN4 10.3.3.0
   ---------                     |         |
                                 |         |---->more LANs
                                 -----------
a.b.c.0/26 is our exposed LAN
a.b.c.64/26 reserved for future use
a.b.c.128/25 to map our hidden network
10.3.0.0/16 our hidden network
The 6 servers are NetBSD-1.5 i386 (PII/350, 128MB RAM)
S5 exports /usr/src and pkgsrc to S3, S4 and S6. I would like
to include S1 and S2 in the list.
S2 runs ipnat/ipf:
The file ipnat.conf:
#!/usr/sbin/ipnat -f -
#
# ex0 - (external) network interface
# ex1 - (internal) network interface
# ex2 - (to squid) network interface
#
# Transparent proxy: web requests arriving on ex1 from the LAN go to squid
rdr ex1 0.0.0.0/0 port 80 -> 10.2.2.2 port 3128 tcp
#
# Hide 10.3.0.0/16 behind the a.b.c.128/25 pool: port-mapped TCP/UDP,
# a plain mapping for other protocols, and the ftp proxy for active FTP
map ex0 10.3.0.0/16 -> a.b.c.128/25 portmap tcp/udp 40000:50000
map ex0 10.3.0.0/16 -> a.b.c.128/25
map ex0 10.3.0.0/16 -> a.b.c.128/25 proxy port ftp ftp/tcp
The file ipf.conf:
#!/sbin/ipf -f -
#
################################################################
#
# Exposed interface: INBOUND from the INTERNET to the FIREWALL
#
block in quick on ex0 all head 100
block in quick on ex0 from 192.168.0.0/16 to any group 100
block in quick on ex0 from 172.16.0.0/12 to any group 100
block in quick on ex0 from 10.0.0.0/8 to any group 100
block in quick on ex0 from 127.0.0.0/8 to any group 100
block in quick on ex0 from 0.0.0.0/8 to any group 100
block in quick on ex0 from 169.254.0.0/16 to any group 100
block in quick on ex0 from 192.0.2.0/24 to any group 100
block in quick on ex0 from 204.152.64.0/23 to any group 100
block in quick on ex0 from 224.0.0.0/3 to any group 100
block in log quick on ex0 from any to a.b.c.128/32 group 100
block in log quick on ex0 from any to a.b.c.255/32 group 100
pass in on ex0 all group 100
#
################################################################
#
# Exposed interface: OUTBOUND from the FIREWALL to the INTERNET
#
block out quick on ex0 all head 200
pass out on ex0 all group 200
#
################################################################
#
# Internal interface: INBOUND from the INTRANET to the FIREWALL
#
block in quick on ex1 all head 300
pass in quick on ex1 proto tcp/udp from 10.3.0.0/16 to any keep state group 300
block in on ex1 all group 300
#
################################################################
#
# Internal interface: OUTBOUND from the FIREWALL to the INTRANET
#
block out quick on ex1 all head 400
block out quick on ex1 from 10.3.1.1/32 to 10.3.0.0/16 head 450 group 400
block out on ex1 all group 400
#
# Subroutine 450: the firewall needs some services from servers S5 and S6,
# and the squid server needs NFS (this doesn't work)
#
pass out quick on ex1 from 10.3.1.1/32 to 10.3.1.8/32 group 450
pass out quick on ex1 from 10.3.1.1/32 to 10.3.1.9/32 group 450
# pass out quick on ex1 from 10.2.2.2/32 to 10.3.1.8/32 group 450
#
########################################################################
#
# Inbound interface from SQUID to the FIREWALL
#
block in quick on ex2 all head 500
pass in on ex2 proto tcp/udp all keep state group 500
#
########################################################################
#
# Outbound interface from the FIREWALL to SQUID
#
block out quick on ex2 all head 600
pass out on ex2 all group 600
End of file ipf.conf
In 1999 and 2000 our old ipf server (NetBSD-1.4.1) had the following
lines in the file ipf.conf (2 NICs, no squid server and no head/group lines)
and I need help in order to add them to ipf.conf... can anybody tell me
how to add them to the file?
########################################################################
#
# pass in quick on ne0 proto icmp from any to 10.3.0.0/16 icmp-type 0
# pass in quick on ne0 proto icmp from any to 10.3.0.0/16 icmp-type 11
# block in log quick on ne0 proto icmp from any to any
# block in log quick on ne0 proto tcp from any to 10.3.0.0/16 port = 513
# block in log quick on ne0 proto tcp from any to 10.3.0.0/16 port = 514
# block in log quick on ne0 proto tcp from any to 10.3.0.0/16 port = 515
#
# block in log quick on ne0 proto tcp/udp from any to 10.3.0.0/16 port = 111
# block in log quick on ne0 proto tcp/udp from any to 10.3.0.0/16 port = 161
# block in log quick on ne0 proto tcp/udp from any to 10.3.0.0/16 port = 2049
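To see how the head/group structure of the ipf.conf above decides a packet, and why the commented-out rule in subroutine 450 can never match, here is a small Python model of ipf's group evaluation (an added example, not code from the mail or from IPFilter). It is stateless and ignores protocols, ports and `keep state`; the rule list is a constructed subset of the posted file, and 203.0.113.130 is a stand-in for a host in the a.b.c.128/25 pool.

```python
from ipaddress import ip_address, ip_network

# Constructed subset of the ipf.conf rules above, as
# (action, direction, quick, iface, src, dst, head, group); group 0 is the
# top level. Protocols, ports and 'keep state' are deliberately left out.
RULES = [
    ("block", "in",  True,  "ex0", "0.0.0.0/0",      "0.0.0.0/0",   100,  0),
    ("block", "in",  True,  "ex0", "10.0.0.0/8",     "0.0.0.0/0",   None, 100),
    ("block", "in",  True,  "ex0", "192.168.0.0/16", "0.0.0.0/0",   None, 100),
    ("pass",  "in",  False, "ex0", "0.0.0.0/0",      "0.0.0.0/0",   None, 100),
    ("block", "out", True,  "ex1", "0.0.0.0/0",      "0.0.0.0/0",   400,  0),
    ("block", "out", True,  "ex1", "10.3.1.1/32",    "10.3.0.0/16", 450,  400),
    ("block", "out", False, "ex1", "0.0.0.0/0",      "0.0.0.0/0",   None, 400),
    ("pass",  "out", True,  "ex1", "10.3.1.1/32",    "10.3.1.8/32", None, 450),
    ("pass",  "out", True,  "ex1", "10.3.1.1/32",    "10.3.1.9/32", None, 450),
    # the rule the mail has commented out, enabled here to show why it never fires
    ("pass",  "out", True,  "ex1", "10.2.2.2/32",    "10.3.1.8/32", None, 450),
]

def matches(rule, pkt):
    _, direction, _, iface, src, dst, _, _ = rule
    return (direction == pkt["dir"] and iface == pkt["iface"]
            and ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst))

def scan(group, pkt, result):
    """Walk one group in order: last match wins, 'quick' stops, 'head' recurses.
    result is (action, quick) carried in from the rule that opened the group."""
    for rule in (r for r in RULES if r[7] == group):
        if not matches(rule, pkt):
            continue
        result = (rule[0], rule[2])
        if rule[6] is not None:          # head N: test group N before going on
            result = scan(rule[6], pkt, result)
        if result[1]:                    # a quick match is final
            break
    return result

def decide(direction, iface, src, dst):
    """Return 'pass' or 'block' for one packet; ipf passes when nothing matches."""
    pkt = {"dir": direction, "iface": iface, "src": src, "dst": dst}
    return scan(0, pkt, ("pass", False))[0]

if __name__ == "__main__":
    # 203.0.113.130 is a constructed stand-in for a host in the a.b.c.128/25 pool
    print(decide("in", "ex0", "10.1.2.3", "203.0.113.130"))      # block: private source
    print(decide("in", "ex0", "198.51.100.7", "203.0.113.130"))  # pass
    print(decide("out", "ex1", "10.3.1.1", "10.3.1.8"))          # pass via group 450
    print(decide("out", "ex1", "10.2.2.2", "10.3.1.8"))          # block: never enters 450
```

The last case is blocked even with the 10.2.2.2 rule enabled: only packets from 10.3.1.1 match the head rule that opens group 450, so a rule for any other source placed in that group is unreachable.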