Subject: ipfilter rules
To: netbsd <netbsd-users@netbsd.org>
From: Young, Julian <Julian.Young@nl.compuware.com>
List: netbsd-users
Date: 05/07/2002 15:40:43
Could someone take a look at this rule set and tell me if it looks sane and
safe. Many thanks.
#-------------------------------------------------------
# /etc/ipf.conf
#
# le0 is the external interface address a.b.c.d/32
# le1 is the internal interface address w.x.y.z/32
#-------------------------------------------------------
#-------------------------------------------------------
# START
#-------------------------------------------------------
#
# *Nasty* packets we don't want to allow near us at all!
# short packets which are packets fragmented too short to be real.
block in log quick all with short
block all on all # Default Catch All
# since more and larger packets are inbound we will process them first
block in on le0 head 99
block out on le0 proto udp head 105
block out on le0 proto tcp head 205
block out on le0 proto icmp head 305
#-------------------------------------------------------
# Group 99 (Inbound IP Addres filtering)
#-------------------------------------------------------
# Localhost packets.
# packets going in/out of network interfaces that aren't on the loopback
# interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 99
block in log quick from any to 127.0.0.0/8 group 99
# Invalid Internet packets.
# Deny reserved addresses.
block in log quick from 10.0.0.0/8 to any group 99
block in log quick from 192.168.0.0/16 to any group 99
block in log quick from 172.16.0.0/12 to any group 99
# Anti-Spoofing
# block in log quick from a.b.c.d/24 to any group 99
# PPP connection to ISP, address a.b.c.d/32
# block in log quick from a.b.c.d/24 to any group 99
# Now Back on track
block in on le0 proto udp head 100
block in on le0 proto tcp head 200
block in on le0 proto icmp head 300
#-------------------------------------------------------
# Group 100 (UDP in on le0 # external)
#-------------------------------------------------------
# Return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in log proto udp all group 100
# Why ?
# block return-icmp-as-dest(port-unr) in log quick on le0 proto udp from any to w.x.y.z/32 port = 111 group 100
# Why are we passing in DNS Requests ? (from restrictive example)
# Allow outgoing DNS requests (no named on firewall)
#
pass in quick proto udp from any to any port = 53 keep state group 202
#
# If we were running named on the firewall and all internal hosts talked to
# it, we'd use the following:
#
#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
#-------------------------------------------------------
# Group 105 (UDP out on le0 # external)
#-------------------------------------------------------
block out proto udp all head 205 group 105
# Let internal network have full access but only tcp/ip not MS
pass out quick on le0 proto udp from 192.168.0.0/24 to any keep state group 105 # no flags: TCP-only keyword
#-------------------------------------------------------
# Group 200 (TCP in on le0 # external)
#-------------------------------------------------------
block in log all flags S/SA head 201 group 200 #proto tcp
#-------------------------------------------------------
# Throw off casual snoopers.
block return-rst in log from any to w.x.y.z/32 port = ftp group 200 #proto tcp # FTP
block return-rst in log from any to w.x.y.z/32 port = 22 group 200 #proto tcp # SSH
block return-rst in log from any to w.x.y.z/32 port = 23 group 200 #proto tcp # Telnet
block return-rst in log from any to w.x.y.z/32 port = 53 group 200 #proto tcp # DNS (tcp/udp)
block return-rst in log from any to w.x.y.z/32 port = 443 group 200 #proto tcp # Encrypted web traffic
block return-rst in log from any to w.x.y.z/32 port = 445 group 200 #proto tcp # Server Message Block (SMB) protocol, Win2k
block return-rst in log from any to w.x.y.z/32 port = 515 group 200 #proto tcp # Print spooler
block return-rst in log from any to w.x.y.z/32 port = 1234 group 200 #proto tcp # Notorious exploit port
block return-rst in log from any to w.x.y.z/32 port = 1245 group 200 #proto tcp # Notorious exploit port
block return-rst in log from any to w.x.y.z/32 port = smtp group 200 #proto tcp # SMTP # 25
block return-rst in log from any to w.x.y.z/32 port = www group 200 #proto tcp # WWW # 80
# block return-rst in log from any to w.x.y.z/32 group 200 # Loads of logging #proto tcp
# Return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp from any to any flags S/SA
#-------------------------------------------------------
# Group 201 (TCP in S/SA on le0 # external)
#-------------------------------------------------------
#
# Allow outgoing FTP from any internal host to any external FTP server.
#
pass in quick on le0 from any to any port = ftp keep state group 201 # proto tcp
pass in quick on le0 from any to any port = ftp-data keep state group 201 # proto tcp
pass in quick on le0 from any port = ftp-data to any port > 1023 keep state group 201 # proto tcp
# pass in quick on le0 from any to w.x.y.z/32 port = smtp flags S keep state group 201 # proto tcp
# pass in quick on le0 from any to w.x.y.z/32 port = www flags S keep state group 201 # proto tcp
#-------------------------------------------------------
# Group 205(TCP out on le0 # external)
#-------------------------------------------------------
# Let internal network have full access but only tcp/ip not MS
pass out quick on le0 proto tcp from 192.168.0.0/24 to any flags S keep state group 205
#-------------------------------------------------------
# Group 300 (ICMP)
#-------------------------------------------------------
#-------------------------------------------------------
# Uncomment to allow others to ping/trace us
# pass in quick on le0 proto icmp from any to w.x.y.z/32 icmp-type 8 group 300 # ping (echo request)
# pass in quick on le0 proto icmp from any to w.x.y.z/32 icmp-type 11 group 300 # Traceroute
# Otherwise, block all icmp.
block in log quick on le0 proto icmp all group 300
#-------------------------------------------------------
# Group 305 (ICMP out on le0 # external)
#-------------------------------------------------------
# Let internal network have full access but only ICMP not MS
pass out quick on le0 proto icmp from 192.168.0.0/24 to any keep state group 305
#-------------------------------------------------------
# *** END ***
#-------------------------------------------------------
J
--
Julian Young (Julian.young@nl.compuware.com)
Software Engineer - Compuware Europe B.V.
Hoogooddreef 5. PO Box 12933 1100 AX Amsterdam The Netherlands
Tel +31 (020) 3116302 Mobile +31 (06) 288 43652
_______________________________________________________________
Computers are useless. They can only give you answers.
-- Pablo Picasso
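A note on reading a ruleset like the one above: ipf only consults a rule marked "group N" after a packet has matched the rule carrying "head N", so a group with no head is dead code, and keywords such as flags and return-rst only have meaning for TCP. The posted file has a couple of spots worth a second look on exactly these points: the DNS pass rule sits in group 202 but nothing declares head 202, head 205 is declared twice (the TCP out rule and again by the rule inside the UDP out group), and the return-rst rules carry "proto tcp" only as a trailing comment. The script below is an added example, not part of the original post and not part of ipfilter; it checks a constructed excerpt modelled on the ruleset (192.0.2.1 stands in for w.x.y.z) for dead groups, duplicate heads, TCP-only keywords without proto tcp, and exact duplicate rules.

```python
"""Lint an ipf.conf ruleset for head/group mistakes (added example, not part of ipfilter)."""
from collections import Counter

# Constructed excerpt modelled on the posted ruleset; 192.0.2.1 stands in for w.x.y.z.
SAMPLE_IPF_CONF = """\
# le0 is the external interface
block in log quick all with short
block in on le0 head 99
block out on le0 proto udp head 105
block out on le0 proto tcp head 205
block in log quick from 127.0.0.0/8 to any group 99
block in log quick from 127.0.0.0/8 to any group 99
block in on le0 proto udp head 100
block in on le0 proto tcp head 200
block return-icmp(net-unr) in log proto udp all group 100
pass in quick proto udp from any to any port = 53 keep state group 202
block out proto udp all head 205 group 105
pass out quick on le0 proto udp from 192.168.0.0/24 to any flags S keep state group 105
block return-rst in log from any to 192.0.2.1/32 port = 22 group 200
pass out quick on le0 proto tcp from 192.168.0.0/24 to any flags S keep state group 205
"""

TCP_PROTOS = ("tcp", "tcp/udp")


def parse_rules(text):
    """Split ipf.conf text into rules; '#' comments and blank lines are skipped.

    Only the keywords the checks need are extracted: proto, head, group, and
    the TCP-only keywords flags and return-rst.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        toks = body.split()
        rule = {"line": lineno, "text": " ".join(toks), "proto": None,
                "head": None, "group": None, "tcp_only": []}
        for i, tok in enumerate(toks):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if tok == "proto" and nxt:
                rule["proto"] = nxt
            elif tok == "head" and nxt:
                rule["head"] = nxt
            elif tok == "group" and nxt:
                rule["group"] = nxt
            elif tok == "flags" or tok.startswith("return-rst"):
                rule["tcp_only"].append(tok)
        rules.append(rule)
    return rules


def lint(text):
    """Return sorted (line, kind, message) findings for the ruleset text."""
    rules = parse_rules(text)
    findings = []
    heads = Counter(r["head"] for r in rules if r["head"])

    for r in rules:
        # A 'group N' rule is only consulted after a packet matched 'head N';
        # with no such head the rule is never evaluated at all.
        if r["group"] and r["group"] not in heads:
            findings.append((r["line"], "dead-group",
                             f"group {r['group']} has no head rule; never evaluated"))
        # flags and return-rst only apply to TCP segments.
        if r["tcp_only"] and r["proto"] not in TCP_PROTOS:
            findings.append((r["line"], "tcp-keyword",
                             f"{'/'.join(r['tcp_only'])} used without proto tcp"))

    # The same head number declared by more than one rule is at best confusing.
    for head, count in sorted(heads.items()):
        if count > 1:
            lines = [r["line"] for r in rules if r["head"] == head]
            findings.append((lines[-1], "dup-head",
                             f"head {head} declared on lines {lines}"))

    # Exact duplicates (after comment stripping) only add noise to the file and the log.
    seen = {}
    for r in rules:
        if r["text"] in seen:
            findings.append((r["line"], "duplicate",
                             f"identical to line {seen[r['text']]}"))
        else:
            seen[r["text"]] = r["line"]
    return sorted(findings)


if __name__ == "__main__":
    for line, kind, msg in lint(SAMPLE_IPF_CONF):
        print(f"line {line}: {kind}: {msg}")
```

To run it over a real file, read /etc/ipf.conf into a string and pass it to lint(). It is a static check only; after loading the rules, ipfstat -io shows what the kernel actually installed and is the authoritative answer.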
-----Original Message-----
From: Axel Scheepers [mailto:axel@axel.truedestiny.net]
Sent: Sunday, May 05, 2002 3:24 PM
To: Shyam Kumar Mangayil
Cc: netbsd
Subject: Re: automatically having -rwxrwxr-- permissions on file upload
or creation
Hi Shyam,
On Sun, May 05, 2002 at 09:41:29AM +0100, Shyam Kumar Mangayil wrote:
> To: netbsd <netbsd-users@netbsd.org>
>
>
> How can I automatically have -rwxrwxr-- permissions on file upload or creation?
>
> I tried all values for umask, but because default file permissions are 666
>
> umask would not help.
>
> Regards,
>
> Shyam
What program do you use to transfer files? When you use samba you can specify
exactly what you want in smb.conf using the creation mask option:
[share]
comment = test share
path = /tmp
browseable = yes
create mask = 0770
directory mask = 0770
Whenever you use unix standard tools like ftp/ssh you'll have to stick to
umask AFAIK; a umask value of 7 would come closest to this; files will
be -rw-rw---- and directories drwxrwx---
You can still execute your exe files from a windows share, if you're worried
about that.
Gr,
--
Axel Scheepers
UNIX System Administrator
email: axel@axel.truedestiny.net
a.scheepers@iae.nl
http://axel.truedestiny.net/~axel
------------------------------------------
Help me, I'm a prisoner in a Fortune cookie file!
------------------------------------------