Subject: Re: ipf: how secure is this network?
To: Heron Gallegos <gallegos@cgepi.uadec.mx>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: netbsd-help
Date: 03/11/2001 15:38:34
On Sat, Mar 10, 2001 at 08:02:55PM -0600, Heron Gallegos wrote:
> Hello
> 
> I am using IPNAT/IPF in our network, it seems to work fine
> but I am not sure because I am very very very new in IPF.
> It has been a lot of hard work for me to build ipf.conf
> and ipnat.conf, and I would like to hear comments about
> such files, especially if you detect security holes.
> 
> Thanks in advance
> 
> Heron Gallegos
> 
> LAN1 exposed a.b.c.0/26
> -------------------------------------------------------
>        |                |           |        |       |
> --------------- --------------- -------- ------- ----------
> | ex0 a.b.c.2 | | ex0 a.b.c.3 | |      | |     | | Router |-->
> |S1 squid box | | ipnat/ipf   | | DNS  | | WWW | | to     |
> |ex1 10.2.2.2 | |             | | mail | |     | | ISP    |
> --------------- |      S2     | |  S3  | | S4  | ----------
>        |        |             | |      | |     |
>        ---------|ex2 10.2.2.1 | -------- -------
>                 |             |     |        |
>                 |ex1 10.3.1.1 |     |        |
>                 ---------------     |        |
> LAN2 10.3.1.0/24        |           |        |
> -------------------------------------------------------

So S3 and S4 have direct access to LAN2, right ?
I wouldn't do this. If one of these boxes gets hacked, the bad guy gets
access to your private network at the same time.
I would rather connect them to S2, the same way S1 is connected, and
filter traffic from these boxes to LAN2.

>                    -----------
> 
> a.b.c.0/26   Is our exposed LAN
> a.b.c.64/26  reserved for future use
> a.b.c.128/25 to map our hidden network
> 10.3.0.0/16  our hidden network
> 
> The 6 servers are NetBSD-1.5 i386 (PII/350, 128MB RAM)
> 
> S5 exports /usr/src and pkgsrc to S3, S4 and S6. I would like
> to include S1 and S2 in the list.

Hum, not very good either; I wouldn't mount any NFS server from the private
network on exposed servers. Can't you move src and pkgsrc to S3 or S4,
and mount this to the internal servers instead ?

> 
> S2 runs ipnat/ipf:
> The file ipnat.conf:
> #!/usr/sbin/ipnat -f -
> #
> # ex0 - (external) network interface
> # ex1 - (internal) network interface
> # ex2 - (to squid) network interface
> #
> rdr ex1 0.0.0.0/0 port 80 -> 10.2.2.2 port 3128 tcp
> #
> map ex0 10.3.0.0/16 -> a.b.c.128/25 portmap tcp/udp 40000:50000
> map ex0 10.3.0.0/16 -> a.b.c.128/25
> map ex0 10.3.0.0/16 -> a.b.c.128/25 proxy port ftp ftp/tcp

Looks good.

> 
> The file ipf.conf:
> #!/sbin/ipf -f -
> #
> ################################################################
> #
> #	Exposed interface from INTERNET to FIREWALL
> #
> block   in     quick on ex0 all					head  100
>   block in     quick on ex0 from 192.168.0.0/16     to any	group 100
>   block in     quick on ex0 from 172.16.0.0/12      to any	group 100
>   block in     quick on ex0 from 10.0.0.0/8         to any	group 100
>   block in     quick on ex0 from 127.0.0.0/8        to any	group 100
>   block in     quick on ex0 from 0.0.0.0/8          to any	group 100
>   block in     quick on ex0 from 169.254.0.0/16     to any	group 100
>   block in     quick on ex0 from 192.0.2.0/24       to any	group 100
>   block in     quick on ex0 from 204.152.64.0/23    to any	group 100
>   block in     quick on ex0 from 224.0.0.0/3        to any	group 100

I would add 127.0.0.0/8 to the list :)

>   block in log quick on ex0 from any to a.b.c.128/32		group 100
>   block in log quick on ex0 from any to a.b.c.255/32		group 100
>   pass  in           on ex0      all				group 100

I would be more restrictive here; you're allowing anything from the internet
to your NAT box. I would replace the last line with
 pass  in  quick         on ex0 from any to  a.b.c.128/25 group 100
And then, if you need access to the internet for the NAT box itself:
 block in log quick on ex0 proto tcp from any to a.b.c.3/32 flags S/SA group 100
 pass in quick on ex0 proto tcp from any to a.b.c.3/32 group 100
This allows only outgoing TCP connections (can be done with keep-state
as well, but I'm not familiar with it :)
Set up your resolv.conf so that DNS lookups are done through the internal
network.

> #
> ################################################################
> #
> #	Exposed interface from FIREWALL to INTERNET
> #
> block   out     quick on ex0 all				head  200
>   pass  out           on ex0 all				group 200

Ok, filter what's coming in, we don't really care what's going out :)

> #
> ################################################################
> #
> #	Internal interface from INTRANET to FIREWALL
> #
> block   in quick on ex1 all							head  300
>   pass  in quick on ex1 proto tcp/udp from 10.3.0.0/16 to any keep state	group 300
>   block in       on ex1 all							group 300
> #
> ################################################################
> #
> #	Internal interface from FIREWALL to INTRANET
> #
> block   out quick on ex1 all						head  400 
>   block out quick on ex1 from 10.3.1.1/32 to 10.3.0.0/16 head 450	group 400
>   block out       on ex1 all						group 400
> #
> #	Subroutine 450 for firewall access to the server farm
> #	Subroutine 450 firewall needs some services from servers S5 and S6
> #	and squid server needs NFS (this doesn't work)
> #
>   pass  out quick on ex1 from 10.3.1.1/32 to 10.3.1.8/32		group 450
>   pass  out quick on ex1 from 10.3.1.1/32 to 10.3.1.9/32		group 450
> # pass  out quick on ex1 from 10.2.2.2/32 to 10.3.1.8/32		group 450
> #
> ########################################################################
> #
> #	From squid server to firewall
> #
> block   in quick on ex2 all				head  500
>   pass  in       on ex2 proto tcp/udp all keep state	group 500
> #
> ########################################################################
> #
> #	From FIREWALL to SQUID
> #
> block   out    quick on ex2 all			head  600
>   pass  out          on ex2 all			group 600
> 
> End of file ipf.conf
> 
> In 1999 and 2000 our old ipf server (NetBSD-1.4.1) had the following
> lines in the file ipf.conf (2 NICs, no squid server and no head/group lines)
> and I need help in order to add them to ipf.conf... can anybody tell me
> how I can add them to the file?
> 
> ########################################################################
> #
> # pass  in     quick on ne0 proto icmp from any to 10.3.0.0/16 icmp-type 0
> # pass  in     quick on ne0 proto icmp from any to 10.3.0.0/16 icmp-type 11
> # block in log quick on ne0 proto icmp from any to any
> # block in log quick on ne0 proto tcp  from any to 10.3.0.0/16 port = 513
> # block in log quick on ne0 proto tcp  from any to 10.3.0.0/16 port = 514
> # block in log quick on ne0 proto tcp  from any to 10.3.0.0/16 port = 515
> #
> # block in log quick on ne0 proto tcp/udp from any to 10.3.0.0/16 port = 111
> # block in log quick on ne0 proto tcp/udp from any to 10.3.0.0/16 port = 161
> # block in log quick on ne0 proto tcp/udp from any to 10.3.0.0/16 port = 2049

Add these to group 300, just after
block   in quick on ex1 all head 300
changing ne0 to ex1 of course :)

--
Manuel Bouyer <bouyer@antioche.eu.org>
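To show what the more restrictive ex0 inbound group suggested in the reply actually does to a few packets, here is an added Python simulation of ipf's quick/last-match rule evaluation (example code, not from the thread or from IPFilter itself; 198.51.100 stands in for a.b.c, and the sample packets are constructed):

```python
import ipaddress
# Added example, not from the thread: simulates IPFilter's evaluation of the
# ex0 inbound group proposed above. a.b.c is stood in by 198.51.100 (constructed).
HEAD = "block in quick on ex0 all head 100"   # applies when no group rule matches
GROUP_100 = [
    "block in quick on ex0 from 10.0.0.0/8 to any group 100",
    "pass in quick on ex0 from any to 198.51.100.128/25 group 100",
    "block in log quick on ex0 proto tcp from any to 198.51.100.3/32 flags S/SA group 100",
    "pass in quick on ex0 proto tcp from any to 198.51.100.3/32 group 100",
]

def parse_rule(line):
    """Action, modifiers and match fields of one rule (only the keywords used above)."""
    t = line.split()
    r = {"action": t[0], "log": "log" in t, "quick": "quick" in t,
         "proto": None, "src": "any", "dst": "any", "flags": None}
    for key, field in (("proto", "proto"), ("from", "src"), ("to", "dst"), ("flags", "flags")):
        if key in t: r[field] = t[t.index(key) + 1]
    return r

def flags_match(spec, pkt_flags):
    """ipf 'flags S/SA': each bit in the mask (SA) must equal the set part (S)."""
    if spec is None: return True
    want, mask = spec.split("/") if "/" in spec else (spec, spec)
    return all((f in pkt_flags) == (f in want) for f in mask)

def matches(r, pkt):
    in_net = lambda spec, a: spec == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(spec)
    return (r["proto"] in (None, pkt["proto"]) and in_net(r["src"], pkt["src"])
            and in_net(r["dst"], pkt["dst"]) and flags_match(r["flags"], pkt.get("flags", "")))

def verdict(pkt, head=HEAD, group=GROUP_100):
    """Return (action, logged): last match wins unless a 'quick' rule matches."""
    result = (head.split()[0], "log" in head.split())
    for r in map(parse_rule, group):
        if matches(r, pkt):
            result = (r["action"], r["log"])
            if r["quick"]: break
    return result

# Constructed packets arriving in on ex0 (203.0.113.0/24 plays the Internet).
SAMPLES = {
    "syn_to_fw":     {"proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.3", "flags": "S"},
    "synack_to_fw":  {"proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.3", "flags": "SA"},
    "spoofed_src":   {"proto": "tcp", "src": "10.9.8.7", "dst": "198.51.100.130", "flags": "S"},
    "nat_reply":     {"proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.130", "flags": "A"},
    "udp_dns_to_fw": {"proto": "udp", "src": "203.0.113.53", "dst": "198.51.100.3"},
}
def audit(samples=SAMPLES):
    return {name: verdict(pkt) for name, pkt in samples.items()}
```

The udp_dns_to_fw case falls through to the head rule and is dropped, which is why the reply tells you to point resolv.conf at the internal network once the TCP-only rules are in place.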