Subject: Re: ipf: how secure is this network?
To: Heron Gallegos <gallegos@cgepi.uadec.mx>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: netbsd-help
Date: 03/11/2001 15:38:34
On Sat, Mar 10, 2001 at 08:02:55PM -0600, Heron Gallegos wrote:
> Hello
>
> I am using IPNAT/IPF in our network; it seems to work fine,
> but I am not sure because I am very, very, very new to IPF.
> It has been a lot of hard work for me to build ipf.conf
> and ipnat.conf, and I would like to hear comments about
> such files, especially if you detect security holes.
>
> Thanks in advance
>
> Heron Gallegos
>
> LAN1 exposed a.b.c.0/26
> -------------------------------------------------------
>       |               |            |        |        |
> --------------- --------------- -------- ------- ----------
> | ex0 a.b.c.2 | | ex0 a.b.c.3 | |      | |     | | Router |-->
> |S1 squid box | | ipnat/ipf   | | DNS  | | WWW | | to     |
> |ex1 10.2.2.2 | |             | | mail | |     | | ISP    |
> --------------- | S2          | | S3   | | S4  | ----------
>       |         |             | |      | |     |
>       ----------|ex2 10.2.2.1 | -------- -------
>                 |             |    |        |
>                 |ex1 10.3.1.1 |    |        |
>                 ---------------    |        |
> LAN2 10.3.1.0/24                   |        |
> -------------------------------------------------------
So S3 and S4 have direct access to LAN2, right?
I wouldn't do this. If one of these boxes gets hacked, the bad guy gets
access to your private network at the same time.
I would rather connect them to S2, the same way S1 is connected, and
filter traffic from these boxes to LAN2.
> -----------
>
> a.b.c.0/26 Is our exposed LAN
> a.b.c.64/26 reserved for future use
> a.b.c.128/25 to map our hidden network
> 10.3.0.0/16 our hidden network
>
> The 6 servers are NetBSD-1.5 i386 (PII/350, 128MB RAM)
>
> S5 exports /usr/src and pkgsrc to S3, S4 and S6. I would like to
> include S1 and S2 in the list.
Hum, not very good either; I wouldn't mount any NFS server from the private
network on exposed servers. Can't you move src and pkgsrc to S3 or S4,
and mount this on the internal servers instead?
>
> S2 runs ipnat/ipf:
> The file ipnat.conf:
> #!/usr/sbin/ipnat -f -
> #
> # ex0 - (external) network interface
> # ex1 - (internal) network interface
> # ex2 - (to squid) network interface
> #
> rdr ex1 0.0.0.0/0 port 80 -> 10.2.2.2 port 3128 tcp
> #
> map ex0 10.3.0.0/16 -> a.b.c.128/25 portmap tcp/udp 40000:50000
> map ex0 10.3.0.0/16 -> a.b.c.128/25
> map ex0 10.3.0.0/16 -> a.b.c.128/25 proxy port ftp ftp/tcp
Looks good.
>
> The file ipf.conf:
> #!/sbin/ipf -f -
> #
> ################################################################
> #
> # Exposed interface: INBOUND from the INTERNET to the FIREWALL
> #
> block in quick on ex0 all head 100
> block in quick on ex0 from 192.168.0.0/16 to any group 100
> block in quick on ex0 from 172.16.0.0/12 to any group 100
> block in quick on ex0 from 10.0.0.0/8 to any group 100
> block in quick on ex0 from 127.0.0.0/8 to any group 100
> block in quick on ex0 from 0.0.0.0/8 to any group 100
> block in quick on ex0 from 169.254.0.0/16 to any group 100
> block in quick on ex0 from 192.0.2.0/24 to any group 100
> block in quick on ex0 from 204.152.64.0/23 to any group 100
> block in quick on ex0 from 224.0.0.0/3 to any group 100
I would add 127.0.0.0/8 to the list :)
> block in log quick on ex0 from any to a.b.c.128/32 group 100
> block in log quick on ex0 from any to a.b.c.255/32 group 100
> pass in on ex0 all group 100
I would be more restrictive here; you're allowing anything from the internet
to your NAT box. I would replace the last line with
pass in quick on ex0 from any to a.b.c.128/25 group 100
And then, if you need access to the internet for the NAT box itself:
block in log quick on ex0 proto tcp from any to a.b.c.3/32 flags S/SA group 100
pass in quick on ex0 proto tcp from any to a.b.c.3/32 group 100
This allows only outgoing TCP connections (can be done with keep-state
as well, but I'm not familiar with it :)
Set up your resolv.conf so that DNS lookups are done through the internal
network.
> #
> ################################################################
> #
> # Exposed interface: OUTBOUND from the FIREWALL to the INTERNET
> #
> block out quick on ex0 all head 200
> pass out on ex0 all group 200
Ok, filter what's coming in, we don't really care what's going out :)
> #
> ################################################################
> #
> # Internal interface: INBOUND from the INTRANET to the FIREWALL
> #
> block in quick on ex1 all head 300
> pass in quick on ex1 proto tcp/udp from 10.3.0.0/16 to any keep state group 300
> block in on ex1 all group 300
> #
> ################################################################
> #
> # Internal interface: OUTBOUND from the FIREWALL to the INTRANET
> #
> block out quick on ex1 all head 400
> block out quick on ex1 from 10.3.1.1/32 to 10.3.0.0/16 head 450 group 400
> block out on ex1 all group 400
> #
> # Subroutine 450: firewall access to the server farm. The firewall needs
> # some services from servers S5 and S6, and the squid server needs NFS
> # (this doesn't work)
> #
> pass out quick on ex1 from 10.3.1.1/32 to 10.3.1.8/32 group 450
> pass out quick on ex1 from 10.3.1.1/32 to 10.3.1.9/32 group 450
> # pass out quick on ex1 from 10.2.2.2/32 to 10.3.1.8/32 group 450
> #
> ########################################################################
> #
> # Inbound interface: from the SQUID server to the FIREWALL
> #
> block in quick on ex2 all head 500
> pass in on ex2 proto tcp/udp all keep state group 500
> #
> ########################################################################
> #
> # Outbound interface: from the FIREWALL to the SQUID server
> #
> block out quick on ex2 all head 600
> pass out on ex2 all group 600
>
> End of file ipf.conf
>
> In 1999 and 2000 our old ipf server (NetBSD-1.4.1) had the following
> lines in the file ipf.conf (2 NICs, no squid server and no head/group lines)
> and I need help in order to add it to ipf.conf... can anybody tell me
> how to add it to the file?
>
> ########################################################################
> #
> # pass in quick on ne0 proto icmp from any to 10.3.0.0/16 icmp-type 0
> # pass in quick on ne0 proto icmp from any to 10.3.0.0/16 icmp-type 11
> # block in log quick on ne0 proto icmp from any to any
> # block in log quick on ne0 proto tcp from any to 10.3.0.0/16 port = 513
> # block in log quick on ne0 proto tcp from any to 10.3.0.0/16 port = 514
> # block in log quick on ne0 proto tcp from any to 10.3.0.0/16 port = 515
> #
> # block in log quick on ne0 proto tcp/udp from any to 10.3.0.0/16 port = 111
> # block in log quick on ne0 proto tcp/udp from any to 10.3.0.0/16 port = 161
> # block in log quick on ne0 proto tcp/udp from any to 10.3.0.0/16 port = 2049
Add these to group 300, just after
block in quick on ex1 all head 300
changing ne0 to ex1 of course :)
--
Manuel Bouyer <bouyer@antioche.eu.org>
--
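The following is an added illustration, not part of this thread or of ipf itself: a small Python model of the ipf ordering semantics the reply relies on (last matching rule wins, `quick` stops evaluation, a `head` rule hands off to its `group`, `flags S/SA` matches only bare SYNs, and a packet no rule matches is passed). It runs the poster's original group 100 and the reply's replacement side by side, using the documentation prefix 198.51.100.0/26 as a constructed stand-in for a.b.c.0/26 (.3 for the NAT box, .128/25 for the mapped range). It parses only the rule keywords used here, treats every packet as inbound, and does not model ipnat translation.

```python
"""Toy evaluator for the ipf rule subset in this thread: an added illustration,
not ipf itself.  Models: last matching rule wins, 'quick' stops evaluation,
'head' hands off to its 'group', 'flags S/SA' singles out bare SYNs."""
import ipaddress
import shlex
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the poster's a.b.c.0/26: 198.51.100.0/26, where .3 is
# the NAT box and .128/25 is the range ipnat maps the intranet to.
NAT_BOX = "198.51.100.3"
HEAD_100 = """
block in quick on ex0 all head 100
block in quick on ex0 from 10.0.0.0/8 to any group 100
"""
ORIGINAL_GROUP_100 = HEAD_100 + "pass in on ex0 all group 100\n"
# The same group with that last line replaced as the reply suggests.
REVISED_GROUP_100 = HEAD_100 + """pass in quick on ex0 from any to 198.51.100.128/25 group 100
block in log quick on ex0 proto tcp from any to 198.51.100.3/32 flags S/SA group 100
pass in quick on ex0 proto tcp from any to 198.51.100.3/32 group 100
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
Packet = namedtuple("Packet", "iface proto src dst flags", defaults=[""])

@dataclass
class Rule:
    action: str                     # 'pass' or 'block'
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None     # 'tcp', 'udp' or 'tcp/udp'
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    flags: Optional[tuple] = None   # (bits that must be set, bits examined)
    head: Optional[str] = None
    group: Optional[str] = None

def parse_rule(line: str) -> Rule:
    # 'in' is implied (inbound only), 'log' does not change the verdict,
    # 'all' is just 'from any to any'
    toks = [t for t in shlex.split(line) if t not in ("in", "log", "all")]
    rule = Rule(action=toks.pop(0))
    while toks:
        kw = toks.pop(0)
        if kw == "quick":
            rule.quick = True
        elif kw in ("on", "proto", "head", "group"):
            setattr(rule, "iface" if kw == "on" else kw, toks.pop(0))
        elif kw in ("from", "to"):
            cidr = toks.pop(0)
            setattr(rule, "src" if kw == "from" else "dst",
                    ANY if cidr == "any" else ipaddress.ip_network(cidr))
        elif kw == "flags":
            want, mask = toks.pop(0).split("/")
            rule.flags = (set(want), set(mask))
        else:
            raise ValueError(f"unsupported keyword {kw!r}: {line}")
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and pkt.proto not in rule.proto.split("/"):
        return False
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src not in rule.src or dst not in rule.dst:
        return False
    if rule.flags:                  # S/SA: of SYN and ACK, only SYN may be set
        want, mask = rule.flags
        return set(pkt.flags) & mask == want
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return 'pass' or 'block'; ipf passes a packet that no rule matches."""
    verdict = "pass"
    def walk(candidates: List[Rule]) -> bool:
        nonlocal verdict
        for r in candidates:
            if not matches(r, pkt):
                continue
            verdict = r.action      # last match wins ...
            if r.head and walk([g for g in rules if g.group == r.head]):
                return True         # ... unless a quick rule in the group decided ...
            if r.quick:
                return True         # ... or this rule itself is quick
        return False
    walk([r for r in rules if r.group is None])
    return verdict

def compare(src: str, dst: str, proto: str = "tcp", flags: str = ""):
    """(original, revised) verdict for one inbound packet on ex0."""
    pkt = Packet("ex0", proto, src, dst, flags)
    return tuple(evaluate([parse_rule(l) for l in text.split("\n") if l], pkt)
                 for text in (ORIGINAL_GROUP_100, REVISED_GROUP_100))

if __name__ == "__main__":
    for args in [("203.0.113.5", NAT_BOX, "tcp", "S"), ("203.0.113.5", NAT_BOX, "tcp", "A"),
                 ("203.0.113.5", NAT_BOX, "udp"), ("203.0.113.5", "198.51.100.200", "tcp", "S"),
                 ("10.9.9.9", NAT_BOX, "tcp", "S")]:
        print(args, "original/revised:", compare(*args))
```

With the original group 100, every packet from the Internet to the NAT box itself is passed, because the non-quick `pass in on ex0 all` is the last match before the quick head rule ends evaluation. With the revised group, a bare SYN to the NAT box hits the `flags S/SA` block, a reply segment to a connection the box opened (ACK set) reaches the following pass rule, and UDP to the box matches nothing in the group and therefore falls back to the head rule's block; that last case is why the reply adds that DNS lookups from the NAT box should go through the internal network.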