Subject: Re: IPF Configuration
To: Richard Ibbotson <richard@sheflug.co.uk>
From: None <netbsd@ns.purk.ee>
List: netbsd-help
Date: 10/22/2003 18:04:47
Hi,
I'm not sure, but you're blocking all 'icmp' packets with the 'quick' keyword at the top of the rules?
block in quick proto icmp all
#Ipfilter should ignore that one though ;-)
pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 0
Greetings
Quoting Richard Ibbotson <richard@sheflug.co.uk>:
> Hi
>
> Seems like I'm asking the right question in the right place :)
>
> I'm not too bad at iptables but found from experience that several
> Linux boxes were hacked around me even though they were configured
> properly. So, a switch to BSD in some places revealed that it was
> harder for whoever it was to break in. Depending on where you put it
> BSD can be better for some things. I think we all know that?
>
> I'm afraid that my own understanding of IPF configuration isn't doing
> too well. Read the FAQ at Obfuscation.org and some others. Can't
> quite get it together. Perhaps someone can point me in the right
> direction with this?
>
> The rules that you can see below are the rough hack that I've been
> able to put together so far. I don't think it does what I want it to
> do but some of it works probably. I've got a dialup ISDN line to my
> ISP which downloads e-mail and web pages as well as ftp (yes, I know
> it stinks as a protocol) sometimes. So, I need to send and receive
> e-mail, web pages, and do some ftp with a bit of SSH sometimes for
> remote servers that I run. I need a paranoid approach to this. Past
> attempts at being liberal resulted in hacked firewalls.
>
> Can anyone help to improve the rules below? As I say, it's work in
> progress which needs to improve.
>
>
> pass out quick on lo0
> pass in quick on lo0
> block in all with frag
> block in quick proto icmp all
> block return-icmp in proto udp from any to any port > 5000
> #block return-icmp (port-unr) in proto udp from any to any port > 5000
> block in all with ipopts
> block in log on ippp0 proto tcp from any to 192.168.1.0/24 flags S/SA
> block return-rst in quick proto tcp from any to any port = 113 flags S/SA
> block out log on ippp0 proto tcp from 192.168.1.0/24 to any flags SA/SA
> #block in log quick on ippp0 proto tcp/udp from any to 192.168.1.0/24 port 5999 >< 6010
> #block in log quick on ippp0 proto tcp/udp from any to 192.168.1.0/24 port 22 >< 23
> #block in log quick on ippp0 proto tcp/udp from any to 192.168.1.0/24 port 513 >< 514
> block in quick on ippp0 from 0.0.0.0/7 to any
> block in log on ippp0 from 1.0.0.0/8 to any
> block in log on ippp0 from 2.0.0.0/8 to any
> block in log on ippp0 from 5.0.0.0/8 to any
> block in log on ippp0 from 7.0.0.0/8 to any
> block in log on ippp0 from 10.0.0.0/8 to any
> block in log on ippp0 from 23.0.0.0/8 to any
> block in log on ippp0 from 27.0.0.0/8 to any
> block in log on ippp0 from 31.0.0.0/8 to any
> block in log on ippp0 from 37.0.0.0/8 to any
> block in log on ippp0 from 39.0.0.0/8 to any
> block in log on ippp0 from 41.0.0.0/8 to any
> block in log on ippp0 from 42.0.0.0/8 to any
> block in log on ippp0 from 58.0.0.0/7 to any
> block in log on ippp0 from 60.0.0.0/8 to any
> block in log on ippp0 from 65.0.0.0/8 to any
> block in log on ippp0 from 66.0.0.0/8 to any
> block in log on ippp0 from 67.0.0.0/8 to any
> block in log on ippp0 from 68.0.0.0/8 to any
> block in log on ippp0 from 69.0.0.0/8 to any
> block in log on ippp0 from 70.0.0.0/0 to any
> block in log on ippp0 from 71.0.0.0/8 to any
> block in log on ippp0 from 72.0.0.0/8 to any
> block in log on ippp0 from 72.0.0.0/5 to any
> block in log on ippp0 from 73.0.0.0/8 to any
> block in log on ippp0 from 74.0.0.0/8 to any
> block in log on ippp0 from 75.0.0.0/8 to any
> block in log on ippp0 from 76.0.0.0/8 to any
> block in log on ippp0 from 77.0.0.0/8 to any
> block in log on ippp0 from 78.0.0.0/8 to any
> block in log on ippp0 from 79.0.0.0/8 to any
> block in log on ippp0 from 80.0.0.0/4 to any
> block in log on ippp0 from 82.0.0.0/7 to any
> block in log on ippp0 from 84.0.0.0/6 to any
> block in log on ippp0 from 88.0.0.0/5 to any
> block in log on ippp0 from 96.0.0.0/4 to any
> block in log on ippp0 from 112.0.0.0/8 to any
> block in log on ippp0 from 113.0.0.0/8 to any
> block in log on ippp0 from 114.0.0.0/8 to any
> block in log on ippp0 from 115.0.0.0/8 to any
> block in log on ippp0 from 116.0.0.0/8 to any
> block in log on ippp0 from 117.0.0.0/8 to any
> block in log on ippp0 from 118.0.0.0/8 to any
> block in log on ippp0 from 119.0.0.0/8 to any
> block in log on ippp0 from 120.0.0.0/8 to any
> block in log on ippp0 from 121.0.0.0/8 to any
> block in log on ippp0 from 122.0.0.0/8 to any
> block in log on ippp0 from 123.0.0.0/8 to any
> block in log on ippp0 from 124.0.0.0/8 to any
> block in log on ippp0 from 125.0.0.0/8 to any
> block in log on ippp0 from 126.0.0.0/8 to any
> block in log on ippp0 from 217.0.0.0/8 to any
> block in log on ippp0 from 218.0.0.0/8 to any
> block in quick on ippp0 from 219.0.0.0/8 to any
> #block in proto tcp from any to any port = 111
> pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 0
> pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 11
> block in log quick on ippp0 proto icmp from any to any
> pass in all
> #block out quick on ippp0 from 192.168.1.0/24 to any
> #block out quick on ippp0 from 192.168.1.0/24 to 0.0.0.0/7
> #block out quick on ippp0 from 192.168.1.0/24 to 2.0.0.0/8
> #pass out all
>
> Richard
>
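To see why the reply points at the top-of-list ICMP rule, here is a toy model of IPFilter's rule matching run over the ICMP-relevant lines of the quoted ruleset; this is an added illustration, not IPFilter code nor anything either poster wrote. It models only the keywords that occur in those lines ('with', 'flags' and return-* are ignored), and the sample packet is constructed.

```python
import ipaddress

def parse_rule(text):
    """Parse the ipf.conf keywords used in the quoted ICMP rules into match criteria."""
    tok = text.split()
    rule = {"action": tok[0], "dir": tok[1], "quick": "quick" in tok, "iface": None,
            "proto": None, "src": None, "dst": None, "icmp_type": None}
    i = 2
    while i < len(tok):
        key, arg = tok[i], tok[i + 1] if i + 1 < len(tok) else ""
        if key in ("on", "proto"):
            rule["iface" if key == "on" else "proto"] = arg
        elif key in ("from", "to"):
            rule["src" if key == "from" else "dst"] = None if arg == "any" else ipaddress.ip_network(arg)
        elif key == "icmp-type":
            rule["icmp_type"] = int(arg)
        i += 2 if key in ("on", "proto", "from", "to", "icmp-type") else 1  # 'log', 'quick', 'all' take no argument
    return rule

def matches(rule, pkt):
    """True when every criterion the rule specifies holds for the packet (None = any)."""
    for key in ("dir", "iface", "proto", "icmp_type"):
        if rule[key] is not None and rule[key] != pkt.get(key):
            return False
    return all(rule[k] is None or ipaddress.ip_address(pkt[k]) in rule[k] for k in ("src", "dst"))

def verdict(rules, pkt):
    """ipf semantics: the LAST matching rule decides, unless a match says 'quick' (stop); no match = pass."""
    result = ("pass", None)                 # (action, 1-based rule number)
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            result = (rule["action"], n)
            if rule["quick"]:
                break
    return result

# The ICMP-relevant lines of the quoted ruleset, in their posted order.
POSTED = [parse_rule(r) for r in (
    "block in quick proto icmp all",
    "pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 0",
    "pass in quick on ippp0 proto icmp from any to 192.168.1.0/24 icmp-type 11",
    "block in log quick on ippp0 proto icmp from any to any",
    "pass in all")]
# The same ruleset with the interface-less 'block in quick proto icmp all' dropped.
FIXED = [r for r in POSTED if not (r["proto"] == "icmp" and r["iface"] is None)]
# Constructed sample packet: an ICMP echo reply (type 0) arriving on the ISDN link.
ECHO_REPLY = {"dir": "in", "iface": "ippp0", "proto": "icmp",
              "src": "198.51.100.7", "dst": "192.168.1.5", "icmp_type": 0}

if __name__ == "__main__":
    print(verdict(POSTED, ECHO_REPLY), verdict(FIXED, ECHO_REPLY))  # ('block', 1) ('pass', 1)
```

With the posted order the echo reply never reaches the 'pass ... icmp-type 0' line, because the first rule is both a match and 'quick'; without that rule the per-interface ICMP rules behave as intended, and an echo request (type 8) is still caught by the later 'block in log quick' line.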