Subject: ipf questions: "log last"? and dynamic ip and keep state.
To: None <tech-net@netbsd.org>
From: Nate Hill <vugdeox@freeshell.org>
List: tech-net
Date: 06/28/2003 18:19:31

I've recently begun building a firewall on my gateway and have a few
questions:

If I'm using a rule like so:

pass out log first quick on fxp0 proto tcp from 192.168.0.1 to 192.168.0.0/24 port = 22 flags S keep state group 1

is there any simple method for recording the "last" packet in the session? I
guess what I want to know (I'm too lazy to think very hard about this) is if
I can log the beginning and end of all ssh sessions to the internal network.
Has anyone done something similar before?

Is there an easy method for filtering with a dynamic IP? I've got a pppoe0
interface which changes IPs every up/down and I want to add a rule that only
lets outgoing traffic from _ip_ out and only lets incoming traffic to _ip_
in.  Is there any easy way to do this?

Finally, I noticed some strange behavior with "keep state" - at least it
seemed strange at first.  I started this firewall with the rule:

pass in quick on fxp0 from 192.168.0.0/24 to any keep state keep frags group 2

This seemed like an excellent rule to start with; it let internal boxen send
packets out and receive replies - I blocked everything else (except ssh).

Then, I ran into something strange when I was filtering on pppoe0 - none of
the internal traffic appeared.  In retrospect I understand this completely,
but I'm wondering if starting state-tracking from my internal interface is a
good design.  Any ideas/suggestions?


Another thing: here's my very fragile and premature rule-set - included just
so you could have fun laughing at me.  Please comment.

Hmm, I'll attach it.  Damn word wrapping.

-- 
Nate Hill <vugdeox@freeshell.org>

Attachment: ipf.conf

## INTERNAL-IF section
#NOTE - Block everything into internal-net except ssh, ping and replies to outbound requests (in-section).
block out quick on fxp0 all head 1
	
	#Let router and only router ssh to boxen on internal net (All ssh sessions are logged)
	pass out log first quick on fxp0 proto tcp from 192.168.0.1 to 192.168.0.0/24 port = 22 flags S keep state group 1
	
	#TEMP - allow pings and replies from router to internal net (VULN)
	pass out quick on fxp0 proto icmp from 192.168.0.1 to 192.168.0.0/24 icmp-type 8 keep state group 1

#Block everything to router except next (allow to router and sane tcp/udp)
#NOTE - we allow access to (and back) router and tcp/udp packets not going to private-nets through
#NOTE - logging everything that doesn't pass - this should find mis-behaving hosts (pinging, etc)
block in log first quick on fxp0 all head 2 
	
	#Make sure the internal net can get to the router, since we don't let it get to any other 192.168 addr
	#NOTE - this rule is necessary because we block all other packets to the same sub-net
	pass in quick on fxp0 from 192.168.0.0/24 to 192.168.0.1 keep state group 2
	
	#These rules block packets going to private nets (non-routable)
	#NOTE - packets from the LAN arrive "in" on fxp0 and group 2 is only entered by inbound packets,
	# so these have to be "in" rules; written as "block out ... group 2" they would never match anything
	#This is reasonable plus, it stops replies to spoofed requests; shouldn't get in anyways :(
	#NOTE - since only responses can get into the internal net, this prevents us entirely from talking with bogus sub-nets
	block in quick on fxp0 from any to 192.168.0.0/16 group 2
	block in quick on fxp0 from any to 172.16.0.0/12 group 2
	block in quick on fxp0 from any to 10.0.0.0/8 group 2
	block in quick on fxp0 from any to 127.0.0.0/8 group 2
	block in quick on fxp0 from any to 0.0.0.0/8 group 2
	block in quick on fxp0 from any to 169.254.0.0/16 group 2
	block in quick on fxp0 from any to 192.0.2.0/24 group 2
	block in quick on fxp0 from any to 204.152.64.0/23 group 2
	block in quick on fxp0 from any to 224.0.0.0/3 group 2
	
	#Pass _all_ packets from the internal net (for later nat-ing) and let replies back through
	#NOTE - although strange, these packets bypass all other rules and don't show up in pppoe0 logs/rules
	# so, I have to do all blocking and logging on internal nat-ed traffic _here_
	pass in quick on fxp0 proto tcp from 192.168.0.0/24 to any keep state keep frags group 2
	pass in quick on fxp0 proto udp from 192.168.0.0/24 to any keep state keep frags group 2


#Testing rules here by allowing paths out of pppoe0 and logging everything else...
#NOTE - filtering here only affects local traffic in/out - internal traffic bypasses and must be filtered in "group 2"
block out quick on pppoe0 all head 3
	
	pass out quick on pppoe0 proto tcp from any to any keep state keep frags group 3
	pass out quick on pppoe0 proto udp from any to any keep state keep frags group 3
	pass out quick on pppoe0 proto icmp from any to any keep state group 3
	
	#TEMP - catch-all: passes (and logs) anything the rules above did not, so the head rule's block has no effect yet
	pass out log quick on pppoe0 all group 3

block in quick on pppoe0 all head 4
	
	pass in log first quick on pppoe0 proto tcp from any to any port = 80 flags S keep state keep frags group 4
	pass in log first quick on pppoe0 proto tcp from any to any port = 25 flags S keep state keep frags group 4
	pass in log first quick on pppoe0 proto tcp from any to any port = 22 flags S keep state keep frags group 4
	pass in log first quick on pppoe0 proto tcp from any to any port = 143 flags S keep state keep frags group 4
	pass in log first quick on pppoe0 proto tcp from any to any port = 110 flags S keep state keep frags group 4

	#TEMP - catch-all: passes (and logs) every other inbound packet from the outside; remove once the stray paths are known
	pass in log quick on pppoe0 all group 4
	
## Loopback section	
block out quick on lo0 all head 5
	
	#NOTE - without "group 5" these rules sit in group 0 behind the quick head rule and are never reached
	# Allow packets out coming from loop-net
	pass out quick on lo0 from 127.0.0.0/8 to any group 5
	#Allow packets out from fxp0 addr (TODO - why do these go through lo0?)
	#NOTE - the router's own traffic to its 192.168.0.1 address is delivered over lo0, not fxp0
	pass out quick on lo0 from 192.168.0.1 to any group 5

block in quick on lo0 all head 6
	
	#Allow anything going to loop-net in (TODO - this can prob be refined)
	pass in quick on lo0 from any to 127.0.0.0/8 group 6
	#Allow anything going to fxp0 addr in (TODO - why do these go through lo0?)
	pass in quick on lo0 from any to 192.168.0.1 group 6


## Clean-up section
#NOTE - blocking all (everything important should get through) but logging to find stray paths.
#TODO - finish ruleset and turn off logging (maybe).
block in log first quick all
block out log first quick all
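
On the first question: ipf has no "log last". `log first` logs only the packet that created the state entry, and the rule is not consulted again for that session, so the end of a session never reaches the rule logger. The state table itself is logged separately: ipmon(8) with `-o S` reads the state log and prints a record when an entry is created (STATE:NEW) and when it goes away (STATE:EXPIRE, or a similar STATE: token depending on version). The script below is an added example, not part of the post or of the ipf distribution: it pairs those records for ssh sessions from the router into the LAN and prints one line per session with its duration. The sample log lines are constructed for this example and only approximate ipmon's state output; the field positions the awk program relies on (the STATE: token in field 3, `src,sport -> dst,dport`, then `PR proto`) are an assumption to check against the ipmon version in use.

```sh
#!/bin/sh
# Added example (not from the original post): pair ipmon state-log records into
# one "session" line per ssh connection from the router (192.168.0.1) into the
# LAN, which is what "log first" plus a "log last" would have given.
# Assumed record shape (approximating `ipmon -o S`, check your version):
#   DD/MM/YYYY HH:MM:SS.uuuuuu STATE:NEW    src,sport -> dst,dport PR tcp
#   DD/MM/YYYY HH:MM:SS.uuuuuu STATE:EXPIRE src,sport -> dst,dport PR tcp ...

# Constructed sample: two ssh sessions from the router into the LAN (one closed,
# one still open), one more ssh session still open, and an unrelated http session.
SAMPLE_STATE_LOG='28/06/2003 18:19:31.000101 STATE:NEW 192.168.0.1,50012 -> 192.168.0.7,22 PR tcp
28/06/2003 18:19:40.220301 STATE:NEW 192.168.0.7,33111 -> 203.0.113.10,80 PR tcp
28/06/2003 18:21:05.000102 STATE:NEW 192.168.0.1,50013 -> 192.168.0.9,22 PR tcp
28/06/2003 18:25:31.500000 STATE:EXPIRE 192.168.0.1,50012 -> 192.168.0.7,22 PR tcp Forward: Pkts in 10 Bytes in 1200 Pkts out 12 Bytes out 1800
28/06/2003 18:26:00.000000 STATE:EXPIRE 192.168.0.7,33111 -> 203.0.113.10,80 PR tcp Forward: Pkts in 4 Bytes in 800 Pkts out 5 Bytes out 2000
28/06/2003 18:30:00.000000 STATE:NEW 192.168.0.1,50014 -> 192.168.0.7,22 PR tcp'

# Read state-log lines on stdin; print one line per completed ssh session
# (router -> LAN, dport 22) and one "still open" line per unmatched NEW.
ssh_sessions() {
	awk '
	# "HH:MM:SS.uuuuuu" -> whole seconds since midnight
	function secs(ts,   p) {
		split(ts, p, ":");
		return p[1] * 3600 + p[2] * 60 + int(p[3]);
	}
	$3 ~ /^STATE:/ && $7 == "PR" && $8 == "tcp" {
		split($4, s, ",");                 # s[1] = source address
		split($6, d, ",");                 # d[1] = dest address, d[2] = dest port
		if (s[1] != "192.168.0.1" || d[1] !~ /^192\.168\.0\./ || d[2] != "22") next;
		key = $4 " -> " $6;                # one key per 4-tuple
		if ($3 == "STATE:NEW") {
			start[key] = secs($2);
			opened[key] = $1 " " $2;
		} else if (key in start) {         # EXPIRE/CLOSE/FLUSH all end the session
			dur = secs($2) - start[key];
			if (dur < 0) dur += 86400;     # session crossed midnight
			printf "ssh %s opened %s closed %s %s duration %ds\n", key, opened[key], $1, $2, dur;
			delete start[key]; delete opened[key];
		}
	}
	END { for (k in start) printf "ssh %s opened %s still open\n", k, opened[k]; }
	'
}

# Usage: ssh-sessions.sh demo               (run against the constructed sample)
#        ssh-sessions.sh /path/to/state.log (a file written by ipmon -o S)
case "${1-}" in
	"")   ;;                                             # no args: only define functions
	demo) printf '%s\n' "$SAMPLE_STATE_LOG" | ssh_sessions ;;
	*)    ssh_sessions < "$1" ;;
esac
```

Durations are computed from seconds-of-day, so a session that crosses midnight is handled but one longer than 24 hours is not; an `ipmon -o IS` log mixes rule-log and state-log lines, and the awk filter ignores anything without a STATE: token in field 3.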

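
On the dynamic-IP question: if the ipf in use does not accept an interface name in place of an address, the usual way to follow a changing pppoe0 address is to rewrite the external-interface rules from the ip-up hook and reload them. Below is an added example of such a hook, not from the post or from NetBSD: it keeps the rules as a template with an `@EXT_IP@` placeholder (my naming), refuses to render anything that is not a dotted-quad address, loads the rendered rules into the inactive rule set and swaps it in with `ipf -s`, so the old rules stay in force until the new ones have loaded cleanly. Assumptions beyond the post: the hook receives pppd(8)-style arguments with the new local address fourth (NetBSD's ifwatchd(8) passes them that way for pppoe0, but check the man page), the template rules are a cut-down version of the post's groups 3 and 4, and ipf(8) is at /sbin/ipf.

```sh
#!/bin/sh
# Added example (not from the original post): rebuild the pppoe0 rules for the
# current dynamic address and swap them in atomically. Meant to run from the
# ip-up hook with pppd(8)-style arguments: ifname tty speed local remote.
#
# Assumptions not in the post: @EXT_IP@ marks the address in the template,
# ipf lives in /sbin, and the LAN is 192.168.0.0/24 on fxp0 as in the post.

# Constructed template: the post's external-interface groups with the router's
# own traffic tied to the current address. LAN traffic that already matched a
# state entry created on fxp0 is passed before these rules are consulted (the
# behaviour the post describes), so it is unaffected by them.
IPF_TEMPLATE='block out quick on pppoe0 all head 3
	pass out quick on pppoe0 proto tcp from @EXT_IP@/32 to any keep state keep frags group 3
	pass out quick on pppoe0 proto udp from @EXT_IP@/32 to any keep state keep frags group 3
	pass out quick on pppoe0 proto icmp from @EXT_IP@/32 to any keep state group 3
block in quick on pppoe0 all head 4
	pass in log first quick on pppoe0 proto tcp from any to @EXT_IP@/32 port = 22 flags S keep state keep frags group 4
	pass in log first quick on pppoe0 proto tcp from any to @EXT_IP@/32 port = 80 flags S keep state keep frags group 4'

# Accept only a dotted quad with octets 0-255. Anything else (an empty string
# from a failed lookup, an IPv6 address, stray text) is refused, so it can
# never be spliced into the rule set.
valid_ipv4() {
	[ -n "$1" ] || return 1
	case $1 in
		*[!0-9.]* | .* | *. | *..*) return 1 ;;
	esac
	_saved_ifs=$IFS
	IFS=.
	set -- $1
	IFS=$_saved_ifs
	[ $# -eq 4 ] || return 1
	for _octet in "$@"; do
		[ "$_octet" -le 255 ] || return 1
	done
	return 0
}

# Print the rule set with the placeholder filled in; fails instead of emitting
# rules when the address is not acceptable.
render_rules() {
	valid_ipv4 "$1" || { echo "render_rules: refusing address '$1'" >&2; return 1; }
	printf '%s\n' "$IPF_TEMPLATE" | sed "s|@EXT_IP@|$1|g"
}

# Load into the inactive set (-I), flushing it first (-Fa), then swap (-s).
# If rendering or loading fails the active rules are left untouched.
reload_ipf() {
	_tmp=$(mktemp /tmp/ipf.XXXXXX) || return 1
	if render_rules "$1" > "$_tmp" && /sbin/ipf -I -Fa -f "$_tmp"; then
		/sbin/ipf -s
	else
		echo "reload_ipf: rules not swapped" >&2
		false
	fi
	_rc=$?
	rm -f "$_tmp"
	return $_rc
}

# ip-up entry point: with pppd-style arguments the new local address is $4.
# Run with no arguments (e.g. when sourced for testing) nothing is reloaded.
if [ $# -ge 4 ]; then
	reload_ipf "$4"
fi
```

Because `ipf -s` only swaps after `ipf -I -Fa -f` has succeeded, a syntax error in the template leaves the previous rules active rather than leaving pppoe0 unfiltered; state entries are not flushed by the swap, so existing sessions survive the reload.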