Create a set of stronger firewall rules
Authored by: TigerKR on Sep 08, '03 10:27:47AM

Here's the firewall.conf:

<code>#IPFW Ruleset 09/08/2003


#################################################
## Flush all rules
#################################################
flush

#################################################
## Allow loopback
#################################################
add allow ip from any to any via lo*

#################################################
## Divert traffic to natd for IP sharing
#################################################
add divert natd ip from any to any via en0

#################################################
## Deny not local IP ranges in
## Deny not local IP range out
#################################################
#add deny ip from any to not *local IP range* in recv en0
add deny ip from not *local IP range* to any out xmit en0

#################################################
## Deny spoofing IP ranges in
## Deny spoofing IP range out
#################################################
add deny ip from 192.168.0.0/16 to any in recv en0
add deny ip from 172.16.0.0/12 to any in recv en0
add deny ip from 10.0.0.0/8 to any in recv en0
add deny ip from 127.0.0.0/8 to any in recv en0
add deny ip from 0.0.0.0/8 to any in recv en0
add deny ip from 169.254.0.0/16 to any in recv en0
add deny ip from 192.0.2.0/24 to any in recv en0
add deny ip from 204.152.64.0/23 to any in recv en0
add deny ip from 224.0.0.0/3 to any in recv en0
add deny ip from any to 192.168.0.0/16 out xmit en0
add deny ip from any to 172.16.0.0/12 out xmit en0
add deny ip from any to 10.0.0.0/8 out xmit en0
add deny ip from any to 127.0.0.0/8 out xmit en0
add deny ip from any to 0.0.0.0/8 out xmit en0
add deny ip from any to 169.254.0.0/16 out xmit en0
add deny ip from any to 192.0.2.0/24 out xmit en0
add deny ip from any to 204.152.64.0/23 out xmit en0
add deny ip from any to 224.0.0.0/3 out xmit en0

#################################################
## Allow DHCP
#################################################
add allow udp from *ISP DHCP server* 67 to any 68 in recv en0
#add allow udp from any 67 to 255.255.255.255 68 in recv en0

#################################################
## Allow DNS
#################################################
#add allow udp from *ISP DNS server* 53 to any in recv en0
#add allow udp from *ISP DNS server* 53 to any in recv en0
add allow tcp from any to any 53 in recv en0
add allow tcp from any 53 to any out xmit en0
add allow udp from any to any 53 in recv en0
add allow udp from any 53 to any out xmit en0

#################################################
## Reset AUTH traffic
#################################################
add reset tcp from any to any 113 in recv en0

#################################################
## Allow SSH
#################################################
add allow tcp from any to any 22 in recv en0
add allow tcp from any 22 to any out xmit en0

#################################################
## Allow FTP
#################################################
add allow tcp from any to any 20-21 in recv en0
add allow tcp from any 20-21 to any out xmit en0

#################################################
## Allow ARD
#################################################
add allow udp from any to any 3283 in recv en0
add allow udp from any 3283 to any out xmit en0

#################################################
## Allow AIM
#################################################
add allow udp from any to any 5190 in recv en0
add allow udp from any 5190 to any out xmit en0

#################################################
## Allow icmp (echo reply, destination unreachable,
## source quench, echo request, time exceeded,
## parameter problem)
## Deny other icmp
## Reject source routed packets (ICMP host unreachable)
#################################################
add allow icmp from any to any via en0 icmptype 0,3,4,8,11,12
add deny icmp from any to any via en0
add unreach host ip from any to any via en0 ipopt ssrr,lsrr

#################################################
## Allow udp fragments
#################################################
add allow udp from any to any via en0 frag

#################################################
## Allow anything from the state table
## Deny established not from the state table
#################################################
add check-state
#add deny log tcp from any to any in recv en0 established

#################################################
## Allow outbound packets and add to state table
#################################################
add allow tcp from any to any out xmit en0 setup keep-state
add allow ip from any to any out xmit en0 keep-state

#################################################
## Allow local traffic
#################################################
add allow ip from any to any via en1

#################################################
## Deny everything else
#################################################
#add deny log ip from any to any
</code>

en0 = WAN NIC
en1 = LAN NIC
lo* = Loopback

*local IP range* *ISP DHCP server* *ISP DNS server* are all actual IP addresses in the real file.

Ok, but when I do an 'ipfw show' the check-state rule isn't getting any use. Also, I had to comment out 'add deny log tcp from any to any in recv en0 established' and 'add deny log ip from any to any' in order to get anything to work from a LAN client.

How come check-state isn't being used? Both keep-state rules are being used...

Your help is most appreciated, thank you in advance.



Create a set of stronger firewall rules
Authored by: WAW401 on Sep 08, '03 05:01:16PM

One thing to note, every packet is examined against these rules (at least until a matching rule is found). So the longer the ruleset, the more processing involved.



Create a set of stronger firewall rules
Authored by: TigerKR on Sep 09, '03 11:20:22PM

I figured out why the

<code>add deny log tcp from any to any in recv en0 established</code>

wasn't working. I needed to keep-state traffic on en1 as well as en0.

Also, I've tweaked the list order so that the more common rules are hit sooner (the sooner a rule is hit, the less CPU goes into the process) without compromising security. I still have kinks to work out and improvements to make.

You can view the updated firewall.conf file here:

http://www.tigerkr.com/ars/firewall09_09.conf



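Walking one connection through the rules above, as an added example that is not part of any post in this thread and not ipfw's own code: a small Python emulator of the first-match walk the kernel performs, covering only the pieces these posts turn on (keep-state and check-state, the natd divert, and the per-packet cost the second reply mentions, reported as the number of rules examined). It embeds a constructed, condensed copy of the posted ruleset with the placeholders filled by documentation addresses (198.51.100.2 for the WAN side, 192.168.0.0/24 for the LAN, 203.0.113.5 as a remote server), and reads the follow-up's fix ("keep-state traffic on en1 as well as en0") as adding keep-state to the "allow ip from any to any via en1" rule. That reading, the address choices and the simplifications noted in the comments (recv/xmit/via matched against the interface of the pass being traced, a default rule that accepts, natd modelled as a port map) are assumptions of the example, not statements from the thread. Under them it reproduces the symptom of the first post: the SYN leaving en0 is diverted to natd before the keep-state rule sees it, so the state entry carries the WAN address, while the SYN-ACK coming back is un-NATed by the same divert before check-state runs, so check-state looks for a LAN-address entry that does not exist and the "deny ... established" rule fires. With state also kept on the en1 pass the entry holds the LAN addresses and check-state matches.

```python
import ipaddress
# Constructed, condensed copy of the posted ruleset (not the original file).
RULESET = """
add divert natd ip from any to any via en0
add deny ip from 192.168.0.0/16 to any in recv en0
add allow udp from any to any 53 in recv en0
add check-state
add deny log tcp from any to any in recv en0 established
add allow tcp from any to any out xmit en0 setup keep-state
add allow ip from any to any via en1
add deny log ip from any to any
"""
FIXED_RULESET = RULESET.replace("via en1", "via en1 keep-state")  # assumed reading of the follow-up's fix

def packet(proto, src, sport, dst, dport, direction, iface, flags=()):  # one pass: 'in'/'out' on iface
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                direction=direction, iface=iface, flags=set(flags))

def parse_endpoint(toks, i):  # '[not] <net|any> [port|lo-hi]' at toks[i] -> ((net, negated, ports), next i)
    neg = toks[i] == "not"
    net = None if toks[i + neg] == "any" else ipaddress.ip_network(toks[i + neg], strict=False)
    i, ports = i + neg + 1, None
    if i < len(toks) and toks[i][0].isdigit():
        lo, _, hi = toks[i].partition("-")
        ports, i = (int(lo), int(hi or lo)), i + 1
    return (net, neg, ports), i

def parse_rule(line):  # the subset of ipfw syntax the posted file uses; fields returned as a dict
    toks = line.split()
    r = {"text": line, "action": toks[1]}
    if toks[1] == "check-state":
        return r
    i = 3 if toks[1] in ("divert", "unreach") else 2      # skip 'natd' / the ICMP code
    i += toks[i] == "log"
    r["proto"] = toks[i]
    r["src"], i = parse_endpoint(toks, i + 2)               # past proto and 'from'
    r["dst"], i = parse_endpoint(toks, i + 1)               # past 'to'
    while i < len(toks):                                    # trailing options
        t, i = toks[i], i + 1
        if t in ("recv", "xmit", "via"):
            r[t], i = toks[i], i + 1
        elif t in ("in", "out", "setup", "established", "keep-state"):
            r[t] = True
        else:
            raise ValueError(f"unsupported option {t!r} in: {line}")
    return r

def endpoint_matches(spec, ip, port):
    net, neg, ports = spec
    ok = (net is None or ipaddress.ip_address(ip) in net) != neg
    return ok and (ports is None or ports[0] <= port <= ports[1])

def rule_matches(r, p):  # static part of a rule vs one pass; recv/xmit/via simplified to that pass's interface
    d, ifc, f = p["direction"], p["iface"], p["flags"]
    return (r["proto"] in ("ip", p["proto"])
            and endpoint_matches(r["src"], p["src"], p["sport"])
            and endpoint_matches(r["dst"], p["dst"], p["dport"])
            and not (r.get("in") and d != "in") and not (r.get("out") and d != "out")
            and not (r.get("via") and r["via"] != ifc)
            and not (r.get("recv") and (d != "in" or r["recv"] != ifc))
            and not (r.get("xmit") and (d != "out" or r["xmit"] != ifc))
            and not (r.get("setup") and f != {"syn"})           # setup = SYN without ACK
            and not (r.get("established") and "ack" not in f))

def conn_key(p):  # ipfw dynamic rules match on protocol and both endpoints, in either direction
    return p["proto"], frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})

class Firewall:
    def __init__(self, ruleset, wan_ip, lan_net):
        self.rules = [parse_rule(l) for l in ruleset.split("\n") if l.startswith("add")]
        self.wan_ip, self.lan_net = wan_ip, ipaddress.ip_network(lan_net)
        self.dyn, self.nat = set(), {}   # state table; natd's translation table (WAN-side port -> LAN host)
    def natd(self, p):  # what natd does to a packet the divert rule hands it: masquerade out, un-NAT in
        if p["direction"] == "out" and ipaddress.ip_address(p["src"]) in self.lan_net:
            self.nat[p["sport"]], p["src"] = p["src"], self.wan_ip
        elif p["direction"] == "in" and p["dst"] == self.wan_ip and p["dport"] in self.nat:
            p["dst"] = self.nat[p["dport"]]
    def trace(self, p):
        """First-match walk as the kernel does it; returns (verdict, rule text, rules examined)."""
        for n, r in enumerate(self.rules, 1):
            if r["action"] == "check-state":         # dynamic entries here all derive from allow rules
                if conn_key(p) in self.dyn:
                    return "allow", r["text"], n
            elif rule_matches(r, p):
                if r["action"] == "divert":
                    self.natd(p)                     # translated packet re-enters at the next rule
                    continue
                if r.get("keep-state"):
                    self.dyn.add(conn_key(p))
                return ("allow" if r["action"] == "allow" else "deny"), r["text"], n
        return "allow", "default rule 65535", len(self.rules)   # Mac OS X's default rule accepts

def outbound_connection(ruleset, client="192.168.0.10", server="203.0.113.5"):
    """A LAN client's SYN in on en1, out on en0 through natd, then the server's SYN-ACK back in on en0."""
    fw = Firewall(ruleset, wan_ip="198.51.100.2", lan_net="192.168.0.0/24")
    return (fw.trace(packet("tcp", client, 40000, server, 80, "in", "en1", {"syn"})),
            fw.trace(packet("tcp", client, 40000, server, 80, "out", "en0", {"syn"})),
            fw.trace(packet("tcp", server, 80, fw.wan_ip, 40000, "in", "en0", {"syn", "ack"})))
```

Call outbound_connection(RULESET) and outbound_connection(FIXED_RULESET) from a Python prompt: each returns three (verdict, rule, rules examined) triples, one per pass. With the rules as posted the reply is denied by the "established" rule on the fifth rule examined and check-state never matches; with keep-state on the en1 rule the reply is allowed by check-state on the fourth. The third field is the number of rules the packet walked before a match, which is the cost the second reply is pointing at: rules that fire often belong near the top, and a terminal deny that is never reached costs nothing.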
we have a winner
Authored by: TigerKR on Sep 11, '03 04:32:34AM

This firewall.conf is a winner. It's been error-tested and optimized for security, speed, and measured accessibility. I recommend that you also install Little Snitch on your LAN clients (that way, you're able to block attacks from outside and within).

firewall.conf

I found that I was running out of dynamic rules, so I also had to alter the Firewall startup item created by brickhouse (which is located at /Library/StartupItems/Firewall/Firewall ) so that more dynamic rules could be accommodated. It now looks like this:

<code>#!/bin/sh
# Firewall Boot Script
# Generated by BrickHouse
# Altered by TigerKR


#===========================================================
# Enable IP Sharing
#===========================================================
# Enable IP Forwarding in the kernel
/usr/sbin/sysctl -w net.inet.ip.forwarding=1

# Start the natd server
/usr/sbin/natd -f /etc/natd.conf

# Add additional gateway IP addresses and routes
/sbin/ifconfig en1 inet 192.168.0.1 netmask 255.255.255.0 alias up
/sbin/route add -host 192.168.0.1 -interface 127.0.0.1


#===========================================================
# Enable IP Firewall Logging
#===========================================================
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

# Put a limit on each rule's logging
/usr/sbin/sysctl -w net.inet.ip.fw.verbose_limit=500


#===========================================================
# Double the number of possible dynamic rules
#===========================================================
/usr/sbin/sysctl -w net.inet.ip.fw.dyn_buckets=512
/usr/sbin/sysctl -w net.inet.ip.fw.dyn_max=2000


#===========================================================
# Process Firewall Rules File
#===========================================================
/sbin/ipfw -q /etc/firewall.conf
</code>


I hope that this is helpful for someone. It took a long time for me to find out what everything was and what it did. And then there was the error checking and optimizing ;)


