hallo leute,
in sachen freebsd bin ich absoluter neuling und habe ein problem mit meinen selbst erstellten firewallregeln.
aber erstmal zum system.
ich benutze freebsd 5.2.1 release auf 900'er pIII mit 128mb ram und 2 net-interfaces.
-----netz_2--------------------router_2(fbsd)---------------netz_1----------router_1-----wan
(192.168.20.0) (192.168.20.1 & 192.168.10.2) (192.168.10.0) (192.168.10.1)
also, router_1 ist normaler dsl-router, mit dem alle clients ins wan gelangen sollen.
router_2 hat 2 interfaces und fungiert als gateway (gateway_enable=yes)
routing-daemons habe ich nirgends laufen. nur auf dem dsl-router (router_1) habe ich eine statische route zum netz_2 über 192.168.10.2 eingerichtet. das gesamte netz mit zugang zum wan und umgekehrt etc. funktioniert.
meine frage bezieht sich aber vielmehr auf die effizienz und wirksamkeit meiner erstellten regeln gegenüber angriffen, da ich ein absolut sicheres netz_2 (clients haben KEINE eigene firewall) benötige.
kann sich das mal bitte jemand anschauen, da ich aus den man-pages nicht schlau werde und das handbuch recht rudimentär ausgestattet ist, wenn es um die ipfw-regeln geht.
die hier dargestellten regeln funktionieren zwar, aber ich habe das gefühl, dass viele
regeln durch eine einzige ersetzt werden könnten. außerdem habe ich sie mehr oder weniger nur zusammenkopiert, da ich absolut keinen plan habe.
relevanter abschnitt aus rc.firewall
[Rr][Oo][Uu][Tt][Ee][Rr])
# "router" profile of rc.firewall, presumably selected by firewall_type in
# rc.conf (the enclosing case statement is outside this excerpt). The box
# routes between netz_2 (em0) and netz_1 (rl0); ${fwcmd} and setup_loopback
# are provided by the surrounding rc.firewall.
#
# Review notes (this is the ruleset the poster asked to have checked):
#  - ipfw evaluates rules in order and the first match wins, so several rules
#    below can never be reached (flagged inline).
#  - every line is a separate ipfw invocation; one that fails to parse is
#    skipped with an error message while the rest of the script runs on.
#    Lines flagged "probably rejected" should be verified with `ipfw list`.
# external interface towards router_1 (the DSL router)
oif="rl0"
onet="192.168.10.0"
omask="255.255.255.0"
oip="192.168.10.2"
# internal interface (netz_2)
iif="em0"
inet="192.168.20.0"
imask="255.255.255.0"
iip="192.168.20.1"
router="192.168.10.1" #=router_1, the DSL router: next hop to the WAN and DNS forwarder
# netz_2 hosts allowed through the router (ipfw2 accepts comma-separated
# address lists). NOTE(review): 192.168.20.255 is the broadcast address of
# inet; it never occurs as a *source*, so in the "from ${homenet}" rules it is
# dead weight. As a destination (the samba rule below) it does let the
# router's NetBIOS broadcasts out — confirm that is what it is there for.
homenet="192.168.20.1,192.168.20.2,192.168.20.255"
# NetBIOS ports. 445 (SMB directly over TCP) is not in this list although the
# deny rules below use it — keep the two in sync.
samba="137,138,139"
# destination ports netz_2 clients may open outbound (truncated in the post)
daemons="21......."
setup_loopback
##############################################################################
# blocked section #
##############################################################################
# Stop spoofing
# Drop inbound packets whose source claims to be the network behind the
# other interface.
${fwcmd} add deny log all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny log all from ${onet}:${omask} to any in via ${iif}
# Reverse-path check: drop inbound packets whose source address would not be
# routed back out through the interface they arrived on. This one rule
# already covers both interfaces (and the two explicit rules above); the two
# per-interface variants that follow can never match and can be dropped.
${fwcmd} add deny log ip from any to any not verrevpath in
${fwcmd} add deny log ip from any to any in via ${oif} not verrevpath
${fwcmd} add deny log ip from any to any in via ${iif} not verrevpath
# Stop RFC1918 nets on the outside interface
# Destination side: packets towards private ranges must not cross rl0.
${fwcmd} add deny log all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 172.16.0.0/12 via ${oif}
# BUG(review): this is not valid ipfw syntax. ipfw(8)'s set notation is
# addr/masklen{list}, where the list enumerates values of the *last* octet
# and masklen must be 24 or more — a /16 cannot be written this way. The rule
# is therefore probably rejected at load time (check with `ipfw list`).
# A plain 192.168.0.0/16 (commented below) cannot be used either, because
# both local networks live inside it and legitimately cross rl0. Either leave
# this out (verrevpath plus the final deny already stop most of it) or spell
# out the /16 minus 192.168.10.0/24 and 192.168.20.0/24 as a handful of
# ordinary CIDR blocks, one rule each.
${fwcmd} add deny log all from any to 192.168.0{0-19,21-255}.0/16 via ${oif}
# ${fwcmd} add deny log all from any to 192.168.0.0/16 via ${oif}
# ${fwcmd} add deny log all from any to 192.168.20.0/24 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}
# Stateful matching: packets belonging to a flow created by one of the
# keep-state rules further down are accepted here, ahead of every static
# rule that follows.
${fwcmd} add check-state
# ICMP (all disabled, so no ICMP passes at all)
# NOTE(review): with type 3 blocked, "fragmentation needed" messages are
# dropped too, which breaks path-MTU discovery across the DSL link — a
# classic cause of hanging downloads. Allowing inbound types 3 and 11 is the
# usual minimum. ipfw(8) spells the option `icmptypes`; confirm the singular
# form used below is accepted before relying on these lines.
# ${fwcmd} add pass log icmp from any to any in recv ${oif} icmptype 3
# ${fwcmd} add pass log icmp from any to any in recv ${oif} icmptype 8
# ${fwcmd} add pass log icmp from any to any in recv ${iif} icmptype 3
# ${fwcmd} add pass log icmp from any to any in recv ${iif} icmptype 8
# Block SMB/NetBIOS between netz_2 and netz_1
# BUG(review), applies to all 18 rules of this section:
#  - "139, 445" contains a space, so the shell hands ipfw "139," and "445" as
#    two words; these rules are almost certainly rejected and never
#    installed. Write the lists without spaces: 139,445 and 137,138.
#  - `setup` tests TCP flags (SYN without ACK); on the udp rules it is
#    either rejected or can never match.
#  - ${iip}:${imask} is 192.168.20.1 with a /24 mask; ipfw masks the base
#    address, so this should cover the whole network, but ${inet}:${imask}
#    states the intent.
#  - a rule without in/out already matches both directions, so the `setup`,
#    `out xmit` and `in recv` variants of each pair overlap; one rule per
#    protocol and direction would do.
#  - only netz_1 is covered as the peer: SMB towards the WAN is not matched
#    here and is stopped solely by the final deny — provided ${daemons}
#    does not include these ports.
# netz_2 -> netz_1
${fwcmd} add deny log tcp from ${iip}:${imask} to ${onet}:${omask} 139, 445 setup
${fwcmd} add deny log udp from ${iip}:${imask} to ${onet}:${omask} 137, 138 setup
${fwcmd} add deny log tcp from ${iip}:${imask} to ${onet}:${omask} 139, 445 out xmit ${iif}
${fwcmd} add deny log udp from ${iip}:${imask} to ${onet}:${omask} 137, 138 out xmit ${iif}
${fwcmd} add deny log tcp from ${iip}:${imask} to ${onet}:${omask} 139, 445 in recv ${iif}
${fwcmd} add deny log udp from ${iip}:${imask} to ${onet}:${omask} 137, 138 in recv ${iif}
# netz_1 -> netz_2
${fwcmd} add deny log tcp from ${onet}:${omask} to ${iip}:${imask} 139, 445 setup
${fwcmd} add deny log udp from ${onet}:${omask} to ${iip}:${imask} 137, 138 setup
${fwcmd} add deny log tcp from ${onet}:${omask} to ${iip}:${imask} 139, 445 out xmit ${iif}
${fwcmd} add deny log udp from ${onet}:${omask} to ${iip}:${imask} 137, 138 out xmit ${iif}
${fwcmd} add deny log tcp from ${onet}:${omask} to ${iip}:${imask} 139, 445 in recv ${iif}
${fwcmd} add deny log udp from ${onet}:${omask} to ${iip}:${imask} 137, 138 in recv ${iif}
# netz_1 -> anything outside netz_2; on this box that can only be the
# router's own rl0 address, so these protect a Samba daemon on the router
# itself (if one runs there). The `xmit/recv ${iif}` variants can never see
# such a packet.
${fwcmd} add deny log tcp from ${onet}:${omask} to not ${iip}:${imask} 139, 445 setup
${fwcmd} add deny log udp from ${onet}:${omask} to not ${iip}:${imask} 137, 138 setup
${fwcmd} add deny log tcp from ${onet}:${omask} to not ${iip}:${imask} 139, 445 out xmit ${iif}
${fwcmd} add deny log udp from ${onet}:${omask} to not ${iip}:${imask} 137, 138 out xmit ${iif}
${fwcmd} add deny log tcp from ${onet}:${omask} to not ${iip}:${imask} 139, 445 in recv ${iif}
${fwcmd} add deny log udp from ${onet}:${omask} to not ${iip}:${imask} 137, 138 in recv ${iif}
# Network Address Translation.
# Presumably natd_enable is "no" here, since router_1 does the NAT. Should it
# ever be enabled, the divert sits after the destination-side bogon checks and
# before the source-side ones, the same placement as in the stock rc.firewall.
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add divert natd all from any to any via ${natd_interface}
fi
;;
esac
# Stop RFC1918 nets on the outside interface
# Source side: the same ranges as above, now as source addresses.
${fwcmd} add deny log all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from 172.16.0.0/12 to any via ${oif}
# ${fwcmd} add deny log all from 192.168.0.0/16 to any via ${oif}
# BUG(review): same malformed set notation as the destination-side rule
# above; see the note there.
${fwcmd} add deny log all from 192.168.0{0-19,21-255}.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}
##############################################################################
# allowed section #
##############################################################################
#${fwcmd} add pass ip from ${homenet} to ${ip} 137,138,139 via ${interface}
#${fwcmd} add pass ip from ${homenet} to ${iip}:${imask} 137,138,139 via ${iif}
# Allow existing connections
# ${fwcmd} add pass tcp from any to any established
# NOTE(review): `established` is stateless — per ipfw(8) it matches any TCP
# segment with the RST or ACK bit set, whether or not a connection exists.
# With no firewalls on the netz_2 clients this is the widest gap in the set:
# unsolicited ACK-flagged segments arriving on rl0 reach the clients. The
# ruleset already uses keep-state/check-state, so these two lines can go
# once every legitimate connection type (client outbound, router DNS, ...)
# has its own keep-state rule; until then removing them breaks live flows.
${fwcmd} add pass tcp from any to any via ${oif} established
${fwcmd} add pass tcp from any to any via ${iif} established
#Allow setup of outgoing TCP connections only
# ${fwcmd} add pass tcp from ${ip} to any setup
#${fwcmd} add pass tcp from ${oip} to any keep-state out xmit ${oif} setup
# The router itself may open TCP connections into netz_2 (out xmit em0).
${fwcmd} add pass tcp from ${iip} to any keep-state out xmit ${iif} setup
# netz_2 clients may open TCP connections to the ${daemons} ports anywhere;
# keep-state lets the replies back in via check-state on either interface.
${fwcmd} add pass tcp from ${homenet} to any ${daemons} keep-state in via ${iif} setup
# Allow SMB/NetBIOS only inside netz_2 (router <-> clients)
# NOTE(review): port lists on an `ip` rule — ipfw(8) documents port matching
# for tcp/udp; confirm these two rules load, or split them into tcp and udp.
${fwcmd} add pass ip from ${iip} to ${homenet} out via ${iif} src-port ${samba}
#${fwcmd} add pass ip from ${homenet} to ${ip} 137,138,139 via ${interface}
${fwcmd} add pass ip from ${homenet} to ${iip}:${imask} ${samba} in via ${iif}
# Allow IP fragments to pass through
# Fragments stay denied (they fall through to the final deny). That is the
# safe default, but it also breaks fragmented UDP such as large DNS answers.
# ${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
# ${fwcmd} add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
# ${fwcmd} add pass tcp from any to ${oip} 53 setup
# ${fwcmd} add pass udp from any to ${oip} 53
# ${fwcmd} add pass udp from ${oip} 53 to any
# Allow access to our WWW
# ${fwcmd} add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
# Main ingress control: no new TCP connection may come in via rl0. Any
# service that must be reachable from netz_1/WAN needs its pass rule *above*
# this line (the commented templates above are in the right place for that).
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
# ${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
#${fwcmd} add pass udp from ${oip} to any 53 keep-state
# DNS: the router and the netz_2 clients may query router_1 only. The `in`
# rule creates the dynamic entry when the query enters on em0; on the way
# out the same packet is then caught by check-state, so the `out` rule is
# probably redundant.
${fwcmd} add pass udp from ${oip} to ${router} 53 keep-state
${fwcmd} add pass udp from ${homenet} to ${router} 53 keep-state in
${fwcmd} add pass udp from ${homenet} to ${router} 53 keep-state out
# Allow NTP queries out in the world
# ${fwcmd} add pass udp from ${oip} to any 123 keep-state
# Answer ident (113) with RST instead of silently dropping, so mail/IRC
# servers do not sit in a timeout.
# NOTE(review): the rl0 rule is unreachable — an ident SYN from outside is
# already denied by the "in via ${oif} setup" rule above, and ACK-only
# segments were passed by `established`. Only the em0 rule can ever fire.
${fwcmd} add reset log tcp from any to any 113 in recv ${oif}
${fwcmd} add reset log tcp from any to any 113 in recv ${iif}
# Disallow setup of all other TCP connections
# Catch-all. The first rule shadows the next three `setup` rules (and
# `setup` on udp/ip matches nothing anyway); the "deny log all" on the fifth
# line matches every remaining packet, so the last three are unreachable.
# A single `${fwcmd} add deny log all from any to any` is equivalent.
# Logging here hits net.inet.ip.fw.verbose_limit quickly on a busy link;
# use `logamount` or `ipfw resetlog` when reading the logs.
${fwcmd} add deny log all from any to any setup
${fwcmd} add deny log ip from any to any setup
${fwcmd} add deny log tcp from any to any setup
${fwcmd} add deny log udp from any to any setup
${fwcmd} add deny log all from any to any
${fwcmd} add deny log ip from any to any
${fwcmd} add deny log tcp from any to any
${fwcmd} add deny log udp from any to any
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;
in sachen freebsd bin ich absoluter neuling und habe ein problem mit meinen selbst erstellten firewallregeln.
aber erstmal zum system.
ich benutze freebsd 5.2.1 release auf 900'er pIII mit 128mb ram und 2 net-interfaces.
-----netz_2--------------------router_2(fbsd)---------------netz_1----------router_1-----wan
(192.168.20.0) (192.168.20.1 & 192.168.10.2) (192.168.10.0) (192.168.10.1)
also, router_1 ist normaler dsl-router, mit dem alle clients ins wan gelangen sollen.
router_2 hat 2 interfaces und fungiert als gateway (gateway_enable=yes)
routing-daemons habe ich nirgends laufen. nur auf dem dsl-router (router_1) habe ich eine statische route zum netz_2 über 192.168.10.2 eingerichtet. das gesamte netz mit zugang zum wan und umgekehrt etc. funktioniert.
meine frage bezieht sich aber vielmehr auf die effizienz und wirksamkeit meiner erstellten regeln gegenüber angriffen, da ich ein absolut sicheres netz_2 (clients haben KEINE eigene firewall) benötige.
kann sich das mal bitte jemand anschauen, da ich aus den man-pages nicht schlau werde und das handbuch recht rudimentär ausgestattet ist, wenn es um die ipfw-regeln geht.
die hier dargestellten regeln funktionieren zwar, aber ich habe das gefühl, dass viele
regeln durch eine einzige ersetzt werden könnten. außerdem habe ich sie mehr oder weniger nur zusammenkopiert, da ich absolut keinen plan habe.
relevanter abschnitt aus rc.firewall
[Rr][Oo][Uu][Tt][Ee][Rr])
# "router" profile of rc.firewall, presumably selected by firewall_type in
# rc.conf (the enclosing case statement is outside this excerpt). The box
# routes between netz_2 (em0) and netz_1 (rl0); ${fwcmd} and setup_loopback
# are provided by the surrounding rc.firewall.
#
# Review notes (this is the ruleset the poster asked to have checked):
#  - ipfw evaluates rules in order and the first match wins, so several rules
#    below can never be reached (flagged inline).
#  - every line is a separate ipfw invocation; one that fails to parse is
#    skipped with an error message while the rest of the script runs on.
#    Lines flagged "probably rejected" should be verified with `ipfw list`.
# external interface towards router_1 (the DSL router)
oif="rl0"
onet="192.168.10.0"
omask="255.255.255.0"
oip="192.168.10.2"
# internal interface (netz_2)
iif="em0"
inet="192.168.20.0"
imask="255.255.255.0"
iip="192.168.20.1"
router="192.168.10.1" #=router_1, the DSL router: next hop to the WAN and DNS forwarder
# netz_2 hosts allowed through the router (ipfw2 accepts comma-separated
# address lists). NOTE(review): 192.168.20.255 is the broadcast address of
# inet; it never occurs as a *source*, so in the "from ${homenet}" rules it is
# dead weight. As a destination (the samba rule below) it does let the
# router's NetBIOS broadcasts out — confirm that is what it is there for.
homenet="192.168.20.1,192.168.20.2,192.168.20.255"
# NetBIOS ports. 445 (SMB directly over TCP) is not in this list although the
# deny rules below use it — keep the two in sync.
samba="137,138,139"
# destination ports netz_2 clients may open outbound (truncated in the post)
daemons="21......."
setup_loopback
##############################################################################
# blocked section #
##############################################################################
# Stop spoofing
# Drop inbound packets whose source claims to be the network behind the
# other interface.
${fwcmd} add deny log all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny log all from ${onet}:${omask} to any in via ${iif}
# Reverse-path check: drop inbound packets whose source address would not be
# routed back out through the interface they arrived on. This one rule
# already covers both interfaces (and the two explicit rules above); the two
# per-interface variants that follow can never match and can be dropped.
${fwcmd} add deny log ip from any to any not verrevpath in
${fwcmd} add deny log ip from any to any in via ${oif} not verrevpath
${fwcmd} add deny log ip from any to any in via ${iif} not verrevpath
# Stop RFC1918 nets on the outside interface
# Destination side: packets towards private ranges must not cross rl0.
${fwcmd} add deny log all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 172.16.0.0/12 via ${oif}
# BUG(review): this is not valid ipfw syntax. ipfw(8)'s set notation is
# addr/masklen{list}, where the list enumerates values of the *last* octet
# and masklen must be 24 or more — a /16 cannot be written this way. The rule
# is therefore probably rejected at load time (check with `ipfw list`).
# A plain 192.168.0.0/16 (commented below) cannot be used either, because
# both local networks live inside it and legitimately cross rl0. Either leave
# this out (verrevpath plus the final deny already stop most of it) or spell
# out the /16 minus 192.168.10.0/24 and 192.168.20.0/24 as a handful of
# ordinary CIDR blocks, one rule each.
${fwcmd} add deny log all from any to 192.168.0{0-19,21-255}.0/16 via ${oif}
# ${fwcmd} add deny log all from any to 192.168.0.0/16 via ${oif}
# ${fwcmd} add deny log all from any to 192.168.20.0/24 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}
# Stateful matching: packets belonging to a flow created by one of the
# keep-state rules further down are accepted here, ahead of every static
# rule that follows.
${fwcmd} add check-state
# ICMP (all disabled, so no ICMP passes at all)
# NOTE(review): with type 3 blocked, "fragmentation needed" messages are
# dropped too, which breaks path-MTU discovery across the DSL link — a
# classic cause of hanging downloads. Allowing inbound types 3 and 11 is the
# usual minimum. ipfw(8) spells the option `icmptypes`; confirm the singular
# form used below is accepted before relying on these lines.
# ${fwcmd} add pass log icmp from any to any in recv ${oif} icmptype 3
# ${fwcmd} add pass log icmp from any to any in recv ${oif} icmptype 8
# ${fwcmd} add pass log icmp from any to any in recv ${iif} icmptype 3
# ${fwcmd} add pass log icmp from any to any in recv ${iif} icmptype 8
# Block SMB/NetBIOS between netz_2 and netz_1
# BUG(review), applies to all 18 rules of this section:
#  - "139, 445" contains a space, so the shell hands ipfw "139," and "445" as
#    two words; these rules are almost certainly rejected and never
#    installed. Write the lists without spaces: 139,445 and 137,138.
#  - `setup` tests TCP flags (SYN without ACK); on the udp rules it is
#    either rejected or can never match.
#  - ${iip}:${imask} is 192.168.20.1 with a /24 mask; ipfw masks the base
#    address, so this should cover the whole network, but ${inet}:${imask}
#    states the intent.
#  - a rule without in/out already matches both directions, so the `setup`,
#    `out xmit` and `in recv` variants of each pair overlap; one rule per
#    protocol and direction would do.
#  - only netz_1 is covered as the peer: SMB towards the WAN is not matched
#    here and is stopped solely by the final deny — provided ${daemons}
#    does not include these ports.
# netz_2 -> netz_1
${fwcmd} add deny log tcp from ${iip}:${imask} to ${onet}:${omask} 139, 445 setup
${fwcmd} add deny log udp from ${iip}:${imask} to ${onet}:${omask} 137, 138 setup
${fwcmd} add deny log tcp from ${iip}:${imask} to ${onet}:${omask} 139, 445 out xmit ${iif}
${fwcmd} add deny log udp from ${iip}:${imask} to ${onet}:${omask} 137, 138 out xmit ${iif}
${fwcmd} add deny log tcp from ${iip}:${imask} to ${onet}:${omask} 139, 445 in recv ${iif}
${fwcmd} add deny log udp from ${iip}:${imask} to ${onet}:${omask} 137, 138 in recv ${iif}
# netz_1 -> netz_2
${fwcmd} add deny log tcp from ${onet}:${omask} to ${iip}:${imask} 139, 445 setup
${fwcmd} add deny log udp from ${onet}:${omask} to ${iip}:${imask} 137, 138 setup
${fwcmd} add deny log tcp from ${onet}:${omask} to ${iip}:${imask} 139, 445 out xmit ${iif}
${fwcmd} add deny log udp from ${onet}:${omask} to ${iip}:${imask} 137, 138 out xmit ${iif}
${fwcmd} add deny log tcp from ${onet}:${omask} to ${iip}:${imask} 139, 445 in recv ${iif}
${fwcmd} add deny log udp from ${onet}:${omask} to ${iip}:${imask} 137, 138 in recv ${iif}
# netz_1 -> anything outside netz_2; on this box that can only be the
# router's own rl0 address, so these protect a Samba daemon on the router
# itself (if one runs there). The `xmit/recv ${iif}` variants can never see
# such a packet.
${fwcmd} add deny log tcp from ${onet}:${omask} to not ${iip}:${imask} 139, 445 setup
${fwcmd} add deny log udp from ${onet}:${omask} to not ${iip}:${imask} 137, 138 setup
${fwcmd} add deny log tcp from ${onet}:${omask} to not ${iip}:${imask} 139, 445 out xmit ${iif}
${fwcmd} add deny log udp from ${onet}:${omask} to not ${iip}:${imask} 137, 138 out xmit ${iif}
${fwcmd} add deny log tcp from ${onet}:${omask} to not ${iip}:${imask} 139, 445 in recv ${iif}
${fwcmd} add deny log udp from ${onet}:${omask} to not ${iip}:${imask} 137, 138 in recv ${iif}
# Network Address Translation.
# Presumably natd_enable is "no" here, since router_1 does the NAT. Should it
# ever be enabled, the divert sits after the destination-side bogon checks and
# before the source-side ones, the same placement as in the stock rc.firewall.
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add divert natd all from any to any via ${natd_interface}
fi
;;
esac
# Stop RFC1918 nets on the outside interface
# Source side: the same ranges as above, now as source addresses.
${fwcmd} add deny log all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from 172.16.0.0/12 to any via ${oif}
# ${fwcmd} add deny log all from 192.168.0.0/16 to any via ${oif}
# BUG(review): same malformed set notation as the destination-side rule
# above; see the note there.
${fwcmd} add deny log all from 192.168.0{0-19,21-255}.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}
##############################################################################
# allowed section #
##############################################################################
#${fwcmd} add pass ip from ${homenet} to ${ip} 137,138,139 via ${interface}
#${fwcmd} add pass ip from ${homenet} to ${iip}:${imask} 137,138,139 via ${iif}
# Allow existing connections
# ${fwcmd} add pass tcp from any to any established
# NOTE(review): `established` is stateless — per ipfw(8) it matches any TCP
# segment with the RST or ACK bit set, whether or not a connection exists.
# With no firewalls on the netz_2 clients this is the widest gap in the set:
# unsolicited ACK-flagged segments arriving on rl0 reach the clients. The
# ruleset already uses keep-state/check-state, so these two lines can go
# once every legitimate connection type (client outbound, router DNS, ...)
# has its own keep-state rule; until then removing them breaks live flows.
${fwcmd} add pass tcp from any to any via ${oif} established
${fwcmd} add pass tcp from any to any via ${iif} established
#Allow setup of outgoing TCP connections only
# ${fwcmd} add pass tcp from ${ip} to any setup
#${fwcmd} add pass tcp from ${oip} to any keep-state out xmit ${oif} setup
# The router itself may open TCP connections into netz_2 (out xmit em0).
${fwcmd} add pass tcp from ${iip} to any keep-state out xmit ${iif} setup
# netz_2 clients may open TCP connections to the ${daemons} ports anywhere;
# keep-state lets the replies back in via check-state on either interface.
${fwcmd} add pass tcp from ${homenet} to any ${daemons} keep-state in via ${iif} setup
# Allow SMB/NetBIOS only inside netz_2 (router <-> clients)
# NOTE(review): port lists on an `ip` rule — ipfw(8) documents port matching
# for tcp/udp; confirm these two rules load, or split them into tcp and udp.
${fwcmd} add pass ip from ${iip} to ${homenet} out via ${iif} src-port ${samba}
#${fwcmd} add pass ip from ${homenet} to ${ip} 137,138,139 via ${interface}
${fwcmd} add pass ip from ${homenet} to ${iip}:${imask} ${samba} in via ${iif}
# Allow IP fragments to pass through
# Fragments stay denied (they fall through to the final deny). That is the
# safe default, but it also breaks fragmented UDP such as large DNS answers.
# ${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
# ${fwcmd} add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
# ${fwcmd} add pass tcp from any to ${oip} 53 setup
# ${fwcmd} add pass udp from any to ${oip} 53
# ${fwcmd} add pass udp from ${oip} 53 to any
# Allow access to our WWW
# ${fwcmd} add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
# Main ingress control: no new TCP connection may come in via rl0. Any
# service that must be reachable from netz_1/WAN needs its pass rule *above*
# this line (the commented templates above are in the right place for that).
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
# ${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
#${fwcmd} add pass udp from ${oip} to any 53 keep-state
# DNS: the router and the netz_2 clients may query router_1 only. The `in`
# rule creates the dynamic entry when the query enters on em0; on the way
# out the same packet is then caught by check-state, so the `out` rule is
# probably redundant.
${fwcmd} add pass udp from ${oip} to ${router} 53 keep-state
${fwcmd} add pass udp from ${homenet} to ${router} 53 keep-state in
${fwcmd} add pass udp from ${homenet} to ${router} 53 keep-state out
# Allow NTP queries out in the world
# ${fwcmd} add pass udp from ${oip} to any 123 keep-state
# Answer ident (113) with RST instead of silently dropping, so mail/IRC
# servers do not sit in a timeout.
# NOTE(review): the rl0 rule is unreachable — an ident SYN from outside is
# already denied by the "in via ${oif} setup" rule above, and ACK-only
# segments were passed by `established`. Only the em0 rule can ever fire.
${fwcmd} add reset log tcp from any to any 113 in recv ${oif}
${fwcmd} add reset log tcp from any to any 113 in recv ${iif}
# Disallow setup of all other TCP connections
# Catch-all. The first rule shadows the next three `setup` rules (and
# `setup` on udp/ip matches nothing anyway); the "deny log all" on the fifth
# line matches every remaining packet, so the last three are unreachable.
# A single `${fwcmd} add deny log all from any to any` is equivalent.
# Logging here hits net.inet.ip.fw.verbose_limit quickly on a busy link;
# use `logamount` or `ipfw resetlog` when reading the logs.
${fwcmd} add deny log all from any to any setup
${fwcmd} add deny log ip from any to any setup
${fwcmd} add deny log tcp from any to any setup
${fwcmd} add deny log udp from any to any setup
${fwcmd} add deny log all from any to any
${fwcmd} add deny log ip from any to any
${fwcmd} add deny log tcp from any to any
${fwcmd} add deny log udp from any to any
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;