The following rule set is an example of how to code a very secure inclusive type of firewall. An inclusive firewall only lets through services that match a pass rule and blocks everything else by default. Every firewall has at least two interfaces, and each of them needs rules that let the firewall itself function.
All Unix-flavored systems, FreeBSD included, use the loopback interface lo0 and the IP address 127.0.0.1 for communication internal to the operating system. The firewall rules must contain rules that allow free, unmolested movement of these internal packets.
The interface that faces the public Internet is the one on which you code the rules that authorize and control access out to the Internet and the requests arriving from it. This can be your ‘user ppp’ tun0 interface or the NIC that is cabled to your DSL or cable modem.
Where one or more NICs are cabled to private LANs (local area networks) behind the firewall, those interfaces need a rule that allows free, unmolested movement of packets originating on the LAN.
The rules should first be organized into three major sections: the free and unmolested interfaces, public interface outbound, and public interface inbound.
Within each public interface section, place the most used rules before the less often used ones, and make the last rule in the section a block-and-log of all packets on that interface and direction.
The outbound section in the following rule set contains only ‘pass’ rules, each with selection values that uniquely identify the service authorized for public Internet access. Every rule has ‘quick’, ‘on’, proto, port and a keep-state option coded. The ‘proto tcp’ rules include the ‘flags’ option (‘flags S/SA’) so that only the session start request, a SYN without ACK, is the triggering packet that creates the state entry.
The inbound section has all the blocking of undesirable packets first, for two reasons. First, the packets being blocked might otherwise match one of the later pass rules for an authorized service and be let in. Second, an explicit block rule for packets that you receive infrequently and do not want to see in the log keeps them from being caught by the last rule in the section, which blocks and logs every packet that has fallen through the rules. That last block-and-log rule is how you collect the evidence you would need to report or prosecute the people attacking your system.
Note also that no response is returned for any of the undesirable traffic; the packets are silently dropped (‘set block-policy drop’ below). The attackers therefore cannot tell whether their packets even reached your system, and the less an attacker can learn about your system, the more secure it is.
When you log packets with port numbers you do not recognize, go to http://www.securitystats.com/tools/portsearch.php and look the port number up to find what that port is used for.
Check this link for port numbers used by Trojans: http://www.simovits.com/trojans/trojans.html
The following rule set is a complete, very secure ‘inclusive’ type of firewall rule set that I have used on my system. You cannot go wrong using this rule set for your own. Just comment out any pass rules for services you don’t want to authorize.
If you see messages in your log that you want to stop seeing, just add a block rule in the inbound section.
You have to change the ‘dc0’ interface name in the $oif macro to the name of the NIC that connects your system to the public Internet. For ‘user ppp’ it would be ‘tun0’.
Add the following statements to /etc/pf.conf
#################################################################
# define defaults and macros
#################################################################
oif = "dc0"                          # oif is the macro name for the NIC facing the public internet
#lif = "xl0"                         # lif is the macro name for the NIC facing the local area network, if you have one
dns1 = "{69.22.11.5, 69.22.11.6}"    # my ISP's Domain name server IP addresses
dhcp = "69.22.11.7"                  # my ISP's DHCP server IP address
# flags S/SA: only the opening SYN creates state. modulate state randomizes
# the TCP initial sequence numbers; synproxy state makes pf complete the
# TCP handshake itself before the server ever sees the connection
ob_state = "flags S/SA modulate state"   # outbound
ib_state = "flags S/SA synproxy state"   # inbound
#################################################################
# define run time global defaults
#################################################################
set block-policy drop                # blocked packets are silently dropped, no RST or ICMP reply is sent
set state-policy if-bound            # states are bound to the interface they're created on
set loginterface $oif                # gather statistics on this interface
scrub out on $oif all random-id      # randomize the IP ID field of outbound packets
scrub reassemble tcp                 # normalize TCP segments before stateful inspection
#################################################################
# define NAT if you have a LAN
#################################################################
# $lif:network is the LAN subnet; plain $lif would only mean the
# firewall's own address on that interface
#nat on $oif from $lif:network to any -> ($oif)
#nat on $oif from 10.0.10.0/29 to any -> ($oif)
#pass quick on $lif all              # No restrictions on LAN Interface
pass quick on lo0 all                # No restrictions on Loopback Interface
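The outbound and inbound sections of the public interface, organized the way the text above describes (pass rules only on the way out, silent blocks first on the way in, a block-and-log rule closing each section), as an added example that is not part of the guide's own ruleset. It continues the /etc/pf.conf above and uses the macros defined there ($oif, $dns1, $dhcp, $ob_state, $ib_state). It assumes SSH is the only service you want reachable from the Internet; the other services and port numbers are illustrative and should be trimmed to what you actually use.

```pf
# Added example, not the guide's own ruleset. Continues the pf.conf above.
# Assumption: SSH is the only inbound service; other ports are illustrative.

#################################################################
# public interface outbound: pass rules only, most used first
#################################################################
# web browsing; $ob_state = flags S/SA modulate state
pass out quick on $oif proto tcp from any to any port { 80, 443 } $ob_state
# DNS queries, but only to the ISP's resolvers named in $dns1
pass out quick on $oif proto udp from any to $dns1 port 53 keep state
# DHCP lease renewals are unicast to the ISP's server; the broadcast
# DISCOVER for a fresh lease would need its own rule
pass out quick on $oif proto udp from any port 68 to $dhcp port 67 keep state
# outbound ssh
pass out quick on $oif proto tcp from any to any port 22 $ob_state
# let this host ping out; the echo reply is matched by the state entry
pass out quick on $oif inet proto icmp from any to any icmp-type echoreq keep state
# anything else leaving is not authorized: drop it and log it
block out log quick on $oif all

#################################################################
# public interface inbound: silent blocks first, then authorized
# services, then block and log everything that fell through
#################################################################
# packets arriving with a source address belonging to this interface or
# its network are spoofed; pf builds the matching block rules itself
antispoof quick for $oif inet
# private (RFC 1918) source addresses should never arrive from the Internet
block in quick on $oif from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
# Windows name service and SMB noise: block it without logging it
block in quick on $oif proto tcp from any to any port { 137, 138, 139, 445 }
block in quick on $oif proto udp from any to any port { 137, 138 }
# the one authorized inbound service; $ib_state = flags S/SA synproxy state,
# so pf completes the TCP handshake before sshd sees the connection
pass in quick on $oif proto tcp from any to ($oif) port 22 $ib_state
# final rule: everything else is dropped silently (block-policy drop)
# and written to pflog0
block in log quick on $oif all
```

Check the file for syntax errors with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. The packets caught by the two block-and-log rules are written to the pflog0 interface and can be read with tcpdump -n -e -ttt -i pflog0; the unrecognized port numbers you see there are the ones to look up and, if they are just noise, to add a silent block rule for in the inbound section.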
This FreeBSD Installer Guide is a public domain HOW-TO. This content may be reproduced, in any form or by any means, and used by all without permission in writing from the author.