Nmap Announce mailing list archives
Re: Linux ipfwadm howto
From: Lorenzo Cavallaro <sullivan () seclab com>
Date: Wed, 30 Dec 1998 15:04:17 +0100
Good Afternoon to all :) I'd like to make only a few 'fixes' and comments about Lamont's HOWTO. This is all IMHO, so I don't wanna offend anybody :)

On Tue, Dec 29, 1998 at 10:29:41AM -0800, Lamont Granquist wrote:
> I wrote the following howto on hardening your linux system with ipfwadm. It seems relevant to post it here, since these measures are an attempt to block things like nmap. I'd be interested both in comments on how to make this better, and in discussion of how nmap might adapt to this kind of thing (for example using ftp-data as a source port might not be a bad idea...).
This will also be logged by tcplogd (the well-known Hobbit's FTP bounce attack) imho.

[snip]
> To use ipfwadm, you need to have your kernel compiled with CONFIG_IP_FIREWALL and CONFIG_IP_FIREWALL_VERBOSE turned on. While you're at it turn on CONFIG_IP_ALWAYS_DEFRAG for kicks, and turn off CONFIG_IP_FORWARD. CONFIG_IP_ALWAYS_DEFRAG is necessary for dual-homed bastion hosts in a firewall but is not necessary (?) for our
It's a good thing to turn on CONFIG_ALWAYS_DEFRAG, especially on a firewall host. This (as explained in the docs) will allow the tcp/ip layer to 'reassemble' all incoming packets (even if they come fragmented) before they are processed. This will allow ya to have a more reliable firewall, otherwise (again as the docs say) 'second and further fragments will always be accepted by the firewall'.
> single-homed example. Turning off CONFIG_IP_FORWARD can prevent some spoofing attacks. RedHat 5.2 comes with CONFIG_IP_FIREWALL (and CONFIG_IP_FIREWALL_VERBOSE) already turned on by default so there is no need to recompile the kernel.
[snip]
> You can also set the default policy with a command like:
>
>     ipfwadm -I -p accept    /* accept all packets by default */
>
> Note that your default policy is *not* flushed when you flush the rules. That means that if you have at some time issued a command:
>
>     ipfwadm -I -p deny
>
> And setup some rules to allow certain packets through, and then you issue a flush command:
>
>     ipfwadm -If
>
> You will now be blocking all incoming packets to your default interface, and you might need to reboot the machine. No packets will be getting through, and this will lock the X11 console display since the machine will not be able to talk to itself via the port 6000 X11 services (even though these packets do not go over the wire, they are still TCP and they are still blocked).
This is not really true, imho. This is true if you're trying to set up your firewall's rules from a remote workstation (i.e. an Xterminal) which communicates w/ the firewall host through a tcp/ip socket stream, but when you work with your 'linux pc' and set up X, you won't use tcp/ip (even if you start the X server making the 6000 tcp port LISTEN), but you'll use a *unix domain* socket (that, however, could be a local security issue as figured out in some BUGTRAQ thread):

    # file /tmp/.X11-unix/X0
    /tmp/.X11-unix/X0: socket      <-- that means unix domain socket
    #

So, even if you block all incoming connections on your 'young' firewall host, you will be able to fix the stuff (when working in console (even w/ X)) imho.

[snip]
> The actual format of a rule that I'll use looks like this (a simplified subset of what ipfwadm is capable of):
>
>     ipfwadm [-I|-O] -a [accept|deny] [-P [tcp|udp|icmp]] [-S IP/net [port/icmp #]] [-D IP/net [port]] [-o]
I guess that 'all' as protocol is very important too.
> You specify either the Input or Output rules, whether to accept or deny, optionally specify a protocol (default matches *any* protocol, including those which are not tcp, udp or icmp), optionally specify source and destination addresses/ports (default matches any), and optionally log the packets.
[snip]
> THE DIRT
> --------
>
> Let's step through the actual rules to see what I did:
>
>     # flush rules
>     /sbin/ipfwadm -I -f
>     /sbin/ipfwadm -O -f
>     /sbin/ipfwadm -F -f
>     /sbin/ipfwadm -A -f
>
> That should hopefully be self-explanatory -- we're starting with a completely fresh slate.
>
>     # default is to allow all incoming packets
>     /sbin/ipfwadm -I -p accept
>     /sbin/ipfwadm -O -p accept
>
> I setup the default rule to be accept. Setting them to deny will mean that if you flush the rules then you'll wind up pretty well hosing your
Well, you have to add further rules obviously, and if you work on console (read: linux pc, with its video card and a monitor ;)) you'll always be able to fix things up.
> machine. And if you rely on a default deny rule then you will not get any logging. For that reason I will actually implement an explicit
mmmm let's consider these simple rules... (For simplicity I will omit -O -F -A and I'll give only a simple tcp example, forgive me ;))

    ipfwadm -I -p deny
    ipfwadm -I -i accept -P tcp -S 0/0 -D 0/0 -k -W <interface> -V <address>
    ipfwadm -I -i deny -P all -S 0/0 -D 0/0 -o -W <interface> -V <address>

Let's note that this will accept even spoofed stuff such as w/ source address 127.0.0.1 (ACK bit set) and so on ... it's only a poor example. Improvement can be easily achieved imho.

This will set up the default policy to deny (i.e. you'll deny all tcp/ip protocols), except those segments (we're talking about tcp) that come in from <interface> and have the ACK bit set (so you won't allow connections from outside to inside). Then you'll deny and log any other kind of protocol (-P all) (i.e. tcp, icmp, igmp, ip - even raw stuff -, udp and so on).

I know that this isn't a really good example, but maybe it could be an alternative way to set up your firewall rules (maybe it's better for a dial-up user). (and IMHO a packet filter firewall ain't the total solution. I appreciate a mixed system, i.e. packet filter and proxy gateway fw should work fine :))
> default deny rule which will also log all the packets that it drops -- so keep in mind that the default will eventually be set to deny packets when we get to the final rule at the bottom of this file.
> --
> Lamont Granquist                      lamontg () raven genome washington edu
> Dept. of Molecular Biotechnology      (206)616-5735  fax: (206)685-7344
> Box 352145 / University of Washington / Seattle, WA 98195
> PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
I hope that nobody takes offense from this :) .. and I wish everybody .. HAPPY NEW YEAR - Keep on Hacking guys - ;)

bye bye
-- gg sullivan

--
Lorenzo Cavallaro                  Intesis SECURITY LAB
Phone: +39-02-671563.1             Via Settembrini, 35
Fax: +39-02-66981953               I-20124 Milano ITALY
Email: sullivan () seclab com
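Two points in the thread are easy to get wrong without seeing them run: Lamont's warning that `ipfwadm -I -f` clears the rules but not the chain's default policy, and Lorenzo's `-k` (ACK-bit) rule, which admits replies to connections the host opened but, as he notes, also admits anything with a spoofed loopback source and the ACK bit set. The model below is an added example, not code from either poster and not ipfwadm itself: it is a small first-match simulator of the input chain (`-p` policy, `-P` protocol, `-S`/`-D` networks, `-k`, `-o`), with the `Packet`, `Rule` and `InputChain` names and all sample packets constructed for illustration. It also carries Lorenzo's "improvement can be easily achieved" one step further by placing an anti-spoof deny for 127.0.0.0/8 ahead of the ACK rule.

```python
"""Toy model of ipfwadm input-chain semantics: first matching rule wins, the
chain's default policy applies when nothing matches, and a flush clears the
rules but NOT the policy. Added example; class names and sample packets are
constructed, not taken from the thread or from ipfwadm."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    ack: bool = False   # TCP ACK bit; ignored for non-TCP


@dataclass
class Rule:
    action: str                 # "accept" or "deny"
    proto: str = "all"          # -P; "all" matches any protocol
    src: str = "0.0.0.0/0"      # -S (page writes this as 0/0)
    dst: str = "0.0.0.0/0"      # -D
    ack_only: bool = False      # -k: only TCP segments with ACK set
    log: bool = False           # -o: log matching packets

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.ack_only and not (p.proto == "tcp" and p.ack):
            return False
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


@dataclass
class InputChain:
    policy: str = "accept"                  # ipfwadm -I -p <policy>
    rules: List[Rule] = field(default_factory=list)
    logged: List[Packet] = field(default_factory=list)

    def flush(self) -> None:
        """ipfwadm -I -f: rules go away, the default policy stays."""
        self.rules.clear()

    def decide(self, p: Packet) -> str:
        for r in self.rules:                # first match wins
            if r.matches(p):
                if r.log:
                    self.logged.append(p)
                return r.action
        return self.policy                  # nothing matched: default policy


def build_naive_chain() -> InputChain:
    """Lorenzo's dial-up example: default deny, accept TCP with ACK set,
    deny and log everything else."""
    chain = InputChain(policy="deny")
    chain.rules.append(Rule("accept", proto="tcp", ack_only=True))
    chain.rules.append(Rule("deny", proto="all", log=True))
    return chain


def build_hardened_chain() -> InputChain:
    """Same chain with an anti-spoof deny for loopback sources placed
    BEFORE the ACK rule, so a forged 127.x source can no longer ride in."""
    chain = InputChain(policy="deny")
    chain.rules.append(Rule("deny", src="127.0.0.0/8", log=True))
    chain.rules.append(Rule("accept", proto="tcp", ack_only=True))
    chain.rules.append(Rule("deny", proto="all", log=True))
    return chain


# Constructed sample traffic (documentation addresses, not real hosts)
SYN_IN = Packet("tcp", "198.51.100.7", "192.0.2.10", ack=False)   # inbound connect attempt
REPLY_IN = Packet("tcp", "198.51.100.7", "192.0.2.10", ack=True)  # reply to our own connect
SPOOF_LO = Packet("tcp", "127.0.0.1", "192.0.2.10", ack=True)     # forged loopback source
UDP_IN = Packet("udp", "198.51.100.7", "192.0.2.10")


def demo() -> dict:
    naive, hard = build_naive_chain(), build_hardened_chain()
    results = {
        "naive_syn": naive.decide(SYN_IN),       # no ACK -> falls to deny+log
        "naive_reply": naive.decide(REPLY_IN),   # ACK set -> accepted
        "naive_spoof": naive.decide(SPOOF_LO),   # accepted: the hole Lorenzo points out
        "naive_udp": naive.decide(UDP_IN),       # -P all catch-all denies and logs it
        "naive_logged": len(naive.logged),
        "hard_spoof": hard.decide(SPOOF_LO),     # anti-spoof rule fires first
    }
    # Lamont's caveat: after a flush the surviving policy decides everything.
    chain = InputChain(policy="deny")
    chain.rules.append(Rule("accept"))
    chain.flush()
    results["after_flush"] = chain.decide(REPLY_IN)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Rule order is the whole point of the hardened chain: ipfwadm evaluates the input chain top-down and stops at the first match, so a deny for loopback sources only helps if it is inserted above the `-k` accept rule.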