Nmap Announce mailing list archives

Re: Linux ipfwadm howto


From: Lorenzo Cavallaro <sullivan () seclab com>
Date: Wed, 30 Dec 1998 15:04:17 +0100

Good Afternoon to all :)

I'd like to make only a few 'fixes' and comments about Lamont's HOWTO.
This is all IMHO, so I don't wanna offend anybody :)

On Tue, Dec 29, 1998 at 10:29:41AM -0800, Lamont Granquist wrote:

I wrote the following howto on hardening your linux system with ipfwadm.
It seems relevant to post it here, since these measures are an attempt to
block things like nmap.  I'd be interested both in comments on how to make
this better, and in discussion of how nmap might adapt to this kind of
thing (for example using ftp-data as a source port might not be a bad
idea...).

This will also be logged by tcplogd (the well-known Hobbit's FTP Bounce Attack) imho.

[snip]

To use ipfwadm, you need to have your kernel compiled with
CONFIG_IP_FIREWALL and CONFIG_IP_FIREWALL_VERBOSE turned on.  While
you're at it turn on CONFIG_IP_ALWAYS_DEFRAG for kicks, and turn off
CONFIG_IP_FORWARD.  CONFIG_IP_ALWAYS_DEFRAG is necessary for dual-homed
bastion hosts in a firewall but is not necessary (?) for our

It's a good thing to turn on CONFIG_ALWAYS_DEFRAG, especially on a firewall host.
This (as explained in the docs) will allow the tcp/ip layer to 'reassemble' all the
incoming packets (even if they come fragmented) before they are processed.
This will allow you to have a more reliable firewall; otherwise (again, as the docs say)
'second and further fragments will always be accepted by the firewall'.

single-homed example.  Turning off CONFIG_IP_FORWARD can prevent some
spoofing attacks.  RedHat 5.2 comes with CONFIG_IP_FIREWALL (and
CONFIG_IP_FIREWALL_VERBOSE) already turned on by default so there is no
need to recompile the kernel.

[snip]

You can also set the default policy with a command like:

ipfwadm -I -p accept  /* accept all packets by default */

Note that your default policy is *not* flushed when you flush the rules.
That means that if you have at some time issued a command:

ipfwadm -I -p deny

And setup some rules to allow certain packets through, and then you
issue a flush command:

ipfwadm -If

You will now be blocking all incoming packets to your default interface,
and you might need to reboot the machine.  No packets will be getting
through, and this will lock the X11 console display since the machine
will not be able to talk to itself via the port 6000 X11 services (even
though these packets do not go over the wire, they are still TCP and
they are still blocked).

This is not really true, imho.
This is true if you're trying to set up your firewall's rules from a remote workstation
(i.e. an Xterminal) which communicates with the firewall host through a tcp/ip socket stream,
but when you work with your 'linux pc' and set up X, you won't use tcp/ip (even if you'll start the X
server making the 6000 tcp port LISTEN), but you'll use a *unix domain* socket (that, however, could be
a local security issue, as pointed out in some BUGTRAQ thread)

# file /tmp/.X11-unix/X0
/tmp/.X11-unix/X0: socket       <-- that means unix domain socket
#

So, even if you block all incoming connections on your 'young' firewall host, you will be able
to fix the stuff (when working in console (even with X)) imho.

[snip]

The actual format of a rule that I'll use looks like this (a simplified
subset of what ipfwadm is capable of):

ipfwadm [-I|-O] -a [accept|deny] [-P [tcp|udp|icmp]] [-S IP/net [port/icmp #]]
        [-D IP/net [port]] [-o]


I guess that 'all' as protocol is very important too.

You specify either the Input or Output rules, whether to accept or deny,
optionally specify a protocol (default matches *any* protocol, including
those which are not tcp, udp or icmp), optionally specify source and
destination addresses/ports (default matches any), and optionally log the
packets.

[snip]


THE DIRT
--------

Let's step through the actual rules to see what I did:

 # flush rules
 /sbin/ipfwadm -I -f
 /sbin/ipfwadm -O -f
 /sbin/ipfwadm -F -f
 /sbin/ipfwadm -A -f

That should hopefully be self-explanatory -- we're starting with a completely
fresh slate.

 # default is to allow all incoming packets
 /sbin/ipfwadm -I -p accept
 /sbin/ipfwadm -O -p accept

I setup the default rule to be accept.  Setting them to deny will mean
that if you flush the rules then you'll wind up pretty well hosing your

Well, you have to add further rules obviously, and if you work on console
(read: linux pc, with its video card and a monitor ;)) you'll always be able to fix things up.

machine.  And if you rely on a default deny rule then you will not get
any logging.   For that reason I will actually implement an explicit

mmmm let's consider these simple rules...
(For simplicity I will omit -O -F -A and I'll give only a simple tcp example, forgive me ;))

ipfwadm -I -p deny
ipfwadm -I -i accept -P tcp -S 0/0 -D 0/0 -k -W <interface> -V <address>
ipfwadm -I -i deny -P all -S 0/0 -D 0/0 -o -W <interface> -V <address>

Let's note that this will accept even spoofed stuff such as packets with source address 127.0.0.1 (ACK bit set)
and so on ... it's only a poor example. Improvement can be easily achieved imho.

This will set the default policy to deny (i.e. you'll deny all tcp/ip protocols), except for
those segments (we're talking about tcp) that come in from <interface> and have the
ACK bit set (so you won't allow connections from outside to inside).
Then you'll deny and log any other kind of protocol (-P all) (i.e. tcp, icmp, igmp, ip - even raw stuff -,
udp and so on).

I know that this isn't a really good example, but maybe it could be an alternative way to set up
your firewall rules (maybe it's better for a dial-up user).
(and IMHO a packet filter firewall isn't the total solution. I appreciate a mixed system, i.e. packet filter and
proxy gateway fw should work fine :))


default deny rule which will also log all the packets that it drops --
so keep in mind that the default will eventually be set to deny packets
when we get to the final rule at the bottom of this file.



-- 
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka



I hope that nobody takes offense from this :)
.. and I wish everybody .. HAPPY NEW YEAR - Keep on Hacking guys - ;)

bye bye



                        -- gg sullivan



--
Lorenzo Cavallaro
Intesis SECURITY LAB            Phone: +39-02-671563.1
Via Settembrini, 35             Fax: +39-02-66981953
I-20124 Milano  ITALY           Email: sullivan () seclab com
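An added example, not part of either poster's text: a small model of ipfwadm input-chain evaluation (first matching rule wins, otherwise the -p default policy applies; -k matches only TCP packets with ACK set; -o marks the rule as logging). It replays Lorenzo's "-p deny / accept tcp -k / deny all -o" set against constructed packets to show the loopback-spoofed ACK segment he mentions getting through, and the same set with an explicit anti-spoof deny placed first. Interface matching (-W/-V) is deliberately left out of the model.

```python
# Added example, not code from the thread: a minimal model of how an
# ipfwadm -I chain is walked, used to check Lorenzo's ACK-only rule set.
# Rules and packets below are constructed; -W/-V interface matching is
# not modelled, so a packet is judged on protocol, source and ACK bit only.
from dataclasses import dataclass


@dataclass
class Rule:
    action: str             # "accept" or "deny"
    proto: str = "all"      # -P tcp|udp|icmp|all
    src: str = "0/0"        # -S: only "0/0" or one exact address modelled
    ack_only: bool = False  # -k: match TCP packets with the ACK bit set
    log: bool = False       # -o: log packets matching this rule


@dataclass
class Packet:
    proto: str
    src: str
    ack: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.src != "0/0" and rule.src != pkt.src:
        return False
    if rule.ack_only and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(rules, policy: str, pkt: Packet):
    """First matching rule decides; with no match the -p policy applies.
    Returns (verdict, logged). The default policy itself never logs."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.log
    return policy, False


# Lorenzo's example chain: -p deny; accept -P tcp -k; deny -P all -o
ACK_ONLY = [Rule("accept", "tcp", ack_only=True),
            Rule("deny", "all", log=True)]
# Same chain with an anti-spoof rule for a loopback source placed first
ANTISPOOF = [Rule("deny", "all", src="127.0.0.1", log=True)] + ACK_ONLY

SPOOFED_ACK = Packet("tcp", "127.0.0.1", ack=True)  # constructed sample
INBOUND_SYN = Packet("tcp", "10.0.0.2", ack=False)  # new connection attempt
REPLY_SEG = Packet("tcp", "10.0.0.2", ack=True)     # reply to our own connect
```

With ACK_ONLY the spoofed segment is accepted silently, while ANTISPOOF denies and logs it; inbound SYNs are denied and logged in both, and replies to locally initiated connections still pass.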


