Snort mailing list archives
Re: Supper Firewall setup with IPFILTER and SNORT
From: "Jim Sandoz" <sandoz () lucent com>
Date: Sat, 23 Nov 2002 13:35:13 -0500 (EST)
nathan, your ipfilter ruleset is lacking in several areas, and in particular the following line:
block return-rst in log quick on fxp0 proto tcp from any to any
is going to cause you many problems when out-of-order tcp packets arrive at your external interface.

see the IPF FAQ at:
http://home.earthlink.net/~jaymzh666/ipf/index.html
specifically:
http://home.earthlink.net/~jaymzh666/ipf/IPFprob.html#9
for additional info on "keep state" with tcp:
http://home.earthlink.net/~jaymzh666/ipf/IPFprob.html#1

moreover, you are keeping state in too many places, without proper flags, and not setting up state correctly in others. so here's a better sample ruleset...

#
# sof "ipf.conf"
#
# sample ipf.conf, suitable for a firewall which does not
# provide any services (e.g. http) to the external world.
# (examples are provided for enabling http and ssh though)
#
# interface naming and configuration
# fxp0 = external NIC, facing the world
# xl0  = internal NIC, facing private network(s)
# lo0  = loopback
#
# ip packet filtering rulesets:
#
# SECTION 0) rules generic to all interfaces
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick all with short
block in log quick proto icmp all with frag

# SECTION 1) rules specific to fxp0
# set up "default deny" inbound rules on external interface fxp0:
# block all protocols, no logging
block in on fxp0 all
# tcp, log these, send back RST only in reply to SYN packets
block in log on fxp0 proto tcp all
block return-rst in log on fxp0 proto tcp all flags S
# udp (you may not want to log these, lots of clutter...)
block return-icmp-as-dest(port-unr) in log quick on fxp0 proto udp all
# icmp, log these
# allow icmp from alternate location, for testing
# pass in quick on fxp0 proto icmp from altip/32 to yourip/32 keep state
# block everyone else
block in log quick on fxp0 proto icmp all

# examples if you want to provide services on interface fxp0
# (uncomment these rules to enable http and ssh services...)
# allow inbound http on port 80, keep state
# pass in quick on fxp0 proto tcp from any to yourip/32 \
#      port = 80 flags S keep state keep frags
# allow inbound ssh on port 22, keep state
# pass in quick on fxp0 proto tcp from any to yourip/32 \
#      port = 22 flags S keep frags keep state

# set up "keep state" outbound rules on external interface fxp0:
pass out quick on fxp0 proto tcp all flags S keep state keep frags
pass out quick on fxp0 proto udp all keep state keep frags
pass out quick on fxp0 proto icmp all keep state keep frags
block out quick on fxp0 all

# SECTION 2) rules specific to xl0
# let internal private interface xl0 run free
pass in quick on xl0 all
pass out quick on xl0 all

# SECTION 3) rules specific to lo0
# let loopback interface lo0 run free
pass in quick on lo0 all
pass out quick on lo0 all
#
# eof "ipf.conf"
#

while i'm at it, here's a sample ipnat.conf that will provide real-world user happiness (like proxy for passive ftp and so on):

#
# sof "ipnat.conf"
#
# a generic mapping for NAT'ing the 192.168.0.0/24 network
# via a single route'able public IP address
#
# enable ftp proxy from the firewall itself:
map fxp0 yourip/32 -> yourip/32 proxy port ftp ftp/tcp
# enable ftp proxy for users behind the firewall:
map fxp0 192.168.0.0/24 -> yourip/32 proxy port ftp ftp/tcp
# enable tcp/udp portmapping
map fxp0 192.168.0.0/24 -> yourip/32 portmap tcp/udp 10000:24000
# enable more general mapping (covers icmp etc)
map fxp0 192.168.0.0/24 -> yourip/32
#
# eof "ipnat.conf"
#

jim
> Yummm! Let's eat! Oh wait, 404 not found on the text version.
> --ja
>
> On Fri, 22 Nov 2002, Nathan Whitehouse wrote:
> > Hi everyone. I have just spent a month setting up a firewall for my Company. I have finally finished and I thought I would post a general tutorial on my web for anyone to check out. Any opinions are welcome. I have one that is a Word doc and one in a text file. Enjoy
> > http://www.dragonmist.net/ipfilter-snort-firewall.zip
> > http://www.dragonmist.net/ipfilter-snort-firewall.txt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
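The reply above relies on two IPFilter behaviours it never spells out: ipf evaluates the whole rule list and the last matching rule wins unless a matching rule says "quick", and a flow admitted by a "keep state" rule is matched against the state table before the rule list is consulted at all. That is why the posted ruleset leaves the TCP block rules without "quick" (so a later "pass in quick ... flags S keep state" can override them) while the UDP and ICMP blocks are "quick". The toy model below is an added illustration, not code from the post and not ipf itself; it replays the fxp0 section of the posted ruleset (ssh example uncommented, "yourip" replaced by the documentation address 203.0.113.10) against a few constructed packets, and compares it with a constructed variant in which the objected-to line "block return-rst in log quick on fxp0 proto tcp from any to any" serves as the TCP catch-all (Nathan's actual ruleset is not on this page). The difference shows up on a TCP packet the state table does not know about: the posted ruleset answers a bare SYN with an RST and silently drops anything else, whereas the objected line sends an RST back for every such packet.

```python
"""Toy model of two IPFilter behaviours: last-match-wins with "quick", and
"keep state" lookups that bypass the rule list. Constructed illustration
only; it models just the fields the sample rules use (direction, interface,
protocol, addresses, destination port, bare-SYN flag).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", relative to the firewall
    iface: str
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    syn: bool = False         # True for a bare SYN, what ipf "flags S" matches


@dataclass(frozen=True)
class Rule:
    text: str                 # the ipf.conf line this rule stands for
    action: str               # "pass", "block", "block return-rst", ...
    direction: str
    iface: str
    proto: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    flags_s: bool = False     # "flags S": match bare SYN packets only
    quick: bool = False       # "quick": stop evaluating; this rule decides
    keep_state: bool = False  # "keep state": remember the flow when passing

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.iface == p.iface
                and self.proto in ("any", p.proto)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.flags_s or p.syn))


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()    # flows admitted by a "keep state" rule

    @staticmethod
    def flow(p: Packet):
        # Direction-independent key. Real ipf also tracks ports and TCP
        # sequence windows; the toy deliberately leaves those out.
        return (p.proto, frozenset((p.src, p.dst)))

    def evaluate(self, p: Packet):
        """Return (action, reason) for one packet, recording state on pass."""
        if self.flow(p) in self.state:
            return "pass", "state table (rule list not consulted)"
        winner = None
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:           # "quick" ends the walk; otherwise the
                    break             # last matching rule is the winner
        if winner is None:
            return "pass", "no rule matched (ipf default)"
        if winner.action == "pass" and winner.keep_state:
            self.state.add(self.flow(p))
        return winner.action, winner.text


YOURIP = "203.0.113.10"       # placeholder for "yourip" in the posted rules

# The fxp0 section of the posted ruleset, with the ssh example uncommented.
JIM_RULES = [
    Rule("block in on fxp0 all", "block", "in", "fxp0"),
    Rule("block in log on fxp0 proto tcp all", "block", "in", "fxp0", proto="tcp"),
    Rule("block return-rst in log on fxp0 proto tcp all flags S",
         "block return-rst", "in", "fxp0", proto="tcp", flags_s=True),
    Rule("block return-icmp-as-dest(port-unr) in log quick on fxp0 proto udp all",
         "block return-icmp-as-dest(port-unr)", "in", "fxp0", proto="udp", quick=True),
    Rule("block in log quick on fxp0 proto icmp all",
         "block", "in", "fxp0", proto="icmp", quick=True),
    Rule("pass in quick on fxp0 proto tcp from any to yourip/32 port = 22 flags S keep state keep frags",
         "pass", "in", "fxp0", proto="tcp", dst=YOURIP, dport=22,
         flags_s=True, quick=True, keep_state=True),
    Rule("pass out quick on fxp0 proto tcp all flags S keep state keep frags",
         "pass", "out", "fxp0", proto="tcp", flags_s=True, quick=True, keep_state=True),
    Rule("pass out quick on fxp0 proto udp all keep state keep frags",
         "pass", "out", "fxp0", proto="udp", quick=True, keep_state=True),
    Rule("pass out quick on fxp0 proto icmp all keep state keep frags",
         "pass", "out", "fxp0", proto="icmp", quick=True, keep_state=True),
    Rule("block out quick on fxp0 all", "block", "out", "fxp0", quick=True),
]

# Constructed variant: the objected-to line as the TCP catch-all, placed
# after the service pass rule. Nathan's real ruleset is not on this page.
OBJECTED = Rule("block return-rst in log quick on fxp0 proto tcp from any to any",
                "block return-rst", "in", "fxp0", proto="tcp", quick=True)
NATHAN_STYLE = JIM_RULES[3:6] + [OBJECTED] + JIM_RULES[6:]


def scenarios(rules):
    """Feed a fixed sequence of constructed packets; return {name: action}."""
    fw = Firewall(rules)
    client, scanner, server = "198.51.100.9", "198.51.100.5", "192.0.2.7"
    pkts = [
        ("ssh SYN from client", Packet("in", "fxp0", "tcp", client, YOURIP, 22, syn=True)),
        ("http SYN from scanner", Packet("in", "fxp0", "tcp", scanner, YOURIP, 80, syn=True)),
        ("stray ACK, no state", Packet("in", "fxp0", "tcp", scanner, YOURIP, 22)),
        ("udp probe", Packet("in", "fxp0", "udp", scanner, YOURIP, 53)),
        ("ping from scanner", Packet("in", "fxp0", "icmp", scanner, YOURIP)),
        ("outbound SYN to server", Packet("out", "fxp0", "tcp", YOURIP, server, 443, syn=True)),
        ("server's reply", Packet("in", "fxp0", "tcp", server, YOURIP)),
    ]
    return {name: fw.evaluate(p)[0] for name, p in pkts}


if __name__ == "__main__":
    jim, nathan = scenarios(JIM_RULES), scenarios(NATHAN_STYLE)
    for name in jim:
        print(f"{name:24} posted ruleset: {jim[name]:36} objected line: {nathan[name]}")
```

Running it shows the two rulesets agreeing on everything except the "stray ACK, no state" row, where the posted ruleset logs and drops the packet and the objected line replies with an RST; the server's reply to the outbound SYN passes in both because it hits the state entry created by "pass out quick ... keep state" before either rule list is read.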
Current thread:
- Supper Firewall setup with IPFILTER and SNORT Nathan Whitehouse (Nov 22)
- Re: Supper Firewall setup with IPFILTER and SNORT jabbott (Nov 25)
- Re: Supper Firewall setup with IPFILTER and SNORT Jim Sandoz (Nov 25)
- Re: Supper Firewall setup with IPFILTER and SNORT Phil Dibowitz (Nov 25)
- Re: Supper Firewall setup with IPFILTER and SNORT Phil Dibowitz (Nov 25)
- Re: Supper Firewall setup with IPFILTER and SNORT Jim Sandoz (Nov 25)
- Re: Supper Firewall setup with IPFILTER and SNORT jabbott (Nov 25)