Snort mailing list archives

RE: OT: ipfilter Suggestions for Snort Use


From: "Justin Honold" <justin () tsunamiresearch com>
Date: Tue, 23 Apr 2002 10:08:29 -0500

you can specify a smaller range of ports for the ftpd...

-----Original Message-----
From: Ryan Hill [mailto:rhill () xypoint com] 
Sent: Monday, April 22, 2002 6:42 PM
To: 'snort-users () lists sourceforge net'; 'freebsd-questions () freebsd org'
Subject: [Snort-users] OT: ipfilter Suggestions for Snort Use


All,

I am attempting to create and optimize my first ipfilter rule set under
FreeBSD 4.5-STABLE and would appreciate any and all feedback regarding
the rule set I've come up with thus far.  

I'm specifically interested in reviewing the rule flow and correctness
for errors as well as suggestions anyone might have for tightening and
optimizing the system further, given the service constraints defined in
the rule set.

Also, can anyone tell me if ipmon and ipstat are included in the
compiled ipfilters package?  I see references to them in the ipfilter
how-to (http://www.obfuscation.org/ipf/ipf-howto.txt), but haven't been
able to determine where they're located (caveat, I haven't compiled for
ipfilter yet, I'd like to get the rule set finalized before venturing
down this path).

#!/sbin/ipf -f -
#
# Ipfilter v3.3+ Ruleset v .1
# Created by rhill
# Last Modified: 04/22/02 4:19 PM PDT
#
# --------------------------------------------
# Block all traffic by default. (Most Secure)
# --------------------------------------------
# Snort sensor interfaces, send nothing inbound or outbound.
block out quick on de0 all group 100
block out quick on de1 all group 100
block out quick on de2 all group 100
block out quick on de3 all group 100
block out quick on de4 all group 100
block out quick on de5 all group 100
block out quick on de6 all group 100
block out quick on de7 all group 100

# Management interface, filter inbound/outbound traffic.

block in log auth.alert on xl0 all head 200
block in log auth.alert proto tcp all flags S/SA head 201 group 200
block in log auth.alert proto udp all head 202 group 200
block in log auth.alert proto icmp all head 203 group 200
block out log auth.alert on xl0 all head 250

# Allow inbound web and SSL access
pass in quick on xl0 proto tcp from a.b.c.d/16 to any port = 80 flags S keep state group 201
pass in quick on xl0 proto tcp from a.b.c.d/16 to any port = 443 flags S keep state group 201

# Allow inbound ssh
pass in quick on xl0 proto tcp from a.b.c.d/16 to any port = 22 flags S keep state group 201

# Allow outgoing FTP from any internal host to any external FTP server.
pass in quick on xl0 proto tcp from any to any port = ftp keep state group 201
pass in quick on xl0 proto tcp from any to any port = ftp-data keep state group 201
pass in quick on xl0 proto tcp from any port = ftp-data to any port > 1023 keep state group 201

# Allow inbound syslog from authorized devices
pass in quick on xl0 proto udp from b.c.d.e/32 port = 514 to any keep state group 202
pass in quick on xl0 proto udp from c.d.e.f/32 port = 514 to any keep state group 202
pass in quick on xl0 proto udp from d.e.f.g/32 port = 514 to any keep state group 202

# Allow DNS queries
pass in quick on xl0 proto udp from any to any port = 53 keep state group 202

# Allow NTP from any internal host to any external NTP server.
pass in quick on xl0 proto udp from any to any port = ntp keep state group 202

# Allow certain inbound pings from trusted network, echo replies from
# anywhere and traceroutes.
pass in quick on xl0 proto icmp from a.b.c.d/16 to any icmp-type 8 keep state group 203
pass in quick on xl0 proto icmp from any to any icmp-type 0 keep state group 203
pass in quick on xl0 proto icmp from any to any icmp-type 11 keep state group 203
pass out quick on xl0 proto udp from any to any port 33434><33690 keep state group 202

# Filter localhost traffic.
# packets going in/out of network interfaces that aren't on the loopback
# interface should *NOT* exist.
block in log auth.alert quick from 127.0.0.0/8 to any group 100
block in log auth.alert quick from any to 127.0.0.0/8 group 100
block in log auth.alert quick from 127.0.0.0/8 to any group 200
block in log auth.alert quick from any to 127.0.0.0/8 group 200

# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all

# EOF

Thanks in advance,
Ryan


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

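An added review aid for the ruleset in the quoted message, written for this archive page and not taken from the original post or from ipfilter itself: a small Python linter that walks the rules in order and flags a `group` used before any `head` defines it, a rule whose direction differs from its group's head, and a pass rule that trusts a remote source port across an open high-port range (the ftp-data rule the reply refers to). The sample rules are a constructed subset of the posted set; the lint function and its finding texts are assumptions of this example.

```python
import re

# Constructed subset of the posted ruleset, one rule per line (group 100 has
# no "head 100" rule in the post either, so it is kept that way here).
RULES = """\
block in log auth.alert on xl0 all head 200
block in log auth.alert proto tcp all flags S/SA head 201 group 200
block in log auth.alert proto udp all head 202 group 200
block out log auth.alert on xl0 all head 250
pass in quick on xl0 proto tcp from a.b.c.d/16 to any port = 22 flags S keep state group 201
pass in quick on xl0 proto tcp from any port = ftp-data to any port > 1023 keep state group 201
pass out quick on xl0 proto udp from any to any port 33434><33690 keep state group 202
block out quick on de0 all group 100
"""

def lint(text):
    """Return (line number, finding) pairs for rules that need a second look."""
    heads = {}      # group id -> direction ("in"/"out") of the head that defines it
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, direction = line.split()[:2]
        group = re.search(r"\bgroup (\d+)", line)
        head = re.search(r"\bhead (\d+)", line)
        if group:
            gid = group.group(1)
            if gid not in heads:
                findings.append((n, f"group {gid} used before any 'head {gid}' rule"))
            elif heads[gid] != direction:
                findings.append((n, f"'{direction}' rule attached to group {gid}, "
                                    f"whose head is an '{heads[gid]}' rule"))
        if head:
            heads[head.group(1)] = direction    # a head is visible to later rules only
        # A pass rule keyed on a remote source port (active-mode ftp-data) admits
        # any host that chooses that source port to the whole high port range.
        if action == "pass" and re.search(r"from any port = \S+ to any port > \d+", line):
            findings.append((n, "pass rule trusts a remote source port across an open port range"))
    return findings

if __name__ == "__main__":
    for n, msg in lint(RULES):
        print(f"rule {n}: {msg}")
```

Run against the full posted file after splitting it one rule per line; each finding is a rule to re-check against the ipf(5) semantics, not a proof that ipf will reject it.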