Snort mailing list archives
RE: OT: ipfilter Suggestions for Snort Use
From: "Justin Honold" <justin () tsunamiresearch com>
Date: Tue, 23 Apr 2002 10:08:29 -0500
you can specify a smaller range of ports for the ftpd... -----Original Message----- From: Ryan Hill [mailto:rhill () xypoint com] Sent: Monday, April 22, 2002 6:42 PM To: 'snort-users () lists sourceforge net'; 'freebsd-questions () freebsd org' Subject: [Snort-users] OT: ipfilter Suggestions for Snort Use All, I am attempting to create and optimize my first ipfilter rule set under FreeBSD 4.5-STABLE and would appreciate any and all feedback regarding the rule set I've come up with thus far. I'm specifically interested in reviewing the rule flow and correctness for errors as well as suggestions anyone might have for tightening and optimizing the system further, given the service constraints defined in the rule set. Also, can anyone tell me if ipmon and ipstat are included in the compiled ipfilters package? I see references to them in the ipfilter how-to (http://www.obfuscation.org/ipf/ipf-howto.txt), but haven't been able to determine where they're located (caveat, I haven't compiled for ipfilter yet, I'd like to get the rule set finalized before venturing down this path). #!/sbin/ipf -f - # # Ipfilter v3.3+ Ruleset v .1 # Created by rhill # Last Modified: 04/22/02 4:19 PM PDT # # -------------------------------------------- # Block all traffic by default. (Most Secure) # -------------------------------------------- # Snort sensor interfaces, send nothing inbound or outbound. block out quick on de0 all group 100 block out quick on de1 all group 100 block out quick on de2 all group 100 block out quick on de3 all group 100 block out quick on de4 all group 100 block out quick on de5 all group 100 block out quick on de6 all group 100 block out quick on de7 all group 100 # Management interface, filter inbound/outbound traffic. block in log auth.alert on xl0 all head 200 block in log auth.alert proto tcp all flags S/SA head 201 group 200 block in log auth.alert proto udp all head 202 group 200 block in log auth.alert proto icmp all head 203 group 200 block out log auth.alert on xl0 all head 250 # Allow inbound web and SSL access pass in quick on xl0 proto tcp from a.b.c.d/16 to any port = 80 flags S keep state group 201 pass in quick on xl0 proto tcp from a.b.c.d/16 to any port = 443 flags S keep state group 201 # Allow inbound ssh pass in quick on xl0 proto tcp from a.b.c.d/16 to any port = 22 flags S keep state group 201 # Allow outgoing FTP from any internal host to any external FTP server. pass in quick on xl0 proto tcp from any to any port = ftp keep state group 201 pass in quick on xl0 proto tcp from any to any port = ftp-data keep state group 201 pass in quick on xl0 proto tcp from any port = ftp-data to any port > 1023 keep state group 201 # Allow inbound syslog from authorized devices pass in quick on xl0 proto udp from b.c.d.e/32 port = 514 to any keep state group 202 pass in quick on xl0 proto udp from c.d.e.f/32 port = 514 to any keep state group 202 pass in quick on xl0 proto udp from d.e.f.g/32 port = 514 to any keep state group 202 # Allow DNS queries pass in quick on xl0 proto udp from any to any port = 53 keep state group 202 # Allow NTP from any internal host to any external NTP server. pass in quick on xl0 proto udp from any to any port = ntp keep state group 202 # Allow certain inbound pings from trusted network, echo replies from # anywhere and traceroutes. pass in quick on xl0 proto icmp from a.b.c.d/16 to any icmp-type 8 keep state group 203 pass in quick on xl0 proto icmp from any to any icmp-type 0 keep state group 203 pass in quick on xl0 proto icmp from any to any icmp-type 11 keep state group 203 pass out quick on xl0 proto udp from any to any port 33434><33690 keep state group 202 # Filter localhost traffic. # packets going in/out of network interfaces that aren't on the loopback # interface should *NOT* exist. block in log auth.alert quick from 127.0.0.0/8 to any group 100 block in log auth.alert quick from any to 127.0.0.0/8 group 100 block in log auth.alert quick from 127.0.0.0/8 to any group 200 block in log auth.alert quick from any to 127.0.0.0/8 group 200 # And of course, make sure the loopback allows packets to traverse it. pass in quick on lo0 all pass out quick on lo0 all # EOF Thanks in advance, Ryan _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- OT: ipfilter Suggestions for Snort Use Ryan Hill (Apr 22)
- Re: OT: ipfilter Suggestions for Snort Use James Ainslie (Apr 23)
- <Possible follow-ups>
- RE: OT: ipfilter Suggestions for Snort Use Justin Honold (Apr 23)