At 11:09 AM 10/15/99 -0600, Drew Smith wrote:

        Hey guys,

        Building my first firewall with IBM Firewall 3.1.  I'm aware it's old
and boring, but it works - sort of.

        ALL of the default rules assume that the firewall machine has only two
NICs - a secure and an insecure.  I'm building it with three NICs - we
need a DMZ.  Unfortunately, this means that I have to rewrite every rule
and discard the defaults.

        So, what I'm looking for is some manner of reference that will detail
each service, and what connections need to be allowed.  For example:

        Telnet: TCP out, random port, to port 23 on remote system.
                TCP/ACK in, random port, from port 23 on remote system.

        Web:    TCP out, random port, to port 80 on remote system.
                TCP in, random port, from port 80 on remote system.

        Also on a slightly bizarre note - IBM Firewall needs FOUR rules to
allow a telnet connection.  For some reason (is this different, or am I
naive?) it wants a rule for the DMZ interface to RECEIVE the TCP-out
packet, a rule for the insecure interface to retransmit to the final
destination, a rule for the insecure to receive the ACK, and a rule for
the DMZ interface to retransmit the ACK to the client machine.

        I find this a bit bizarre.

I don't know if it's bizarre -- it made quite a lot of sense to me when I worked with it.  You have to create rules to allow a service through each of the interfaces.  So you have to create two filters to allow it through your DMZ interface (one inbound and one outbound), and another two filters to allow it through your secured interface.  I remember having to configure LDM through my firewall and it took a total of 16 filters.

        I'm aware that the way I'm going about things is wrong from the
perspective of a "complete" security solution (no rants, please - I'm
aware of the idiocy of this statement).  I'm just building a "better"
security plan for now, with stages two and three gradually tightening my
control over traffic.  For now, telnet etc. have to be allowed to
placate everyone.

        But, I digress.

        Is there a resource such as this?  Telnet is fine, and works now - same
with DNS and web.  However, when we move into ADSM (for offsite backups)
and ICQ, etc., it'll get more difficult.  Is this available, or should I
be tossing out some html as I go?

For basic services, the Cheswick/Bellovin firewall book is a good resource for trying to figure out what ports to open.  The Stevens TCP/IP series is also great for learning what ports a protocol uses.  Look at the IANA port listing for services like ADSM.  If you want to allow ICQ, they tell firewall administrators what ports are needed at their website.

The IBM firewall requires you to be very specific about what ports you are opening.  Other firewalls have pre-configured services and can be a lot easier to use.  Remember, you can always look at your firewall log to see what ports a protocol is trying to use.  You can always test with IP addresses that you know and look at the drops in the log.

Hope this helps....


-- Joe
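The four-rule telnet case Drew describes, and Joe's point that a stateless filter needs an inbound and an outbound rule on every interface a packet crosses, can be modelled in a few lines. The following Python is an added illustration, not IBM Firewall code and not anything posted in the thread; the interface names "dmz" and "insecure", the rule layout, and the client port 40000 are assumed or constructed for the example. It also shows why the reply-direction rules in the telnet example are written as "TCP/ACK in": without the ACK requirement, an outside host using source port 23 could open a new connection inward through the same rules.

```python
"""Model of a stateless, per-interface packet filter in the style the thread
describes.  Added example: not IBM Firewall code; interface names and ports
are assumed/constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Union

PortSpec = Union[int, str]   # a fixed port, "any", or "high" (1024-65535)


def port_matches(spec: PortSpec, port: int) -> bool:
    if spec == "any":
        return True
    if spec == "high":          # the "random port" in the thread's rule examples
        return 1024 <= port <= 65535
    return spec == port


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int
    ack: bool = False   # TCP ACK flag; clear only on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    iface: str          # interface the rule is attached to
    direction: str      # "in" = received on iface, "out" = transmitted on iface
    proto: str
    src_port: PortSpec
    dst_port: PortSpec
    ack_only: bool = False   # the "TCP/ACK" rule: permits replies, never new connections

    def matches(self, pkt: Packet, iface: str, direction: str) -> bool:
        if (self.iface, self.direction, self.proto) != (iface, direction, pkt.proto):
            return False
        if self.ack_only and not pkt.ack:
            return False
        return (port_matches(self.src_port, pkt.src_port)
                and port_matches(self.dst_port, pkt.dst_port))


class StatelessFilter:
    """Every packet is checked on the interface it arrives on and again on the
    interface it leaves by.  There is no connection table, so the reply
    direction needs its own pair of rules."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    def permits(self, pkt: Packet, iface: str, direction: str) -> bool:
        return any(r.matches(pkt, iface, direction) for r in self.rules)

    def forwards(self, pkt: Packet, in_iface: str, out_iface: str) -> bool:
        return self.permits(pkt, in_iface, "in") and self.permits(pkt, out_iface, "out")


# The four rules for a telnet session from a client behind the assumed "dmz"
# interface to a server beyond the assumed "insecure" interface.
TELNET_RULES = [
    Rule("dmz", "in", "tcp", "high", 23),                        # 1: client packet arrives
    Rule("insecure", "out", "tcp", "high", 23),                  # 2: ... and is sent on
    Rule("insecure", "in", "tcp", 23, "high", ack_only=True),    # 3: reply arrives
    Rule("dmz", "out", "tcp", 23, "high", ack_only=True),        # 4: ... and goes to the client
]


def trace_telnet(fw: StatelessFilter) -> Dict[str, bool]:
    """Walk one telnet handshake through the box and record each leg's fate."""
    syn = Packet("tcp", 40000, 23, ack=False)      # client -> server (constructed sample)
    syn_ack = Packet("tcp", 23, 40000, ack=True)   # server -> client
    return {
        "client_to_server": fw.forwards(syn, "dmz", "insecure"),
        "server_to_client": fw.forwards(syn_ack, "insecure", "dmz"),
    }


def outsider_can_open_connection(fw: StatelessFilter) -> bool:
    """An outside host using source port 23 to start a NEW connection inward.
    The ACK-only reply rules drop this because the first packet carries no ACK."""
    probe = Packet("tcp", 23, 40000, ack=False)
    return fw.forwards(probe, "insecure", "dmz")


if __name__ == "__main__":
    print(trace_telnet(StatelessFilter(TELNET_RULES[:2])))   # reply leg is dropped
    print(trace_telnet(StatelessFilter(TELNET_RULES)))       # both legs pass
    print(outsider_can_open_connection(StatelessFilter(TELNET_RULES)))
```

Running the script with only the first two rules shows the client's packet leaving but the server's reply being dropped at the insecure interface, which is exactly the symptom of forgetting the second pair. With all four rules the session works, and because rules 3 and 4 are ACK-only, the same rules do not let an outside host initiate a connection using source port 23. The web example in the thread, written as plain "TCP in", is the looser form of the same pair.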