At 08:49 12/22/2007, Ian Smith wrote:
>Warning: overlong message.
> > > > >W. D. wrote:

> > OK, sorry.  I guess I just assumed that it would be obvious 
> > that this is a Web server.  ("Never assume anything, my good 
> > fellow" - Sherlock Holmes).  

> > By the way, it is/will be running Plesk server management
> > software, if it matters:
> > http://www.swsoft.com/en/products/plesk/reqs/
>
>I know nothing of Plesk, but doubt it's relevant to this now.
>
> > Also, this server is on an internal LAN before I subject
> > it to the wild, untamed, InterWeb, with its dangerous
> > internets darting back and forth inside all of the tubes.
>
>Really good idea :)
>
> > > > >>         add allow all from any to any via lo0
> > > > >>         add deny ip from any to 127.0.0.0/8
> > > > >>         add deny ip from 127.0.0.0/8 to any

> > >
> > >That's ok.  It may help you in debugging what's happening to use:

> > 
> >   allow log tcp from any to any in established
> >   allow log tcp from any to any out established

>In that case 'me to any' or 'any to me' provides unambiguous direction
>where appropriate.  As shown in your ipfw show below, direction can help
>make things clear, and clarity means safety when it comes to firewalls,
>even if it means a slightly larger ruleset.
>
> > > > >>         # Deny fragmented packets:
> > > > >>         add deny ip from any to any frag
> > 
> > > > >>         # Show pings:
> > > > >>         add count icmp from any to any icmptypes 8 in
> > > > >
> > >
> > >That's inbound ping requests.  Don't forget that 'inbound' means coming
> > >into the firewall, not necessarily from the outside world.  Your own
> > >ping requests _from_ this box also have to both come in, and go out. 
> > 
> > Hmmm.  OK.  Outbound Ping will be rarely used, but should
> > be allowed.  Isn't that included in the next rule?
>
>Yes it is, so here ambiguous directionality works ok, as long as you're
>well aware of it.
> 
> > > > >>         # Allow pings, ping replies, and host unreach:
> > > > >>         add allow icmp from any to any icmptypes 0,8,3
> > >
> > >Add icmptype 11 as well if you want traceroutes to work ..
>

> > >Ok, though udp rules are often better done statefully.  See below.
> > >
> > > > >>         # Allow DNS with name server
> > > > >>         add allow udp from any to any domain out
> > > > >>         add allow udp from any domain to any in
> > > > >Nope.
> > >
> > >You want to watch out here.  This allows udp packets from any address
> > >with source port 53 to connect with any open udp port on your system,
> > >and allows the responses as well.  It's a simple matter using such as
> > >netcat to source packets from port 53. 
> > 
> > Should I restrict it by specifically stating the service?
> > How can I be safe?  What would the rule look like? 
> > 
> > >I gather from this that you're not running a DNS server yourself, but
> > >using upstream server/s?  In that case a stateful rule is safer:
> > 
> > Again, I apologize for not being clear.  I will be running
> > DNS on this box for the domains being hosted.  So, it will
> > be polled whenever a request for a hosted domain is needed.
>
>Ok, so your nameserver will be making upstream requests too, and you'll
>need to do TCP 53 traffic with your secondary nameserver/s as well as
>UDP 53 traffic with upstream nameservers, up to the root unless you're
>only using specified upstream forwarders. Given that you're checking TCP
>setup, allowing established, then maybe:
>
> allow udp from me to any 53 out keep-state    # my requests
> allow udp from any to me 53 in keep-state     # serve outside requests
> allow tcp from me to $secondaries 53 setup    # zone transfers out
> allow tcp from $secondaries to me 53 setup    # zone transfers in

What is $secondaries?

>
>though you'll want to protect named with ACLs for xfers as well.

"ACLs"?  What are those?


> > > > >>         # SSH
> > > > >>         #  Note that /etc/hosts.allow has restrictions
> > > > >>         #  on which IP addresses are allowed.
> > > > >>         #
> > > > >>         # Allow SSH:
> > > > >>         add allow tcp from any to any ssh in setup
> > >
> > >By 'ssh working', I guess you mean ssh connections to this box from
> > >elsewhere, rather than ssh connections from this box?  Not clear.
> > 
> > Sorry!  I am using SSH into this box, since it is easier to
> > cut and paste for editing and configuration.
> > 
> > I can't really see a situation where I would normally need to SSH
> > outbound, can you?  I use the Windoze boxes for that.
>
>You never know; you may want to use ssh or scp to other boxes, for
>backups and such, but you can always add rules whenever required.
>
> > > > >>         # HTTP & HTTPS:
> > > > >>         add allow tcp from any to any https in setup
> > > > >>         add allow tcp from any to any http in setup
> > > > >
> > >
>access to only your LAN.  Will this webserver later have a public IP
>address, or run behind NAT with port forwarding? 

Public IP.




>
> > > > >>         # FTP:
> > > > >>         add allow tcp from any to any ftp in setup
> > > > >>         add allow tcp from any to any ftp\-data in setup
> > > > >>         add allow tcp from any ftp\-data to any setup out
>
> > >Mmm, I prefer using and enforcing FTP passive mode, but YMMV.
> > 
> > How would I do that?  This guy doesn't think it's even 
> > possible:
> > http://tinyurl.com/2z6ynr
>
>Mmm, ok.  Passive mode needs allowing connections to this port range
>  net.inet.ip.portrange.hifirst: 49152
>  net.inet.ip.portrange.hilast: 65535
>which is adjustable, but I'm unsure of my ground regarding ftp - pass.

How would I write this as a rule?


> > >        # Allow access to our WWW
> > >        ${fwcmd} add pass tcp from any to ${oip} 80 setup
> > >
> > >        # Reject&Log all setup of incoming connections from the outside
> > >        ${fwcmd} add deny log tcp from any to any in via ${oif} setup
> > >
> > >        # Allow setup of any other TCP connection
> > >        ${fwcmd} add pass tcp from any to any setup
> > 
> > I really don't get the above rule.  Isn't it saying that
> > *any* kind of TCP connection can come in or go out initially?
>
>Yes, but only AFTER denying & logging any unaccounted for inbound setup
>requests on the outside interface.  The last rule therefore allows setup
>of a) TCP requests from this box to anywhere, and b) setup requests from
>any boxes 'behind' this box on the LAN.  You don't have any (b) but may
>need (a) to access external services (anything: c{,v}sup comes to mind); 
>you may rather limit these to specific services or from uid root etc,
>and having no other interfaces, can use from 'me' rather than 'any'.
>
> > In my set, should I include some "out" rules like this:
> > 
> >   add allow tcp from any to any https out setup
> >   add allow tcp from any to any http out setup
>
>Again, 'any to any' is too broad a brush.  Once you allow everything you
>want to in from outside addresses (which currently includes your LAN on
>your outside interface!) and then deny the rest there, then 'pass tcp
>from me to any setup' is safe, and covers the above, and anything else.
>
> > > > should allow connections that are "setup" to 
> > > > continue.  Do I need a "check-state" or "keep-state"
> > > > statement somewhere?
> > >
> > >No, though you can use stateful TCP rules if you want to, in which case
> > >you'll want to DENY established connections.  Personally I find relying
> > >on the TCP state established by using 'setup' and 'established' fine for
> > >TCP, but tend to use keep-state for UDP and some ICMP rules. 
> > 
> > That sounds reasonable.

>Since you've logged some denied packets, searching denied packets in
>/var/log/security should show you exactly what they are to debug this,
>no need to speculate.  However for this rule try maybe 'logamount 500'
>along with running tcpdump in another console till you spot the problem.
>
>Whenever you like, without reloading others, you can do eg:
>
> # ipfw delete 2400; ipfw add 2400 deny log logamount 500 ip from any to any 
>
>and of course run 'ipfw resetlog 2400' anytime you want some more.
>
> > > > Besides adding the "log" keyword on all of the rules,
> > > > these are the debugging tools I have been using:
> > > > 
> > > >   ipfw disable firewall
> > > >   ipfw -f flush
> > > >   ipfw enable firewall
> > > >   /etc/rc.d/ipfw start
> > > >   ipfw -a -S -N -t list
> > > >   ipfw list      
> > > >   tail  -f   /var/log/ipfw/ipfw.log
>
>Ah right, you're not using /var/log/security.  Is ipfw.log working ok?
>
> > > >   tcpdump -i nve0 'proto \tcp && port http'
>
>Doesn't that show incoming http setup requests, and responses (or not)?
>
>I'd use 'tcpdump -pn -i nve0 tcp port 80' to keep it simple and numeric. 
>
> >       netstat -finet -a
> > > > 


> > Am using this link, since "man ipfw" doesn't work on 6.2.  (I dare
> > someone to explain to me how to get it to work):
> > http://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8
>
>That's weird.  Does man work for others in section 8, eg man mount ? 

Nope.  How to get working?



Here is my latest /etc/ipfw.rules.  Please critique:


#    Filename: ipfw.rules
# Description: ipfw firewall ruleset
#    Location: /etc/ipfw.rules
#        Date: 2007 Dec 29

# By default, everything is denied access.  You
# need to specifically allow something for it
# to work.

# Debugging tools:
#
# Check the syntax of the rules file:
#    
#   ipfw -n /etc/ipfw.rules
#
#
# Stop, then restart ipfw:
# 
#   ipfw disable firewall; /etc/rc.d/ipfw start
#
#
# Flush rules:
#
#   ipfw -f flush
#
#
# List firewall hits:
#
#   ipfw -a -S -N -t list
#
#
# Zero out hits counter:
#
#   ipfw zero
#
#
# View the log:
#
#    tail  -f   /var/log/ipfw/ipfw.log
#
# Others:
#
#    ipfw show
#    tcpdump -i nve0 'proto \tcp && port http'
#    netstat -finet -a


# Loopback: ==================================
# Allow anything on the local loopback:
add allow all from any to any via lo0
# ============================================


# Disallow Spoofers: =========================
#
# For more info, see: 
#  RFC3330
#  http://en.wikipedia.org/wiki/Private_network               
#
# "This" Network:
add deny log ip from any to 0.0.0.0/8 in
add deny log ip from 0.0.0.0/8 to any in

# IANA Reserved:
add deny log ip from any to 1.0.0.0/8 in
add deny log ip from 1.0.0.0/8 to any in

# IANA Reserved:
add deny log ip from any to 2.0.0.0/8 in
add deny log ip from 2.0.0.0/8 to any in

# Class A Private Network:
add deny log ip from any to 10.0.0.0/8 in
add deny log ip from 10.0.0.0/8 to any in

# Localhost:
add deny log ip from any to 127.0.0.0/8 in
add deny log ip from 127.0.0.0/8 to any in

# Link Local/Auto-Config:
add deny log ip from any to 169.254.0.0/16 in
add deny log ip from 169.254.0.0/16 to any in

# Class B Private Network:
add deny log ip from any to 172.16.0.0/12 in
add deny log ip from 172.16.0.0/12 to any in

# TEST-NET/Examples:
add deny log ip from any to 192.0.2.0/24 in
add deny log ip from 192.0.2.0/24 to any in

# Class C Private Network:
add deny log ip from any to 192.168.0.0/16 in
add deny log ip from 192.168.0.0/16 to any in

# IPV6to4 relay anycast addresses:
add deny log ip from any to 192.88.99.0/24 in
add deny log ip from 192.88.99.0/24 to any in

# Interconnect Benchmarks:
add deny log ip from any to 198.18.0.0/15 in
add deny log ip from 198.18.0.0/15 to any in

# Multicast:
add deny log ip from any to 224.0.0.0/3 in
add deny log ip from 224.0.0.0/3 to any in

# Class E Reserved:
add deny log ip from any to 240.0.0.0/4 in
add deny log ip from 240.0.0.0/4 to any in

# Spoofers ===================================


# Initialize the system to keep track of states:
add check-state
# ============================================


# Allow already established connections.  These
# connections are allowed by the subsequent
# rules listed below this one.
add allow tcp from any to me in established
add allow tcp from me to any out established
# ============================================


# Deny fragmented packets: ===================
add deny log ip from any to any frag
# ============================================


# ICMP - Pings: ==============================
# Count inbound pings (8 = Echo Request)
add count icmp from any to any icmptypes 8 in

# Allow pings, ping replies, and host unreach:
# 0 = Echo Reply
# 3 = Destination Unreachable
# 8 = Echo Request
# 11 = Time-to-Live exceeded (for traceroute)
add allow icmp from any to any icmptypes 0,8,3,11
# ICMP =======================================


# Allow UDP traceroutes: =====================
add allow udp from any to any 33434-34458 in
add allow udp from any 33434-34458 to any out
# ============================================


#  DNS (Port 53): ============================
# add allow udp from any to any domain out
# add allow udp from any domain to any in

# My DNS requests
add allow udp from me to any 53 out keep-state

# Serve outside DNS requests
add allow udp from any to me 53 in keep-state 

# DNS Zone transfers out
# ??? add allow tcp from me to $secondaries 53 setup    

# DNS Zone transfers in
# ??? add allow tcp from $secondaries to me 53 setup
# DNS ========================================


# SSH (Port 22) ==============================
#  Note that /etc/hosts.allow has restrictions
#  on which IP addresses are allowed.
#
add allow tcp from any to me ssh in setup
add allow tcp from me to any ssh out setup
# SSH ========================================


# HTTP: ======================================
# HTTP (Port 80):
add allow tcp from any to me http in setup
add allow tcp from me to any http out setup

# HTTPS (Port 443):
add allow tcp from any to me https in setup

# HTTPS for Plesk Server Administrator (Port 8443):
add allow tcp from any to me dst-port 8443 in setup
# HTTP =======================================


# MAIL: ======================================
# POP3 (Port 110)
add allow tcp from any to me pop3 in setup

# POP3S (Port 995)
add allow tcp from any to me pop3s in setup

# SMTP (Port 25):
add allow tcp from any to me smtp in setup

# SMTPS (Port 465):
add allow tcp from any to me smtps in setup

# IMAP (Port 143):
add allow tcp from any to me imap in setup

# IMAPS (Port 993):
add allow tcp from any to me imaps in setup
# MAIL =======================================


# FTP (Port 21): =============================
add allow tcp from any to me ftp in setup
add allow tcp from me to any ftp out setup

# FTP Data (Port 20), active mode: the server opens the
# data connection from its port 20 to the client.
add allow tcp from any to me ftp\-data in setup
add allow tcp from me ftp\-data to any out setup

# FTP Passive (Ports 10000-65000): the client connects
# to a high port on this box.
add allow tcp from any to me 10000-65000 in setup

# FTPS (Port 990):
add allow tcp from any to me ftps in setup
add allow tcp from me to any ftps out setup
# FTP ========================================


# Allow NTP in and out to Navobs.WUstl.edu:
add allow udp from me ntp to 128.252.19.1 ntp out
add allow udp from 128.252.19.1 ntp to me ntp in
# NTP ========================================


# Allow UserID of "root" unfettered access:
add allow tcp from me to any out setup uid root
# ============================================


# MySQL (Port 3306): =========================
# add allow tcp from any to me 3306 in setup
# add allow tcp from me to any 3306 out setup
# MySQL ======================================


# PgSQL (Port 5432): =========================
# add allow tcp from any to me 5432 in setup
# add allow tcp from me to any 5432 out setup
# PgSQL ======================================


# TomCat (Port 9080): ========================
# add allow tcp from any to me 9080 in setup
# add allow tcp from me to any 9080 out setup
# TomCat =====================================


# Plesk Server Administrator - PSA ===========
#  Get updates on port 5224
add allow tcp from me to 64.131.90.31 dst-port 5224 out setup
# add allow tcp from 64.131.90.31 to me dst-port 5224 in setup
# ============================================


# Deny and log everything else: ==============
add deny log ip from any to me in
add deny log ip from any to me out
add deny log ip from me to any in
add deny log ip from me to any out
add deny log udp from any to me in
add deny log udp from any to me out
add deny log udp from me to any in
add deny log udp from me to any out
# ============================================




Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/
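Added example, not part of this thread and not an ipfw tool: a small Python linter that reads an ipfw(8) ruleset in the plain "add ..." form used above and flags the three pitfalls Ian raised, namely rules whose direction can never match on a host that does no forwarding ("from me ... in", "to me ... out"), "allow" rules that trust only the remote *source* port (the "from any domain to any in" problem), and unresolved placeholders such as $secondaries. The grammar it understands is the subset in this ruleset (action, optional "log [logamount N]", proto, from/to with inline ports or dst-port/src-port, then options); the SAMPLE ruleset at the bottom is constructed for the demonstration.

```python
"""Lint an ipfw(8) ruleset for direction and source-port mistakes.

Assumes the host is an end system (no forwarding), so a packet 'from me'
is only ever seen on the 'out' pass and a packet 'to me' only on 'in'.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Keywords that end the address/port part of a rule body.
OPTION_KEYWORDS = {
    "in", "out", "via", "recv", "xmit", "setup", "established", "keep-state",
    "frag", "icmptypes", "uid", "gid", "dst-port", "src-port", "limit",
}
STATE_KEYWORDS = {"setup", "established", "keep-state"}
ALLOW_ACTIONS = {"allow", "pass", "accept", "permit"}


@dataclass
class Rule:
    text: str
    action: str
    proto: str
    src: str
    src_ports: str
    dst: str
    dst_ports: str
    options: List[str] = field(default_factory=list)

    def has(self, opt: str) -> bool:
        return opt in self.options


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'add ...' line; comments and non-rule lines yield None."""
    body = line.split("#", 1)[0].strip()
    toks = body.split()
    if len(toks) < 2 or toks[0] != "add":
        return None
    i = 1
    if toks[i].isdigit():                     # optional rule number
        i += 1
    action = toks[i]
    i += 1
    if action == "check-state":
        return Rule(body, action, "", "", "", "", "")
    if i < len(toks) and toks[i] == "log":    # skip 'log [logamount N]'
        i += 1
        if i + 1 < len(toks) and toks[i] == "logamount":
            i += 2
    if i >= len(toks):
        return None
    proto = toks[i]
    try:
        f = toks.index("from", i + 1)
        t = toks.index("to", f + 1)
    except ValueError:
        return None
    if f + 1 >= t or t + 1 >= len(toks):
        return None
    src, dst = toks[f + 1], toks[t + 1]
    src_ports = toks[f + 2] if f + 2 < t else ""
    j, dst_ports = t + 2, ""
    if j < len(toks) and toks[j] not in OPTION_KEYWORDS:
        dst_ports, j = toks[j], j + 1
    options = toks[j:]
    for k, opt in enumerate(options[:-1]):    # option-form port matches
        if opt == "dst-port":
            dst_ports = options[k + 1]
        if opt == "src-port":
            src_ports = options[k + 1]
    return Rule(body, action, proto, src, src_ports, dst, dst_ports, options)


def lint_rule(r: Rule) -> List[str]:
    """Return a list of findings (empty when the rule looks sane)."""
    msgs: List[str] = []
    if r.action == "check-state":
        return msgs
    if "$" in r.text:
        msgs.append("unresolved variable: substitute real addresses before loading")
    if r.src == "me" and r.has("in"):
        msgs.append("dead rule: packets 'from me' are never seen 'in' on an end host")
    if r.dst == "me" and r.has("out"):
        msgs.append("dead rule: packets 'to me' are never seen 'out' on an end host")
    if (r.action in ALLOW_ACTIONS and r.src_ports and not r.dst_ports
            and not (set(r.options) & STATE_KEYWORDS)):
        msgs.append("trusts remote source port '%s': any client can send from it; "
                    "match the local service port or use keep-state" % r.src_ports)
    if r.action in ALLOW_ACTIONS and r.src == "any" and r.dst == "any" and not r.has("via"):
        msgs.append("'any to any' carries no direction; use 'me' on the local side")
    return msgs


def lint_ruleset(text: str) -> List[Tuple[str, str]]:
    """Lint every rule in the text; returns (rule body, finding) pairs."""
    out: List[Tuple[str, str]] = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r is not None:
            out.extend((r.text, m) for m in lint_rule(r))
    return out


# Constructed sample mixing sound rules with the mistakes discussed above.
SAMPLE = """
add allow all from any to any via lo0
add allow udp from any to any domain out
add allow udp from any domain to any in
add allow tcp from any to me ssh in setup
add allow tcp from me to any ssh in setup
add allow udp from any to me 53 in keep-state
add allow tcp from me to $secondaries 53 setup
add deny log ip from any to any
"""

if __name__ == "__main__":
    for rule, finding in lint_ruleset(SAMPLE):
        print("%-45s  %s" % (rule, finding))
```

Run it against a real /etc/ipfw.rules with `python3 lint_ipfw.py < /etc/ipfw.rules` after swapping SAMPLE for `sys.stdin.read()`; it never loads anything into the kernel, so it is safe to run alongside `ipfw -n` syntax checks.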
