Hi everyone. I wrote a small howto for anyone who wants to implement a firewall-bridge with VLANs. I put snort_inline into the mix, but it has some limitations. It is possible to use snort only as an IDS, avoiding any problems.

I wrote it in English, with some mistakes of course, but if you find it useful I can redo it in Portuguese. I have not tested the howto thoroughly and wrote it from memory. Everything is working fine here, but I did not run performance tests. There is a small increase in latency just from using the bridge, but otherwise there was no significant change. I have not seen any howto for this architecture, which is why I am posting it. If I am mistaken, sorry... :) Corrections are welcome too!

The purpose of the HOWTO is to make it possible to control every port of the switch with a firewall and, possibly, with an IPS (or an IDS). That is, at the end of the howto it will be possible to control all communication on the network, since all machines will only be able to talk to each other through the firewall-bridge. In many cases this eliminates the need for a roving analysis port, a feature found only on the more expensive switches.

I hope to help someone and also to gather more users of this architecture, solving possible problems like the IPS one described here.

Regards,
-- Aristeu Gil Alves Jr

--------------------------------------------------------------------------------------------------------------------
FREEBSD + IPFW/PF + VLAN + BRIDGE + IPS/IDS MINI-HOWTO
--------------------------------------------------------------------------------------------------------------------
- Author: Aristeu Gil Alves Jr

*********************************
First step - the switch
*********************************

First you need to enable some VLANs on the switch. Of course, a suitable switch that supports tagged VLANs is mandatory. In this case, I will call "client port" any untagged port on any VLAN. The "firewall port" will be a tagged port that is present on all VLANs. A client port can only reach another client port through the firewall port. You will need to create one VLAN for each client port of the switch, and the firewall port will be a member of all of those VLANs as a tagged port.
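With 24 client ports this layout means 24 VLANs and 24 vlan(4) interfaces on the firewall, which is tedious to type by hand. The script below is an added example (not from the original post): it generates the firewall-side rc.conf lines for this layout, one vlan(4) interface per switch VLAN, all attached to bridge0, in the same format the second step uses. It assumes the parent NIC name is passed as an argument (rl0 in the howto), that VLAN IDs run from 1 to the number of client ports, and that switch VLAN K maps to firewall interface vlan(K-1).

```shell
#!/bin/sh
# Added example (not from the original post): emit the rc.conf fragment that
# binds one vlan(4) interface per switch VLAN to the firewall NIC and attaches
# them all to bridge0 via autobridge.
# Assumptions: VLAN IDs run 1..N, client port K is untagged in VLAN K, and the
# parent NIC name is given as the first argument.

# gen_vlan_rc_conf <parent_nic> <vlan_count>
# Prints the rc.conf lines; firewall interface vlanK carries switch VLAN K+1.
gen_vlan_rc_conf() {
    nic="$1"
    count="$2"
    ifaces="bridge0"
    i=0
    while [ "$i" -lt "$count" ]; do
        ifaces="$ifaces vlan$i"
        i=$((i + 1))
    done
    # clone the bridge and every vlan interface at boot
    printf 'cloned_interfaces="%s"\n' "$ifaces"
    # make every vlan interface a member of bridge0
    printf 'autobridge_interfaces="bridge0"\n'
    printf 'autobridge_bridge0="vlan*"\n'
    # bind each vlan interface to its switch VLAN tag on the parent NIC
    i=0
    while [ "$i" -lt "$count" ]; do
        printf 'ifconfig_vlan%d="vlan %d vlandev %s"\n' "$i" "$((i + 1))" "$nic"
        i=$((i + 1))
    done
    # the parent NIC itself only needs to be up; it carries tagged frames
    printf 'ifconfig_%s="up"\n' "$nic"
}

# vlan_line_count <parent_nic> <vlan_count>
# Returns the number of ifconfig_vlan lines produced, as a quick self-check
# that the generated fragment matches the number of client ports.
vlan_line_count() {
    gen_vlan_rc_conf "$1" "$2" | grep -c '^ifconfig_vlan'
}

# Usage: gen_vlan_rc_conf rl0 24 >> /etc/rc.conf
```

Review the output before appending it to /etc/rc.conf: the bridge address, default route and firewall settings from the second step still have to be added separately.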
For the firewall port, prefer a Gigabit port (or the highest-bitrate port available) for throughput. As said before, the client port of each VLAN will be set as untagged, and the firewall port will be set as a tagged port. For example, if you have a 26-port switch (24 ports at 10/100 Mbps and 2 ports at 1000 Mbps), you would choose one gigabit port for the firewall, the other gigabit port for switch interconnection, and the remaining 24 ports for client connections. In my case, only for testing purposes, I used a cheap Realtek NIC (rl0) and a 3Com SuperStack 3 4228G switch, but the only requirement is a VLAN-capable switch and NIC (on the firewall). So there would be 24 VLANs, each with two members (the gigabit tagged port and one 10/100 Mbps untagged port).

********************************
Second step - The firewall
********************************

The firewall OS chosen for this task is FreeBSD 6.2. The first thing you need to do is create the bridge and VLAN interfaces on the firewall. The easy way to do that is to add the entries to /boot/loader.conf, /etc/sysctl.conf and /etc/rc.conf.

On /boot/loader.conf

# load the bridge modules
if_bridge_load=YES
bridgestp_load=YES
# load the ipdivert module
ipdivert_load=YES

---------

On /etc/rc.conf

#
# create the cloned interfaces
cloned_interfaces="bridge0 vlan0 vlan1 vlan2 vlan3 ..."
#
# bind the VLANs to the bridge
autobridge_interfaces="bridge0"
autobridge_bridge0="vlan*"
#
# bind the VLAN interfaces to the switch VLANs
ifconfig_vlan0="vlan 1 vlandev rl0"
ifconfig_vlan1="vlan 2 vlandev rl0"
ifconfig_vlan2="vlan 3 vlandev rl0"
ifconfig_vlan3="vlan 4 vlandev rl0"
ifconfig_vlan4="vlan 5 vlandev rl0"
(...)
#
# Put an IP on the bridge interface and a default route going out on it.
# Without this the snort_inline reinjection would be lost and it won't work!!
ifconfig_bridge0="192.168.100.10 netmask 0xffffff00"
ifconfig_rl0="up"
defaultrouter="192.168.100.1"
#
# Enable IPFW and PF checking
firewall_enable=YES
firewall_script="/etc/rc.firewall"
firewall_type=OPEN
firewall_quiet=YES
firewall_logging=YES
pf_enable=YES
pflog_enable=YES

----------

On /etc/sysctl.conf

#
# Enable ipfw on the bridge
net.link.bridge.ipfw=1
net.link.bridge.ipfw_arp=1
net.link.bridge.pfil_member=1
net.link.bridge.pfil_onlyip=1

----------

Now the firewall and bridge are up and running. Put the rules you want in rc.firewall and pf.conf.

*****************************
Third Step - The IPS
*****************************

A quick installation of snort_inline from FreeBSD packages. You can also use the http://snort_inline.sourceforge.net site to download and install the sources.

# pkg_add -r snort_inline

OK. Don't forget you have to edit /usr/local/etc/snort_inline.conf and check the right location for things. Download the rules for 2.3 (the version of the current FreeBSD snort_inline package).

There is a small flaw in the package, so we need to set a symbolic link for the snort_inline binary.

# ln -s /usr/local/bin/snort_inline /usr/local/bin/snort

Set things up in rc.conf:

# echo snort_enable=YES >> /etc/rc.conf
# echo snort_interfaces="bridge0" >> /etc/rc.conf

Start snort_inline.

# /usr/local/etc/rc.d/snort start

Now you need to add a divert rule to the ipfw ruleset so that packets are diverted to the snort_inline divert socket.

ipfw add 1000 divert 8000 all from any to any

* the number 1000 is for the default rc.firewall/OPEN section. You will need to include it in the rc.firewall file.

Wow! Now you have a FreeBSD bridge IPS in a VLAN environment.

*** ATTENTION: If you only need an IDS, just install snort and make it listen on the bridge0 interface.

********************************
CURRENT PROBLEMS:
********************************

- On packet reinjection, snort changes the original source MAC to the bridge MAC.
A possible cause is IPDIVERT (it works only at the network layer and does not pass link-layer data). The network survives this problem because ARP resolution still goes to the right MAC address, but it makes MAC-IP checking on the servers impossible, so do it on the bridge firewall.
- The snort_inline packet reinjection depends on the network settings of the bridge interface; otherwise snort_inline (or the OS) won't know where to deliver the packet.
- Despite being easy to deploy, forget complete transparency once the IPS comes onto the scene, because it is possible to tell that there is something in the path. When working only with the firewall-bridge, transparency can be kept.
- Using an IDS instead of an IPS, no limitation was detected.

REFERENCES

- O uso de bridge linux no controle de trafego entre sub-redes de uma mesma rede lógica. Ricardo Kleber. ftp://ftp.registro.br/pub/gts/gts07/05-filtrobridges.pdf (It's in Portuguese).

-------------------------
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
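The first item under CURRENT PROBLEMS says that MAC-IP checking has to move from the servers to the bridge firewall, because reinjected frames carry the bridge MAC. The script below is an added example (not from the original post) of one way to do that with ipfw on the bridge: it turns a table of IP/MAC bindings into deny rules using ipfw(8)'s "MAC dst-mac src-mac" and "layer2" options, which the bridge only evaluates because net.link.bridge.ipfw=1 is set in the second step. The IP/MAC table is constructed sample data, and the rule numbers and the exact option spelling are assumptions to check against ipfw(8) on your release.

```shell
#!/bin/sh
# Added example (not from the original post): pin each protected server's IP to
# its known source MAC with ipfw rules on the bridge firewall.
# Uses ipfw(8) options "MAC dst-mac src-mac" (here: any destination MAC, a fixed
# source MAC) and "layer2"; verify the syntax against ipfw(8) on your release.
# BINDINGS is constructed sample data, one "ip mac" pair per line.

BINDINGS='192.168.100.20 00:11:22:33:44:55
192.168.100.21 00:11:22:33:44:66'

# mac_ip_rules <first_rule_number> <bindings>
# Emits one deny rule per binding: IP packets claiming a bound source IP but
# carrying a different source MAC are logged and dropped. Keep the numbers
# below the divert rule (1000 in the howto) so the check runs on the original
# frame, before snort_inline's reinjected copy replaces the source MAC.
mac_ip_rules() {
    num="$1"
    printf '%s\n' "$2" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        printf 'ipfw add %d deny log ip from %s to any not MAC any %s layer2\n' \
            "$num" "$ip" "$mac"
        num=$((num + 1))
    done
}

# valid_mac <mac> -> 0 if the address is six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# validate_bindings <bindings> -> 0 if every MAC in the table parses, 1 otherwise
# (a typo here would silently produce a rule ipfw rejects at load time).
validate_bindings() {
    printf '%s\n' "$1" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        valid_mac "$mac" || exit 1
    done
}

# Usage: validate_bindings "$BINDINGS" && mac_ip_rules 500 "$BINDINGS" | sh
```

The generated rules belong in rc.firewall next to the divert rule from the third step; because ipfw_arp is also enabled on the bridge, ARP still passes and the servers keep resolving the correct addresses, while spoofed IP-to-MAC pairs show up in the ipfw log on the firewall.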