--- Anthony Lieuallen <[EMAIL PROTECTED]> wrote:
> Below is the output from
> ipchains --list, the /etc/dns_floods file and /etc/ipfilter.conf
> file.
Hahaha.... here's the actual files (I'm such a dummy):
myrouter: -root- # ipchains --list
Chain input (policy DENY):
target prot opt source destination
ports
DENY icmp ----l- anywhere anywhere
timestamp-request
DENY icmp ----l- anywhere anywhere
timestamp-reply
DENY all ----l- myrouter.private.network anywhere
n/a
DENY all ----l- 255.255.255.255 anywhere n/a
DENY all ----l- localnet/8 anywhere n/a
DENY all ----l- BASE-ADDRESS.MCAST.NET/4 anywhere
n/a
ACCEPT all ------ 10.17.56.13 anywhere n/a
DENY all ----l- 10.0.0.0/8 anywhere n/a
DENY all ----l- 172.16.0.0/12 anywhere n/a
DENY all ----l- 192.168.0.0/16 anywhere n/a
DENY all ----l- myrouter.private.network/8 anywhere
n/a
DENY all ----l- 128.0.0.0/16 anywhere n/a
DENY all ----l- 191.255.0.0/16 anywhere n/a
DENY all ----l- 192.0.0.0/24 anywhere n/a
DENY all ----l- 223.255.255.0/24 anywhere n/a
DENY all ----l- 240.0.0.0/4 anywhere n/a
DENY all ----l- 192.168.1.0/24 anywhere n/a
DENY all ----l- 208.59.162.243 anywhere n/a
REJECT all ----l- anywhere localnet/8 n/a
REJECT all ----l- anywhere 192.168.1.0/24 n/a
REJECT tcp ------ anywhere anywhere any
-> netbios-ns
REJECT tcp ------ anywhere anywhere any
-> 135
REJECT udp ------ anywhere anywhere any
-> netbios-ns
REJECT udp ------ anywhere anywhere any
-> 135
REJECT tcp ------ anywhere anywhere any
-> netbios-dgm:netbios-ssn
REJECT udp ------ anywhere anywhere any
-> netbios-dgm
REJECT udp ------ anywhere anywhere
netbios-ns:netbios-dgm -> any
REJECT udp ------ anywhere anywhere 135
-> any
REJECT tcp ------ anywhere anywhere
netbios-ns:netbios-ssn -> any
REJECT tcp ------ anywhere anywhere 135
-> any
ACCEPT tcp ------ anywhere anywhere any
-> ssh
ACCEPT tcp ------ anywhere anywhere any
-> www
REJECT tcp ------ anywhere anywhere any
-> auth
ACCEPT tcp ------ anywhere anywhere any
-> 1024:65535
REJECT udp ----l- anywhere anywhere any
-> snmp:snmp-trap
ACCEPT udp ------ anywhere anywhere any
-> domain
ACCEPT udp ------ anywhere anywhere any
-> ntp
ACCEPT udp ------ anywhere anywhere any
-> bootpc
DENY udp ------ anywhere anywhere any
-> bootps
ACCEPT udp ------ anywhere anywhere any
-> 1024:65535
ACCEPT icmp ------ anywhere anywhere any
-> any
ACCEPT ospf ------ anywhere anywhere n/a
DENY all ----l- anywhere anywhere n/a
REJECT udp ----l- anywhere anywhere any
-> snmp:snmp-trap
REJECT udp ----l- anywhere anywhere
snmp:snmp-trap -> any
ACCEPT all ------ anywhere anywhere n/a
Chain forward (policy DENY):
target prot opt source destination
ports
DENY icmp ----l- anywhere anywhere
redirect
MASQ all ------ 192.168.1.0/24 anywhere n/a
DENY all ------ anywhere anywhere n/a
Chain output (policy DENY):
target prot opt source destination
ports
fairq all ------ anywhere anywhere n/a
DENY all ----l- myrouter.private.network anywhere
n/a
DENY all ----l- 255.255.255.255 anywhere n/a
DENY all ----l- localnet/8 anywhere n/a
DENY all ----l- BASE-ADDRESS.MCAST.NET/4 anywhere
n/a
ACCEPT all ------ 10.17.56.13 anywhere n/a
DENY all ----l- 10.0.0.0/8 anywhere n/a
DENY all ----l- 172.16.0.0/12 anywhere n/a
DENY all ----l- 192.168.0.0/16 anywhere n/a
DENY all ----l- myrouter.private.network/8 anywhere
n/a
DENY all ----l- 128.0.0.0/16 anywhere n/a
DENY all ----l- 191.255.0.0/16 anywhere n/a
DENY all ----l- 192.0.0.0/24 anywhere n/a
DENY all ----l- 223.255.255.0/24 anywhere n/a
DENY all ----l- 240.0.0.0/4 anywhere n/a
DENY all ------ 192.168.1.0/24 anywhere n/a
REJECT tcp ------ anywhere anywhere any
-> netbios-ns
REJECT tcp ------ anywhere anywhere any
-> 135
REJECT udp ------ anywhere anywhere any
-> netbios-ns
REJECT udp ------ anywhere anywhere any
-> 135
REJECT tcp ------ anywhere anywhere any
-> netbios-dgm:netbios-ssn
REJECT udp ------ anywhere anywhere any
-> netbios-dgm
REJECT udp ------ anywhere anywhere
netbios-ns:netbios-dgm -> any
REJECT udp ------ anywhere anywhere 135
-> any
REJECT tcp ------ anywhere anywhere
netbios-ns:netbios-ssn -> any
REJECT tcp ------ anywhere anywhere 135
-> any
ACCEPT all ------ anywhere anywhere n/a
Chain fairq (1 references):
target prot opt source destination
ports
RETURN ospf ------ anywhere anywhere n/a
RETURN ospf ------ anywhere anywhere n/a
RETURN udp ------ anywhere anywhere any
-> route
RETURN udp ------ anywhere anywhere
route -> any
RETURN tcp ------ anywhere anywhere any
-> bgp
RETURN tcp ------ anywhere anywhere bgp
-> any
RETURN tcp ------ anywhere anywhere any
-> domain
RETURN tcp ------ anywhere anywhere
domain -> any
RETURN udp ------ anywhere anywhere any
-> domain
RETURN udp ------ anywhere anywhere
domain -> any
RETURN tcp ------ anywhere anywhere any
-> telnet
RETURN tcp ------ anywhere anywhere
telnet -> any
RETURN tcp ------ anywhere anywhere any
-> ssh
RETURN tcp ------ anywhere anywhere ssh
-> any
myrouter: -root- # cat dns_floods
140.239.227.9
194.205.125.26
194.213.64.150
198.32.200.81
202.139.133.129
203.194.166.182
203.208.128.70
207.55.138.206
208.184.162.71
209.249.97.40
212.23.225.98
212.78.160.237
212.78.164.193
216.220.39.42
216.33.35.214
216.34.68.2
216.35.167.58
62.23.80.2
62.26.119.34
63.209.147.246
64.14.200.154
64.37.200.46
64.55.37.26
64.56.174.186
64.78.235.14
myrouter: -root- # cat ipfilter.conf
#
#
# ipfilter.conf This file contains the functions that contain the
firewall
# and ipfilter configuration. This is an example setup
for
# IP masquearding
#
# set -x # Uncomment for script debug
#INTERN_WWW_SERVER="192.168.1.200"
IPCH="/sbin/ipchains --no-warnings"
IPMASQADM=/usr/sbin/ipmasqadm
# DONT change this!
LOCAL_NET=127.0.0.0/8
LOCAL_IP=127.0.0.1
# Some functions to handle Protocol IP Port tuples
echoProto () {
local IFS='_'
set -- $1
echo $1
}
echoIpPort () {
local IFS='_'
set -- $1
echo "$2 $3"
}
echoSrvIpPort () {
local IFS='_'
set -- $1
echo "$4 $5"
}
echoMrkMark () {
local IFS='_'
set -- $1
echo $1
}
echoMrkProto () {
local IFS='_'
set -- $1
echo $2
}
echoMrkIpPort () {
local IFS='_'
set -- $1
echo "$3 $4"
}
echoBpSrc () {
local IFS='_'
set -- $1
echo "$2"
}
echoBpDstPort () {
local IFS='_'
set -- $1
echo "$3 $4"
}
echoFwDstPort () {
local IFS='_'
set -- $1
echo "$2"
}
echoFwSrcIp () {
local IFS='_'
set -- $1
echo "$1"
}
# A function to filter out Martian source addresses
stopMartians () {
local LIST=$1
shift
# The source addresses listed here are conservatively
# invalid as they are either used as broadcast/multicast
# destation addresses, a special value in IP stacks, loopback
# networks and illegal/ambiguous Classed IP addressing
networks.
#
# You can add your 'martian/invalid' source address blocks to
the
# MARTIAN_NETS list in /etc/network.conf
# All ones, all zeroes
$IPCH -A $LIST -j DENY -p all -s 0.0.0.0 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 255.255.255.255 -d 0/0 -l $*
# Loop back addresses
$IPCH -A $LIST -j DENY -p all -s 127.0.0.0/8 -d 0/0 -l $*
# Multicast source addresses
$IPCH -A $LIST -j DENY -p all -s 224.0.0.0/4 -d 0/0 -l $*
# RFC 1918/1627/1597 blocks
$IPCH -A $LIST -j ACCEPT -p all -s 10.17.56.13 -d 0/0 $*
$IPCH -A $LIST -j DENY -p all -s 10.0.0.0/8 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 172.16.0.0/12 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 192.168.0.0/16 -d 0/0 -l $*
# IANA reserved blocks (Martians from the gated restricted list
# - actually impossible/ambiguous classed networks)
$IPCH -A $LIST -j DENY -p all -s 0.0.0.0/8 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 128.0.0.0/16 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 191.255.0.0/16 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 192.0.0.0/24 -d 0/0 -l $*
$IPCH -A $LIST -j DENY -p all -s 223.255.255.0/24 -d 0/0 -l $*
# Class E address (experimental use)
$IPCH -A $LIST -j DENY -p all -s 240.0.0.0/4 -d 0/0 -l $*
# Addtions/other IANA reserved blocks
for NET in $MARTIAN_NETS; do
$IPCH -A $LIST -j DENY -p all -s $NET -d 0/0 -l $*
done; unset NET
}
# A function to block services that give trouble on an IFACE
standardBlock () {
local LIST=$1
shift
# Block SMB/Windows networking to protect Windows boxes and to
stop
# Windows NT doing braindead things with mail, www, etc
# This also prevents Internet Explorer spraying user logins
# and passwords everywhere
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 -d 0/0 netbios-ns $*
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 -d 0/0 135 $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d 0/0 netbios-ns $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d 0/0 135 $*
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 -d 0/0
netbios-dgm:netbios-ssn $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d 0/0 netbios-dgm $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 netbios-ns:netbios-dgm
-d 0/0 $*
$IPCH -A $LIST -j REJECT -p udp -s 0/0 135 -d 0/0 $*
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 netbios-ns:netbios-ssn
-d 0/0 $*
$IPCH -A $LIST -j REJECT -p tcp -s 0/0 135 -d 0/0 $*
}
# A function to control SNMP access on a network
snmpBlock () {
local LIST=$1
local DEST_IP=$2
local SNMP_IP
shift 2
if [ "$SNMP_BLOCK" != "YES" -a "$SNMP_BLOCK" != "Yes" \
-a "$SNMP_BLOCK" != "yes" ] ; then
return 0
fi
for SNMP_IP in $SNMP_MANAGER_IPS; do
$IPCH -A $LIST -j ACCEPT -p udp -s $SNMP_IP -d $DEST_IP
161:162 $*
done; unset SNMP_IP
$IPCH -A $LIST -j REJECT -p udp -s 0/0 -d $DEST_IP 161:162 -l
$*
}
# A function to mark packets for classification
ipfilter_fairq () {
[ -z "$CLS_FAIRQ" ] && return 0
# Create new chain
$IPCH -N fairq
# Populate chain
for CLS in $CLS_FAIRQ; do
$IPCH -A fairq -j RETURN -m `echoMrkMark $CLS` -p `echoMrkProto
$CLS` \
-d `echoMrkIpPort $CLS` -b
done; unset CLS
return 0
}
# A function to flush the filters (for internal use)
ipfilter_flush () {
# Flush the filters out
$IPCH -F input # input firewall list
$IPCH -F output # output firewall list
$IPCH -F forward # forwarding firewall list
# Flush fairq chain!
[ -n "$CLS_FAIRQ" ] && qt $IPCH -F fairq && qt $IPCH -X fairq
# Flush portfw rules
[ "$IPPORTFW" ] && $IPMASQADM portfw -f
# Flush autofw rules
[ "$IPAUTOFW" ] && $IPMASQADM autofw -F
# Flush mfw rules
[ "$IPMFW" ] && $IPMASQADM mfw -F
}
# A function to set the filter default policies
ipfilter_policy () {
$IPCH -P input $1
$IPCH -P output $1
$IPCH -P forward $1
}
# A function to clear the filters
ipfilter_clear () {
# Flush the filters
ipfilter_flush
# Reset the default policy
#
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING! If
# you turn off the filters, the box will become opaque to any
traffic!
#
ipfilter_policy ACCEPT
}
# A function to configure the filters for routing
ipfilter_router_cfg () {
#
# set default policies
#
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING! If
# you turn off the filters, the box will become opaque to any traffic!
#
ipfilter_policy DENY
# Clear any garbage rules out of the filters
ipfilter_flush
# Block known IPs who do TCP port 53 floods
# Added to block list of IPs on 4/15/2001
IP_LIST="`cat /etc/dns_floods`"
for IP in $IP_LIST ; do
$IPCH -I input -j DENY -p tcp -s $IP/32 -d $EXTERN_IP/32 53 -i
$EXTERN_IF
done ; unset IP ; unset IP_LIST
# Set up Fair Queueing classifier lists
ipfilter_fairq
# Forwarding
$IPCH -A forward -j DENY -p icmp --icmp-type redirect -l
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
$IPCH -A forward -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A forward -j ACCEPT -p all -s 0/0 -d 0/0
# Incoming Stuff
# Do this here to control junk coming in - good for defending against
flood
# attacks
if [ "$BORDER_RTR" = "YES" -o "$BORDER_RTR" = "Yes" -o "$BORDER_RTR" =
"yes" ];
then
# Origin blocking
for SRC in $BLOCKED_INSRC; do
$IPCH -A input -j DENY -p `echoProto $SRC` \
-s `echoIpPort $SRC` -i $EXTERN_RIF
done; unset SRC
for SRC in $LOGGED_BLOCKED_INSRC; do
$IPCH -A input -j DENY -p `echoProto $SRC` \
-s `echoIpPort $SRC` -i $EXTERN_RIF -l
done; unset SRC
fi
# Stop ICMP time stamp messages - don't need these
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-request -l
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-reply -l
# Border router stuff
if [ "$BORDER_RTR" = "YES" -o "$BORDER_RTR" = "Yes" -o "$BORDER_RTR" =
"yes" ];
then
# Get rid of incoming Martians
stopMartians input -i $EXTERN_RIF
# Prevent RFC 1918/1627/1597 IP packets from coming in
$IPCH -A input -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i
$EXTERN_RIF
$IPCH -A input -j DENY -p all -s 0/0 -d 192.168.0.0/16 -i
$EXTERN_RIF
$IPCH -A input -j DENY -p all -s 0/0 -d 172.16.0.0/12 -i
$EXTERN_RIF
# Allow icmp/BGP coming in on our link net
if [ -n "$LINK_NET" ]; then
$IPCH -A input -j ACCEPT -p icmp -s $LINK_NET -d 0/0 \
-i $EXTERN_RIF
$IPCH -A input -j ACCEPT -p tcp -s $LINK_NET -d
$LINK_NET bgp \
-i $EXTERN_RIF
$IPCH -A input -j ACCEPT -p tcp -s $LINK_NET bgp \
-d $LINK_NET 1024:65535 ! -y -i $EXTERN_RIF
# $IPCH -A input -j ACCEPT -p udp -s $LINK_NET -d
$LINK_NET egp \
# -i $EXTERN_RIF
# $IPCH -A input -j ACCEPT -p udp -s $LINK_NET egp \
# -d $LINK_NET 1024:65535 -i $EXTERN_RIF
fi
# Get rid of fake packets from our internal source addresses
for IP in $IP_BLOCKS; do
$IPCH -A input -j DENY -p all -s $IP -d 0/0 -i
$EXTERN_RIF -l
done; unset IP
# Destination blocking
for DEST in $BLOCKED_INDEST; do
$IPCH -A input -j REJECT -p `echoProto $DEST` -s 0/0 \
-d `echoIpPort $DEST` -i $EXTERN_RIF
done; unset DEST
for DEST in $LOGGED_BLOCKED_INDEST; do
$IPCH -A input -j REJECT -p `echoProto $DEST` -s 0/0 \
-d `echoIpPort $DEST` -i $EXTERN_RIF -l
done; unset DEST
# SNMP control - Prevent SNMP access to our network
if [ "$SNMP_BLOCK" = "YES" -o "$SNMP_BLOCK" = "Yes" \
-o "$SNMP_BLOCK" = "yes" ] ; then
$IPCH -A input -j REJECT -p udp -s 0/0 -d 0/0 161:162 \
-i $EXTERN_RIF -l
fi
# Block SMB stuff on input interface
if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
"$SMB_BLOCK" = "yes" ]; then
standardBlock input -i $EXTERN_RIF
fi
# DNS control - only allow certain machines to do zone
transfers
if [ -n "$DNS_IPS" ]; then
for IP in $DNS_IPS; do
$IPCH -A input -j ACCEPT -p tcp -d 0/0 domain
-i $EXTERN_RIF
done; unset IP
$IPCH -A input -j REJECT -p tcp -d 0/0 domain -i
$EXTERN_RIF -l
fi
fi
# Stop address spoofing - uncomment the next two lines if needed
# $IPCH -A input -j ACCEPT -p all -s $LOCAL_IP -d 0/0 -i lo
# stopMartians input
# Control SNMP access in network
snmpBlock input 0/0 -b
# On all other interfaces accept everything.
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
$IPCH -A input -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A input -j ACCEPT -p all -s 0/0 -d 0/0
# Outgoing stuff
# Classify packets, apply TOS etc
[ -n "$CLS_FAIRQ" ] && $IPCH -A output -j fairq
# Border router stuff
if [ "$BORDER_RTR" = "YES" -o "$BORDER_RTR" = "Yes" -o "$BORDER_RTR" =
"yes" ]
then
# Stop outgoing RFC 1918/1627/1597 packets
$IPCH -A output -j DENY -p all -s 0/0 -d 10.0.0.0/8 -i
$EXTERN_RIF
$IPCH -A output -j DENY -p all -s 0/0 -d 192.168.0.0/16 -i
$EXTERN_RIF
$IPCH -A output -j DENY -p all -s 0/0 -d 172.16.0.0/12 -i
$EXTERN_RIF
# Log and stop certain outgoing traffic
for DEST in $BLOCKED_OUTDEST; do
$IPCH -A output -j REJECT -p `echoProto $DEST` -s 0/0 \
-d `echoIpPort $DEST` -i $EXTERN_RIF
done; unset DEST
for DEST in $LOGGED_BLOCKED_OUTDEST; do
$IPCH -A output -j REJECT -p `echoProto $DEST` -s 0/0 \
-d `echoIpPort $DEST` -i $EXTERN_RIF -l
done; unset DEST
# Block SMB stuff on output interface
if [ "$SMB_BLOCK" = "YES" -o "$SMB_BLOCK" = "Yes" -o \
"$SMB_BLOCK" = "yes" ]; then
standardBlock output -i $EXTERN_RIF
fi
# Control Outgoing Source addresses
for IP in $IP_BLOCKS; do
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ];
then
$IPCH -A output -j ACCEPT -f -p all -s $IP -d
0/0 \
-i $EXTERN_RIF
fi
$IPCH -A output -j ACCEPT -p all -s $IP -d 0/0 -i
$EXTERN_RIF
done; unset IP
$IPCH -A output -j DENY -p all -i $EXTERN_RIF -l
fi
#
# Server screening control.
#
for IF in $SERVER_RIFS; do
# localise variables
eval local BYPASS=\${"$IF"_BYPASS:-""}
eval local PORT_BLOCK=\${"$IF"_PORT_BLOCK:-""}
eval local LOGGED_PORT_BLOCK=\${"$IF"_LOGGED_PORT_BLOCK:-""}
eval local SMB_BLOCK=\${"$IF"_SMB_BLOCK:-""}
eval local HOST_BYPASS=\${"$IF"_HOST_BYPASS:-""}
eval local HOST_ACKPASS=\${"$IF"_HOST_ACKPASS:-""}
eval local HOST_BLOCK=\${"$IF"_HOST_BLOCK:-""}
# Block Martians
stopMartians output -i $IF
# Bypass for port blocks
for PASS in $BYPASS; do
$IPCH -A output -j ACCEPT -p `echoProto $PASS` \
-s `echoBpSrc $PASS` -d `echoBpDstPort $PASS`
-i $IF
done; unset PASS
# Port Blocks
for DEST in $PORT_BLOCK; do
$IPCH -A output -j REJECT -p `echoProto $DEST` \
-s 0/0 -d 0/0 `echoIpPort $DEST` -i $IF
done; unset DEST
for DEST in $LOGGED_PORT_BLOCK; do
$IPCH -A output -j REJECT -p `echoProto $DEST` \
-s 0/0 -d 0/0 `echoIpPort $DEST` -i $IF -l
done; unset DEST
# SMB blocking
if [ "$SMB_BLOCK" != "NO" -a "$SMB_BLOCK" != "No" \
-a "$SMB_BLOCK" != "no" ]; then
standardBlock output -i $IF
fi
#Host Bypassing
for PASS in $HOST_BYPASS; do
$IPCH -A output -j ACCEPT -p `echoProto $PASS` \
-s `echoBpSrc $PASS` -d `echoBpDstPort $PASS`
-i $IF
done; unset PASS
#Host Blocking
for DEST in $HOST_BLOCK; do
$IPCH -A output -j REJECT -p tcp -s 0/0 -d $DEST auth
-i $IF
done; unset DEST
for PASS in $HOST_ACKPASS; do
$IPCH -A output -j ACCEPT -p tcp \
-s 0/0 -d $PASS 1024:65535 -i $IF ! -y
done; unset PASS
for DEST in $HOST_BLOCK; do
$IPCH -A output -j DENY -p all -s 0/0 -d $DEST -i $IF
-l
done; unset DEST
# Otherwise, accept all output on this interface
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
# Handle fragmented packets
$IPCH -A output -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A output -j ACCEPT -p all -s 0/0 -d 0/0 -i $IF
done; unset IF
# On all other interfaces accept anything
if [ "`cat /proc/sys/net/ipv4/ip_always_defrag`" = 0 ]; then
$IPCH -A output -j ACCEPT -f -p all -s 0/0 -d 0/0
fi
$IPCH -A output -j ACCEPT -p all -s 0/0 -d 0/0
}
# A function to configure the filters for firewalling
ipfilter_firewall_cfg () {
local ADDR
local DEST
local NET
#
# set default policies
#
# ONLY DENY FORWARDING ETC IF YOU KNOW WHAT YOU ARE DOING! If
# you turn off the filters, the box will become opaque to any traffic!
#
ipfilter_policy DENY
# Clear any garbage rules out of the filters
ipfilter_flush
# Set up Fair Queueing classifier lists
ipfilter_fairq
#
# Set up forwarding
#
# Set up masquerading timout values
$IPCH -M -S 14400 0 0
# Stop forwarding of ICMP redirects
$IPCH -A forward -j DENY -p icmp --icmp-type redirect -l
# Handle masquerading denial - always valid because this controls
access
# to DMZ from inside etc.
for PORT in $NOMASQ_DEST_BYPASS; do
for NET in $INTERN_NET; do
$IPCH -A forward -j MASQ -p `echoProto $PORT` \
-s $NET -d `echoIpPort $PORT`
done; unset NET
done; unset PORT
for PORT in $NOMASQ_DEST; do
for NET in $INTERN_NET; do
$IPCH -A forward -j REJECT -p `echoProto $PORT` \
-s $NET -d `echoIpPort $PORT`
done; unset NET
done; unset PORT
# Connect DMZ to internet
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
-o "$DMZ_SWITCH" = "yes" ]; then
# Masquerade internal network to DMZ network
for NET in $INTERN_NET; do
$IPCH -A forward -j MASQ -p all -s $NET -d $DMZ_NET -i
$DMZ_IF
done; unset NET
for DEST in $DMZ_CLOSED_DEST; do
$IPCH -A forward -j REJECT -p `echoProto $DEST` \
-d `echoIpPort $DEST` -i $DMZ_IF
done; unset DEST
for DEST in $DMZ_OPEN_DEST; do
$IPCH -A forward -j ACCEPT -p `echoProto $DEST` \
-d `echoIpPort $DEST` -i $DMZ_IF
done; unset DEST
if [ "$DMZ_HIGH_TCP_CONNECT" = "YES" \
-o "$DMZ_HIGH_TCP_CONNECT" = "Yes" \
-o "$DMZ_HIGH_TCP_CONNECT" = "yes" ]; then
$IPCH -A forward -j ACCEPT -p tcp -s 0/0 \
-d $DMZ_NET 1024:65535 -i $DMZ_IF
else
$IPCH -A forward -j ACCEPT -p tcp -s 0/0 \
-d $DMZ_NET 1024:65535 -i $DMZ_IF ! -y
fi
$IPCH -A forward -j ACCEPT -p icmp -s 0/0 -d $DMZ_NET -i
$DMZ_IF
$IPCH -A forward -j ACCEPT -p tcp -s $DMZ_NET -d 0/0 -i
$EXTERN_IF
$IPCH -A forward -j ACCEPT -p icmp -s $DMZ_NET -d 0/0 -i
$EXTERN_IF
$IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET domain \
-d 0/0 -i $EXTERN_IF
$IPCH -A forward -j MASQ -p udp -s $DMZ_NET -d 0/0 -i
$EXTERN_IF
fi
# Set up port forwards for internal services
for DEST in $INTERN_SERVERS; do
# Can't deal with PASV mode
$IPMASQADM portfw -a -P `echoProto $DEST` \
-L `echoIpPort $DEST` -R `echoSrvIpPort $DEST`
$IPCH -A forward -j MASQ -p `echoProto $DEST` \
-s `echoSrvIpPort $DEST`
done; unset DEST
if [ -n "$INTERN_FTP_SERVER" ] ; then
# Can't deal with PASV mode
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP ftp -R $INTERN_FTP_SERVER
ftp
fi
if [ -n "$INTERN_WWW_SERVER" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP www -R $INTERN_WWW_SERVER
www
fi
if [ -n "$INTERN_SMTP_SERVER" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP smtp -R
$INTERN_SMTP_SERVER smtp
fi
if [ -n "$INTERN_POP3_SERVER" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP pop-3 -R
$INTERN_WWW_SERVER pop-3
fi
if [ -n "$INTERN_IMAP_SERVER" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP imap -R
$INTERN_IMAP_SERVER imap
fi
if [ -n "$INTERN_SSH_SERVER" ] ; then
if [ -n "$EXTERN_SSH_PORT" ] ; then
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP $EXTERN_SSH_PORT \
-R $INTERN_SSH_SERVER ssh
else
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP ssh \
-R $INTERN_SSH_SERVER ssh
fi
fi
# Masquerade internal network to world
if [ "$MASQ_SWITCH" = "YES" -o "$MASQ_SWITCH" = "Yes" \
-o "$MASQ_SWITCH" = "yes" ]; then
for NET in $INTERN_NET; do
$IPCH -A forward -j MASQ -p all -s $NET -d 0/0 -i
$EXTERN_IF
done; unset NET
fi
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
-o "$DMZ_SWITCH" = "yes" ]; then
$IPCH -A forward -j DENY -p all -s 0/0 -d $DMZ_NET -i $DMZ_IF
-l
fi
$IPCH -A forward -j DENY -p all -s 0/0 -d 0/0
#
# EXTERNAL INTERFACE
#
# Input filter
# Stop ICMP time stamp messages - don't need these
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-request -l
$IPCH -A input -j DENY -p icmp --icmp-type timestamp-reply -l
# Spoofing prevention
stopMartians input -i $EXTERN_IF
for NET in $INTERN_NET; do
$IPCH -A input -j DENY -p all -s $NET -d 0/0 -i $EXTERN_IF -l
done; unset NET
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
-o "$DMZ_SWITCH" = "yes" ]; then
$IPCH -A input -j DENY -p all -s $DMZ_NET -d 0/0 -i $EXTERN_IF
-l
fi
if [ "$EXTERN_DYNADDR" = "YES" -o "$EXTERN_DYNADDR" = "Yes" \
-o "$EXTERN_DYNADDR" = "yes" ]; then
# Spoof protection
if_setproc $EXTERN_IF rp_filter YES
# Kernel logging of martians on this interface
if_setproc $EXTERN_IF log_martians YES
local EX_IP=0/0
else
for ADDR in $EXTERN_IP; do
$IPCH -A input -j DENY -p all -s $ADDR -d 0/0 \
-i $EXTERN_IF -l
done; unset ADDR
local EX_IP=0/0
fi
# Turn off all traffic from net to internal IP numbers
$IPCH -A input -j REJECT -p all -s 0/0 -d $LOCAL_NET -i $EXTERN_IF -l
for NET in $INTERN_NET; do
$IPCH -A input -j REJECT -p all -s 0/0 -d $NET -i $EXTERN_IF
-l
done; unset NET
# Stop Netbios shenanagans
standardBlock input -i $EXTERN_IF
# Bypass filters below for DMZ_NET access - port control done in
forwarding
# firewall
if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
-o "$DMZ_SWITCH" = "yes" ]; then
$IPCH -A input -j ACCEPT -p all -s 0/0 -d $DMZ_NET -i
$EXTERN_IF
fi
# TCP
# Open specified TCP services to the world
for SERVICE in $EXTERN_TCP_PORTS; do
$IPCH -A input -j ACCEPT -p tcp -s `echoFwSrcIp $SERVICE` \
-d $EX_IP `echoFwDstPort $SERVICE` -i $EXTERN_IF
done; unset SERVICE
# auth - send a reject packet. You may want to to forward this to an
internal bo# x if using IRC. Here so that a rule above can override
$IPCH -A input -j REJECT -p tcp -s 0/0 -d 0/0 auth -i $EXTERN_IF
# NFS server protection
# $IPCH -A input -j DENY -p tcp -s 0/0 -d 0/0 2049 -i $EXTERN_IF -l
# Accept all incoming TCP packets to the External interface on
non-priveleged
# ports
$IPCH -A input -j ACCEPT -p tcp -s 0/0 -d $EX_IP 1024:65535 -i
$EXTERN_IF
#UDP
# SNMP control
snmpBlock input $EX_IP -i $EXTERN_IF
# Open specfied UDP services to the world
for SERVICE in $EXTERN_UDP_PORTS; do
$IPCH -A input -j ACCEPT -p udp -s `echoFwSrcIp $SERVICE` \
-d $EX_IP `echoFwDstPort $SERVICE` -i $EXTERN_IF
done; unset SERVICE
# Block NFS access
#$IPCH -A input -j DENY -p udp -s 0/0 -d 0/0 2049 -i $EXTERN_IF -l
# Block all incoming DHCP/BOOTP queries - this bypasses the logging
further down
$IPCH -A input -j DENY -p udp -s 0/0 -d 0/0 bootps -i $EXTERN_IF
# Allow UDP masquerading for non-priviliged services Comment this out
for
# higher security
$IPCH -A input -j ACCEPT -p udp -s 0/0 -d $EX_IP 1024:65535 -i
$EXTERN_IF
#ICMP
# Uncomment the following to protect against ping bomb attacks on
Windows
# $IPCH -A input -j DENY -p icmp -s 0/0 0 8 -d 0/0 -i $EXTERN_IF -l
$IPCH -A input -j ACCEPT -p icmp -s 0/0 -d $EX_IP -i $EXTERN_IF
# Allow OSPF through - this is for gated to work
$IPCH -A input -j ACCEPT -p 89 -s 0/0 -d 0/0 -i $EXTERN_IF
# Bottom line - DENY anything that does not match
$IPCH -A input -j DENY -p all -s 0/0 -d 0/0 -i $EXTERN_IF -l
#
# Global Incoming
#
# Global control on SNMP
snmpBlock input 0/0 -b
# Allow input on all other interfaces
$IPCH -A input -j ACCEPT -p all -s 0/0 -d 0/0
# Outgoing stuff
# Classify packets, apply TOS etc
[ -n "$CLS_FAIRQ" ] && $IPCH -A output -j fairq
#Guard against sending rubbish onto Internet
stopMartians output -i $EXTERN_IF
for NET in $INTERN_NET; do
$IPCH -A output -j DENY -p all -s $NET -d 0/0 -i $EXTERN_IF
done; unset NET
# Stop Netbios
standardBlock output -i $EXTERN_IF
# Allow output on all other interfaces
$IPCH -A output -j ACCEPT -p all -s 0/0 -d 0/0
}
=====
_________________________
/ \ Some great sites:
[ Tony Lieuallen ] http://www.dilbert.com
[ [EMAIL PROTECTED] ] http://www.borg.com/~rjgtoons/
[ ] http://www.memepool.com
\_________________________/ http://www.bottomquark.com/
__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
