>I have two NT 4.0 servers running on my local network both running NetBios
>services. Well, it seems NetBios likes to try sending UDP packets out to
>some strange address. Just because of the kind of guy I am, I didn't much
>like this idea, so I changed my rc.local setup to the following:
>
>/sbin/ipfwadm -F -p deny
>/sbin/ipfwadm -F -a deny -S 192.168.1.0/24 137 -P udp
>/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
This is Microsoft Networking connecting to the Internet. This is BAD!
I would HIGHLY recommend that you implement a stronger IPFWADM ruleset
than what you posted above since other NT stuff is probably available
on the Inet too!
So, here is a whole new revamped IPFWADM ruleset from my TrinityOS doc
(the old one honestly SUCKED!) which isn't published quite yet. It's
very strong but it might be too restrictive for your use. So, read
all the in-line comments and open up the rulesets for your needs!
P.S. Turn on "Firewall accounting" in the kernel and re-compile. With
this, all the IPFWADM commands with the "-o" at the end will
log all denied incoming/outgoing packets to SYSLOG. This helps
debugging stuff when things don't work and when people are trying
to contact your machine!
/etc/rc.d/rc.firewall
--< begin >--
#!/bin/sh
# v2.00
# ++ Best viewed in a window at 90+ columns
#
# This script was adapted from Ambrose's IPMASQ-HOWTO and several
# other resources including:
#
# - Me
#
# **Note**: This config ASSUMES:
#
# 1) that you have your private LAN addressing set as
# 192.168.0.x
# 2) Your internal LAN is on eth1 (see $intif below)
# 3) Your external LAN is on eth0 (see $extif below)
# 4) Your static IP address is 24.1.83.137
#
# Obviously, this config won't be totally correct for your
# environment nor can your static IP address be the same
# as mine!
#
# So, you'll need to either manually change the IP address in
# the environment variable section or use the following
# command to set it up for you.
#
# This config also handles both IP spoofing and stuffed routing
# and IP Masquerading. Anything not explicitly allowed is
# REJECTED. Rejecting traffic is better than DENYING it since
# it makes the IPFWADM'ED machine look like it's not CAPABLE of
# doing that particular protocol!
#
# NOTE: All PPP users that get Dynamic IP address should use
# this command (it sets $extip from the address ifconfig reports for ppp0):
#
# extip=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 }' | sed -e s/addr://`
#---------------------------------------------------------------------------
#Environment Variables - Change to suit your environment
#
intip="192.168.0.1"
extip="24.1.83.137"
universe="0.0.0.0/0"
broadcast="255.255.255.255"
intnet="192.168.0.0/24"
unprivports="1024:65535"
intif="eth1"
extif="eth0"
secondarydns="208.162.41.10"
dgw="24.1.83.1"
#---------------------------------------------------------------------------
# For a nice display
echo " "
echo "Enabling IP Masquerading.."
echo "1" > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------------------
# Masq timeouts
# -------------
#
# Set timeout values for masq sessions (seconds).
# I only did this because my telnet connections would drop after inactivity
# of 15 mins.
echo "Changing IP MASQ Timeouts.."
/sbin/ipfwadm -M -s 7200 10 120
#---------------------------------------------------------------------------
#---------------------------------------------------------------------------
# Masq Modules
# -------------
#
echo "Loading MASQ modules.."
#/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_quake
#/sbin/modprobe ip_masq_vdolive
#/sbin/modprobe ip_masq_raudio
#---------------------------------------------------------------------------
echo "Enabling general INPUT on the internal LAN.. line 74"
#---------------------------------------------------------------------------
# INCOMING traffic on the INTERNAL LAN network
# --------------------------------------------
#
# Incoming, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p deny
# local interface, local machines, going anywhere is valid
/sbin/ipfwadm -I -a accept -V $intip -S $intnet -D $universe
# remote interface, claiming to be local machines, IP spoofing, get lost & log
/sbin/ipfwadm -I -a deny -V $extip -S $intnet -D $universe -o
# loopback interface is valid.
/sbin/ipfwadm -I -a accept -V 127.0.0.1 -S $universe -D $universe
# Enable DHCP
/sbin/ipfwadm -I -a accept -W $intif -P udp -S $universe 68 -D $broadcast 67
echo "Enabling general INPUT on the external LAN.. line 94"
#---------------------------------------------------------------------------
# INCOMING traffic on the EXTERNAL LAN network
# --------------------------------------------
#
## remote interface, any source, going to permanent PPP address is valid
#
## --Disabled due to too much open access. Change this if you want ANYONE on
# the Inet to be able to access your Linux box.
#
#ipfwadm -I -a accept -V $extip -S $universe -D $extip/32
# Questionable... ??? (TCP ACK-only replies towards unprivileged LAN ports)
# /sbin/ipfwadm -I -a accept -V $extip -P tcp -k -S $universe -D $intnet $unprivports
#-----------
# ICMP: Allow ICMP from the local default GW
/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $dgw/24 -D $extip
## ICMP: Allow ICMP from the universe but LOG it .. nice thought but unless
## you can figure out how to ignore REPLIES.. this is too much logging!
#/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe -D $extip -o
/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe -D $extip
# NTP: Allow NTP updates tcp from any host
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe -D $extip ntp
# IDENT: Allow IDENT on ALL interfaces but disable it in /etc/inetd.conf
/sbin/ipfwadm -I -a accept -P tcp -S $universe -D $universe 113
# DNS Lookups & Zone transfers: Since this site is an authoritative DNS server,
# we must open up DNS to the public on ALL interfaces
/sbin/ipfwadm -I -a accept -P tcp -S $universe -D $universe 53
/sbin/ipfwadm -I -a accept -P udp -S $universe -D $universe 53
# MAIL: Since this site is an authoritative SMTP server, allow it in on ALL
# interfaces
/sbin/ipfwadm -I -a accept -P tcp -S $universe -D $extip smtp
# HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic
/sbin/ipfwadm -I -a accept -P tcp -S $universe -D $extip $unprivports
/sbin/ipfwadm -I -a accept -P udp -S $universe -D $extip $unprivports
echo "Enabling explicit INPUT on the external LAN.. line 136"
##############################################################################
# Begin Explicit IP INPUT allows:
##############################################################################
#
#stimpy2
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.2/32 -D $intip ftp ftp-data ssh
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.2/32 -D $intip 137 138 139
#dellster
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.4/32 -D $intip ftp ftp-data ssh
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.4/32 -D $intip 137 138 139
#spare
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.9/32 -D $intip ftp ftp-data ssh
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.9/32 -D $intip 137 138 139
#spare2
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.10/32 -D $intip ftp ftp-data ssh
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.10/32 -D $intip 137 138 139
#rocko
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S 132.241.185.20/32 -D $extip ftp ftp-data ssh
#trinity.value.net
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S 205.162.63.211/32 -D $extip ftp ftp-data ssh pop-3
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
##############################################################################
# End Explicit IP INPUT allows:
##############################################################################
# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -I -a reject -S $universe -D $universe -o
echo "Enabling general OUTPUT on the internal LAN.. line 174 "
#---------------------------------------------------------------------------
# OUTGOING traffic on the INTERNAL LAN network
# --------------------------------------------
#
# Outgoing, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
/sbin/ipfwadm -O -f
/sbin/ipfwadm -O -p deny
# local interface, any source going to local net is valid
/sbin/ipfwadm -O -a accept -V $intip -S $universe -D $intnet
# outgoing to local net on remote interface, stuffed routing, deny & log
/sbin/ipfwadm -O -a deny -V $extip -S $universe -D $intnet -o
# outgoing from local net on remote interface, stuffed masquerading, deny
/sbin/ipfwadm -O -a deny -V $extip -S $intnet -D $universe -o
# outgoing from local net on remote interface, stuffed masquerading, deny
/sbin/ipfwadm -O -a deny -V $extip -S $universe -D $intnet -o
#DISABLED - Too open
## anything else outgoing on remote interface is valid
#ipfwadm -O -a accept -V $extip -S $extip/32 -D $universe
# loopback interface is valid.
/sbin/ipfwadm -O -a accept -V 127.0.0.1 -S $universe -D $universe
# DHCP
/sbin/ipfwadm -O -a accept -W $intif -P udp -S $intip 67 -D $broadcast 68
echo "Enabling general OUTPUT on the EXTERNAL LAN.. line 204 "
#---------------------------------------------------------------------------
# OUTGOING traffic on the external LAN network
# --------------------------------------------
# ICMP: Allow ICMP traffic out
/sbin/ipfwadm -O -a accept -P icmp -S $universe -D $universe
# NTP: Allow NTP updates tcp from any host
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip ntp -D $universe
# IDENT: Allow IDENT out but have it disabled in /etc/inetd.conf
/sbin/ipfwadm -O -a accept -P tcp -S $universe 113 -D $universe
# DNS Lookups & Zone transfers: Since this site is an authoritative DNS
# server, we must open up DNS to the public
# on ALL interfaces
# - You do not need port 42?
/sbin/ipfwadm -O -a accept -P tcp -S $extip 53 -D $universe
/sbin/ipfwadm -O -a accept -P udp -S $extip 53 -D $universe
# MAIL: Since this site is an authoritative SMTP server, allow it in on ALL
# interfaces
/sbin/ipfwadm -O -a accept -P tcp -S $extip smtp -D $universe
# HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic
/sbin/ipfwadm -O -a accept -P tcp -S $extip $unprivports -D $universe
/sbin/ipfwadm -O -a accept -P udp -S $extip $unprivports -D $universe
echo "Enabling explicit OUTPUT on the external LAN.. line 231"
##############################################################################
# Begin Explicit IP OUTPUT allows:
##############################################################################
#
#rocko
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 -D 132.241.185.20/32 ftp ftp-data ssh $unprivports
#trinity.value.net
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 -D 205.162.63.211/32 ftp ftp-data ssh $unprivports
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
##############################################################################
# End Explicit IP OUTPUT allows:
##############################################################################
# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -O -a reject -S $universe -D $universe -o
echo "Enabling MASQ on the external LAN.. line 250"
#---------------------------------------------------------------------------
# Forwarding traffic from the internal LAN network
# --------------------------------------------
#
# Forwarding, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
# Masquerade from local net on local interface to anywhere.
/sbin/ipfwadm -F -a masquerade -W $extif -S $intnet -D $universe
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -F -a reject -S $universe -D $universe -o
#--------------------------------------------------------------------
# For a nice display
echo " "
#--------------------------------------------------------------------
# How to test your new firewall..
#
# From the IPFWADM console:
#
# TELNET: telnet to a remote site
# SSH: ssh to a remote site
# DNS: run nslookup with "server = " and "set q ="
# NTP: run "/etc/cron.15min/gettime"
#
# From a MASQed computer on the internal LAN:
#
# From another machine on the Internet:
# TELNET: telnet to your IPFWADMed machine
# SSH: SSH to your IPFWADMed machine
#
# Finally.. download "nmap" and run it in both SOCKET
# and UDP mode to port scan your new firewall!
#
# More to come....
#
#--------------------------------------------------------------------
# Below are comments on how to explicitly DENY all traffic from a
# specific host
#
# You can block traffic to a particular site using the -I, -O or -F.
# Remember that the set of rules are scanned top to bottom and -a means
# "append" to the existing set of rules so any restrictions need to come
# before global rules. For example (and untested) :-
#
# Using -I rules. Probably the fastest but it only stops the local
# machines, the firewall itself can still access the "forbidden" site.
# Of course you might want to allow that combination.
#
# # reject and log local interface, local machines going to 204.50.10.13
# ipfwadm -I -a reject -V 192.168.255.1 -S 192.168.0.0/16 -D 204.50.10.13/32 -o
# # local interface, local machines, going anywhere is valid
# ipfwadm -I -a accept -V 192.168.255.1 -S 192.168.0.0/16 -D 0.0.0.0/0
#
# Using -O rules. Slowest because the packets go through masquerading
# first but this rule even stops the firewall accessing the forbidden
# site.
#
# # reject and log outgoing to 204.50.10.13
# ipfwadm -O -a reject -V your.static.PPP.address -S your.static.PPP.address/32 -D 204.50.10.13/32 -o
# # anything else outgoing on remote interface is valid
# ipfwadm -O -a accept -V your.static.PPP.address -S your.static.PPP.address/32 -D 0.0.0.0/0
#
# Using -F rules. Probably slower than -I and this still only stops
# masqueraded machines (i.e. internal), firewall can still get to
# forbidden site.
#
# # Reject and log from local net on PPP interface to 204.50.10.13.
# ipfwadm -F -a reject -W ppp0 -S 192.168.0.0/16 -D 204.50.10.13/32 -o
# # Masquerade from local net on local interface to anywhere.
# ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/16 -D 0.0.0.0/0
#
# No need for a special rule to allow 192.168.0.0/16 to go to
# 204.50.11.0, it is covered by the global rules.
#
# There is more than one way of coding the interfaces in the above
# rules. For example instead of -V 192.168.255.1 you can code -W eth0,
# instead of -V your.static.PPP.address you can use -W ppp0. Personal
# choice and documentation more than anything.
#
# --end
----< end >--
David A. Ranch - Remote Access/Linux/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch
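An added example (my own, not part of David Ranch's rc.firewall above or of the quoted post) that works through the point made in the script's closing comments: ipfwadm scans rules top to bottom and -a appends, so a restriction has to be loaded before the global rule it is meant to override. It builds the -F (forwarding) chain as printed text with a reject-and-log rule for the LAN's NetBIOS traffic (UDP and TCP 137-139, the traffic the original poster saw leaving his network) ahead of the masquerade rule, and includes a check that catches the chain when the restriction lands after the masquerade rule. The interface and address values are assumptions; the commands are printed rather than executed so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example; not from the TrinityOS rc.firewall above or the quoted post.
# Builds the ipfwadm -F (forwarding) chain as text, with the LAN NetBIOS
# egress restriction placed BEFORE the global masquerade rule. ipfwadm scans
# rules top to bottom and -a appends, so a restriction added after the
# masquerade rule never matches. All values below are assumptions.
intnet="192.168.0.0/24"
universe="0.0.0.0/0"
extif="eth1"                 # assumed external NIC

# netbios_egress_rules: reject and log (-o) NetBIOS name/datagram/session
# traffic (UDP and TCP 137-139) from the LAN so it is never masqueraded out
netbios_egress_rules() {
    printf '/sbin/ipfwadm -F -a reject -W %s -P udp -S %s -D %s 137 138 139 -o\n' \
        "$extif" "$intnet" "$universe"
    printf '/sbin/ipfwadm -F -a reject -W %s -P tcp -S %s -D %s 137 138 139 -o\n' \
        "$extif" "$intnet" "$universe"
}

# forward_chain: the complete -F chain in the order it must be loaded;
# read it first, then pipe it to sh to apply
forward_chain() {
    printf '/sbin/ipfwadm -F -f\n'
    printf '/sbin/ipfwadm -F -p deny\n'
    netbios_egress_rules
    printf '/sbin/ipfwadm -F -a masquerade -W %s -S %s -D %s\n' "$extif" "$intnet" "$universe"
    printf '/sbin/ipfwadm -F -a reject -S %s -D %s -o\n' "$universe" "$universe"
}

# forward_chain_misordered: the same rules with the restriction appended
# after the masquerade rule (the mistake check_order is meant to catch)
forward_chain_misordered() {
    printf '/sbin/ipfwadm -F -f\n'
    printf '/sbin/ipfwadm -F -p deny\n'
    printf '/sbin/ipfwadm -F -a masquerade -W %s -S %s -D %s\n' "$extif" "$intnet" "$universe"
    netbios_egress_rules
    printf '/sbin/ipfwadm -F -a reject -S %s -D %s -o\n' "$universe" "$universe"
}

# check_order GENERATOR: exit 0 when every NetBIOS reject rule in the
# generator's output comes before the masquerade rule, 1 otherwise
check_order() {
    "$1" | awk '
        /137 138 139/ && seen_masq { bad = 1 }
        /-a masquerade/ { seen_masq = 1 }
        END { exit bad ? 1 : 0 }'
}

# rule_count GENERATOR: number of ipfwadm commands the generator emits
rule_count() { "$1" | grep -c '^/sbin/ipfwadm'; }

# usage: check_order forward_chain && forward_chain | sh
```

Running `check_order forward_chain` before applying the chain turns the "restrictions before global rules" advice into something a script can enforce; the same pattern (generate, check, then apply) works for the -I and -O chains.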
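As an added example (mine, not from the script or its author) of putting the "-o" logging the reply recommends to use: a summarizer for the kernel log lines those rules produce. The line layout it parses (`IP fw-in|fw-out|fw-fwd acc|deny|rej IFACE PROTO SRC[:PORT] DST[:PORT] L=.. S=.. I=.. F=.. T=..` after the syslog prefix) is what I remember of Linux 2.0 ip_fw logging and is stated here as an assumption; the sample lines are constructed. It counts rejected packets by chain, protocol, source address and destination port, which is the view you want when checking whether NetBIOS is still leaking out or someone is probing the firewall.

```shell
#!/bin/sh
# Added example; not part of the TrinityOS script. Summarizes the syslog lines
# produced by ipfwadm rules that carry "-o" (kernel "Firewall accounting").
# Assumed line layout (Linux 2.0 ip_fw logging, after the syslog prefix):
#   IP <fw-in|fw-out|fw-fwd> <acc|deny|rej> <iface> <PROTO> <src[:port]> <dst[:port]> L=.. S=.. I=.. F=.. T=..
# The sample lines below are constructed for this example.
LOG='Mar  3 10:01:02 fw kernel: IP fw-fwd rej eth0 UDP 192.168.0.7:137 24.1.83.255:137 L=78 S=0x00 I=6 F=0x0000 T=128
Mar  3 10:01:05 fw kernel: IP fw-fwd rej eth0 UDP 192.168.0.7:137 24.1.83.255:137 L=78 S=0x00 I=7 F=0x0000 T=128
Mar  3 10:02:11 fw kernel: IP fw-in rej eth0 TCP 10.9.8.7:4321 24.1.83.137:23 L=60 S=0x00 I=9 F=0x4000 T=52
Mar  3 10:02:12 fw kernel: IP fw-in rej eth0 TCP 10.9.8.7:4322 24.1.83.137:139 L=60 S=0x00 I=10 F=0x4000 T=52
Mar  3 10:02:12 fw kernel: IP fw-in rej eth0 ICMP 10.9.8.7 24.1.83.137 L=84 S=0x00 I=11 F=0x0000 T=52
Mar  3 10:03:00 fw kernel: eth0: link is up'

# summarize_fw_log: read log lines on stdin, print one line per distinct
#   COUNT CHAIN ACTION PROTO SRC DSTPORT, most frequent first.
# The source port is dropped (ephemeral, only adds noise); ICMP has no
# ports, so its destination port is shown as "-".
summarize_fw_log() {
    awk '
    {
        for (i = 1; i <= NF; i++)
            if ($i == "IP" && $(i + 1) ~ /^fw-/) break
        if (i > NF) next                        # not a firewall log line
        chain = $(i + 1); act = $(i + 2); proto = $(i + 4)
        src = $(i + 5); dst = $(i + 6)
        sub(/:[0-9]+$/, "", src)                # strip source port
        dport = dst; sub(/^.*:/, "", dport)     # keep destination port
        if (dport == dst) dport = "-"           # no port (ICMP)
        count[chain " " act " " proto " " src " " dport]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# summarize_sample: the summary for the constructed log above
summarize_sample() { printf '%s\n' "$LOG" | summarize_fw_log; }

# rejected_lines LOGTEXT: how many rejected or denied packets the log holds
rejected_lines() { printf '%s\n' "$1" | grep -Ec ' IP fw-[a-z]+ (rej|deny) '; }

# usage on a live box: grep 'IP fw-' /var/log/messages | summarize_fw_log
```

On the constructed input the first line of the summary is `2 fw-fwd rej UDP 192.168.0.7 137`, which is exactly the symptom the original poster described (a LAN host's NetBIOS name-service traffic being stopped at the forwarding chain), while the `fw-in` lines show a single outside address probing telnet, NetBIOS session and ICMP on the external interface.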