>This would be between eth0 with about 10-20 clients to ppp0 dialed into
>another Linux machine. 

Modify your IPFWADM ruleset to only allow POP3 from the world.

Here is an even newer (still unpublished) IPFWADM ruleset from the
TrinityOS doc.  This firewall allows ALL DNS and SMTP from the
world to the Linux Box.  Yet, it only allows things like FTP, SSH,
etc. to remote IP addresses.  Modify to suit your tastes.

You can also do this with the /etc/hosts.allow and /etc/hosts.deny
files but they aren't as strong as IPFWADM rulesets.  Personally,
I would recommend BOTH!

All described here:

        http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri


/etc/rc.d/rc.firewall
--
#!/bin/sh
# v2.10
# ++ Best viewed in a window at 90+ columns
#
# This script was adapted from Ambrose's IPMASQ-HOWTO and several
# other resources including:                    
#
#       - Me
#
# **Note**:  This config ASSUMES:
#               1) that you have your private LAN addressing set as 
#                  192.168.0.x 
#               2) Your internal LAN is on eth0
#               3) Your external LAN is on eth1
#               4) Your static IP address is 24.1.83.137  
#
#       Obviously, this config won't be totally correct for your
#       environment nor can your static IP address be the same
#       as mine!
#
#       So, you'll need to either manually change the IP address in 
#       the environment variable section or use the following 
#       command to set it up for you.
#
#       This config also handles both IP spoofing and stuffed routing
#       and IP Masquerading.  Anything not explicitly allowed is 
#       REJECTED.  Rejecting traffic is better than DENYING it since 
#       it makes the IPFWADM'ED machine look like it's not CAPABLE of 
#       doing that particular protocol!
#               
#       NOTE:  All PPP users that get a Dynamic IP address should use 
#               this command (it sets the same $extip variable that the
#               rules below use):
#
# extip=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 }' | sed -e 's/addr://'`
        
                
#---------------------------------------------------------------------------
#Environment Variables - Change to suit your environment
#

intip="192.168.0.1"
extip="24.1.83.137"
universe="0.0.0.0/0"
broadcast="255.255.255.255"
intnet="192.168.0.0/24"
unprivports="1024:65535"
intif="eth1"
extif="eth0"
secondarydns="208.162.41.10"
dgw="24.1.83.1"

#---------------------------------------------------------------------------

# For a nice display
echo "  "

echo "Enabling IP Masquerading.."
echo "1" > /proc/sys/net/ipv4/ip_forwarding

#---------------------------------------------------------------------------
# Masq timeouts
# -------------
#
# Set timeout values for masq sessions (seconds). 
# I only did this because my telnet connections would drop after inactivity 
# of 15 mins.
echo "Changing IP MASQ Timeouts.."
/sbin/ipfwadm -M -s 7200 10 120
#---------------------------------------------------------------------------

#---------------------------------------------------------------------------
# Masq Modules 
# -------------
#
echo "Loading MASQ modules.."

#/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_quake
#/sbin/modprobe ip_masq_vdolive
#/sbin/modprobe ip_masq_raudio

#---------------------------------------------------------------------------
echo "Enabling general INPUT on the internal LAN.. line 74"
#---------------------------------------------------------------------------
# INCOMING traffic on the INTERNAL LAN network
# --------------------------------------------
# Incoming, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
#
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -p deny

# local interface, local machines, going anywhere is valid
/sbin/ipfwadm -I -a accept -V $intip -S $intnet -D $universe

# remote interface, claiming to be local machines, IP spoofing, get lost & log
/sbin/ipfwadm -I -a deny -V $extip -S $intnet -D $universe -o

# loopback interface is valid.
/sbin/ipfwadm -I -a accept -V 127.0.0.1 -S $universe -D $universe

# Enable DHCP
/sbin/ipfwadm -I -a accept -W $intif -P udp -S $universe 68 -D $broadcast 67

echo "Enabling general INPUT on the external LAN.. line 94"
#---------------------------------------------------------------------------
# INCOMING traffic on the EXTERNAL LAN network
# --------------------------------------------
#
## remote interface, any source, going to permanent PPP address is valid
## --Disabled due to too much open access.  Change this if you want ANYONE on
#       the Inet to be able to access your Linux box.
#
#ipfwadm -I -a accept -V $extip -S $universe -D $extip/32

# Questionable... ???
# /sbin/ipfwadm -I -a accept -V $extip -P tcp -k -S $universe -D $intnet $unprivports

#-----------

# ICMP: Allow ICMP from the local default GW
/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $dgw/24 -D $extip

## ICMP: Allow ICMP from the universe but LOG it .. nice thought but unless you
##       can figure out how to ignore REPLIES.. this is too much logging!
#/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe -D $extip -o
/sbin/ipfwadm -I -a accept -W $extif -P icmp -S $universe -D $extip 

# NTP: Allow NTP updates tcp from any host
#      (NTP ordinarily uses UDP port 123; this rule matches tcp only)
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S $universe -D $extip ntp 

# IDENT: Allow IDENT on ALL interfaces but disable it in /etc/inetd.conf
/sbin/ipfwadm -I -a accept -P tcp -S $universe -D $universe 113

# DNS Lookups & Zone transfers: Since this site is an authoritative DNS server,
#                               we must open up DNS to the public on ALL interfaces
/sbin/ipfwadm -I -a accept -P tcp -S $universe -D $universe 53 
/sbin/ipfwadm -I -a accept -P udp -S $universe -D $universe 53 

# MAIL: Since this site is an authoritative SMTP server, allow it in on ALL
#       interfaces
/sbin/ipfwadm -I -a accept -P tcp -S $universe -D $extip smtp

# HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic
/sbin/ipfwadm -I -a accept -P tcp -S $universe -D $extip $unprivports
/sbin/ipfwadm -I -a accept -P udp -S $universe -D $extip $unprivports


echo "Enabling explicit INPUT on the external LAN.. line 136"
##############################################################################
# Begin Explicit IP INPUT allows:
##############################################################################
#

#stimpy2
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.2/32 -D $intip ftp ftp-data ssh 
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.2/32 -D $intip 137 138 139

#dellster
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.4/32 -D $intip ftp ftp-data ssh 
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.4/32 -D $intip 137 138 139

#spare
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.9/32 -D $intip ftp ftp-data ssh 
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.9/32 -D $intip 137 138 139

#spare2
/sbin/ipfwadm -I -a accept -W $intif -P tcp -S 192.168.0.10/32 -D $intip ftp ftp-data ssh 
/sbin/ipfwadm -I -a accept -W $intif -P udp -S 192.168.0.10/32 -D $intip 137 138 139

#rocko
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S 132.241.185.20/32 -D $extip ftp ftp-data ssh

#trinity.value.net
/sbin/ipfwadm -I -a accept -W $extif -P tcp -S 205.162.63.211/32 -D $extip ftp ftp-data ssh pop-3

# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#
##############################################################################
# End Explicit IP INPUT allows:
##############################################################################

# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -I -a reject -S $universe -D $universe -o

echo "Enabling general OUTPUT on the internal LAN.. line 174 "
#---------------------------------------------------------------------------
# OUTGOING traffic on the INTERNAL LAN network
# --------------------------------------------

# Outgoing, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
/sbin/ipfwadm -O -f
/sbin/ipfwadm -O -p deny

# local interface, any source going to local net is valid
/sbin/ipfwadm -O -a accept -V $intip -S $universe -D $intnet

# outgoing to local net on remote interface, stuffed routing, deny & log
/sbin/ipfwadm -O -a deny -V $extip -S $universe -D $intnet -o

# outgoing from local net on remote interface, stuffed masquerading, deny
/sbin/ipfwadm -O -a deny -V $extip -S $intnet -D $universe -o

# outgoing from local net on remote interface, stuffed masquerading, deny
/sbin/ipfwadm -O -a deny -V $extip -S $universe -D $intnet -o

#DISABLED - Too open
## anything else outgoing on remote interface is valid
#ipfwadm -O -a accept -V $extip -S $extip/32 -D $universe

# loopback interface is valid.
/sbin/ipfwadm -O -a accept -V 127.0.0.1 -S $universe -D $universe

# DHCP
/sbin/ipfwadm -O -a accept -W $intif -P udp -S $intip 67 -D $broadcast 68

echo "Enabling general OUTPUT on the EXTERNAL LAN.. line 204 "
#---------------------------------------------------------------------------
# OUTGOING traffic on the external LAN network
# --------------------------------------------
# ICMP:  Allow ICMP traffic out
/sbin/ipfwadm -O -a accept -P icmp -S $universe -D $universe

# NTP: Allow NTP updates tcp from any host
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip ntp -D $universe 

# IDENT: Allow IDENT out but have it disabled in /etc/inetd.conf
/sbin/ipfwadm -O -a accept -P tcp -S $universe 113 -D $universe 

# DNS Lookups & Zone transfers: Since this site is an authoritative DNS 
#                               server, we must open up DNS to the public 
#                               on ALL interfaces
#                               - You do not need port 42?
/sbin/ipfwadm -O -a accept -P tcp -S $extip 53 -D $universe 
/sbin/ipfwadm -O -a accept -P udp -S $extip 53 -D $universe

# MAIL: Since this site is an authoritative SMTP server, allow it in on ALL
#       interfaces
/sbin/ipfwadm -O -a accept -P tcp -S $extip smtp -D $universe 

# PPTP - reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip -D $universe 1723 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip -D $universe 1723 -o

# Remote Winsock - Reject 
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip -D $universe 1745 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip -D $universe 1745 -o

# NFS - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip -D $universe 2049 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip -D $universe 2049 -o

# PcAnywhere - Reject
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip -D $universe 5631 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip -D $universe 5631 -o
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip -D $universe 5632 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip -D $universe 5632 -o

# Xwindows - Deny
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip -D $universe 6000 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip -D $universe 6000 -o

# HIGH PORTS: Enable all HIGH ports for reply tcp/udp traffic
/sbin/ipfwadm -O -a accept -P tcp -S $extip $unprivports -D $universe 
/sbin/ipfwadm -O -a accept -P udp -S $extip $unprivports -D $universe 


echo "Enabling explicit OUTPUT on the external LAN.. line 231"
##############################################################################
# Begin Explicit IP OUTPUT allows:
##############################################################################
#

#rocko
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 -D 132.241.185.20/32 ftp ftp-data ssh $unprivports

#trinity.value.net
/sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 -D 205.162.63.211/32 ftp ftp-data ssh $unprivports

# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


##############################################################################
# End Explicit IP OUTPUT allows:
##############################################################################

# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
#
# This should catch everything including SAMBA and all non-explicitly allowed
#   TELNET, FTP, FTP-DATA, SSH, etc.
/sbin/ipfwadm -O -a reject -S $universe -D $universe -o


echo "Enabling MASQ on the external LAN.. line 250"
#---------------------------------------------------------------------------
# Forwarding traffic from the internal LAN network
# --------------------------------------------
#
# Forwarding, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny

# Masquerade from local net on local interface to anywhere.
/sbin/ipfwadm -F -a masquerade -W $extif -S $intnet -D $universe

# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
/sbin/ipfwadm -F -a reject -S $universe -D $universe -o

#--------------------------------------------------------------------
# For a nice display
echo "  "

#--------------------------------------------------------------------
# How to test your new firewall..
#
#       From the IPFWADM console:
#
#               TELNET: telnet to a remote site
#               SSH:    ssh to a remote site
#               DNS:    run nslookup with "server = " and "set q ="
#               NTP:    run "/etc/cron.15min/gettime"
#               Xwin: "export DISPLAY=your-remote-FQDN:0.0"
#                       Run a X-server on the remote machine
#                       Run "xeyes"
#
#       From a MASQed computer on the internal LAN:
#
#       From another machine on the Internet:
#               TELNET: telnet to your IPFWADMed machine
#               SSH:    SSH to your IPFWADMed machine
#
#       ***     Finally.. download "nmap" and run it in both SOCKET
#               and UDP mode to port scan your new firewall!
#               
#       More to come....
#
#--------------------------------------------------------------------
# Below are comments on how to explicitly DENY all traffic from a
# specific host
#
#  You can block traffic to a particular site using the -I, -O or -F.
#  Remember that the set of rules are scanned top to bottom and -a means
#  "append" to the existing set of rules so any restrictions need to come
#  before global rules. For example (and untested) :-
#
#  Using -I rules. Probably the fastest but it only stops the local
#  machines, the firewall itself can still access the "forbidden" site.
#  Of course you might want to allow that combination.
#
#  # reject and log local interface, local machines going to 204.50.10.13
#  ipfwadm -I -a reject -V 192.168.255.1 -S 192.168.0.0/16 -D 204.50.10.13/32 -o
#  # local interface, local machines, going anywhere is valid
#  ipfwadm -I -a accept -V 192.168.255.1 -S 192.168.0.0/16 -D 0.0.0.0/0
#
#  Using -O rules. Slowest because the packets go through masquerading
#  first but this rule even stops the firewall accessing the forbidden
#  site.
#
#  # reject and log outgoing to 204.50.10.13
#  ipfwadm -O -a reject -V your.static.PPP.address -S your.static.PPP.address/32 -D 204.50.10.13/32 -o
#  # anything else outgoing on remote interface is valid
#  ipfwadm -O -a accept -V your.static.PPP.address -S your.static.PPP.address/32 -D 0.0.0.0/0
#
#  Using -F rules. Probably slower than -I and this still only stops
#  masqueraded machines (i.e. internal), firewall can still get to
#  forbidden site.
#
#  # Reject and log from local net on PPP interface to 204.50.10.13.
#  ipfwadm -F -a reject -W ppp0 -S 192.168.0.0/16 -D 204.50.10.13/32 -o
#  # Masquerade from local net on local interface to anywhere.
#  ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/16 -D 0.0.0.0/0
#
#  No need for a special rule to allow 192.168.0.0/16 to go to
#  204.50.11.0, it is covered by the global rules.
#
#  There is more than one way of coding the interfaces in the above
#  rules.  For example instead of -V 192.168.255.1 you can code -W eth0,
#  instead of -V your.static.PPP.address you can use -W ppp0. Personal
#  choice and documentation more than anything.
#
#--------------------------------------------------------------------
# Version Control
#
# v1.0 - Original draft
# v2.0 - Totally re-written and MUCH stronger
# v2.1 - Disabled ALL outbound Xwindows (Xwin uses port 6000) which was
#          previously allowed since it's in the >1024 port range.  Gotcha!
#
# --end

.----------------------------------------------------------------------------.
|  David A. Ranch - Remote Access/Linux/PC hardware      [EMAIL PROTECTED]  |
!----                                                                    ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
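The two things worth seeing in motion from the post above, the "only allow POP3 from the world" ruleset the reply recommends and the rule-ordering caveat in the "explicitly DENY a specific host" notes, as an added example that is not code from the post or from TrinityOS: a small Python first-match simulator for an ipfwadm-style INPUT chain. It assumes eth0 is the LAN and ppp0 the external link (as in the quoted question), reuses the addresses from the script, and the names Rule, evaluate and pkt are made up here.

```python
import ipaddress

class Rule:
    """One ipfwadm-style rule: -W iface, -P proto, -S src, -D dst [ports], -o log."""
    def __init__(self, action, iface=None, proto=None, src="0.0.0.0/0",
                 dst="0.0.0.0/0", ports=(), log=False):
        self.action, self.iface, self.proto, self.log = action, iface, proto, log
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        # destination ports: ints or (low, high) tuples; empty means any port
        self.ports = [(p, p) if isinstance(p, int) else p for p in ports]

    def matches(self, pkt):
        if self.iface and pkt["iface"] != self.iface:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        return not self.ports or any(lo <= pkt["dport"] <= hi for lo, hi in self.ports)

def evaluate(chain, pkt, policy="deny"):
    """Scan top to bottom, in 'ipfwadm -a' append order; the first match wins.
    Returns (action, logged). The chain policy applies only if nothing matched."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.log
    return policy, False

def pkt(iface, proto, src, dst, dport):
    return {"iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport}

INTNET, EXTIP, HIGH = "192.168.0.0/24", "24.1.83.137/32", (1024, 65535)

# Constructed INPUT chain in the spirit of the script, with the "POP3 from the
# world" allow the reply recommends. The logged catch-all reject (-o) comes last.
INPUT = [
    Rule("accept", iface="eth0", src=INTNET),                  # LAN hosts, anywhere
    Rule("deny", iface="ppp0", src=INTNET, log=True),          # spoofed LAN source
    Rule("accept", proto="tcp", dst=EXTIP, ports=[110]),       # POP3 from anywhere
    Rule("accept", proto="tcp", dst=EXTIP, ports=[HIGH]),      # replies to high ports
    Rule("accept", proto="udp", dst=EXTIP, ports=[HIGH]),
    Rule("reject", log=True),                                  # everything else
]

# Blocking one remote host (the post's 204.50.10.13 example): the reject must be
# appended BEFORE the broad LAN accept, or the accept matches first and hides it.
LAN_OK = Rule("accept", iface="eth0", src=INTNET)
BLOCK = Rule("reject", iface="eth0", src=INTNET, dst="204.50.10.13/32", log=True)
WRONG_ORDER = [LAN_OK, BLOCK]
RIGHT_ORDER = [BLOCK, LAN_OK]
```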