Hi,

I have a firewall running on Fedora Core 4 (Stentz) with iptables. The person
who installed it left our company some months ago.
I have spent some years away from iptables, and now I have to migrate this
firewall to PF.
There are some 'special' features on this firewall; I need documentation or
help implementing these features on the new firewall (PF).

These are the iptables scripts (note: several long lines below were wrapped by the mail client; each iptables command must be on one line):

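#!/bin/bash
# Top-level firewall loader. Sources the module, variable, kernel-hardening
# and logging-policy fragments from /etc/rc.d/init.d/prodata; the "normal"
# filter/NAT rules follow after this block (not shown in the post).
FW=/sbin/iptables
LOAD=/sbin/modprobe
#__________________________________________________________________________

# Load the iptables kernel modules
. /etc/rc.d/init.d/prodata/fw_modulos

# Load variables (KERNEL, LOGS and IPSEC are expected to be set here; the
# fragments below test them against the literal "sim")
. /etc/rc.d/init.d/prodata/fw_variaveis

# Quoted and defaulted: the original `[ $KERNEL = "sim" ]` is a syntax error
# ("unary operator expected") when the variable is unset, e.g. if
# fw_variaveis is missing or edited, so the fragment would be skipped with a
# confusing message instead of a clean decision.
if [[ "${KERNEL:-}" == "sim" ]]; then
   . /etc/rc.d/init.d/prodata/fw_kernel
fi

#___________________________________________________________________________
# Create the LOG policy chains
#___________________________________________________________________________

if [[ "${LOGS:-}" == "sim" ]]; then
   . /etc/rc.d/init.d/prodata/fw_politicas
fi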

Normal rules here
#################################################################### EOF



/etc/rc.d/init.d/prodata/fw_modulos
# Kernel modules for the ruleset (2.6.11-era names: ip_conntrack / ip_nat
# rather than nf_conntrack). Entries the previous admin had disabled are
# listed below as comments so nothing is lost:
#   nfnetlink, ip_conntrack_pptp, ip_conntrack_netlink, ip_conntrack_tftp,
#   ip_nat, ip_nat_pptp, ip_nat_tftp, ipt_layer7, ipt_string
# PF migration note: ip_conntrack_ftp / ip_nat_ftp are connection-tracking
# helpers that open RELATED pinholes for FTP data channels; PF has no
# in-kernel equivalent and uses ftp-proxy(8) instead. ip_gre is needed for
# the GRE (protocol 47) traffic referenced in fw_politicas.
#$LOAD nfnetlink

for mod in \
   ip_conntrack \
   ip_conntrack_ftp \
   ip_nat_ftp \
   ip_gre \
   ip_queue \
   ip_tables \
   iptable_filter \
   iptable_nat \
   iptable_mangle \
   ipt_helper \
   ipt_LOG \
   ipt_limit \
   ipt_state \
   ipt_MASQUERADE \
   ipt_multiport \
   ipt_tcpmss \
   ipt_TCPMSS
do
   "$LOAD" "$mod"
done
######################################################### EOF


/etc/rc.d/init.d/prodata/fw_kernel
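#___________________________________________________________________________
# Kernel (sysctl) hardening for the firewall host
#___________________________________________________________________________
# Every knob below is written through /proc/sys/net/ipv4. On PF hosts the
# equivalents live in sysctl.conf (net.inet.ip.forwarding,
# net.inet.ip.sourceroute, net.inet.ip.redirect, ...) and in the
# scrub / set options of pf.conf.

# Enable forwarding in the kernel (this box routes between interfaces)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Reverse-path filtering against spoofed source addresses. Turned off when
# IPSEC is in use because decapsulated tunnel traffic arrives on an
# interface the kernel would not route the reply through.
# NOTE(review): "2" is loose mode only on kernels >= 2.6.31; older kernels
# documented rp_filter as a boolean, so on the FC4 kernel this is most
# likely strict mode - verify before copying the semantics to PF
# (PF: "antispoof" / urpf-failed).
if [[ "${IPSEC:-}" == "sim" ]]; then
   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$f"; done
else
   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > "$f"; done
fi

# Don't respond to broadcast pings (smurf amplification protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Block source routing. The original wrote 1 here, which ACCEPTS
# source-routed packets despite its comment; 0 is the value that blocks
# them.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Kill TCP timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

# SYN cookies were left disabled by the previous admin; the TCPACCEPT chain
# in fw_politicas rate-limits SYNs instead. Consider enabling.
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Kill ICMP redirects. The original wrote 1, which ACCEPTS redirects and
# lets an on-link host rewrite this router's routes; 0 ignores them. With
# ip_forward=1 the kernel ANDs conf/all with the per-interface value, so
# setting conf/all is sufficient.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Ignore bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Local (ephemeral) port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

# Reduce DoS exposure by shortening timeouts. Disabling window scaling and
# SACK is not a security measure and costs throughput on fast links; the
# previous admin's reason is unknown, so they are kept as found.
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack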
################################################################### EOF



/etc/rc.d/init.d/prodata/fw_politicas
#___________________________________________________________________________
# LOG - Politica de Negacao de frames
#___________________________________________________________________________

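# Rate limits for log lines, so a flood cannot fill the log
LOGLIMIT="2/s"
LOGLIMITBURST="10"
# Overall limit for TCP-SYN-flood detection
TCPSYNLIMIT="5/s"
# Burst limit for TCP-SYN-flood detection
TCPSYNLIMITBURST="10"
# Overall limit for ping-flood detection
PINGLIMIT="5/s"
# Burst limit for ping-flood detection
PINGLIMITBURST="1"

# LOG_DROP: log (rate-limited, one prefix per protocol) and then drop.
# The commands were wrapped by the mail client in the original post; every
# iptables invocation must be on a single line or the script breaks.
# PF: "block ... log" on the rule plus pflog(4); rate-limit in syslog.
$FW -N LOG_DROP
$FW -A LOG_DROP -p tcp -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=TCP:1 a=DROP "
$FW -A LOG_DROP -p udp -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=UDP:2 a=DROP "
$FW -A LOG_DROP -p icmp -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=ICMP:3 a=DROP "
# Protocol 47 is GRE (PPTP data channel), hence the "VPN" prefix
$FW -A LOG_DROP -p 47 -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=VPN:4 a=DROP "
# -f matches second and later fragments. With ip_conntrack loaded, packets
# are generally reassembled before the filter table sees them, so this rule
# is unlikely to match; PF handles this with "scrub (fragment reassemble)".
$FW -A LOG_DROP -f -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=FRAGMENT:5 a=DROP "
# TCP packets opening a NEW conntrack entry without SYN (ACK/FIN scans, or
# state lost after a reload). The original logged these without a limit,
# so a scan could flood the log; the same limit as above is applied here.
# Such a packet also matched the tcp rule above, so it is logged twice.
$FW -A LOG_DROP -p tcp ! --syn -m state --state NEW -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=NEW nao SYN: "
$FW -A LOG_DROP -j DROP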

#___________________________________________________________________________
# LOG - Politica de Liberacao de frames
#___________________________________________________________________________

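# LOG_OK: log (rate-limited, syslog level 3 = err) and accept.
# Rejoined onto single lines; the posted version was wrapped by the mailer.
$FW -N LOG_OK
$FW -A LOG_OK -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-level 3 --log-prefix "fp=LOG_OK:3 a=ACCEPT "
$FW -A LOG_OK -j ACCEPT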

#___________________________________________________________________________
# LOG - Politica de Negacao TCP-SYN-Flood
#___________________________________________________________________________

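# LSYNFLOOD: target for SYNs over the TCPACCEPT limit - log (rate-limited)
# and drop. Rejoined onto single lines; the posted version was wrapped.
$FW -N LSYNFLOOD
$FW -A LSYNFLOOD -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$FW -A LSYNFLOOD -j DROP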

#___________________________________________________________________________
# TCP - Politica para Aceitar conexoes TCP verificando SYN-Floods
#___________________________________________________________________________

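# TCPACCEPT: admit TCP while rate-limiting connection attempts (SYN).
# Rules 1-2 accept SYNs under the limit, rule 3 logs/drops the excess,
# rule 4 accepts every non-SYN segment. Rejoined onto single lines; the
# posted version was wrapped by the mailer.
# Caveats for the PF migration:
#  * The limit is global, not per source: one peer sending 5 SYN/s makes the
#    firewall drop everyone's new connections. PF expresses this per source
#    with "max-src-conn-rate" (and overload <table>) on the pass rule.
#  * Rule 4 accepts non-SYN segments with no state check, so ACK/FIN/NULL
#    probes pass this chain; whether that is reachable depends on the rules
#    in the main script (not shown) that jump here. Stateful PF pass rules
#    with the default "flags S/SA" do not have this hole.
#  * Rule 2 (a SYN already in ESTABLISHED,RELATED state) is rarely if ever
#    matched; kept as found.
$FW -N TCPACCEPT
$FW -A TCPACCEPT -p tcp --syn -m limit --limit "$TCPSYNLIMIT" --limit-burst "$TCPSYNLIMITBURST" -j ACCEPT
$FW -A TCPACCEPT -p tcp -m state --state ESTABLISHED,RELATED --syn -m limit --limit "$TCPSYNLIMIT" --limit-burst "$TCPSYNLIMITBURST" -j ACCEPT
$FW -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$FW -A TCPACCEPT -p tcp ! --syn -j ACCEPT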

#___________________________________________________________________________
# SMB - Rejeita frames SMB (Netbios)
#___________________________________________________________________________

# SMB: silently drop NetBIOS/SMB (137-139, 445) in both directions, TCP and
# UDP. Rule order is the same as the original listing: TCP dport, UDP dport,
# TCP sport, UDP sport. PF: a single "block quick proto { tcp udp } from any
# port { 137 138 139 445 }" plus the "to any port" counterpart.
$FW -N SMB
for direction in --dport --sport; do
   for proto in tcp udp; do
      for port in 137 138 139 445; do
         $FW -A SMB -p "$proto" "$direction" "$port" -j DROP
      done
   done
done


#___________________________________________________________________________
# ICMP/TRACEROUTE (IN)
#___________________________________________________________________________

#Logging of possible Ping-Floods

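# LPINGFLOOD: target for echo-requests over PINGLIMIT - log (rate-limited)
# and drop. Rejoined onto single lines; the posted version was wrapped.
$FW -N LPINGFLOOD
$FW -A LPINGFLOOD -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$FW -A LPINGFLOOD -j DROP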

#___________________________________________________________________________

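# ICMPINBOUND: inbound ICMP policy. In the posted version the mailer wrapped
# two comments so that "logged/dropped" and "enabled)" stood on lines of
# their own without "#", i.e. they would be executed as commands; fixed.
$FW -N ICMPINBOUND

# Ping-flood protection: accept PINGLIMIT echo-requests/sec (burst
# PINGLIMITBURST), the rest is logged and dropped. Again a global limit,
# not per source. PF: "pass in inet proto icmp icmp-type echoreq" with
# max-src-conn-rate or a "set limit"/probability-based rule.
$FW -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit "$PINGLIMIT" --limit-burst "$PINGLIMITBURST" -j ACCEPT
$FW -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

# Block ICMP redirects (also covered by accept_redirects in fw_kernel when
# that fragment is enabled)
$FW -A ICMPINBOUND -p icmp --icmp-type redirect -j LOG_DROP

# Block ICMP timestamp (also covered by sysctl when enabled)
$FW -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LOG_DROP
$FW -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LOG_DROP

# Block ICMP address-mask (reduces OS-fingerprinting surface)
$FW -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP
$FW -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LOG_DROP

# Allow all other ICMP in (including destination-unreachable, which path
# MTU discovery depends on)
$FW -A ICMPINBOUND -p icmp -j ACCEPT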


#___________________________________________________________________________
# ICMP/TRACEROUTE (OUT)
#___________________________________________________________________________


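# ICMPOUTBOUND: outbound ICMP policy. As with ICMPINBOUND, the mailer left
# "enabled)" on bare lines and split one command across two lines; fixed.
$FW -N ICMPOUTBOUND

# Block ICMP redirects (also covered by sysctl when enabled)
$FW -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LOG_DROP

# Block ICMP TTL-expired. Windows tracert uses ICMP echo instead of UDP, so
# this hides the firewall from traceroutes passing through it; it also
# hides it from everyone debugging a path, so decide whether PF should
# keep this ("block out inet proto icmp icmp-type timex").
$FW -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LOG_DROP
$FW -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LOG_DROP

# Block ICMP parameter-problem
$FW -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LOG_DROP

# Block ICMP timestamp (also covered by sysctl when enabled)
$FW -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LOG_DROP
$FW -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LOG_DROP

# Block ICMP address-mask (reduces OS-fingerprinting surface)
$FW -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LOG_DROP
$FW -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LOG_DROP

# Accept all other ICMP going out
$FW -A ICMPOUTBOUND -p icmp -j ACCEPT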


#___________________________________________________________________________
# PING Server - Libera ICMP
#___________________________________________________________________________

# icmp_packets ("ping server"): accept echo-request (type 8) and
# time-exceeded (type 11) from anywhere. "-s 0/0" matches every source and
# is kept for fidelity with the original.
$FW -N icmp_packets
for icmp_type in 8 11; do
   $FW -A icmp_packets -p ICMP -s 0/0 --icmp-type "$icmp_type" -j ACCEPT
done

#___________________________________________________________________________
# PING Client - Libera ICMP
#___________________________________________________________________________

# icmp_ping ("ping client"): accept echo-request (type 8) and time-exceeded
# (type 11). Identical to icmp_packets apart from the missing "-s 0/0",
# which changes nothing; the two chains are presumably attached to
# different hooks in the main script (not shown).
$FW -N icmp_ping
for icmp_type in 8 11; do
   $FW -A icmp_ping -p ICMP --icmp-type "$icmp_type" -j ACCEPT
done
