So I think a number of people were confused about what DFD actually *did*.

I think this is best explained by an example.

Here is a sample transcript; bash$ is the Unix command line and
dfd_keeper> is the dfd command line.  Basically I connect up, show the
rules in the example script, block the IP address 1.2.3.4, show what
it did, then exit.

bash$ nc localhost 8007
Your wish is my command.
dfd_keeper>show
nat on xl2 from xl1:network to any -> (xl2)

# Allow all loopback traffic.
pass quick on lo0

# Default deny.
block all

# Allow LAN to bomb out quickly.
block return on xl1

# Don't allow other networks to impersonate LAN.
antispoof quick for xl1

# Block leakage of LAN stuff to anywhere else.
block out log quick on ! xl1 to xl1:network

# Block hosts we have specified in both directions.
block in log quick on xl2 from [] to any
block out log quick on xl2 from any to []

# Allow firewall to talk to LAN.
pass out quick on xl1 from xl1 to xl1:network keep state

# Allow anything in from LAN that isn't destined to the LAN.
pass in quick on xl1 to ! xl1:network keep state allow-opts

# Allow LAN hosts to SSH into this box.
pass in quick on xl1 proto tcp from any to xl1 port ssh flags S/SA

# Allow connections out WAN, and randomize SEQ #s.
pass out quick on xl2 all modulate state allow-opts

It is done.
dfd_keeper>help
drop_state:
        Drop a particular state table entry.  Takes src and optional dst.
flush:
        Flush the state table.  This is done automatically.
sync:
        Synchronize the rules with pf.  This is done automatically.
show:
        This command shows the active rules to the client.
help:
        Show help to the user.  A command may be provided as an argument.
wan:
        Switches on/off connectivity with the Internet.
        For emergencies only!
block:
        block [add|del] host
        Block an IP from sending in data via WAN interface either direction.
        XXX: Assumes it is on the remote side of that interface.
It is done.
dfd_keeper>block add 1.2.3.4
It is done.
dfd_keeper>show
nat on xl2 from xl1:network to any -> (xl2)

# Allow all loopback traffic.
pass quick on lo0

# Default deny.
block all

# Allow LAN to bomb out quickly.
block return on xl1

# Don't allow other networks to impersonate LAN.
antispoof quick for xl1

# Block leakage of LAN stuff to anywhere else.
block out log quick on ! xl1 to xl1:network

# XXX This is what appeared by magic
# Block hosts we have specified in both directions.
block in log quick on xl2 from 1.2.3.4 to any
block out log quick on xl2 from any to 1.2.3.4

# Allow firewall to talk to LAN.
pass out quick on xl1 from xl1 to xl1:network keep state

# Allow anything in from LAN that isn't destined to the LAN.
pass in quick on xl1 to ! xl1:network keep state allow-opts

# Allow LAN hosts to SSH into this box.
pass in quick on xl1 proto tcp from any to xl1 port ssh flags S/SA

# Allow connections out WAN, and randomize SEQ #s.
pass out quick on xl2 all modulate state allow-opts

It is done.
dfd_keeper>block add 2.3.4.5
It is done.
dfd_keeper>show
nat on xl2 from xl1:network to any -> (xl2)

# Allow all loopback traffic.
pass quick on lo0

# Default deny.
block all

# Allow LAN to bomb out quickly.
block return on xl1

# Don't allow other networks to impersonate LAN.
antispoof quick for xl1

# Block leakage of LAN stuff to anywhere else.
block out log quick on ! xl1 to xl1:network

# Block hosts we have specified in both directions.
block in log quick on xl2 from { 1.2.3.4 2.3.4.5 } to any
block out log quick on xl2 from any to { 1.2.3.4 2.3.4.5 }

# Allow firewall to talk to LAN.
pass out quick on xl1 from xl1 to xl1:network keep state

# Allow anything in from LAN that isn't destined to the LAN.
pass in quick on xl1 to ! xl1:network keep state allow-opts

# Allow LAN hosts to SSH into this box.
pass in quick on xl1 proto tcp from any to xl1 port ssh flags S/SA

# Allow connections out WAN, and randomize SEQ #s.
pass out quick on xl2 all modulate state allow-opts

It is done.
dfd_keeper>exit
bash$
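
The transcript above shows the whole trick: the example script carries a
"[]" placeholder in the two block rules, and each "block add" rewrites it
as a single host or a pf list like "{ 1.2.3.4 2.3.4.5 }" before the
ruleset is synced to pf.  The following is an added illustration of that
placeholder expansion, written for this post and not dfd_keeper's own
code; the class and function names are my own, and the choice to drop a
placeholder rule when no hosts are blocked is an assumption (the "show"
output prints the bare template, and the post does not say what gets
loaded into pf in that case).  The one check worth noticing is that only
a syntactically valid IP address is ever spliced into the rule text, so a
client on port 8007 cannot smuggle pf syntax through the command channel.

```python
import ipaddress

# Constructed sample template: the two rules from the example script that
# carry the "[]" placeholder, plus one rule that does not.
SAMPLE_TEMPLATE = """\
# Block hosts we have specified in both directions.
block in log quick on xl2 from [] to any
block out log quick on xl2 from any to []

# Allow connections out WAN, and randomize SEQ #s.
pass out quick on xl2 all modulate state allow-opts
"""


class BlockList:
    """In-memory state behind a 'block [add|del] host' command (hypothetical)."""

    def __init__(self):
        self._hosts = []  # insertion order kept so rendered output is stable

    def add(self, host):
        # Accept only a valid IPv4/IPv6 address.  Free text from the command
        # socket is spliced into a ruleset, so braces, '!' or newlines must
        # never get through; ipaddress.ip_address raises ValueError otherwise.
        normalized = str(ipaddress.ip_address(host.strip()))
        if normalized not in self._hosts:
            self._hosts.append(normalized)
        return normalized

    def delete(self, host):
        normalized = str(ipaddress.ip_address(host.strip()))
        self._hosts.remove(normalized)  # ValueError if it was never blocked
        return normalized

    def render(self):
        """pf expression standing in for '[]': one host, or a braced list."""
        if not self._hosts:
            return None
        if len(self._hosts) == 1:
            return self._hosts[0]
        return "{ " + " ".join(self._hosts) + " }"


def expand_template(template, blocklist):
    """Replace every '[]' in the template with the rendered block list.

    Assumption (not stated in the post): a rule that still carries a
    placeholder while the list is empty is omitted rather than synced.
    """
    filler = blocklist.render()
    out = []
    for line in template.splitlines():
        if "[]" in line:
            if filler is None:
                continue
            line = line.replace("[]", filler)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    bl = BlockList()
    bl.add("1.2.3.4")
    bl.add("2.3.4.5")
    print(expand_template(SAMPLE_TEMPLATE, bl))
```

Run as a script it prints the same two block rules the third "show" in the
transcript displays; feeding "1.2.3.4; pass all" to add() is rejected
before it can reach the ruleset.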

So... this is gearing up for prime time.  I'm planning on writing a
sniffer very soon that will do stuff like properly support bittorrent
behind NAT (assuming only one client at a time) and other fun stuff
like portknocking (a/k/a single packet authentication).  Since OpenBSD
shows logged packets as appearing on a pflog interface, this is easy
to do with a libpcap-based sniffer.  Of course it is trivial to set up
snort to shun attackers (using the above block command already there
in the example script) and logwatchers to shun people attempting to
brute-force SSH passwords.

I also have a volunteer taking over the netfilter implementation,
which makes me very happy.  Perhaps this can be rolled up into a Live!
distro for firewalls or something.

If you have any other uses for changing firewall rules dynamically,
then I'd love to hear them!  dfd_keeper can already peacefully coexist
with anchors and tables....
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
