At 08:49 12/22/2007, Ian Smith wrote:
>Warning: overlong message.
> > > > >W. D. wrote:
> > OK, sorry. I guess I just assumed that it would be obvious
> > that this is a Web server. ("Never assume anything, my good
> > fellow" - Sherlock Holmes).
> > By the way, it is/will be running Plesk server management
> > software, if it matters:
> > http://www.swsoft.com/en/products/plesk/reqs/
>
>I know nothing of Plesk, but doubt it's relevant to this now.
>
> > Also, this server is on an internal LAN before I subject
> > it to the wild, untamed, InterWeb, with its dangerous
> > internets darting back and forth inside all of the tubes.
>
>Really good idea.
>
> > > > >> add allow all from any to any via lo0
> > > > >> add deny ip from any to 127.0.0.0/8
> > > > >> add deny ip from 127.0.0.0/8 to any
> > >
> > >That's ok. It may help you in debugging what's happening to use:
> >
> > allow log tcp from any to any in established
> > allow log tcp from any to any out established
>In that case 'me to any' or 'any to me' provides unambiguous direction
>where appropriate. As shown in your ipfw show below, direction can help
>make things clear, and clarity means safety when it comes to firewalls,
>even if it means a slightly larger ruleset.
>
> > > > >> # Deny fragmented packets:
> > > > >> add deny ip from any to any frag
> >
> > > > >> # Show pings:
> > > > >> add count icmp from any to any icmptypes 8 in
> > > > >
> > >
> > >That's inbound ping requests. Don't forget that 'inbound' means coming
> > >into the firewall, not necessarily from the outside world. Your own
> > >ping requests _from_ this box also have to both come in, and go out.
> >
> > Hmmm. OK. Outbound Ping will be rarely used, but should
> > be allowed. Isn't that included in the next rule?
>
>Yes it is, so here ambiguous directionality works ok, as long as you're
>well aware of it.
>
> > > > >> # Allow pings, ping replies, and host unreach:
> > > > >> add allow icmp from any to any icmptypes 0,8,3
> > >
> > >Add icmptype 11 as well if you want traceroutes to work ..
>
> > >Ok, though udp rules are often better done statefully. See below.
> > >
> > > > >> # Allow DNS with name server
> > > > >> add allow udp from any to any domain out
> > > > >> add allow udp from any domain to any in
> > > > >Nope.
> > >
> > >You want to watch out here. This allows udp packets from any address
> > >with source port 53 to connect with any open udp port on your system,
> > >and allows the responses as well. It's a simple matter using such as
> > >netcat to source packets from port 53.
> >
> > Should I restrict it by specifically stating the service?
> > How can I be safe? What would the rule look like?
> >
> > >I gather from this that you're not running a DNS server yourself, but
> > >using upstream server/s? In that case a stateful rule is safer:
> >
> > Again, I apologize for not being clear. I will be running
> > DNS on this box for the domains being hosted. So, it will
> > be polled whenever a request for a hosted domain is needed.
>
>Ok, so your nameserver will be making upstream requests too, and you'll
>need to do TCP 53 traffic with your secondary nameserver/s as well as
>UDP 53 traffic with upstream nameservers, up to the root unless you're
>only using specified upstream forwarders. Given that you're checking TCP
>setup, allowing established, then maybe:
>
> allow udp from me to any 53 out keep-state # my requests
> allow udp from any to me 53 in keep-state # serve outside requests
> allow tcp from me to $secondaries 53 setup # zone transfers out
> allow tcp from $secondaries to me 53 setup # zone transfers in

What is $secondaries?

>
>though you'll want to protect named with ACLs for xfers as well.

"ACLs"? What are those?
> > > > >> # SSH
> > > > >> # Note that /etc/hosts.allow has restrictions
> > > > >> # on which IP addresses are allowed.
> > > > >> #
> > > > >> # Allow SSH:
> > > > >> add allow tcp from any to any ssh in setup
> > >
> > >By 'ssh working', I guess you mean ssh connections to this box from
> > >elsewhere, rather than ssh connections from this box? Not clear.
> >
> > Sorry! I am using SSH into this box, since it is easier to
> > cut and paste for editing and configuration.
> >
> > I can't really see a situation where I would normally need to SSH
> > outbound, can you? I use the Windoze boxes for that.
>
>You never know; you may want to use ssh or scp to other boxes, for
>backups and such, but you can always add rules whenever required.
>
> > > > >> # HTTP & HTTPS:
> > > > >> add allow tcp from any to any https in setup
> > > > >> add allow tcp from any to any http in setup
> > > > >
> > >
>access to only your LAN. Will this webserver later have a public IP
>address, or run behind NAT with port forwarding?

Public IP.

>
> > > > >> # FTP:
> > > > >> add allow tcp from any to any ftp in setup
> > > > >> add allow tcp from any to any ftp-data in setup
> > > > >> add allow tcp from any ftp-data to any setup out
>
> > >Mmm, I prefer using and enforcing FTP passive mode, but YMMV.
> >
> > How would I do that? This guy doesn't think it's even
> > possible:
> > http://tinyurl.com/2z6ynr
>
>Mmm, ok. Passive mode needs allowing connections to this port range
> net.inet.ip.portrange.hifirst: 49152
> net.inet.ip.portrange.hilast: 65535
>which is adjustable, but I'm unsure of my ground regarding ftp - pass.

How would I write this as a rule?
> > > # Allow access to our WWW
> > > $ add pass tcp from any to $ 80 setup
> > >
> > > # Reject&Log all setup of incoming connections from the outside
> > > $ add deny log tcp from any to any in via $ setup
> > >
> > > # Allow setup of any other TCP connection
> > > $ add pass tcp from any to any setup
> >
> > I really don't get the above rule. Isn't it saying that
> > *any* kind of TCP connection can come in or go out initially?
>
>Yes, but only AFTER denying & logging any unaccounted for inbound setup
>requests on the outside interface. The last rule therefore allows setup
>of a) TCP requests from this box to anywhere, and b) setup requests from
>any boxes 'behind' this box on the LAN. You don't have any (b) but may
>need (a) to access external services (anything: c{,v}sup comes to mind);
>you may rather limit these to specific services or from uid root etc,
>and having no other interfaces, can use from 'me' rather than 'any'.
>
> > In my set, should I include some "out" rules like this:
> >
> > add allow tcp from any to any https out setup
> > add allow tcp from any to any http out setup
>
>Again, 'any to any' is too broad a brush. Once you allow everything you
>want to in from outside addresses (which currently includes your LAN on
>your outside interface!) and then deny the rest there, then 'pass tcp
>from me to any setup' is safe, and covers the above, and anything else.
>
> > > > should allow connections that are "setup" to
> > > > continue. Do I need a "check-state" or "keep-state"
> > > > statement somewhere?
> > >
> > >No, though you can use stateful TCP rules if you want to, in which case
> > >you'll want to DENY established connections. Personally I find relying
> > >on the TCP state established by using 'setup' and 'established' fine for
> > >TCP, but tend to use keep-state for UDP and some ICMP rules.
> >
> > That sounds reasonable.
>
>Since you've logged some denied packets, searching denied packets in
>/var/log/security should show you exactly what they are to debug this,
>no need to speculate. However for this rule try maybe 'logamount 500'
>along with running tcpdump in another console till you spot the problem.
>
>Whenever you like, without reloading others, you can do eg:
>
> # ipfw delete 2400; ipfw add 2400 deny log logamount 500 ip from any to any
>
>and of course run 'ipfw resetlog 2400' anytime you want some more.
>
> > > > Besides adding the "log" keyword on all of the rules,
> > > > these are the debugging tools I have been using:
> > > >
> > > > ipfw disable firewall
> > > > ipfw -f flush
> > > > ipfw enable firewall
> > > > /etc/rc.d/ipfw start
> > > > ipfw -a -S -N -t list
> > > > ipfw list
> > > > tail -f /var/log/ipfw/ipfw.log
>
>Ah right, you're not using /var/log/security. Is ipfw.log working ok?
>
> > > > tcpdump -i nve0 'proto tcp && port http'
>
>Doesn't that show incoming http setup requests, and responses (or not)?
>
>I'd use 'tcpdump -pn -i nve0 tcp port 80' to keep it simple and numeric.
>
> > netstat -finet -a
> > > >
> > Am using this link, since "man ipfw" doesn't work on 6.2. (I dare
> > someone to explain to me how to get it to work):
> > http://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8
>
>That's weird. Does man work for others in section 8, eg man mount ?

Nope. How to get working?

Here is my latest /etc/ipfw.rules. Please critique:

# Filename: ipfw.rules
# Description: ipfw firewall ruleset
# Location: /etc/ipfw.rules
# Date: 2007 Dec 29
# By default, everything is denied access. You
# need to specifically allow something for it
# to work.
# Debugging tools:
#
# Check the syntax of the rules file:
#
# ipfw -n /etc/ipfw.rules
#
#
# Stop, then restart ipfw:
#
# ipfw disable firewall; /etc/rc.d/ipfw start
#
#
# Flush rules:
#
# ipfw -f flush
#
#
# List firewall hits:
#
# ipfw -a -S -N -t list
#
#
# Zero out hits counter:
#
# ipfw zero
#
#
# View the log:
#
# tail -f /var/log/ipfw/ipfw.log
#
# Others:
#
# ipfw show
# tcpdump -i nve0 'proto tcp && port http'
# netstat -finet -a
# Loopback: ==================================
# Allow anything on the local loopback:
add allow all from any to any via lo0
# ============================================
# Disallow Spoofers: =========================
#
# For more info, see:
# RFC3330
# http://en.wikipedia.org/wiki/Private_network
#
# "This" Network:
add deny log ip from any to 0.0.0.0/8 in
add deny log ip from 0.0.0.0/8 to any in
# IANA Reserved:
add deny log ip from any to 1.0.0.0/8 in
add deny log ip from 1.0.0.0/8 to any in
# IANA Reserved:
add deny log ip from any to 2.0.0.0/8 in
add deny log ip from 2.0.0.0/8 to any in
# Class A Private Network:
add deny log ip from any to 10.0.0.0/8 in
add deny log ip from 10.0.0.0/8 to any in
# Localhost:
add deny log ip from any to 127.0.0.0/8 in
add deny log ip from 127.0.0.0/8 to any in
# Link Local/Auto-Config:
add deny log ip from any to 169.254.0.0/16 in
add deny log ip from 169.254.0.0/16 to any in
# Class B Private Network:
add deny log ip from any to 172.16.0.0/12 in
add deny log ip from 172.16.0.0/12 to any in
# TEST-NET/Examples:
add deny log ip from any to 192.0.2.0/24 in
add deny log ip from 192.0.2.0/24 to any in
# Class C Private Network:
add deny log ip from any to 192.168.0.0/16 in
add deny log ip from 192.168.0.0/16 to any in
# IPV6to4 relay anycast addresses:
add deny log ip from any to 192.88.99.0/24 in
add deny log ip from 192.88.99.0/24 to any in
# Interconnect Benchmarks:
add deny log ip from any to 198.18.0.0/15 in
add deny log ip from 198.18.0.0/15 to any in
# Multicast:
add deny log ip from any to 224.0.0.0/3 in
add deny log ip from 224.0.0.0/3 to any in
# Class E Reserved:
add deny log ip from any to 240.0.0.0/4 in
add deny log ip from 240.0.0.0/4 to any in
# Spoofers ===================================
# Initialize the system to keep track of states:
add check-state
# ============================================
# Allow already established connections. These
# connections are allowed by the subsequent
# rules listed below this one.
add allow tcp from any to me in established
add allow tcp from me to any out established
# ============================================
# Deny fragmented packets: ===================
add deny log ip from any to any frag
# ============================================
# ICMP - Pings: ==============================
# Count inbound pings (8 = Echo Request)
add count icmp from any to any icmptypes 8 in
# Allow pings, ping replies, and host unreach:
# 0 = Echo Reply
# 3 = Destination Unreachable
# 8 = Echo Request
# 11 = Time-to-Live exceeded (for traceroute)
add allow icmp from any to any icmptypes 0,8,3,11
# ICMP =======================================
# Allow UDP traceroutes: =====================
add allow udp from any to any 33434-34458 in
add allow udp from any 33434-34458 to any out
# ============================================
# DNS (Port 53): ============================
# add allow udp from any to any domain out
# add allow udp from any domain to any in
# My DNS requests
add allow udp from me to any 53 out keep-state
# Serve outside DNS requests
add allow udp from any to me 53 in keep-state
# DNS Zone transfers out
# ??? add allow tcp from me to $secondaries 53 setup
# DNS Zone transfers in
# ??? add allow tcp from $secondaries to me 53 setup
# DNS ========================================
# SSH (Port 22) ==============================
# Note that /etc/hosts.allow has restrictions
# on which IP addresses are allowed.
#
add allow tcp from any to me ssh in setup
add allow tcp from me to any ssh in setup
# SSH ========================================
# HTTP: ======================================
# HTTP (Port 80):
add allow tcp from any to me http in setup
add allow tcp from me to any http in setup
# HTTPS (Port 443):
add allow tcp from any to me https in setup
# HTTPS for Plesk Server Administrator (Port 8443):
add allow tcp from any to me dst-port 8443 in setup
# HTTP = ======================================
# MAIL: ======================================
# POP3 (Port 110)
add allow tcp from any to me pop3 in setup
# POP3S (Port 995)
add allow tcp from any to me pop3s in setup
# SMTP (Port 25):
add allow tcp from any to me smtp in setup
# SMTPS (Port 465):
add allow tcp from any to me smtps in setup
# IMAP (Port 143):
add allow tcp from any to me imap in setup
# IMAPS (Port 993):
add allow tcp from any to me imaps in setup
# MAIL =======================================
# FTP (Port 21): =============================
add allow tcp from any to me ftp in setup
add allow tcp from me to any ftp in setup
# FTP Data (Port 20):
add allow tcp from any to me ftp-data in setup
add allow tcp from any ftp-data to me setup out
# FTP Passive (Ports 10000-65000):
add allow tcp from me to any 10000-65000 in setup
# FTPS (Port 990):
add allow tcp from any to me ftps in setup
add allow tcp from me to any ftps in setup
# FTP ========================================
# Allow NTP in and out to Navobs.WUstl.edu:
add allow udp from me ntp to 128.252.19.1 ntp out
add allow udp from 128.252.19.1 ntp to me ntp in
# NTP ========================================
# Allow UserID of "root" unfettered access:
add allow tcp from me to any out setup uid root
# ============================================
# MySQL (Port 3306): =========================
# add allow tcp from any to me 3306 in setup
# add allow tcp from me to any 3306 in setup
# MySQL ======================================
# PgSQL (Port 5432): =========================
# add allow tcp from any to me 5432 in setup
# add allow tcp from me to any 5432 in setup
# PgSQL ======================================
# TomCat (Port 9080): ========================
# add allow tcp from any to me 9080 in setup
# add allow tcp from me to any 9080 in setup
# TomCat =====================================
# Plesk Server Administrator - PSA ===========
# Get updates on port 5224
add allow tcp from me to 64.131.90.31 dst-port 5224 out setup
# add allow tcp from 64.131.90.31 to me dst-port 5224 in setup
# ============================================
# Deny and log everything else: ==============
add deny log ip from any to me in
add deny log ip from any to me out
add deny log ip from me to any in
add deny log ip from me to any out
add deny log udp from any to me in
add deny log udp from any to me out
add deny log udp from me to any in
add deny log udp from me to any out
# ============================================
Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
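Ian's three points above (that 'any to any' without in/out/via leaves direction ambiguous, that 'me' pins direction down, and that 'allow udp from any domain to any in' admits anything sourced from port 53) can be checked mechanically against a ruleset like the one posted. The script below is an added example, not code from the thread or from ipfw; it assumes a single-interface host that forwards no traffic for others, parses only the plain 'from X [port] to Y [port]' rule form used above, and runs over a constructed sample of rules copied from the posted ruleset.

```python
DIRECTION = {"in", "out"}
STATEFUL = {"keep-state", "check-state"}
END_OF_ADDR = DIRECTION | STATEFUL | {"via", "setup", "established", "frag", "uid", "icmptypes"}

def _addr_port(tokens):
    """Split an address clause like ['me', '53'] into (address, port)."""
    addr = tokens[0] if tokens else "any"
    rest = tokens[1:]
    if rest and rest[0] in ("src-port", "dst-port"):
        rest = rest[1:]
    return addr, (rest[0] if rest else None)

def lint_rule(line):
    """Return findings for one ipfw 'add' rule line (empty list = fine)."""
    t = line.split()
    if not t or t[0].startswith("#") or "add" not in t[:2]:
        return []
    t = t[t.index("add") + 1:]
    if t and t[0].isdigit():  # optional rule number, e.g. 'add 2400 deny ...'
        t = t[1:]
    action, opts = t[0], set(t)
    if action == "check-state" or "from" not in t or "to" not in t:
        return []
    fi, ti = t.index("from"), t.index("to")
    src = _addr_port(t[fi + 1:ti])
    rest = t[ti + 1:]
    end = next((i for i, x in enumerate(rest) if x in END_OF_ADDR), len(rest))
    dst = _addr_port(rest[:end])
    findings = []
    if src[0] == dst[0] == "any" and not (opts & DIRECTION) and "via" not in opts:
        findings.append("ambiguous direction: 'any to any' without in/out/via")
    # Packets this host sources are outbound, so 'from me ... in' is dead on a
    # one-NIC box that forwards nothing (assumption); likewise 'to me ... out'.
    if src[0] == "me" and "in" in opts and "out" not in opts:
        findings.append("'from me ... in' never matches (host-sourced = outbound)")
    if dst[0] == "me" and "out" in opts and "in" not in opts:
        findings.append("'to me ... out' never matches (host-bound = inbound)")
    # Allowing on source port alone lets anyone who sources from that port in.
    if (action in ("allow", "pass") and src[1] and dst[0] == "any"
            and dst[1] is None and not (opts & STATEFUL)):
        findings.append(f"admits any packet whose source port is {src[1]}")
    return findings

def lint_ruleset(lines):
    return {l: lint_rule(l) for l in lines if lint_rule(l)}

SAMPLE_RULES = [  # constructed sample: rules copied from the posted ruleset
    "add allow all from any to any via lo0",
    "add allow udp from any domain to any in",
    "add allow tcp from me to any ssh in setup",
    "add allow icmp from any to any icmptypes 0,8,3,11"]
```

Running lint_ruleset over a whole /etc/ipfw.rules (one line per rule) flags the same classes of rule the reply discusses; the icmp 'any to any' hit is the case Ian calls acceptable as long as you know it is there.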