forum.opennet.ru - "Помогите с правилами в ipfw" (1)

форумы

помощь

поиск

регистрация

майллист

ВХОД

слежка

"Помогите с правилами в ipfw"

Форумы Информационная безопасность (Public)
Вариант для распечатки		Пред. тема \| След. тема
Изначальное сообщение		[Проследить за развитием треда]

"Помогите с правилами в ipfw"
Сообщение от Ilya_s (ok) on 25-Ноя-05, 12:49 (MSK)
Добрый день. Достался "в наследство" шлюз на FreeBSD с криво настроенным ipfw. На машине должны быть открыты порты: 20,21 - FTP 22 - SSH 25 - SMTP 53 - DNS 80 - Apache 110 - POP3 3128 - Squid (только для пользователей LAN) Остальные порты надо закрыть. При проверке этой машины на открытость портов обнаружил, что открыт порт 31337 "Baron Night, BO client, BO2, Bo Facil, BackFire, Back Orifice, DeepBO" судя по описанию "http://sygatetech.com/quickscan.html" Начал смотреть правила файрвола и обнаружил, что они мягко говоря "дырявые": # xl0 - LAN # xl1 - Internet # 192.168.0.44 - FreeBSD router # 192.168.0.1-192.168.0.50 LAN users IP 00100 allow ip from any to any via lo0 00200 allow ip from any to any via xl0 00300 divert 8668 ip from any to any 00400 deny icmp from any to any frag 00450 allow ip from any to any via xl1 00500 allow icmp from any to any 00600 allow tcp from any to any 80 out xmit xl0 00700 allow tcp from any 80 to any out xmit xl0 00800 allow udp from any to any 53 00900 allow udp from any 53 to any 01000 allow udp from any to any 110 01100 allow udp from any 110 to any 01200 allow tcp from any to any 21 01300 allow tcp from any 20 to any 01400 allow tcp from any to any 20 01500 allow tcp from 192.168.0.5 22 to 192.168.0.44 01600 allow tcp from 192.168.0.44 to 192.168.0.5 22 01700 allow tcp from any to any 53,80,110 via xl1 65535 deny ip from any to any Очень "смущает" правило 450, видимо его надо заменить на нечто в виде: 00450 allow ip from (здесь наверное 192.168.0.1-192.168.0.50 или с помощью битовой маски) to any via xl1 и тогда наверное надо будет добавить еще одно правило вида 00450 allow ip from ME to any via xl1 Или не так? Где-то надо будет описать еще что все порты кроме указанных в правилах закрыты! Кстати, при проверке машины Win2k3, защищенной Kerio Winroute http://sygatetech.com/quickscan.html показывает, что нерабочие порты имеют статус "Blocked" (Ideally your status should be "Blocked". This indicates that your ports are not only closed, but they are completely hidden (stealthed) to attackers.) А при проверке машины c FreeBSD с ipfw нерабочие порты имеют статус "Closed". Собственно еще вопрос: Как сделать на ipfw блокирование портов, а не только их закрытие?
	Правка \| Высказать мнение \| Ответить \| Рекомендовать в FAQ \| Cообщить модератору \| Наверх

Оглавление

Помогите с правилами в ipfw, billy, 14:33 , 25-Ноя-05, (1)

Сообщения по теме [Сортировка по времени, UBB]

1. "Помогите с правилами в ipfw"

Сообщение от billy (ok) on 25-Ноя-05, 14:33  (MSK)

Ммм... Я не сильно мастер в этом и да пусть мне возражают те кто опытнее (мне же полезнее будет!), но мне кажется, что правило 200 исключает необходимость правил 600, 700, 1500 и 1600:
00200 allow ip from any to any via xl0
против
00600 allow tcp from any to any 80 out xmit xl0
00700 allow tcp from any 80 to any out xmit xl0
01500 allow tcp from 192.168.0.5 22 to 192.168.0.44
01600 allow tcp from 192.168.0.44 to 192.168.0.5 22
Также можно попробовать просто запретить правило 450:
#00450 allow ip from any to any via xl1
Правило 500 можно и не писать (данный трафик выше не запрещен):
#00500 allow icmp from any to any
Для почты можно так:
# Allow out send & get email function
$cmd 1000 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 1100 $skip tcp from any to any 110 out via $pif setup keep-state
в листинге ipfw -a list это будет выглядеть примерно так:
01000 allow tcp from any to any 25 keep-state out xmit xl1 setup
01100 allow tcp from any to any 110 keep-state out xmit xl1 setup
Также можно добавить следующее:
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16  to any in via xl1  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12   to any in via xl1  #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8      to any in via xl1  #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8     to any in via xl1  #loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via xl1  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via xl1  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24    to any in via xl1  #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via xl1  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3     to any in via xl1  #Class D & E multicast
# Deny ident
$cmd 315 deny tcp from any to any 113 in via xl1
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via xl1
$cmd 321 deny tcp from any to any 138 in via xl1
$cmd 322 deny tcp from any to any 139 in via xl1
$cmd 323 deny tcp from any to any 81  in via xl1
Вот мой конфиг стенки:
#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="xl1"     # public interface name of NIC
              # facing the public Internet

#$cmd 001 pipe 31 ip from any to 192.168.2.4 out via $pif
#$cmd 002 pipe 31 config 31 bw 128Kbit/s
$cmd 005 allow all from any to any via xl0
$cmd 010 allow all from any to any via lo0
#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state
$cmd 020 $skip udp from any to any 53 out via $pif
$cmd 021 $skip udp from any 53 to any in via $pif
# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
# Allow all for 192.168.2.62
$cmd 041 $skip tcp from 192.168.2.62 to any out via $pif setup keep-state
# Allow SWING
$cmd 042 $skip tcp from any to any 4430 out via $pif setup keep-state
#$cmd 045 $skip tcp from any to cyprus.payment.ru 4430 out via $pif setup keep-state
# Allow WebMail on Megafon
$cmd 043 $skip tcp from any to any 8101 out via $pif setup keep-state
# Allow ICQ
$cmd 046 $skip tcp from any to any 5190 out via $pif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state
# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
#$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast
# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81  in via $pif
# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif
# Allow in standard www function because I have Apache server
#$cmd 370 allow tcp from any to me 80 in via $pif setup
# Allow in secure FTP, Telnet, and SCP from public Internet
#$cmd 380 allow tcp from any to me 22 in via $pif setup
# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif
# Reject & Log all unauthorized out going connections to the public Internet
$cmd 450 deny log all from any to any out via $pif
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any

Удалить Правка | Высказать мнение | Ответить | Рекомендовать в FAQ | Cообщить модератору | Наверх

Архив | Удалить

Индекс форумов | Темы | Пред. тема | След. тема

Оцените тред (1=ужас, 5=супер)? [ 1 | 2 | 3 | 4 | 5 ]

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру

1. "Помогите с правилами в ipfw"
Сообщение от billy (ok) on 25-Ноя-05, 14:33 (MSK)
Ммм... Я не сильно мастер в этом и да пусть мне возражают те кто опытнее (мне же полезнее будет!), но мне кажется, что правило 200 исключает необходимость правил 600, 700, 1500 и 1600: 00200 allow ip from any to any via xl0 против 00600 allow tcp from any to any 80 out xmit xl0 00700 allow tcp from any 80 to any out xmit xl0 01500 allow tcp from 192.168.0.5 22 to 192.168.0.44 01600 allow tcp from 192.168.0.44 to 192.168.0.5 22 Также можно попробовать просто запретить правило 450: #00450 allow ip from any to any via xl1 Правило 500 можно и не писать (данный трафик выше не запрещен): #00500 allow icmp from any to any Для почты можно так: # Allow out send & get email function $cmd 1000 $skip tcp from any to any 25 out via $pif setup keep-state $cmd 1100 $skip tcp from any to any 110 out via $pif setup keep-state в листинге ipfw -a list это будет выглядеть примерно так: 01000 allow tcp from any to any 25 keep-state out xmit xl1 setup 01100 allow tcp from any to any 110 keep-state out xmit xl1 setup Также можно добавить следующее: ################################################################# # Interface facing Public Internet (Inbound Section) # Interrogate packets originating from the public Internet # destine for this gateway server or the private network. ################################################################# # Deny all inbound traffic from non-routable reserved address spaces $cmd 300 deny all from 192.168.0.0/16 to any in via xl1 #RFC 1918 private IP $cmd 301 deny all from 172.16.0.0/12 to any in via xl1 #RFC 1918 private IP $cmd 302 deny all from 10.0.0.0/8 to any in via xl1 #RFC 1918 private IP $cmd 303 deny all from 127.0.0.0/8 to any in via xl1 #loopback $cmd 304 deny all from 0.0.0.0/8 to any in via xl1 #loopback $cmd 305 deny all from 169.254.0.0/16 to any in via xl1 #DHCP auto-config $cmd 306 deny all from 192.0.2.0/24 to any in via xl1 #reserved for docs $cmd 307 deny all from 204.152.64.0/23 to any in via xl1 #Sun cluster $cmd 308 deny all from 224.0.0.0/3 to any in via xl1 #Class D & E multicast # Deny ident $cmd 315 deny tcp from any to any 113 in via xl1 # Deny all Netbios service. 137=name, 138=datagram, 139=session # Netbios is MS/Windows sharing services. # Block MS/Windows hosts2 name server requests 81 $cmd 320 deny tcp from any to any 137 in via xl1 $cmd 321 deny tcp from any to any 138 in via xl1 $cmd 322 deny tcp from any to any 139 in via xl1 $cmd 323 deny tcp from any to any 81 in via xl1 Вот мой конфиг стенки: #!/bin/sh # Flush out the list before we begin. ipfw -q -f flush # Set rules command prefix cmd="ipfw -q add" skip="skipto 800" pif="xl1" # public interface name of NIC # facing the public Internet #$cmd 001 pipe 31 ip from any to 192.168.2.4 out via $pif #$cmd 002 pipe 31 config 31 bw 128Kbit/s $cmd 005 allow all from any to any via xl0 $cmd 010 allow all from any to any via lo0 ################################################################# # check if packet is inbound and nat address if it is ################################################################# $cmd 014 divert natd ip from any to any in via $pif ################################################################# # Allow the packet through if it has previous been added to the # the "dynamic" rules table by a allow keep-state statement. ################################################################# $cmd 015 check-state $cmd 020 $skip udp from any to any 53 out via $pif $cmd 021 $skip udp from any 53 to any in via $pif # Allow out non-secure standard www function $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state # Allow all for 192.168.2.62 $cmd 041 $skip tcp from 192.168.2.62 to any out via $pif setup keep-state # Allow SWING $cmd 042 $skip tcp from any to any 4430 out via $pif setup keep-state #$cmd 045 $skip tcp from any to cyprus.payment.ru 4430 out via $pif setup keep-state # Allow WebMail on Megafon $cmd 043 $skip tcp from any to any 8101 out via $pif setup keep-state # Allow ICQ $cmd 046 $skip tcp from any to any 5190 out via $pif setup keep-state # Allow out secure www function https over TLS SSL $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state # Allow out send & get email function $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state # Allow out FreeBSD (make install & CVSUP) functions # Basically give user root "GOD" privileges. $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root # Allow out ping $cmd 080 $skip icmp from any to any out via $pif keep-state # Allow out Time $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state # Allow out nntp news (i.e. news groups) $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state # Allow out secure FTP, Telnet, and SCP # This function is using SSH (secure shell) #$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state # Allow out whois $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state # Allow ntp time server $cmd 130 $skip udp from any to any 123 out via $pif keep-state ################################################################# # Interface facing Public Internet (Inbound Section) # Interrogate packets originating from the public Internet # destine for this gateway server or the private network. ################################################################# # Deny all inbound traffic from non-routable reserved address spaces $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast # Deny ident $cmd 315 deny tcp from any to any 113 in via $pif # Deny all Netbios service. 137=name, 138=datagram, 139=session # Netbios is MS/Windows sharing services. # Block MS/Windows hosts2 name server requests 81 $cmd 320 deny tcp from any to any 137 in via $pif $cmd 321 deny tcp from any to any 138 in via $pif $cmd 322 deny tcp from any to any 139 in via $pif $cmd 323 deny tcp from any to any 81 in via $pif # Deny any late arriving packets $cmd 330 deny all from any to any frag in via $pif # Deny ACK packets that did not match the dynamic rule table $cmd 332 deny tcp from any to any established in via $pif # Allow in standard www function because I have Apache server #$cmd 370 allow tcp from any to me 80 in via $pif setup # Allow in secure FTP, Telnet, and SCP from public Internet #$cmd 380 allow tcp from any to me 22 in via $pif setup # Reject & Log all unauthorized incoming connections from the public Internet $cmd 400 deny log all from any to any in via $pif # Reject & Log all unauthorized out going connections to the public Internet $cmd 450 deny log all from any to any out via $pif # This is skipto location for outbound stateful rules $cmd 800 divert natd ip from any to any out via $pif $cmd 801 allow ip from any to any # Everything else is denied by default # deny and log all packets that fell through to see what they are $cmd 999 deny log all from any to any
Удалить	Правка \| Высказать мнение \| Ответить \| Рекомендовать в FAQ \| Cообщить модератору \| Наверх

Архив \| Удалить	Индекс форумов \| Темы \| Пред. тема \| След. тема
Оцените тред (1=ужас, 5=супер)? [ 1 \| 2 \| 3 \| 4 \| 5 ]