Published: 06.08.2012 | Access: free | Students: 1328 / 46 | Rating: 5.00 / 5.00 | Duration: 53:41:00
Lecture 22:

Firewalls, IP aliasing and proxies

The simple profile

Despite the name, the simple profile is really a (simple) server profile. It assumes that the machine is a gateway, and that it supplies DNS and NTP services to the outside world (for example, to the client machine we just looked at). This profile is more appropriate for the system http://gw.example.org, so we'll use its addresses.

# set these to your outside interface network and netmask and ip
oif="tun0"
onet="139.130.136.133"
omask="255.255.255.255"
oip="139.130.136.133"
# set these to your inside interface network and netmask and ip
iif="ep0"
inet="223.147.37.0"
imask="255.255.255.0"
iip="223.147.37.0"

These addresses and networks correspond to the PPP link and the local ethernet, respectively.

#Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} 
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

These two rules stop any packets purporting to come from the local network that arrive via the external network, and any packets purporting to come from the remote network that arrive via the local interface. These packets would have been faked, an action known as spoofing.

#Stop RFC1918 nets on the outside interface 
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif} 
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif} 
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

RFC 1918 defines networks that should not be routed. These rules enforce that requirement.

At this point in the file there are also rules for some other addresses that should not be routed. Before adding them, the script checks whether address translation is in use, because non-routed addresses are typically used inside NAT environments.

#Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
#Allow IP fragments to pass through 
${fwcmd} add pass all from any to any frag
#Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup
#Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
#Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup

These rules add to what we saw for the client profile: in addition to email, we allow incoming DNS and WWW connections.

#Reject&Log all setup of incoming connections from the outside 
${fwcmd} add deny log tcp from any to any in via ${oif} setup
#Allow setup of any other TCP connection 
${fwcmd} add pass tcp from any to any setup

Here, we don't just reject TCP setup requests from the outside world, we log them as well.

#Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state 
#Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state 
#Everything else is denied as default.

Finally, we allow outgoing DNS and NTP queries over UDP; keep-state lets the corresponding replies back in, and the default rule denies everything else.
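To see why the order of these rules matters (anti-spoofing before anything else, established before setup, the logging deny before the general pass, and keep-state for the UDP replies), here is an added example that walks constructed packets through the simple profile in ipfw's first-match order. It is not code from the page or from FreeBSD's rc.firewall: the rule numbers are illustrative (rc.firewall lets ipfw number the rules itself), the Packet fields are an abstraction of what ipfw inspects, and the flow set is a deliberately small stand-in for ipfw's dynamic rules.

```python
# Added example: first-match evaluation of the "simple" profile rules above.
# Not rc.firewall code; rule numbers, packets and the state model are assumptions.
import ipaddress
from dataclasses import dataclass

OIF, IIF = "tun0", "ep0"                          # outside / inside interface
ONET = ipaddress.ip_network("139.130.136.133/255.255.255.255")
INET = ipaddress.ip_network("223.147.37.0/255.255.255.0")
OIP = "139.130.136.133"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    iface: str                 # interface the packet crosses
    direction: str             # "in" or "out"
    sport: int = 0
    dport: int = 0
    setup: bool = False        # TCP SYN without ACK (ipfw "setup")
    established: bool = False  # TCP with ACK or RST set (ipfw "established")
    frag: bool = False         # non-first IP fragment (ipfw "frag")


def _in(addr, net):
    return ipaddress.ip_address(addr) in net


def _flow(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _reverse(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


# (number, action, keep_state, description, predicate), in the order
# rc.firewall adds them; evaluation stops at the first match.
RULES = [
    (100, "deny", False, "spoof: inside net arriving in via outside iface",
     lambda p: p.direction == "in" and p.iface == OIF and _in(p.src, INET)),
    (200, "deny", False, "spoof: outside address arriving in via inside iface",
     lambda p: p.direction == "in" and p.iface == IIF and _in(p.src, ONET)),
    (300, "deny", False, "RFC 1918 destination via outside iface",
     lambda p: p.iface == OIF and any(_in(p.dst, n) for n in RFC1918)),
    (400, "pass", False, "tcp established",
     lambda p: p.proto == "tcp" and p.established),
    (500, "pass", False, "ip fragments", lambda p: p.frag),
    (600, "pass", False, "smtp setup to us",
     lambda p: p.proto == "tcp" and p.dst == OIP and p.dport == 25 and p.setup),
    (700, "pass", False, "dns tcp setup to us",
     lambda p: p.proto == "tcp" and p.dst == OIP and p.dport == 53 and p.setup),
    (710, "pass", False, "dns udp to us",
     lambda p: p.proto == "udp" and p.dst == OIP and p.dport == 53),
    (720, "pass", False, "dns udp from us",
     lambda p: p.proto == "udp" and p.src == OIP and p.sport == 53),
    (800, "pass", False, "www setup to us",
     lambda p: p.proto == "tcp" and p.dst == OIP and p.dport == 80 and p.setup),
    (900, "deny log", False, "inbound tcp setup from outside",
     lambda p: p.proto == "tcp" and p.setup and p.direction == "in" and p.iface == OIF),
    (1000, "pass", False, "any other tcp setup",
     lambda p: p.proto == "tcp" and p.setup),
    (1100, "pass", True, "dns query out, keep-state",
     lambda p: p.proto == "udp" and p.src == OIP and p.dport == 53),
    (1200, "pass", True, "ntp query out, keep-state",
     lambda p: p.proto == "udp" and p.src == OIP and p.dport == 123),
    (65535, "deny", False, "default rule", lambda p: True),
]


def evaluate(p, state=None):
    """Return (rule_number, action, description) of the first matching rule.

    `state` is a set of flow tuples standing in for ipfw's dynamic rules: a
    keep-state rule records the flow it passes, and the first keep-state rule
    reached also acts as a check-state, as it does in ipfw.
    """
    state = set() if state is None else state
    checked = False
    for number, action, keep, desc, match in RULES:
        if keep and not checked:
            checked = True
            if _flow(p) in state or _reverse(p) in state:
                return (number, "pass", "dynamic rule (reply to a kept flow)")
        if match(p):
            if keep:
                state.add(_flow(p))
            return (number, action, desc)
    raise RuntimeError("unreachable: the default rule matches everything")


def demo():
    """Constructed packets; returns the (number, action) each one hits."""
    state = set()
    packets = [
        Packet(src="223.147.37.9", dst=OIP, proto="tcp", iface=OIF, direction="in",
               sport=40000, dport=80, setup=True),        # spoofed inside address
        Packet(src="198.51.100.7", dst=OIP, proto="tcp", iface=OIF, direction="in",
               sport=40000, dport=25, setup=True),        # incoming mail
        Packet(src="198.51.100.7", dst=OIP, proto="tcp", iface=OIF, direction="in",
               sport=40000, dport=22, setup=True),        # unsolicited ssh: logged
        Packet(src=OIP, dst="198.51.100.2", proto="udp", iface=OIF, direction="out",
               sport=53001, dport=53),                    # our DNS query, kept
        Packet(src="198.51.100.2", dst=OIP, proto="udp", iface=OIF, direction="in",
               sport=53, dport=53001),                    # its reply, via state
    ]
    return [evaluate(p, state)[:2] for p in packets]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Evaluating the DNS reply with a fresh, empty state instead of the one the query populated sends it to the default deny, which is exactly the behaviour the `keep-state` keyword exists to avoid.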

User-defined profiles

If the profile isn't one of the recognized keywords, /etc/rc.firewall checks if there's a file with that name. If so, it uses it as a command file to pass to ipfw:

elif [ "${firewall_type}" != "NONE" -a -r "${firewall_type}" ]; then
    ${fwcmd} ${firewall_flags} ${firewall_type}

Note that you can't put comment lines in the file named by ${firewall_type}.

Entries in /etc/rc.conf

When you have decided what kind of firewall configuration best suits your network, note that fact in /etc/rc.conf. Set the value of firewall_enable to YES to enable the firewall, and the value of firewall_type to indicate the type of firewall. For our example network, client is probably the most appropriate type:

firewall_enable="YES"                # Set to YES to enable firewall functionality 
firewall_script="/etc/rc.firewall"   # Which script to set up the firewall 
firewall_type="client"               # Firewall type (see /etc/rc.firewall)

If you have decided to write your own file rather than modify /etc/rc.firewall, set firewall_type to the name of the file.
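Before rebooting with a new /etc/rc.conf it is worth checking, at the console, what rc.firewall will actually do with the firewall_* settings. The following added example (not code from the page, from rc.firewall or from FreeBSD) parses those settings from rc.conf text, applies the same keyword-or-readable-file decision as the elif shown above, and flags the comment lines a user-defined rule file must not contain. The keyword set and the "UNKNOWN" default are assumptions made for this example; the page itself only discusses the client and simple profiles.

```python
# Added example: classify firewall_* settings the way rc.firewall's
# if/elif chain would. Not rc.firewall code; KEYWORDS is an assumption.
import os
import re
import tempfile

KEYWORDS = {"open", "client", "simple", "closed"}   # assumed keyword profiles

# Matches  name="value"   # trailing comment  (quotes optional).
_ASSIGN = re.compile(r'^\s*(firewall_\w+)="?([^"#]*?)"?\s*(?:#.*)?$')

# The three rc.conf lines shown above, used as constructed sample input.
RC_CONF_SAMPLE = (
    'firewall_enable="YES"                # Set to YES to enable firewall functionality\n'
    'firewall_script="/etc/rc.firewall"   # Which script to set up the firewall\n'
    'firewall_type="client"               # Firewall type (see /etc/rc.firewall)\n'
)


def parse_rc_conf(text):
    """Return a dict of the firewall_* assignments found in rc.conf text."""
    settings = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def comment_lines(path):
    """Line numbers of '#' lines, which a user-defined rule file may not contain."""
    with open(path) as fh:
        return [n for n, line in enumerate(fh, 1) if line.lstrip().startswith("#")]


def plan(settings):
    """Return (outcome, detail) mirroring rc.firewall's decision for these settings."""
    if settings.get("firewall_enable") != "YES":
        return ("disabled", None)
    ftype = settings.get("firewall_type", "UNKNOWN")   # assumed rc.conf default
    if ftype in KEYWORDS:
        return ("keyword", ftype)
    if ftype == "NONE":
        return ("none", None)
    if os.access(ftype, os.R_OK):                       # mirrors:  -r "${firewall_type}"
        bad = comment_lines(ftype)
        return ("file-with-comments", bad) if bad else ("file", ftype)
    return ("unknown", ftype)


def demo():
    """Write a constructed rule file containing a comment line and classify it."""
    with tempfile.NamedTemporaryFile("w", suffix=".ipfw", delete=False) as fh:
        fh.write("add pass tcp from any to any established\n")
        fh.write("#this comment line is what rc.firewall cannot handle\n")
        fh.write("add deny log tcp from any to any setup\n")
        path = fh.name
    try:
        return plan({"firewall_enable": "YES", "firewall_type": path})
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(plan(parse_rc_conf(RC_CONF_SAMPLE)))
    print(demo())
```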

Trying it out

You'll probably find that your first attempt at firewall configuration won't be optimal. You'll probably discover requirements that you hadn't thought of and that are now being denied by the default rule. Be prepared to spend some time getting everything to work, and do this at the system console. There's no good alternative.
