Re: Clever firewall rules

From: Fabrice MARIE (fabrice@celestix.com)
Date: 09/15/01


Message-Id: <200109150445.f8F4jaJ01265@fabrice.celestix.com>
From: Fabrice MARIE <fabrice@celestix.com>
To: Scott Gifford <sgifford@tir.com>, "Rob 'Feztaa' Park" <fezziker@home.com>
Subject: Re: Clever firewall rules
Date: Sat, 15 Sep 2001 04:45:35 +0000

On Friday 14 September 2001 02:27, Scott Gifford wrote:
> Thanks for posting these; I'd love to see others follow suit, and
> maybe we can put together a "recommended" ruleset for a couple
> different configurations.

Hello,

I usually compile in some netfilter patch-o-matic extensions that I quite like...
the extensions I usually compile in are :

TTL match+target
ipv4options match
length match
pkttype match
psd match
time match
log match (to be able to log&drop at the same time).

[...for the very short list, but the rest of the p-o-m
patches are quite cool too, one just has to need them
to compile them in, that's all :)]

1- I will usually make sure all the packets with a TTL less than 3
   coming onto my firewall get their TTL incremented by 5.
   It can be dangerous if you have some complex routing involved
   (risk to have loops), but just pay attention and it is going
   to be fine (TTL match+target).
2- drop all the packets with source routing, record route, timestamp
   or router-alert options (ipv4options match)
3- drop all the outgoing (generated by a box on the LAN or the firewall itself)
   icmp-time-exceeded to avoid being tracerouted.
4- drop all the incoming big icmp packets,
   some weird devices do not really like big icmp packets.
   (length match)
5- drop all incoming broadcast packets (pkttype match).
6- drop all packets that seem to be part of a portscan (psd match).
7- use time enforcement for some services that only your employees
   use during office hours (time match).

echo 0 > /proc/sys/net/ipv4/tcp_timestamps
or add
net.ipv4.tcp_timestamps = 0 in /etc/sysctl.conf
if you want to avoid nmap finding out (with -O) that you run linux ;-)
Additionally, people won't be able to remotely guess your up-time either.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
or add
net.ipv4.icmp_echo_ignore_all = 1 in sysctl.conf
if you want your box to not reply to any echo request (ping).
the /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts can be useful
too if you don't want to disable all ping replies, you should at least
turn off replies to broadcast...
just my 2 cents.

Actually, if you have some cool rulesets or some good examples of usage
of some particular netfilter matches, you can always send your ruleset
to the netfilter mailing list. Netfilter folks are always looking for
more documented rulesets to put in the 'examples' section.

Have a nice day,

Fabrice.

-- 
Fabrice MARIE
Senior R&D Engineer
Celestix Networks
http://www.celestix.com/

"Silly hacker, root is for administrators" -Unknown
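The seven rules and the /proc tweaks from the mail above, pulled together as one script. This is an added illustration, not part of the original message or of any netfilter example set. Assumptions: option spellings follow the 2001 patch-o-matic matches (later kernels renamed some, e.g. the time match's --days became --weekdays), the Internet-facing interface is eth0, "big icmp" means anything larger than a default 84-byte ping, and tcp/5900 stands in for an office-hours-only service.

```shell
#!/bin/sh
# Firewall script assembled from the seven points in the mail (added example).
# IPT defaults to iptables; run with IPT=echo for a dry run that only prints
# the rules. Match/target option names assume the 2001 patch-o-matic versions.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"          # assumed name of the Internet-facing interface

ruleset() {
    # 1- packets arriving with TTL < 3 get +5 (watch for routing loops)
    $IPT -t mangle -A PREROUTING -i "$WAN" -m ttl --ttl-lt 3 -j TTL --ttl-inc 5
    # 2- drop source routing, record route, timestamp and router-alert options
    for opt in --ssrr --lsrr --rr --ts --ra; do
        $IPT -A INPUT   -m ipv4options "$opt" -j DROP
        $IPT -A FORWARD -m ipv4options "$opt" -j DROP
    done
    # 3- never let icmp-time-exceeded leave (local or forwarded): no traceroute
    $IPT -A OUTPUT  -o "$WAN" -p icmp --icmp-type time-exceeded -j DROP
    $IPT -A FORWARD -o "$WAN" -p icmp --icmp-type time-exceeded -j DROP
    # 4- drop big incoming icmp (assumed threshold: bigger than an 84-byte ping)
    $IPT -A INPUT -i "$WAN" -p icmp -m length --length 85:65535 -j DROP
    # 5- drop incoming broadcasts
    $IPT -A INPUT -i "$WAN" -m pkttype --pkt-type broadcast -j DROP
    # 6- drop whatever psd classifies as a port scan (default thresholds)
    $IPT -A INPUT -i "$WAN" -m psd -j DROP
    # 7- office hours only for an employee service (assumed example: tcp/5900)
    $IPT -A FORWARD -p tcp --dport 5900 -m time --timestart 08:00 --timestop 18:00 \
         --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
    $IPT -A FORWARD -p tcp --dport 5900 -j DROP
}

# The /proc tweaks from the mail. The optional argument replaces /proc/sys
# so the function can be exercised against a scratch directory without root.
harden_sysctl() {
    root="${1:-/proc/sys}/net/ipv4"
    echo 0 > "$root/tcp_timestamps"              # hides the uptime/OS hint nmap -O uses
    echo 1 > "$root/icmp_echo_ignore_all"        # 1 = answer no echo request at all
    echo 1 > "$root/icmp_echo_ignore_broadcasts" # at least ignore broadcast pings
}

if [ "${1:-}" = "apply" ]; then   # e.g.: sh firewall.sh apply   (as root)
    harden_sysctl
    ruleset
fi
```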


