ipf/ipf.rules

############################
############################
#
# Filtering rules for a 3 NIC Firewall
#
# using IP Filter 3.4.20
#
# Created and maintained by Jacques Bourdeau
#
# last change : 6 November 2001
#
############################
############################
############################
############################
#
# Structure
#
# The main rule set contains only jumps to other subsets and the default rules.
# This keeps the filtering rules from becoming too big and unmanageable.
#
# There are 12 rules in 4 categories
#
# First category is global cases : global drops and global accepts
#
#>> Drop Known Attacks / Unwished packets / Suspect packets
#>> Accept all packets with privileges
#
# Second category is packets generated by the firewall itself
#
#>> Packets going out on Firewall's Internet NIC (here, xl1)
#>> Packets going out on Firewall's DMZ NIC (here, ed1)
#>> Packets going out on Firewall's Intranet NIC (here, xl0)
#
# Third category is filtering packets reaching the firewall
#
#>> Packets coming from Internet
#>> Packets coming from DMZ
#>> Packets coming from Intranet
#
# Fourth category is default rules : drop, respond and log
#
#>> TCP packets are dropped, logged, and a TCP-Reset is sent back
#>> UDP packets are dropped, logged, and an ICMP Port-Unreachable is sent back
#>> ICMP packets are dropped, logged, and an ICMP Host-Unreachable is sent back
#
# The Firewall does its best to hide itself from Internet. It sends error messages
# as if a regular problem had occurred (no service, no host, routing problem...)
# instead of silently dropping the packets. Being used at a small scale, this choice
# produces more information about bad guys. At a large scale, stealth drop should
# be used instead.
#
# NOTE FOR IPNAT
#
# IPNAT modifies packets just before they are filtered by IP Filter, or just
# after it, before sending them.
# NAT, port forwarding and usage of internal
# transparent proxies are defined in IP Nat, not IP Filter.
#
# This script may need all of these functions : NAT is done when packets are
# going out on Internet ; port forwarding is used for receiving connections
# to servers in DMZ, and the internal proxy is used for detecting the FTP data
# channel.
#
# All of that is transparent and automatic from IP Filter's point
# of view. That is why permissions are granted for packets coming from Internet
# and sent to 172.16 ; packets from 172.16 are sent over Internet, and
# accepting a single socket over port 21 is enough for doing FTP safely
# in both active and passive mode.
#
# NOTE ABOUT NAMES
#
# IP Filter is launched before BIND, so it cannot use a local BIND for name
# resolution. Named must be on another server, or names must be added in
# the hosts file. Also, some services are not present in many /etc/services
# (like dnetc and wmplayer, which I created from A to Z).
#
############################
############################
############################
############################
#
# Very Very Special cases :
#
# Here are some rules preceding the structure described before.
# They are very VERY special and must be considered before other rules.
# They can be used for testing or unusual needs / bad practice like these
# ones :
# --> DHCP Client must communicate without an IP address (and Videotron's DHCP
#     server is in 10.X.X.X). Permission is granted here.
#     Usually, a firewall has a static IP address, or at least does not get one by DHCP from Internet...
pass in quick on xl1 proto udp from any port = dhcps to any port = dhcpc
pass out quick on xl1 proto udp from any port = dhcpc to any port = dhcps

# --> Don't wish to filter the loopback in any way
pass in quick on lo0 all
pass out quick on lo0 all

#
# End of very VERY special cases
###
############################
############################
############################
############################
#
# Main filtering rules
#
# --> Drop known attacks using rules group 50
block in all head 50

# --> Accept privileged packets using rules group 75
pass in all head 75

# OK, it's just a standard packet : not blacklisted, no privileges...
# The packet will be filtered using the appropriate rules list, selected
# by the direction (IN or OUT) of the packet and the interface it uses

# --> Filter packets generated by the Firewall to Internet with group 100
block out log quick on xl1 from fw-inter.jb.net to any head 100

# --> Filter packets generated by the Firewall to DMZ with group 125
block out log quick on ed1 from fw-dmz.jb.net to dmz.jb.net/24 head 125

# --> Filter packets generated by the Firewall to Intranet with group 150
block out log quick on xl0 from fw-intra.jb.net to intranet.jb.net/24 head 150

# --> Filter packets coming from Internet using group 200
block in log quick on xl1 from any to any head 200

# --> Filter packets coming from DMZ using group 225
block in log quick on ed1 from dmz.jb.net/24 to any head 225

# --> Filter packets coming from Intranet with group 250
block in log quick on xl0 from intranet.jb.net/24 to any head 250

# In case a packet should pass through the rule set...
block return-rst in log quick proto tcp all
block return-icmp(port-unr) in log quick proto udp all
block return-icmp(host-unr) in log quick proto icmp all
block out log quick all

#
# End of main filtering rules
###
############################
############################

##############################################
##############################################
#######################
#######################
#####
# Description of rules groups
#####
#######################
#######################
##############################################
##############################################

############################
############################
########
#
# Group 50 : Known Attacks / Unwished packets / Suspect packets

## --> Cable modem multicasts from 192.168.X.X ; don't wish to log these drops
block in quick on xl1 from 192.168.0.0/16 to 224.0.0.0/4 group 50

## --> P200 may run Windows NT 4 ; don't wish to log these NetBios broadcasts
block in quick on xl0 proto tcp/udp from P200.jb.net to any port 134 >< 140 group 50

## --> It also pings 172.16.0.0... drop this shit
block in quick proto icmp from P200.jb.net to uISP.jb.net/16 icmp-type echo group 50

## --> Drop IP Spoofing from Internet
block return-icmp(net-unr) in log quick on xl1 from 10.0.0.0/8 to any group 50
block return-icmp(net-unr) in log quick on xl1 from 127.0.0.0/8 to any group 50
block return-icmp(net-unr) in log quick on xl1 from 172.16.0.0/12 to any group 50
block return-icmp(net-unr) in log quick on xl1 from 192.168.0.0/16 to any group 50
block return-icmp(net-unr) in log quick on xl1 from uISP.jb.net/16 to any group 50

## --> IP Spoofing from DMZ and Intranet : already denied by
#     default.
#     HEAD rules in the Main ruleset require valid IP sources

## --> Drop Source Routed packets
block return-icmp(host-unr) in log quick all with opt lsrr group 50
block return-icmp(host-unr) in log quick all with opt ssrr group 50

## --> Drop all packets on Microsoft's ports
block return-rst in log quick proto tcp from any to any port 134 >< 140 group 50
block return-icmp(port-unr) in log quick proto udp from any to any port 134 >< 140 group 50

## --> Drop all TCP packets with URG (will also drop XMAS Tree port scan...)
block return-rst in log quick proto tcp all flags U/U group 50

## --> Drop NULL Scan
block return-rst in log quick proto tcp all flags /SA group 50

## --> Drop ICMP 5, redirect : RFCs ask to never reply ICMP to an ICMP error...
block in log quick proto icmp all icmp-type 5 group 50

## --> Drop broadcasts / multicasts
block return-icmp(net-unr) in log quick from any to 255.255.255.255/32 group 50
block return-icmp(net-unr) in log quick from any to 0.0.0.0/32 group 50
block return-icmp(net-unr) in log quick from any to 224.0.0.0/4 group 50
block return-icmp(net-unr) in log quick from any to 24.202.17.255/32 group 50
block return-icmp(net-unr) in log quick from any to 24.202.17.0/32 group 50

## --> Drop too-short fragments
block return-icmp(host-unr) in log quick all with short group 50

## --> Return RESET to any access to IDENT and don't log
block return-rst in quick proto tcp from any to any port = ident group 50

#
# End of rule group 50
###
########
############################
############################
############################
############################
########
###
# Rule group 75, special case
#
# Anyone can ping anyone (I will have more info about these bad guys...)
pass in log quick proto icmp all icmp-type echo keep state group 75

# Richard can Telnet to the U5.
pass in quick on xl1 proto tcp from rlapointe.dhs.org port > 1023 to U5.jb.net port = telnet flags S/SA keep state group 75

# Anyone is welcome to work on Distributed.NET
pass in quick proto tcp from uISP.jb.net/16 port > 1023 to 130.161.38.84/32 port = dnetc flags S/SA keep state group 75
pass in quick proto tcp from uISP.jb.net/16 port > 1023 to 63.77.33.226/32 port = dnetc flags S/SA keep state group 75
pass in quick proto tcp from uISP.jb.net/16 port > 1023 to 130.161.38.67/32 port = dnetc flags S/SA keep state group 75
pass in quick proto tcp from uISP.jb.net/16 port > 1023 to 145.89.128.136/32 port = dnetc flags S/SA keep state group 75
pass in quick proto tcp from uISP.jb.net/16 port > 1023 to 145.89.128.249/32 port = dnetc flags S/SA keep state group 75
pass in quick proto tcp from uISP.jb.net/16 port > 1023 to 128.104.18.148/32 port = dnetc flags S/SA keep state group 75
pass in quick proto tcp from uISP.jb.net/16 port > 1023 to 205.149.163.211/32 port = dnetc flags S/SA keep state group 75
pass in quick proto tcp from uISP.jb.net/16 port > 1023 to 204.152.186.139/32 port = dnetc flags S/SA keep state group 75
pass in quick proto tcp from uISP.jb.net/16 port > 1023 to 204.152.186.178/32 port = dnetc flags S/SA keep state group 75
pass in quick proto tcp from uISP.jb.net/16 port > 1023 to 207.170.66.232/32 port = dnetc flags S/SA keep state group 75

#
# End of group 75
###
########
############################
############################
############################
############################
########
###
# Rule group 100 : From Firewall to Internet
#
# No need to require interface xl1 : it's already a requirement in the head rule. So if we
# use this list, it's because we matched the head rule, so we are over xl1...
# The source IP could also be removed, but is kept for a clearer rule list
#
## --> Firewall can contact any DNS server on Internet
pass out quick proto udp from fw-inter.jb.net port > 1023 to any port = domain keep state group 100

## --> Firewall can contact Distributed.NET proxies
# NOTE : global access previously defined in group 75 was for packets coming IN : these ones are going OUT...
pass out quick proto tcp from fw-inter.jb.net port > 1023 to 130.161.38.84/32 port = dnetc flags S/SA keep state group 100
pass out quick proto tcp from fw-inter.jb.net port > 1023 to 63.77.33.226/32 port = dnetc flags S/SA keep state group 100
pass out quick proto tcp from fw-inter.jb.net port > 1023 to 130.161.38.67/32 port = dnetc flags S/SA keep state group 100
pass out quick proto tcp from fw-inter.jb.net port > 1023 to 145.89.128.136/32 port = dnetc flags S/SA keep state group 100
pass out quick proto tcp from fw-inter.jb.net port > 1023 to 145.89.128.249/32 port = dnetc flags S/SA keep state group 100
pass out quick proto tcp from fw-inter.jb.net port > 1023 to 128.104.18.148/32 port = dnetc flags S/SA keep state group 100
pass out quick proto tcp from fw-inter.jb.net port > 1023 to 205.149.163.211/32 port = dnetc flags S/SA keep state group 100
pass out quick proto tcp from fw-inter.jb.net port > 1023 to 204.152.186.139/32 port = dnetc flags S/SA keep state group 100
pass out quick proto tcp from fw-inter.jb.net port > 1023 to 204.152.186.178/32 port = dnetc flags S/SA keep state group 100
pass out quick proto tcp from fw-inter.jb.net port > 1023 to 207.170.66.232/32 port = dnetc flags S/SA keep state group 100

# Firewall can send TCP Reset and ICMP error to anyone on Internet.
# Log these explicit drops
pass out log quick proto tcp from fw-inter.jb.net to any flags R/R group 100
pass out log quick proto icmp from fw-inter.jb.net to any icmp-type unreach group 100

#
# End of rule group 100
###
########
############################
############################
############################
############################
###
# Rule group 125 : From Firewall to DMZ
#
# No need to require interface ed1 : it's already a requirement in the head rule. So if we
# use this list, it's because we matched the head rule, so we are over ed1...
# The source IP could also be removed, but is kept for a clearer rule list
#
# The Firewall can send error messages to the DMZ (like the return-reset if access to IDENT is attempted)
pass out quick proto tcp from fw-dmz.jb.net to dmz.jb.net/24 flags R/SR group 125
pass out quick proto icmp from fw-dmz.jb.net to dmz.jb.net/24 icmp-type unreach group 125

# The Firewall can ping the DMZ
pass out quick proto icmp from fw-dmz.jb.net to dmz.jb.net/24 icmp-type echo keep state group 125

#
# End of group 125
###
############################
############################
############################
############################
###
# Rule group 150 : From Firewall to Intranet
#
# No need to require interface xl0 : it's already a requirement in the head rule. So if we
# use this list, it's because we matched the head rule, so we are over xl0...
# The source IP could also be removed, but is kept for a clearer rule list
#
# The Firewall can send error messages to the Intranet (like the return-reset if access to IDENT is attempted)
pass out quick proto tcp from fw-intra.jb.net to intranet.jb.net/24 flags R/SR group 150
pass out quick proto icmp from fw-intra.jb.net to intranet.jb.net/24 icmp-type unreach group 150

# The Firewall can ping the intranet
pass out quick proto icmp from fw-intra.jb.net to intranet.jb.net/24 icmp-type echo keep state group 150

# The Firewall can send files to E2 using FTP
pass out quick proto tcp from fw-intra.jb.net port > 1023 to E2.jb.net port = ftp flags S/SA keep state group 150

#
# End of group 150
###
############################
############################
############################
############################
###
# Rule group 200 : Access from Internet
#
## --> Anyone can use my DNS server but will be logged
pass in log quick proto udp from any port > 1023 to fw-inter.jb.net port = domain keep state group 200

## --> Anyone can connect to the Web server over both HTTP and HTTPS. NAT is done
pass in quick proto tcp from any port > 1023 to U5.jb.net port = http flags S/SA keep state group 200
pass in quick on xl1 dup-to xl0:P200.jb.net proto tcp from any port > 1023 to U5.jb.net port = https flags S/SA keep state group 200

## --> Anyone can send mail to my QMail server.
##     Relaying is restricted by TCPServer
pass in quick proto tcp from any port > 1023 to U5.jb.net port = smtp flags S/SA keep state group 200
pass in quick proto tcp from any port > 1023 to U5.jb.net port = qmtp flags S/SA keep state group 200

## --> Anyone can connect to the POP3 server but will be logged
pass in log quick proto tcp from any port > 1023 to U5.jb.net port = pop3 flags S/SA keep state group 200

# --> In case a packet should pass through the rules, block and log it and hide the firewall
block return-rst in log quick proto tcp all group 200
block return-icmp(port-unr) in log quick proto udp all group 200
block return-icmp(host-unr) in log quick proto icmp all group 200

#
# End of rule group 200
#
###
############################
############################
############################
############################
###
# Rule group 225 : access granted from DMZ
#
## --> The entire DMZ can connect to the DNS server
pass in quick proto udp from dmz.jb.net/24 port > 1023 to fw-dmz.jb.net port = domain keep state group 225

## --> The QMail server can send mail to anyone other than the local net
pass in quick proto tcp from U5.jb.net port > 1023 to !uISP.jb.net/16 port = smtp flags S/SA keep state group 225

## --> The QMail server can retrieve my mail from Videotron's POP3D
pass in quick proto tcp from U5.jb.net port > 1023 to pop.videotron.ca port = pop3 flags S/SA keep state group 225

## --> The Proxy server can connect to anyone on Internet over HTTP, HTTPS, FTP.
pass in quick proto tcp from U5.jb.net port > 1023 to !uISP.jb.net/16 port = ftp flags S/SA keep state group 225
pass in quick proto tcp from U5.jb.net port > 1023 to !uISP.jb.net/16 port = http flags S/SA keep state group 225
pass in quick proto tcp from U5.jb.net port > 1023 to !uISP.jb.net/16 port = https flags S/SA keep state group 225

## --> Some Web servers are over ports in 8000-8100... The proxy needs to open them too...
pass in quick proto tcp from U5.jb.net port > 1023 to !uISP.jb.net/16 port 7999 >< 8101 flags S/SA keep state group 225

## --> Sometimes, I wish to connect a graphical session on U5... the rule is ready but inactive
pass in quick proto tcp from U5.jb.net to E2.jb.net port = 6001 flags S/SA keep state group 225

# --> In case a packet should pass through the rules, block and log it and hide the firewall
block return-rst in log quick proto tcp all group 225
block return-icmp(port-unr) in log quick proto udp all group 225
block return-icmp(host-unr) in log quick proto icmp all group 225

#
# End of group 225
###
############################
############################
############################
############################
###
# Rule group 250 : Access granted from Intranet
#
# --> Intranet can use the DNS server
pass in quick proto udp from intranet.jb.net/24 to fw-intra.jb.net port = domain keep state group 250

# --> Intranet can use the proxy server in DMZ
pass in quick proto tcp from intranet.jb.net/24 port > 1023 to U5.jb.net port = 8080 flags S/SA keep state group 250

# --> WMplayer does not pass through the proxy (it should... but it's Microsoft...) Open for Nostalgie...
pass in quick proto tcp from P200.jb.net port > 1023 to cache.yacast.fr/24 port = wmplayer flags S/SA keep state group 250

# --> P200 runs Winboose... Many times, it (or apps running in it) makes HTTP
#     connections to anyone.
#     These spyware connections are needed, but logged
pass in log quick proto tcp from P200.jb.net port > 1023 to any port = http flags S/SA keep state group 250
pass in log quick proto tcp from P200.jb.net port > 1023 to U5.jb.net port = 8080 flags S/SA keep state group 250

# --> Intranet can connect to anyone with Telnet, rlogin, NFS or SSH
pass in quick proto tcp from intranet.jb.net/24 port > 1023 to any port = telnet flags S/SA keep state group 250
pass in quick proto tcp/udp from intranet.jb.net/24 to any port = sunrpc keep state group 250
pass in quick proto tcp from intranet.jb.net/24 to any port = login flags S/SA keep state group 250
pass in quick proto tcp/udp from intranet.jb.net/24 to any port = nfs keep state group 250
pass in quick proto tcp from intranet.jb.net/24 port > 1023 to any port = ssh flags S/SA keep state group 250

# --> Intranet can do FTP with the entire world
pass in quick proto tcp from intranet.jb.net/24 port > 1023 to any port = ftp flags S/SA keep state group 250

# --> Intranet can connect to Videotron's news server
pass in quick proto tcp from intranet.jb.net/24 port > 1023 to 205.237.233.50/32 port = nntp flags S/SA keep state group 250
pass in quick proto tcp from intranet.jb.net/24 port > 1023 to 205.237.233.52/32 port = nntp flags S/SA keep state group 250

# --> Intranet can send mail using U5 server
pass in quick proto tcp from intranet.jb.net/24 port > 1023 to U5.jb.net port = smtp flags S/SA keep state group 250

# --> Intranet can retrieve mail from U5 server
pass in quick proto tcp from intranet.jb.net/24 port > 1023 to U5.jb.net port = pop3 flags S/SA keep state group 250

# --> Graphical login from E2 to U5 requires some ports...
pass in quick proto udp from E2.jb.net to U5.jb.net port = 177 keep state group 250
pass in quick proto tcp from E2.jb.net to U5.jb.net port = 7100 flags S/SA keep state group 250

# --> In case a packet should pass through the rules, block and log it and hide the firewall
block return-rst in log quick proto tcp all group 250
block return-icmp(port-unr) in log quick proto udp all group 250
block return-icmp(host-unr) in log quick proto icmp all group 250

#
# End of group 250
###
############################
############################

ipf/ipnat.rules

#############################
#############################
#
# Address and Port translations script for a 3 NIC Firewall
#
# using IP NAT 3.4.20
#
# Created and maintained by Jacques Bourdeau
#
#############################
#############################
#############################
#############################
#
# IP Nat modifies packets just before passing them to IP Filter, or just
# after receiving them back once they have been accepted by IP Filter.
#
# IP Nat is used for NAT (of course), but also for port forwarding and
# transparent proxies. All of these functions are used here.
#
# This script is a part of a 3 NIC firewall using RFC1918 in both DMZ
# and intranet. NAT is used for Internet access, port forwarding is used
# for connections to servers in DMZ from Internet and the transparent proxy
# is used for FTP. It manages the data channel automatically for both
# active and passive FTP, requiring IP Filter to accept only the opening
# of the command channel.
#
# NOTE : the rule for the FTP proxy overlaps with the rule for general Internet access.
# In a more global case : rules for transparent proxies frequently overlap
# regular NAT rules.
#
# They must be put first. If not, IP Nat will match the general rule
# and will do only regular NAT : FTP commands will work, but not FTP data.
# In the end, FTP will not work...
#
#############################
#############################
#############################
#############################
#
# Transparent proxies :
#
# FTP : the most specific case first...
# Any connection to an FTP server over Internet will pass through the internal FTP proxy.
# Using it, the data channel will be detected automatically and opened in a safe way.
map xl1 uISP.jb.net/16 -> fw-inter.jb.net/32 proxy port ftp ftp/tcp
map ed1 intranet.jb.net/24 -> fw-dmz.jb.net/32 proxy port ftp ftp/tcp
map ed1 rlapointe.dhs.org/32 -> fw-dmz.jb.net/32 proxy port ftp ftp/tcp
map xl0 fw-intra.jb.net/32 -> fw-intra.jb.net/32 proxy port ftp ftp/tcp

#
# End of transparent proxies
###
#############################
#############################
#############################
#############################
#
# Regular NAT : static and dynamic
#
# Any packet going out on Internet will be NAT'ed with the firewall's IP address
map xl1 uISP.jb.net/16 -> fw-inter.jb.net/32

#
# End of regular NAT
###
#############################
#############################
#############################
#############################
#
# Port forwarding
#
# Anyone asking for granted services from Internet is redirected to the server
rdr xl1 fw-inter.jb.net/32 port ftp -> U5.jb.net port ftp
rdr xl1 fw-inter.jb.net/32 port smtp -> U5.jb.net port smtp
rdr xl1 fw-inter.jb.net/32 port telnet -> U5.jb.net port telnet
rdr xl1 fw-inter.jb.net/32 port qmtp -> U5.jb.net port qmtp
rdr xl1 fw-inter.jb.net/32 port pop3 -> U5.jb.net port pop3
rdr xl1 fw-inter.jb.net/32 port http -> U5.jb.net port http
rdr xl1 fw-inter.jb.net/32 port https -> U5.jb.net port https
rdr xl1 fw-inter.jb.net/32 port 230 -> U5.jb.net port telnet

#
# End of port forwarding
###
#############################
#############################
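Two properties of these files are easy to break when editing by hand: every `group N` rule in ipf.rules needs a matching `head N`, and in ipnat.rules a transparent-proxy `map` must precede the general `map` for the same interface and source (the NOTE above explains why FTP data otherwise stops working). The linter below is an added example, not part of Jacques Bourdeau's ruleset; its sample rules are constructed excerpts in the same syntax, and the function names `check_groups` and `check_nat_order` are my own.

```python
"""Added example: sanity checks for IP Filter head/group structure and
IP Nat rule ordering. Not part of the original ipf/ipnat scripts."""
import re

# Constructed excerpt in ipf.rules syntax: three heads, one group (300) that
# no head ever jumps to, and only group 200 closed by a 'quick ... all' block.
IPF_SAMPLE = """
block in all head 50
pass in all head 75
block in log quick on xl1 from any to any head 200
block in quick on xl1 from 192.168.0.0/16 to 224.0.0.0/4 group 50
pass in log quick proto icmp all icmp-type echo keep state group 75
pass in quick proto tcp from any port > 1023 to U5.jb.net port = http flags S/SA keep state group 200
block return-rst in log quick proto tcp all group 200
pass in quick proto tcp from any to any port = ssh flags S/SA keep state group 300
"""

# Constructed excerpt in ipnat.rules syntax with the ordering mistake the
# NOTE warns about: the general map comes before the FTP proxy map.
IPNAT_SAMPLE = """
map xl1 uISP.jb.net/16 -> fw-inter.jb.net/32
map xl1 uISP.jb.net/16 -> fw-inter.jb.net/32 proxy port ftp ftp/tcp
"""


def _rules(text):
    """Yield non-empty rule lines with trailing '#' comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def check_groups(rules):
    """Return (orphans, open_groups): groups referenced without a head rule,
    and heads whose group has no closing 'block ... quick ... all group N'.
    Open groups are not necessarily wrong (groups 50 and 75 in the original
    fall through to the main ruleset's defaults), but they deserve a look."""
    heads, groups, closed = set(), set(), set()
    for line in _rules(rules):
        m = re.search(r"\bhead (\d+)\b", line)
        if m:
            heads.add(int(m.group(1)))
        m = re.search(r"\bgroup (\d+)\b", line)
        if m:
            g = int(m.group(1))
            groups.add(g)
            if line.startswith("block") and " quick " in line and " all group" in line:
                closed.add(g)
    return sorted(groups - heads), sorted(heads - closed)


def check_nat_order(rules):
    """Return proxy 'map' rules that are shadowed by an earlier general 'map'
    on the same interface and source network (first match wins in IP Nat)."""
    general_seen = set()
    shadowed = []
    for line in _rules(rules):
        parts = line.split()
        if len(parts) < 3 or parts[0] != "map":
            continue
        key = (parts[1], parts[2])          # (interface, source network)
        if " proxy " in line:
            if key in general_seen:
                shadowed.append(line)
        else:
            general_seen.add(key)
    return shadowed


if __name__ == "__main__":
    print("orphans / open groups:", check_groups(IPF_SAMPLE))
    print("shadowed proxy rules:", check_nat_order(IPNAT_SAMPLE))
```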