Re: I will show you mine if ...
From: Newsgroup Poster (shikahr-usenet_at_localhost.invalid)
Date: 05/02/04
- Previous message: Felix Tilley: "I will show you mine if ..."
- In reply to: Felix Tilley: "I will show you mine if ..."
- Next in thread: James Riden: "Re: I will show you mine if ..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 02 May 2004 02:28:20 +0000 (UTC)
In message <1098bj033pfimc1@news.supernews.com>,
Felix Tilley wrote:
> .. if you show me yours. Here is mine:
Interesting... In reading over this, I'm presuming that yours is
for a single machine not running any particular servers. My setup
is a bit different, so my rule set can be quite different.
As I do have servers on the net, things are configured as a DMZ
LAN. These rules are something of a composite of what gets seen
from the outside looking in. This is in FreeBSD 4.x/5.x ipfw syntax.
It should translate into iptables fairly readily. There are additional
rules that are particular to the site, but this composite gives the
sense of the lockdown.
These rules are applied to the interface on a packet filter bridge
taking traffic from and to the Internet. The bridge does not run
any services, and is not addressable (console serial port monitoring
only). Since the bridge filter is not addressable, it can only deny
traffic. It cannot reply with any icmp error codes. That's a side
effect of the LAN configuration. An IDS is monitoring the traffic
in case the bridge somehow gets compromised or off-line, allowing
the Internet to hit the servers (which are themselves armored; this
is defense in depth).
Shell variables are defined as:
DMZ=IP address block for the site ( x.0/size )
DMZNET=the x.0 IP address of the DMZ
DMZBCAST=the x.255 IP address of the DMZ
DMZMAIL=IP address of the mail server
DMZWEB=IP address of the web server
DMZFTP=IP address of the ftp server
DMZDNS=IP address of the nameserver
DMZNTP=IP address of the time server
Port definitions, as a range lowport-highport
SAFE="1024-65535"
FTPHIGH="49152-65535"
======================================================================
# nobody talks to my x.0 or my x.255 IP addresses
/sbin/ipfw add deny all from any to $DMZNET
/sbin/ipfw add deny all from any to $DMZBCAST
# Kill off the RFC 3330 IP spaces
# these are never legit source addresses to be received here
/sbin/ipfw add deny all from 0.0.0.0/8 to any
/sbin/ipfw add deny all from 10.0.0.0/8 to any
/sbin/ipfw add deny all from 127.0.0.0/8 to any
/sbin/ipfw add deny all from 169.254.0.0/16 to any
/sbin/ipfw add deny all from 172.16.0.0/12 to any
/sbin/ipfw add deny all from 192.0.2.0/24 to any
/sbin/ipfw add deny all from 192.168.0.0/16 to any
/sbin/ipfw add deny all from 198.18.0.0/15 to any # yes /15
/sbin/ipfw add deny all from 224.0.0.0/4 to any
/sbin/ipfw add deny all from 240.0.0.0/4 to any
# no source routing, if somebody tries something weird
/sbin/ipfw add deny all from any to any ipoptions ssrr
/sbin/ipfw add deny all from any to any ipoptions lsrr
# servers never initiate traffic
# it's amazing how much stuff tries to come under the wire
# thru the 0,20,21,22,23,25,53,80,443 ports as source ports
# /sbin/ipfw add deny tcp from any 1-1023 to any setup
# but the port range limits block such things anyhow
# anybody wanting to talk to the DMZ servers must use high ports
# the mail server
/sbin/ipfw add allow tcp from any $SAFE to $DMZMAIL 25,113
/sbin/ipfw add deny tcp from any to $DMZMAIL
# the web server
/sbin/ipfw add allow tcp from any $SAFE to $DMZWEB 80,443
/sbin/ipfw add deny tcp from any to $DMZWEB
# the ftp server
/sbin/ipfw add allow tcp from any $SAFE to $DMZFTP $FTPHIGH,20,21
/sbin/ipfw add deny tcp from any to $DMZFTP
# time of day
/sbin/ipfw add allow udp from $NTPSERVER1 123 to $DMZNTP $SAFE
/sbin/ipfw add allow udp from $NTPSERVER2 123 to $DMZNTP $SAFE
/sbin/ipfw add allow udp from $NTPSERVER3 123 to $DMZNTP $SAFE
/sbin/ipfw add allow udp from $NTPSERVER4 123 to $DMZNTP $SAFE
# ping, errors, and company
/sbin/ipfw add allow icmp from any to $DMZ icmptypes 0,3,4,8,11,12
# the dynamic rules are set in the outbound filter
# that expect DNS traffic in response to a query
/sbin/ipfw add check-state
/sbin/ipfw add deny all from any to any
=====================================================================
And now the outbound rules. A side effect of these rules is that
only the site IP addresses will be allowed as source addresses.
No outbound spoofing allowed. Also, outbound snort rules alert for
traffic attempts that aren't allowed, which would indicate a
compromised machine.
=====================================================================
# the DMZ machines can give icmp error codes and ping things
/sbin/ipfw add allow icmp from $DMZ to any icmptypes 0,3,4,8,11,12
# keep state to allow only answers to queries to come back
/sbin/ipfw add allow udp from $DMZDNS $SAFE to any 53 keep-state
/sbin/ipfw add allow tcp from $DMZMAIL $SAFE to any 25,113
# could do these as dynamic rules, but if DMZNTP got compromised
# then the rules wouldn't help in trapping the crack
/sbin/ipfw add allow udp from $DMZNTP $SAFE to $NTPSERVER1 123
/sbin/ipfw add allow udp from $DMZNTP $SAFE to $NTPSERVER2 123
/sbin/ipfw add allow udp from $DMZNTP $SAFE to $NTPSERVER3 123
/sbin/ipfw add allow udp from $DMZNTP $SAFE to $NTPSERVER4 123
# the web server will NEVER initiate outbound traffic
# if it tries, it is a compromised machine...
# a snort alert rule can trap that also
/sbin/ipfw add deny tcp from $DMZWEB to any setup
/sbin/ipfw add allow tcp from $DMZWEB 80,443 to any $SAFE established
/sbin/ipfw add allow tcp from $DMZFTP $FTPHIGH,20,21 to any $SAFE
/sbin/ipfw add deny all from any to any
=====================================================================
-- Randall Raemon shikahrsoho.com, email to usenet200405 - userid expires 31 May 2004
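The following is an added example, not code from the post above: an offline, first-match simulation of the inbound and outbound bridge rule lists, so a reader can see why a SYN arriving from a low source port is dropped, why the web server can answer but never initiate, and why a non-site source address never leaves. ipfw does its matching in the kernel; this script only reproduces first-match semantics for the rule shapes the post uses (address, port list, setup, established, icmptypes) and leaves out the ipoptions and check-state rules. All addresses are constructed stand-ins for the post's shell variables (documentation ranges, not real hosts), and only one NTP server is modelled.

```python
"""First-match simulation of a DMZ bridge rule set in the style of the post above.

Added example, not the post's own code. ipoptions and check-state are not modelled;
addresses are constructed stand-ins (documentation ranges) for the shell variables.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the post's shell variables (not real hosts).
DMZ = "203.0.113.0/24"
DMZNET, DMZBCAST = "203.0.113.0", "203.0.113.255"      # the x.0 and x.255 addresses
DMZMAIL, DMZWEB, DMZFTP = "203.0.113.25", "203.0.113.80", "203.0.113.21"
DMZDNS, DMZNTP, NTPSERVER1 = "203.0.113.53", "203.0.113.123", "198.51.100.123"
SAFE, FTPHIGH = "1024-65535", "49152-65535"
RFC3330_BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                  "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
                  "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4"]

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"syn"} or {"ack"}
    icmptype: int = -1

@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "all"
    src: str = "any"
    sports: str = None               # ipfw port list, e.g. "1024-65535" or "80,443"
    dst: str = "any"
    dports: str = None
    setup: bool = False              # ipfw 'setup': SYN set and ACK clear
    established: bool = False        # ipfw 'established': ACK or RST set
    icmptypes: str = None            # e.g. "0,3,4,8,11,12"

def port_ranges(spec):
    """Parse an ipfw port list such as '49152-65535,20,21' into (lo, hi) pairs."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def in_ports(spec, port):
    return spec is None or any(lo <= port <= hi for lo, hi in port_ranges(spec))

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if not (in_net(rule.src, pkt.src) and in_net(rule.dst, pkt.dst)):
        return False
    if pkt.proto in ("tcp", "udp") and not (in_ports(rule.sports, pkt.sport) and in_ports(rule.dports, pkt.dport)):
        return False
    if rule.setup and not ("syn" in pkt.flags and "ack" not in pkt.flags):
        return False
    if rule.established and not (pkt.flags & {"ack", "rst"}):
        return False
    if rule.icmptypes and pkt.icmptype not in {int(t) for t in rule.icmptypes.split(",")}:
        return False
    return True

def decide(rules, pkt):
    """Action of the first matching rule; both lists end in 'deny all', so something always matches."""
    return next(rule.action for rule in rules if matches(rule, pkt))

# Inbound list in the post's order: x.0/x.255, RFC 3330 bogons, per-server allow/deny pairs, NTP, ICMP.
INBOUND = [
    Rule("deny", dst=DMZNET), Rule("deny", dst=DMZBCAST),
    *[Rule("deny", src=net) for net in RFC3330_BOGONS],
    Rule("allow", "tcp", sports=SAFE, dst=DMZMAIL, dports="25,113"), Rule("deny", "tcp", dst=DMZMAIL),
    Rule("allow", "tcp", sports=SAFE, dst=DMZWEB, dports="80,443"), Rule("deny", "tcp", dst=DMZWEB),
    Rule("allow", "tcp", sports=SAFE, dst=DMZFTP, dports=FTPHIGH + ",20,21"), Rule("deny", "tcp", dst=DMZFTP),
    Rule("allow", "udp", src=NTPSERVER1, sports="123", dst=DMZNTP, dports=SAFE),
    Rule("allow", "icmp", dst=DMZ, icmptypes="0,3,4,8,11,12"),
    Rule("deny"),
]

# Outbound list: only site addresses can appear as sources; the web server may answer but never initiate.
OUTBOUND = [
    Rule("allow", "icmp", src=DMZ, icmptypes="0,3,4,8,11,12"),
    Rule("allow", "udp", src=DMZDNS, sports=SAFE, dports="53"),
    Rule("allow", "tcp", src=DMZMAIL, sports=SAFE, dports="25,113"),
    Rule("allow", "udp", src=DMZNTP, sports=SAFE, dst=NTPSERVER1, dports="123"),
    Rule("deny", "tcp", src=DMZWEB, setup=True),
    Rule("allow", "tcp", src=DMZWEB, sports="80,443", dports=SAFE, established=True),
    Rule("allow", "tcp", src=DMZFTP, sports=FTPHIGH + ",20,21", dports=SAFE),
    Rule("deny"),
]

if __name__ == "__main__":
    syn, ack = frozenset({"syn"}), frozenset({"ack"})
    print(decide(INBOUND, Packet("tcp", "198.51.100.7", DMZWEB, 80, 80, syn)))      # deny: low source port
    print(decide(OUTBOUND, Packet("tcp", DMZWEB, "198.51.100.7", 80, 40000, ack)))  # allow: reply to a client
```

The ordering matters exactly as it does in the real list: each server's allow rule is immediately followed by its own deny, so a TCP packet to that server that fails the source-port or destination-port test is dropped there and never reaches the ICMP or NTP rules below. The outbound deny on `setup` from the web server sits before its `established` allow for the same reason, and a packet whose source is outside the DMZ block matches nothing but the final deny.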