
Configuring IPFilter and IPNat on NetBSD
 
Configuring IPFilter
Configuration file locations,
vi /etc/ipf.conf  # on NetBSD
vi /etc/ipf.rules  # on FreeBSD
 
If you only need to filter the public network interface, start right off with rules bound to that interface instead of setting a default policy: this way you never have to touch the configuration again whatever you do with bridges, aggregates and other internal virtual or physical network interfaces.
#
# public network
#
block in log first on fxp0 all
block return-icmp in log first on fxp0 all
block return-icmp-as-dest(port-unr) in log first on fxp0 proto udp all
block return-rst in log first on fxp0 proto tcp all

pass in on fxp0 proto tcp from any to any port = 22 flags S keep state keep frags
pass out on fxp0 all keep state

#
# applies everywhere
#
pass in quick proto icmp from any to any icmp-type echo
pass in quick proto icmp from any to any icmp-type echorep
pass out quick proto icmp from any to any icmp-type echo
pass out quick proto icmp from any to any icmp-type echorep
 
Otherwise, here's how it goes,
#
# default policy
#
block in log first all
block return-icmp in log first all
block return-icmp-as-dest(port-unr) in log first proto udp all
block return-rst in log first proto tcp all
block out all

#
# applies everywhere
#
pass in quick proto icmp from any to any icmp-type echo
pass in quick proto icmp from any to any icmp-type echorep
pass out quick proto icmp from any to any icmp-type echo
pass out quick proto icmp from any to any icmp-type echorep

#
# public network
#
pass in on fxp0 proto tcp from any to any port = 22 flags S keep state keep frags
pass out on fxp0 all keep state

#
# loopback and internal network
#
pass in quick on lo0 all
pass out quick on lo0 all

pass in quick on INTERNAL_IF all
pass out quick on INTERNAL_IF all
 
Note. Dropping packets silently is preferable, since an attacker's port scanner then needs significantly more time to complete. I prefer to reject them instead (the "return-*" rules above) so one immediately knows when a port is blocked instead of waiting for a timeout. On critical networks, don't use the "return-*" variants; stick to the plain default blocking rule.
 
Note. "keep frags" prevents "flags S" from dropping fragmented packets.
 
Note. To tighten things further, you may add these block rules at the top,
block in from any to 255.255.255.255
block in from any to 127.0.0.1/32
 
Note. The "quick" keyword makes a matching rule final: whatever rules come next are not evaluated (otherwise the last matching rule wins).
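To see how rule order and "quick" interact in the rulesets above, here is a small evaluator for a subset of the ipf.conf syntax (added example, not code from the page or from IPFilter itself). It implements the "last matching rule wins unless quick" semantics and runs a constructed ruleset, built from the rules above, against constructed packets; the assumed IP addresses are documentation ranges, and the anti-spoofing block to 127.0.0.1 is shown both as written above and with "quick on fxp0" added, which is what makes it final on the public interface.

```python
import ipaddress

def parse_rule(line):
    """Parse a subset of ipf.conf; keywords carrying no match criteria (log, first, return-*, flags, keep) are skipped."""
    t, i = line.split(), 1
    r = {"action": t[0], "dir": None, "quick": False, "iface": None, "proto": None, "src": None, "dst": None, "dport": None}
    while i < len(t):
        w = t[i]
        if w in ("in", "out"):
            r["dir"] = w
        elif w == "quick":
            r["quick"] = True
        elif w in ("on", "proto"):
            i += 1; r["iface" if w == "on" else "proto"] = t[i]
        elif w in ("from", "to"):
            i += 1; r["src" if w == "from" else "dst"] = None if t[i] == "any" else ipaddress.ip_network(t[i], strict=False)
        elif w == "port" and t[i + 1] == "=":  # destination port only; 'port A >< B' ranges are not modelled
            i += 2; r["dport"] = int(t[i])
        i += 1
    return r

def matches(r, pkt):
    """pkt is a dict with dir, iface, proto, src, dst and, for tcp/udp, dport."""
    for k in ("dir", "iface", "proto", "dport"):
        if r[k] is not None and r[k] != pkt.get(k): return False
    for k in ("src", "dst"):
        if r[k] is not None and ipaddress.ip_address(pkt[k]) not in r[k]: return False
    return True

def evaluate(rules, pkt):
    """IPFilter semantics: the last matching rule decides, unless a matching rule is 'quick'."""
    verdict = ("pass", 0)  # a packet matching no rule at all is passed
    for n, r in enumerate(rules, 1):
        if matches(r, pkt):
            verdict = (r["action"], n)
            if r["quick"]: break
    return verdict

# Constructed ruleset: the anti-spoofing block at the top, the default policy, ssh on fxp0, loopback.
PAGE_RULES = """block in from any to 127.0.0.1/32
block in log first all
block return-rst in log first proto tcp all
pass in on fxp0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on lo0 all"""

def demo(text=PAGE_RULES):
    """Verdicts for constructed packets: ssh and http on fxp0, loopback, and a 127.0.0.1-bound packet on fxp0."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    ssh = {"dir": "in", "iface": "fxp0", "proto": "tcp", "src": "203.0.113.5", "dst": "198.51.100.1", "dport": 22}
    lo = {"dir": "in", "iface": "lo0", "proto": "tcp", "src": "127.0.0.1", "dst": "127.0.0.1", "dport": 25}
    return [evaluate(rules, p) for p in (ssh, dict(ssh, dport=80), lo, dict(ssh, dst="127.0.0.1"))]

if __name__ == "__main__":
    print(demo(), demo(PAGE_RULES.replace("block in from", "block in quick on fxp0 from")))
```

With the block rule written without "quick", a 127.0.0.1-bound packet arriving on fxp0 for port 22 is still passed by the later ssh rule (last match wins); with "quick on fxp0" it is blocked by rule 1 while loopback traffic is unaffected.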
 
Configuring IPNat
Configuration file locations,
vi /etc/ipnat.conf  # on NetBSD
e.g.,
map fxp0 10.0.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 10.0.0.0/24 -> 0/32 portmap tcp/udp 10000:20000
map fxp0 10.0.0.0/24 -> 0/32

rdr fxp0 0.0.0.0/0 port 22 -> 10.0.0.X port 22 tcp
 
And enable packet forwarding (NetBSD),
sysctl -w net.inet.ip.forwarding=1
cd /etc/
cat >> /etc/sysctl.conf <<EOF9
net.inet.ip.forwarding=1
EOF9
 
Ready to go
On NetBSD, simply,
cd /etc/
cat >> rc.conf <<EOF9
ipnat=yes
ipfs=yes
ipmon=yes
ipfilter=yes
EOF9
rc.d/ipnat start
rc.d/ipfs start
rc.d/ipmon start
rc.d/ipfilter start
 
Optionally, configure syslog to send the IPFilter logs to a separate file,
cd /etc/
mv syslog.conf syslog.dist
cat > syslog.conf <<EOF9
*.emerg *
*.*;local0.none -/var/log/messages
local0.* -/var/log/ipfilter
EOF9
touch /var/log/ipfilter
chmod 640 /var/log/messages
chmod 640 /var/log/ipfilter
rc.d/syslogd restart
 
Additional notes
Note. to reload rules,
ipf -Fa -f /etc/ipf.conf
 
Note. to show the ruleset that is loaded,
ipfstat -hion
 
Note. for a passive-mode capable FTP server, you need to open port 21 (not 20, which is used by active FTP) and a port range, e.g.,
pass in on hme0 proto tcp from any to any port = 21 keep state
pass in on hme0 proto tcp from any to any port 5999 >< 7000 keep state
This means ports 6000 to 6999 can be used by the FTP daemon to open passive connection ports.
 
Note. on Solaris, lo0 cannot be filtered.
 
Ports reference
Note. NetBIOS ports,
tcp/udp 137 #netbios-ns
tcp/udp 138 #netbios-dgm
tcp/udp 139 #netbios-ssn
#tcp/udp 81 # hosts2 name server
 
Note. IKE/IPsec,
pass in quick proto udp from any to any port = ike
pass in quick proto udp from any to any port = 4500
pass in proto esp from any to any
 
Note. routing info,
pass in quick proto udp from any to any port = route
pass in quick proto icmp from any to any icmp-type 9 #routeradvert
pass in quick proto igmp from any to any
 

Last update: Jul 25, 2013
Copyright © 2007-2014 Pierre-Philipp Braun