
IPFilter & Packet Filter configuration



IPFilter Configuration

Edit the configuration file,

vi /etc/ipf.conf  # NetBSD
#vi /etc/ipf.rules  # FreeBSD

like,

# IPFilter: the last matching rule wins unless it says "quick", so the
# default policy goes first and the exceptions follow it
block return-icmp in all
block return-icmp-as-dest(port-unr) in proto udp all
block return-rst in proto tcp all
block out all
pass in quick proto icmp from any to any icmp-type echo
pass in quick proto icmp from any to any icmp-type echorep
pass out quick proto icmp from any to any icmp-type echo
pass out quick proto icmp from any to any icmp-type echorep

# loopback is never filtered
pass in on lo0 all
pass out on lo0 all

# hme0 is the network interface: only SSH in, everything out (stateful)
pass in on hme0 proto tcp from any to any port = 22 flags S keep state keep frags
pass out on hme0 all keep state

Note. I prefer returning packets (RST for TCP, ICMP unreachable for UDP) rather than dropping them, so one knows immediately that a port is filtered instead of waiting for a timeout. Dropping is nonetheless the safer choice: port scanners take far longer to complete against a host that drops silently, and a returned error confirms that the host is alive. So use the "return-*" variants on trusted networks only.


Note. "keep frags" lets the remaining fragments of a matched packet through. Without it, a rule using "flags S" can only match the first fragment (the only one carrying the TCP header) and the rest of a fragmented packet gets dropped.


Note. if one interface serves both the DMZ and the internal network, you may want to restrict a service to internal clients only by narrowing the addresses in its rule, e.g.,

#... from 192.168.0.0/24 to 192.168.0.1 ...

Note. for logging, enable ipmon at boot (on NetBSD, check the default in defaults/rc.conf and override it in rc.conf),

#cd /etc
#grep ipmon defaults/rc.conf
#echo "ipmon=yes" >> rc.conf

then add "log" to the rules you want logged, after the direction and before "quick", "on" or "proto"; "log first" (with "keep state") logs only the first packet of a flow instead of every one, e.g.,

#block return-icmp-as-dest(port-unr) in log first proto udp all
#pass in log first on hme0 ...

You may also set the syslog facility and priority of the entries, e.g. "log level local1.notice".


Note. to tighten further, add these blocks at the top. They drop packets for the broadcast and loopback addresses; leave "quick" out of them, so the later "pass ... on lo0" rules still win for genuine loopback traffic,

block in from any to 255.255.255.255
block in from any to 127.0.0.1/32

Note. IPFilter walks the whole ruleset and the last matching rule decides, which is why a "pass" placed after a "block" overrides it. "quick" (written before "on" or "proto") makes a rule final: as soon as it matches, no later rule is considered.


Note. it's recommended to pass only the ICMP echo request and reply types, as above. If you want all ICMP anyway,

pass in quick proto icmp all
pass out quick proto icmp all

Note. for an FTP server accepting passive connections, you need to open port 21 (the control connection; port 20 is only used by the server in active mode) and the passive data port range, which the FTP daemon itself must be configured to use,

pass in on hme0 proto tcp from any to any port = 21 keep state
pass in on hme0 proto tcp from any to any port 5999 >< 6011 keep state

this means ports 6000 to 6010 inclusive: "><" is exclusive on both ends (above 5999 and below 6011).
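Both the last-match rule (with "quick" as the exception) and the exclusive "><" range are easy to misread on paper. As an added example, not part of the original page, here is a small POSIX sh/awk re-implementation of IPFilter's rule walk, run over the ruleset above with the two anti-spoof blocks placed on top and the two FTP rules added. It is not ipf(8): it matches only direction, interface, protocol, destination address (exact or "any", a "/32" suffix is accepted), "port =", "port ><" and "icmp-type"; flags, state, "log" and "return-*" are ignored and service names are not resolved. The interface names are the page's, the packet addresses are constructed.

```shell
#!/bin/sh
# Added example: simulate IPFilter rule evaluation (last match wins,
# "quick" stops the walk) over a demo ruleset taken from this page.
# This is not ipf(8); see the lead-in for what is and is not matched.

RULES=${TMPDIR:-/tmp}/ipf-demo.$$
trap 'rm -f "$RULES"' EXIT

# Ruleset from the page, in /etc/ipf.conf order (rule numbers = order):
# anti-spoof blocks first, FTP control and passive range rules added.
write_demo_rules() {
	cat >"$1" <<'EOF'
# hme0 is the external interface, lo0 the loopback (names from the page)
block in from any to 255.255.255.255
block in from any to 127.0.0.1/32
block return-icmp in all
block return-icmp-as-dest(port-unr) in proto udp all
block return-rst in proto tcp all
block out all
pass in quick proto icmp from any to any icmp-type echo
pass in quick proto icmp from any to any icmp-type echorep
pass out quick proto icmp from any to any icmp-type echo
pass out quick proto icmp from any to any icmp-type echorep

pass in on lo0 all
pass out on lo0 all

pass in on hme0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in on hme0 proto tcp from any to any port = 21 keep state
pass in on hme0 proto tcp from any to any port 5999 >< 6011 keep state
pass out on hme0 all keep state
EOF
}

# ipf_decide RULES DIR IFACE PROTO DST DPORT [ICMPTYPE]
# Prints "<action> <rule number>" for the rule that decided the packet.
ipf_decide() {
	awk -v dir="$2" -v ifc="$3" -v proto="$4" -v dst="$5" \
	    -v dport="$6" -v itype="$7" '
	/^[ \t]*(#|$)/ { next }          # comments and blank lines do not count
	{
		n++                           # rule number, as "ipfstat -n" shows it
		act = $1; rdir = ""; quick = 0; rif = "any"; rproto = "any"
		rdst = "any"; pmode = ""; p1 = 0; p2 = 0; rtype = ""
		for (i = 2; i <= NF; i++) {
			if ($i == "in" || $i == "out") rdir = $i
			else if ($i == "quick") quick = 1
			else if ($i == "on") rif = $(++i)
			else if ($i == "proto") rproto = $(++i)
			else if ($i == "to") { rdst = $(++i); sub(/\/32$/, "", rdst) }
			else if ($i == "port" && $(i + 1) == "=") { pmode = "eq"; p1 = $(i + 2); i += 2 }
			else if ($i == "port" && $(i + 2) == "><") { pmode = "range"; p1 = $(i + 1); p2 = $(i + 3); i += 3 }
			else if ($i == "icmp-type") rtype = $(++i)
		}
		# does this rule match the packet at all?
		if (rdir != dir) next
		if (rif != "any" && rif != ifc) next
		if (rproto != "any" && rproto != proto) next
		if (rdst != "any" && rdst != dst) next
		if (pmode == "eq" && dport + 0 != p1 + 0) next
		if (pmode == "range" && !(dport + 0 > p1 + 0 && dport + 0 < p2 + 0)) next
		if (rtype != "" && rtype != itype) next
		last = act " " n              # remember it: the last match wins ...
		if (quick) exit               # ... unless the rule is "quick"
	}
	# no rule at all matching is treated as pass, as IPFilter does by default
	END { if (last == "") last = "pass (no match)"; print last }
	' "$1"
}

write_demo_rules "$RULES"
ipf_decide "$RULES" in hme0 tcp 192.0.2.10 22          # pass 13: block #5 matched first, #13 matched later
ipf_decide "$RULES" in hme0 tcp 192.0.2.10 80          # block 5
ipf_decide "$RULES" in hme0 tcp 192.0.2.10 5999        # block 5: "><" excludes both ends
ipf_decide "$RULES" in hme0 tcp 192.0.2.10 6000        # pass 15
ipf_decide "$RULES" in lo0 tcp 127.0.0.1 25            # pass 11: top block #2 overridden by the later lo0 pass
ipf_decide "$RULES" in hme0 tcp 127.0.0.1 25           # block 5: loopback address arriving on hme0
ipf_decide "$RULES" in hme0 icmp 192.0.2.10 0 echo     # pass 7: quick, the walk stops here
ipf_decide "$RULES" in hme0 icmp 192.0.2.10 0 unreach  # block 3
```

Compare the rule numbers printed here with "ipfstat -hion" on a real box loaded with the same file; the decisive rule for SSH is the late "pass", not the early "block", and making the top anti-spoof blocks "quick" would turn the lo0 case into "block 2".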


Note. on Solaris, lo0 cannot be filtered.


Note. NetBIOS ports,

tcp/udp 137 #netbios-ns
tcp/udp 138 #netbios-dgm
tcp/udp 139 #netbios-ssn
#tcp/udp 81 # hosts2 name server

Note. IKE/IPsec: UDP 500 for IKE (isakmp), UDP 4500 for NAT traversal, then the ESP packets themselves. Add a "proto ah" rule as well if AH is in use,

pass in quick proto udp from any to any port = 500  # isakmp/ike
pass in quick proto udp from any to any port = 4500 # ipsec-nat-t
pass in proto esp from any to any

Note. routing info (only needed if the box actually runs a routing daemon or listens to router advertisements),

pass in quick proto udp from any to any port = 520 # router (RIP)
pass in quick proto icmp from any to any icmp-type 9 # routeradvert
pass in quick proto igmp from any to any


IPNat configuration

On NetBSD, enable IP forwarding, immediately and persistently across reboots,

sysctl -w net.inet.ip.forwarding=1
vi /etc/sysctl.conf  # add net.inet.ip.forwarding=1

Configure ipnat (and enable it at boot with ipnat=yes in rc.conf, like ipmon above). NAT rules are matched first-match, so the FTP proxy and the portmap rules must come before the catch-all map,

vi /etc/ipnat.conf

like,

# 0/32 means "the address of xennet0"
map xennet0 10.2.2.0/24 -> 0/32 proxy port ftp ftp/tcp        # FTP proxy rewrites the PORT commands
map xennet0 10.2.2.0/24 -> 0/32 portmap tcp/udp 40000:60000  # source ports are picked from this range
map xennet0 10.2.2.0/24 -> 0/32                               # everything else, e.g. ICMP


IPFilter usage

Reload rules (-Fa flushes the whole ruleset before the file is loaded; state entries survive unless -Fs is added as well; ipnat rules are reloaded separately with ipnat -CF -f /etc/ipnat.conf),

ipf -Fa -f /etc/ipf.conf

show the loaded ruleset, in and out, with hit counts and rule numbers,

ipfstat -hion



Packet Filter configuration

The syntax is a little different for /etc/pf.conf. See http://www.openbsd.org/faq/pf/example1.html



Packet Filter usage

To enable,

pfctl -e

to disable,

pfctl -d


References

http://www.netbsd.org/docs/network/nsps/config_ipf.html

http://www.freebsd.org/doc/en/books/handbook/firewalls-ipf.html

http://www.onlamp.com/pub/a/bsd/2003/03/06/ssn_openbsd.html

http://www.openbsd.org/faq/pf/config.html

https://solarflux.org/pf/

http://doc.pfsense.org/index.php/Booting_Options



Last update: Sep 28, 2009
Copyright © 2007-2013 Pierre-Philipp Braun