
Configuring IPFilter and IPNat on NetBSD and FreeBSD
 
Configuring IPFilter
Configuration file locations,
vi /etc/ipf.conf  # on NetBSD
vi /etc/ipf.rules  # on FreeBSD
 
If you only need to filter the public network interface, write the rules against that interface from the start instead of a global default policy. The configuration then keeps working whatever you do with bridges, aggregates and other internal virtual or physical network interfaces, and the loopback interface is left free to pass. DIRTY_HACKER_IP below is a placeholder for an address you want dropped outright.
#
# public network
#
block in log first on em0 all
block return-icmp in log first on em0 all
block return-icmp-as-dest(port-unr) in log first on em0 proto udp all
block return-rst in log first on em0 proto tcp all

block in log quick on em0 from DIRTY_HACKER_IP to any

pass in on em0 proto tcp from any to any port = 21 flags S keep state keep frags
pass in on em0 proto tcp from any to any port = 25 flags S keep state keep frags
pass in on em0 proto tcp from any to any port = 80 flags S keep state keep frags
pass in on em0 proto tcp from any to any port = 143 flags S keep state keep frags
pass in on em0 proto tcp from any to any port = 443 flags S keep state keep frags
pass in on em0 proto tcp from any to any port = 2222 flags S keep state keep frags
pass in on em0 proto tcp from any to any port 49999 >< 51000 flags S keep state keep frags
pass out on em0 all keep state

#
# applies everywhere
#
pass in quick proto icmp from any to any icmp-type echo
pass in quick proto icmp from any to any icmp-type echorep
pass out quick proto icmp from any to any icmp-type echo
pass out quick proto icmp from any to any icmp-type echorep
 
Otherwise, here's how it goes,
#
# default policy
#
block in log first all
block return-icmp in log first all
block return-icmp-as-dest(port-unr) in log first proto udp all
block return-rst in log first proto tcp all
block out all

#
# applies everywhere
#
pass in quick proto icmp from any to any icmp-type echo
pass in quick proto icmp from any to any icmp-type echorep
pass out quick proto icmp from any to any icmp-type echo
pass out quick proto icmp from any to any icmp-type echorep

#
# public network
#
pass in on em0 proto tcp from any to any port = 22 flags S keep state keep frags
pass out on em0 all keep state

#
# loopback and internal network
#
pass in quick on lo0 all
pass out quick on lo0 all

pass in quick on INTERNAL_IF all
pass out quick on INTERNAL_IF all
 
Note. Dropping packets silently is the safer choice: attackers' port scanners take significantly longer to complete against dropped packets than against rejected ones. I still prefer to reject (the return-* variants) on ordinary hosts, so that one immediately sees that a port is blocked instead of waiting for a timeout. On critical networks, do not use the return-* variants and rely on the plain block rules, which drop silently.
 
Note. "keep frags" is there so that the "flags S" rules do not drop fragmented packets: only the first fragment carries the TCP header with the flags, so without it the remaining fragments of an otherwise allowed session would not match anything.
 
Note. to tighten further, add anti-spoofing blocks for the public interface. IPFilter applies the last matching rule unless a rule says "quick", so mark them quick and tie them to em0: a bare "block in quick from any to 127.0.0.1/32" with no interface would also match on lo0 and kill the loopback traffic passed further down.
block in quick on em0 from any to 255.255.255.255
block in quick on em0 from any to 127.0.0.1/32
 
Note. the "quick" keyword makes a rule final. IPFilter normally walks the whole list and applies the last rule that matched, so without quick a later rule can override an earlier one; with quick, matching stops at that rule.
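The two rulesets above are long and repetitive, and the mistakes that bite are the silent ones: a misspelled direction, a "to" with no host, a "flags S" rule that forgot "keep frags", a file with no default block at all. What follows is an added example, not code from the original page: a rule generator for the per-port pass lines and a small shape checker for an ipf.conf written in POSIX sh and awk. Interface names and ports are illustrative, the two sample rulesets are constructed here for the example, and the checker only looks at the shape of each line, so still run "ipf -n -f FILE" against the real parser before loading.

```shell
#!/bin/sh
# Added example, not code from the original page: helpers around ipf.conf.
# gen_tcp_pass emits the repetitive per-port "pass in" rules so they are not
# typed by hand; lint_ipf catches the mistakes that silently break a ruleset
# (bad direction such as "pass ou", "to port" with no host in front, "from"
# without "to", neither "all" nor from/to, "flags S" without "keep frags",
# and no default "block in ... all" rule). Interface names and ports are
# illustrative; the linter checks shape only, not what the kernel accepts.

# gen_tcp_pass IF PORT... : one stateful rule per TCP port; "A><B" is a range.
gen_tcp_pass() {
    ifc=$1; shift
    for p in "$@"; do
        case $p in
            *'><'*) spec="port ${p%%><*} >< ${p##*><}" ;;
            *)      spec="port = $p" ;;
        esac
        printf 'pass in on %s proto tcp from any to any %s flags S keep state keep frags\n' "$ifc" "$spec"
    done
}

# lint_ipf FILE : exit 0 when no error was found, 1 otherwise; findings on stderr.
lint_ipf() {
    awk '
    function err(msg) { errors++; printf("%s:%d: %s: %s\n", FILENAME, FNR, msg, $0) > "/dev/stderr" }
    /^[ \t]*(#|$)/ { next }                              # comments and blank lines
    {
        act = $1; dir = $2
        if (dir ~ /^return-/) dir = $3                   # "block return-rst in ..."
        if ((act != "pass" && act != "block") || (dir != "in" && dir != "out")) {
            err("bad action or direction"); next
        }
        if ($0 ~ / from / && $0 !~ / to /) err("from without to")
        if ($0 !~ / from / && $0 !~ / all( |$)/) err("rule needs \"all\" or from ... to ...")
        if ($0 ~ / to port /) err("\"to\" needs a host before \"port\"")
        if (act == "pass" && $0 ~ /flags S/ && $0 !~ /keep frags/) err("flags S without keep frags drops fragments")
        if (act == "block" && dir == "in" && $0 ~ / all( |$)/) have_default = 1
    }
    END {
        if (!have_default) { errors++; print FILENAME ": no default \"block in ... all\" rule" > "/dev/stderr" }
        exit (errors > 0)
    }' "$1"
}

# Constructed sample rulesets: a clean one and one carrying the usual typos.
sample_good() {
    cat <<'EOF'
# default policy
block in log first all
block out all
pass in quick on lo0 all
pass out quick on lo0 all
EOF
    gen_tcp_pass em0 22 443 '49999><51000'
    echo 'pass out on em0 all keep state'
}

sample_bad() {
    cat <<'EOF'
block in log first all
pass ou quick on INTERNAL_IF all
pass in quick proto udp from any to port = route
pass in on em0 proto tcp from any to any port = 80 flags S keep state
EOF
}
```

Use it as "lint_ipf /etc/ipf.conf" before reloading, and as "gen_tcp_pass em0 21 25 80 143 443 2222 '49999><51000'" to produce the public-network pass block. The default-policy check accepts an interface-bound "block in log first on em0 all" as well, since that is exactly the intent of the first ruleset on this page.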
 
Configuring IPNat
Configuration file locations,
vi /etc/ipnat.conf  # on NetBSD
vi /etc/ipnat.rules  # on FreeBSD
e.g.,
# FTP proxy so that active FTP from the LAN works through NAT (keep it first)
map em0 10.0.0.0/24 -> 0/32 proxy port ftp ftp/tcp
# TCP and UDP: rewrite the source address and pick a source port in 10000-20000
map em0 10.0.0.0/24 -> 0/32 portmap tcp/udp 10000:20000
# everything else (ICMP, ...): rewrite the source address only
# (0/32 stands for the address currently bound to em0)
map em0 10.0.0.0/24 -> 0/32

# forward inbound SSH on the public interface to an internal host (replace X)
rdr em0 0.0.0.0/0 port 22 -> 10.0.0.X port 22 tcp
 
Note. inbound packets are translated before they are filtered, so the ipf ruleset has to pass the traffic as rdr rewrites it (here destination 10.0.0.X port 22); a "pass in on em0 proto tcp from any to any port = 22" rule covers it.

And enable packet forwarding (NetBSD; on FreeBSD set gateway_enable="YES" in rc.conf instead),
sysctl -w net.inet.ip.forwarding=1
cd /etc/
cat >> /etc/sysctl.conf <<EOF9
net.inet.ip.forwarding=1
EOF9
 
Ready to go
On NetBSD, simply,
cd /etc/
cat >> rc.conf <<EOF9
ipnat=yes
ipfs=yes
ipmon=yes
ipfilter=yes
EOF9
rc.d/ipnat start
rc.d/ipfs start
rc.d/ipmon start
rc.d/ipfilter start
and reload the rules with either
/etc/rc.d/ipfilter reload
or
ipf -Fa -f /etc/ipf.conf
The latter flushes the active set and loads the file in one invocation; the rc.d reload instead loads into the inactive set (ipf -I) and then swaps the two sets (ipf -s), so there is no moment with an empty ruleset.
 
On FreeBSD,
cd /etc/
cat >> rc.conf <<EOF9
ipfilter_enable="YES"            # start the ipf firewall
ipfilter_rules="/etc/ipf.rules"  # rules definition text file
ipmon_enable="YES"               # start the IP monitor log
ipmon_flags="-Ds"                # -D run as a daemon, -s log to syslog
                                 # add -v to log tcp window, ack, seq
                                 # add -n to map IP & port to names
ipnat_enable="YES"               # only if IPNat is used
ipnat_rules="/etc/ipnat.rules"   # ipnat rules file
gateway_enable="YES"             # packet forwarding, only if IPNat is used
EOF9
service ipmon start
service ipfilter start
service ipnat start
and reload the rules with,
ipf -Fa -f /etc/ipf.rules
 
Optionally, configure syslog to send the IPFilter logs (ipmon -s logs to the local0 facility by default) to a file of their own,
cd /etc/
mv syslog.conf syslog.dist
cat > syslog.conf <<EOF9
*.emerg *
*.*;local0.none -/var/log/messages
local0.* -/var/log/ipfilter
EOF9
touch /var/log/ipfilter
chmod 640 /var/log/messages
chmod 640 /var/log/ipfilter
rc.d/syslogd restart  # NetBSD; on FreeBSD: service syslogd restart
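Once ipmon writes to its own file, the question is what to do with it. The block below is an added example, not code from the original page: it summarises the inbound packets ipmon logged as blocked, per source address and per interface, so that the "block in log quick on em0 from DIRTY_HACKER_IP to any" rule above can be fed with addresses actually seen in /var/log/ipfilter. The log lines are constructed for the example; the layout they follow (time, interface, @group:rule, b for blocked or p for passed, src,port -> dst,port, PR proto ..., IN or OUT) is the one ipmon writes, and the host name, addresses and ports are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original page: summarise what ipmon logged
# as blocked so the DIRTY_HACKER_IP rule can be fed with real addresses.
# Sample lines below are constructed; the field layout is ipmon's, the host
# name, addresses and ports are illustrative.

# Constructed sample of ipmon -s output as syslog stores it (local0).
sample_ipmon_log() {
    cat <<'EOF'
Jul 13 10:01:02 gw ipmon[811]: 10:01:02.123456 em0 @0:1 b 203.0.113.7,51234 -> 192.0.2.10,23 PR tcp len 20 60 -S IN
Jul 13 10:01:03 gw ipmon[811]: 10:01:03.234567 em0 @0:1 b 203.0.113.7,51235 -> 192.0.2.10,3389 PR tcp len 20 60 -S IN
Jul 13 10:01:04 gw ipmon[811]: 10:01:04.345678 em0 @0:1 b 198.51.100.9,40000 -> 192.0.2.10,53 PR udp len 20 48 IN
Jul 13 10:01:05 gw ipmon[811]: 10:01:05.456789 em0 @0:6 p 198.51.100.20,55555 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
Jul 13 10:01:06 gw ipmon[811]: 10:01:06.567890 em0 @0:1 b 203.0.113.7,51236 -> 192.0.2.10,445 PR tcp len 20 60 -S IN
Jul 13 10:01:07 gw ipmon[811]: 10:01:07.678901 em1 @0:1 b 10.0.0.42,2049 -> 192.0.2.10,2049 PR tcp len 20 60 -S IN
EOF
}

# blocked_sources [IF] : inbound packets blocked per source address, read from
# stdin, optionally restricted to interface IF; prints "count address", busiest
# first. Fields are located by the @group:rule token rather than by position,
# so the length of the syslog prefix does not matter.
blocked_sources() {
    awk -v want="$1" '
    {
        for (i = 1; i <= NF; i++) if ($i ~ /^@[0-9]+:[0-9]+$/) break
        if (i > NF || $(i + 1) != "b" || $NF != "IN") next   # blocked, inbound only
        if (want != "" && $(i - 1) != want) next             # interface filter
        split($(i + 2), src, ",")                            # "addr,port" -> addr
        count[src[1]]++
    }
    END { for (a in count) print count[a], a }' | sort -rn
}

# top_blocked IF MIN : source addresses blocked at least MIN times on IF.
top_blocked() {
    blocked_sources "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# block_rule IF ADDR : the matching quick block rule, ready to paste into ipf.conf.
block_rule() {
    printf 'block in log quick on %s from %s to any\n' "$1" "$2"
}
```

On a real host: "blocked_sources em0 < /var/log/ipfilter" for the overview, and "top_blocked em0 50 < /var/log/ipfilter | while read a; do block_rule em0 "$a"; done" to draft the block lines, which still deserve a look before they go into the ruleset. Remember that "log first" on the block rules means only the first matching packet of a session is written, so the counts are sessions, not packets.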
 
Additional notes
Note. to show the loaded ruleset with hit counters and rule numbers, inbound and outbound,
ipfstat -hion
 
Note. on Solaris, lo0 cannot be filtered.
 
Note. for a passive-capable FTP server, open port 21 (port 20 is only used by active FTP, where the server connects back out) plus the passive port range, e.g.,
pass in on hme0 proto tcp from any to any port = 21 keep state
pass in on hme0 proto tcp from any to any port 49999 >< 51000 keep state
this opens ports 50000 to 50999 for the passive data connections; the FTP daemon must be configured to use the same range.
 
Ports reference
Note. NetBIOS ports,
tcp/udp 137 #netbios-ns
tcp/udp 138 #netbios-dgm
tcp/udp 139 #netbios-ssn
#tcp/udp 81 # hosts2 name server
 
Note. IKE/IPsec,
pass in quick proto udp from any to any port = ike  # IKE, udp/500 (use the number if /etc/services has no "ike" entry)
pass in quick proto udp from any to any port = 4500  # IKE/ESP NAT traversal
pass in proto esp from any to any
 
Note. routing info,
pass in quick proto udp from any to any port = route  # RIP, udp/520
pass in quick proto icmp from any to any icmp-type 9  # router advertisement
pass in quick proto igmp from any to any
 

Last update: Jul 13, 2015
Copyright © 2007-2015 Pierre-Philipp Braun