# Firewall design by E.J. van Westen
# Released under GPL
#
# ipfilter firewalling script
# based on the documentation that can be found on www.obfuscation.org/ipf
#
# This script is meant as a start to create a packet filtering firewall that is
# effectively blocking unwanted traffic, yet relatively easy to understand
# However: this script comes with No Warranty Whatsoever
#
# Outside world connected on ppp0/tun0 (incoming group 1, 21, outgoing group 2, 22)
# outside world connected interface ed0 for adsl
# WARNING with adsl
# unfortunately this script has to be brought down just before the pptp connection is
# brought up. After starting the ppp daemon the script can be brought up again, preferably from
# ppp.linkup or ip-up scripts. Do not forget to restart the ipnat as well.
#
# Inside free connected on we1 (incoming group 11, outgoing group 12)
# Inside restricted connected on rl0 (incoming group 41, outgoing group 42)
# Free has open connection to the outside world, incoming traffic
# is blocked, except ports ...
# Restricted has very limited connection to the outside world,
# incoming traffic is blocked, except ports ...
# Free cannot see Restricted and vice versa
#
# In general: It is relatively easy to create compartments which can or
# cannot see each other, where each compartment has its own set of rules
# to access the internet.
# The ipfilter tools allow for building a high-speed firewall, where the
# groups can play an important role in speed optimization
#
#
# (c) 2000-2001 by E.J. van Westen, GPL copyright license.
# version 1.0
# Thanks to Patrick Fokkema for testing
# Revision history
# 20001031 EW added blocking lsrr,ssrr, icmp's in group 1, textual changes
# 20001107 EW added allow incoming icmp type 11
# 20001121 EW added protected internal interface, changed logging to a lot...,
#             real life example for smurfing protection (demon)
# 20001217 EW changed icmp type 11 to timex (cosmetic)
#             added allow incoming icmp type unreach (type 3)
# 20010509 EW to version 0.6: added interface for mxstream (local dutch variation on adsl)
#             added increased checks on source ports/destination ports
#             general code cleanup, added block+log to every section (esp for logging)
# 20010603 EW to version 1.0 (release) general block for 0.0.0.0 and 255.255.255.255
#             make nmaps more difficult
#             added example for bridging firewall (the coolest option, since it completely
#             hides the firewall, even on layer2-3)

# default policy
# the default policy is deny
# the default can be overruled per group
block in all
block out all

# enable accounting information
count in all
count out all

# general blocks
block in log quick from 0.0.0.0/32 to any
block in log quick from 255.255.255.255/32 to any
block in log quick all with short
block in log quick all with frag
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick proto tcp all flags FUP

# primary interface, incoming from the internet
block in quick on ppp0 all head 1
# block ident requests with rst, block mail kicks from demon
block return-rst in quick on ppp0 proto tcp from any to 195.11.253.28 port = 113 group 1
block return-rst in quick on ppp0 proto tcp from any to 195.11.253.28 port = 25 group 1
# block smb traffic
block in log quick on ppp0 proto tcp/udp from any to any port 136 >< 140 group 1
# block spoofing attempts
block in log quick on ppp0 from 192.168.0.0/16 to any group 1
block in log quick on ppp0 from 172.16.0.0/12 to any group 1
block in log quick on ppp0 from 10.0.0.0/8 to any group 1
block in log quick on ppp0 from 127.0.0.1/8 to any group 1
# block broadcasts to our network, change to outside addresses and netmasks
# (smurfing)
block in log quick on ppp0 from any to 194.159.73.0/32 group 1
block in log quick on ppp0 from any to 194.159.73.255/32 group 1
# and finally start permitting traffic in, if it is allowed to do so...
# webserver first, for load purposes
#pass in quick on ppp0 proto tcp from any port > 1023 to 195.11.253.28 port = 80 flags S keep state group 1
#pass in quick on ppp0 proto tcp from any port > 1023 to 195.11.253.28 port = 443 flags S keep state group 1
#pass in quick on ppp0 proto tcp from any port > 1023 to 195.11.253.28 port = 20 flags S keep state group 1
#pass in quick on ppp0 proto tcp from any port > 1023 to 195.11.253.28 port = 21 flags S keep state group 1
#pass in quick on ppp0 proto tcp from any to any port = 22 flags S keep state group 1
# allow limited incoming pings to the firewall type echo, unreach, echorep, timex
# blackhole incoming pings :-)
# pass in quick on ppp0 proto icmp from any to any icmp-type echo group 1
pass in quick on ppp0 proto icmp from any to any icmp-type unreach group 1
pass in quick on ppp0 proto icmp from any to any icmp-type echorep group 1
pass in quick on ppp0 proto icmp from any to any icmp-type timex group 1
# catch-all for this group: 'on' needs an interface, so the rule is bound to ppp0
block in log quick on ppp0 all group 1

# primary interface, going to the internet
block out quick on ppp0 all head 2
# be permissive on what is going out from the firewall
pass out on ppp0 proto tcp/udp from 195.11.253.28 to any keep state group 2
pass out on ppp0 proto icmp from 195.11.253.28 to any keep state group 2
# if udp namelookups are not allowed before
# pass out quick on ppp0 proto udp from any port = 53 to any keep state group 2
block out log quick on ppp0 all group 2

# primary interface, incoming from the internet
block in quick on tun0 all head 21
# block ident requests with rst, block mail kicks from demon
block return-rst in quick on tun0 proto tcp from any to any port = 113 group 21
block return-rst in quick on tun0 proto tcp from any to any port = 25 group 21
# block smb traffic
block in log quick on tun0 proto tcp/udp from any to any port 136 >< 140 group 21
# block spoofing attempts
block in log quick on tun0 from 192.168.0.0/16 to any group 21
block in log quick on tun0 from 172.16.0.0/12 to any group 21
block in log quick on tun0 from 10.0.0.0/8 to any group 21
block in log quick on tun0 from 127.0.0.1/8 to any group 21
# block broadcasts to our network, change to outside addresses and netmasks
# (smurfing)
block in log quick on tun0 from any to 194.159.73.0/32 group 21
block in log quick on tun0 from any to 194.159.73.255/32 group 21
# and finally start permitting traffic in, if it is allowed to do so...
# webserver first, for load purposes
# NOTHING permitted!
# allow limited incoming pings to the firewall type echo, unreach, echorep, timex
# blackhole incoming pings :-)
pass in quick on tun0 proto icmp from any to 195.11.253.28 icmp-type echo group 21
pass in quick on tun0 proto icmp from any to 195.11.253.28 icmp-type unreach group 21
pass in quick on tun0 proto icmp from any to 195.11.253.28 icmp-type echorep group 21
pass in quick on tun0 proto icmp from any to 195.11.253.28 icmp-type timex group 21
block in log quick on tun0 all group 21

# primary interface, going to the internet
block out quick on tun0 all head 22
# be permissive on what is going out from the firewall
pass out on tun0 proto tcp/udp from 195.11.253.28 to any keep state group 22
pass out on tun0 proto icmp from 195.11.253.28 to any keep state group 22
# if udp namelookups are not allowed before
# pass out quick on tun0 proto udp from 195.11.253.28 port = 53 to any keep state group 22
# catch-all must name the same interface as its head (tun0), or it never matches
block out log quick on tun0 all group 22

# secondary interface, incoming from the local network, assume 192.168.1.0/24
block in quick on we1 all head 11
# block ident requests with rst
block return-rst in quick on we1 proto tcp from any to any port = 113 group 11
# block smb traffic
block in quick on we1 proto tcp/udp from any to any port 136 >< 140 group 11
# block spoofing attempts
# and be careful that we do not lock out our private network segment :-)
#block in quick on we1 from 192.168.0.0/16 to any group 11
block in quick on we1 from 172.16.0.0/12 to any group 11
block in log quick on we1 from 10.0.0.0/8 to any group 11
block in quick on we1 from 127.0.0.1/8 to any group 11
# block broadcasts to our network, change to outside addresses
block in log quick on we1 from any to 192.168.1.0/32 group 11
block in log quick on we1 from any to 192.168.1.255/32 group 11
# and finally start permitting traffic in, if it is allowed to do so...
pass in quick on we1 proto tcp from any to any port = 22 flags S keep state group 11
# is a trusted network...
pass in quick on we1 proto tcp/udp all keep state group 11
pass in quick on we1 proto icmp all keep state group 11
# next line commented out so the firewall can initiate traffic...
block in log quick on we1 all group 11

# secondary interface outgoing to the network
block out quick on we1 all head 12
# be permissive on what is going out from the firewall
pass out quick on we1 proto icmp all keep state group 12
pass out quick on we1 proto tcp/udp all keep state group 12
# catch-all must name the same interface as its head (we1), or it never matches
block out log quick on we1 all group 12

# tertiary interface, heavily protected
# assume: proxy running on port 8080 such as Squid, if so required by
# redirecting port 80 and 443 to 8080
# local nameserver running on firewall, NOT accessible from the outside
# xntpd daemon running on firewall, ntp only accessible on firewall
# allowed to connect to ftp, ssh, telnet, smtp, finger, nntp
# network address range 10.0.0.0/8, fw address 10.0.0.1
# network cannot see we1 :-)
block in log quick on rl0 all head 41
block in quick on rl0 proto tcp/udp from any to any port 136 >< 140 group 41
block in quick on rl0 proto tcp/udp from any to any port 66 >< 69 group 41
block return-rst in quick on rl0 proto tcp from any to any port = 113 group 41
# allow spoofing from within the firewall (ahem)
block in quick on rl0 from 192.168.0.0/16 to any group 41
block in quick on rl0 from 172.16.0.0/12 to any group 41
#block in log quick on rl0 from 10.0.0.0/8 to any group 41
block in log quick on rl0 from 127.0.0.1/8 to any group 41
block in log quick on rl0 from any to 10.0.0.0/32 group 41
block in log quick on rl0 from any to 10.255.255.255/32 group 41
pass in quick on rl0 proto tcp from 10.0.0.0/8 port > 1023 to any port = 21 keep state group 41
pass in quick on rl0 proto tcp from 10.0.0.0/8 to any port = 22 flags S keep state group 41
pass in quick on rl0 proto tcp from 10.0.0.0/8 port > 1023 to any port = 23 flags S keep state group 41
pass in quick on rl0 proto tcp from 10.0.0.0/8 port > 1023 to any port = 25 keep state group 41
# permit zone transfers (tcp) and name lookups (udp)
pass in quick on rl0 proto tcp from 10.0.0.0/8 to 10.0.0.1/32 port = 53 flags S keep state group 41
pass in quick on rl0 proto udp from 10.0.0.0/8 to 10.0.0.1/32 port = 53 keep state group 41
pass in quick on rl0 proto udp from 10.0.0.0/8 port = 53 to any keep state group 41
pass in quick on rl0 proto tcp from 10.0.0.0/8 to any port = 79 flags S keep state group 41
# the network range is 10.0.0.0/8 throughout (10.8.0.0/8 was a typo for the same /8)
pass in quick on rl0 proto tcp from 10.0.0.0/8 to any port = 119 flags S keep state group 41
pass in quick on rl0 proto udp from 10.0.0.0/8 port = 123 to 10.0.0.1/32 port = 123 keep state group 41
pass in quick on rl0 proto tcp from 10.0.0.0/8 port > 1023 to any port = 8080 flags S keep state group 41
pass in quick on rl0 proto icmp from any to any icmp-type echo group 41
pass in quick on rl0 proto icmp from any to any icmp-type unreach group 41
pass in quick on rl0 proto icmp from any to any icmp-type echorep group 41
pass in quick on rl0 proto icmp from any to any icmp-type timex group 41
block in log quick on rl0 all group 41

block out log quick on rl0 all head 42
# from firewall to internal machines
pass out quick on rl0 proto tcp from any port > 1023 to any port = 21 keep state group 42
pass out quick on rl0 proto tcp from any to any port = 22 keep state group 42
pass out quick on rl0 proto tcp from any port > 1023 to any port = 25 keep state group 42
pass out quick on rl0 proto tcp from any to any port = 113 keep state group 42
pass out quick on rl0 proto tcp from any port = 113 to any keep state group 42
pass out quick on rl0 proto udp from any port = 123 to any port = 123 keep state group 42
pass out quick on rl0 proto udp from any port > 1023 to any port = 123 keep state group 42
pass out quick on rl0 proto icmp all keep state group 42
block out log quick on rl0 all group 42

# local host
block in quick on lo0 all head 51
# be very permissive on what is going out from the firewall
pass in quick on lo0 all group 51

# local host
block out quick on lo0 all head 52
# be very permissive on what is going out from the firewall
pass out quick on lo0 all group 52

# adsl port, only allow gre and icmp in
block in quick on ed0 all head 61
pass in quick on ed0 proto gre all group 61
pass in log quick on ed0 proto icmp all group 61
block in log quick on ed0 all group 61

block out on ed0 all head 62
pass out quick on ed0 proto gre all group 62
pass out quick on ed0 proto icmp all keep state group 62
pass out quick on ed0 proto tcp from 10.0.0.150 port > 1023 to 10.0.0.138 port = 23 keep state group 62
#pass out quick on ed0 proto tcp/udp all keep state group 62
block out log quick on ed0 all group 62

# Bridging is cool. Very cool. Try it. It is the close-to-perfect
# packet filter
# following is example for bridging
# remember that you can only use incoming filtering
# re-use ep0, ep1 and ep2 interfaces

# interface ep0
# only use in, out rules not allowed on bridge
# from internet to intranet
block in on ep0 all head 100
block in quick on ep0 from 255.255.255.255/32 to any group 100
#block in quick on ep0 from 192.168.0.0/16 to any group 100
block in quick on ep0 from 172.16.0.0/12 to any group 100
block in quick on ep0 from 127.0.0.0/8 to any group 100
block in quick on ep0 from 10.0.0.0/8 to any group 100
block in quick on ep0 from 0.0.0.0/32 to any group 100
block in quick on ep0 from any to 192.168.0.0/32 group 100
block in quick on ep0 from any to 192.168.0.255/32 group 100
pass in quick on ep0 proto tcp from any to 192.168.0.2 port = 21 keep state group 100
pass in quick on ep0 proto tcp from any to 192.168.0.2 port = 22 keep state group 100
pass in quick on ep0 proto tcp from any to 192.168.0.2 port = 25 flags S keep state group 100
pass in quick on ep0 proto icmp from any to 192.168.0.2 icmp-type 0 keep state group 100
pass in quick on ep0 proto icmp from any to 192.168.0.2 icmp-type 3 keep state group 100
pass in quick on ep0 proto icmp from any to 192.168.0.2 icmp-type 8 keep state group 100
pass in quick on ep0 proto icmp from any to 192.168.0.2 icmp-type 11 keep state group 100
block in log quick on ep0 all group 100

# interface ep1
# only use in, out rules not allowed on bridge
# also perform some egress filtering
# from intranet to internet
block in on ep1 all head 200
pass in quick on ep1 proto tcp/udp all keep state group 200
pass in quick on ep1 proto icmp all keep state group 200
# catch-all must name the same interface as its head (ep1), or it never matches
block in log quick on ep1 all group 200

# interface ep2
# management
block in on ep2 all head 300
block in quick on ep2 from 255.255.255.255/32 to any group 300
#block in quick on ep2 from 192.168.0.0/16 to any group 300
block in quick on ep2 from 172.16.0.0/12 to any group 300
block in quick on ep2 from 127.0.0.0/8 to any group 300
#block in quick on ep2 from 10.0.0.0/8 to any group 300
block in quick on ep2 from 0.0.0.0/32 to any group 300
block in log quick on ep2 from any to 192.168.0.0/32 group 300
pass in quick on ep2 proto icmp from any to 192.168.0.250 icmp-type 0 keep state group 300
pass in quick on ep2 proto icmp from any to 192.168.0.250 icmp-type 3 keep state group 300
pass in quick on ep2 proto icmp from any to 192.168.0.250 icmp-type 8 keep state group 300
pass in quick on ep2 proto icmp from any to 192.168.0.250 icmp-type 11 keep state group 300
pass in quick on ep2 proto tcp from any to 192.168.0.250 port = 22 flags S keep state group 300
block in log quick on ep2 all group 300

# interface ep2 outgoing
# management
# not part of a bridge, so out filtering is permitted
block out on ep2 all head 310
block out log quick on ep2 all group 310
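The head/group mechanism the header describes is easy to get subtly wrong: a group's rules are only walked when the head rule matched, and a group rule that names a different interface than its head never fires. The following model of ipfilter's matching order (last match wins unless `quick`; a matching `head N` rule descends into group N) is an added example, not part of the original script. It parses only the rule fields needed for that point, takes the restricted-segment rules from the ruleset above, and adds one constructed group-41 rule bound to `we1` to show it being skipped; packets are dicts constructed for the test.

```python
# Model of ipfilter rule evaluation for the grouped ruleset above (added example).
# Parsed: action, in/out, log, quick, on <if>, proto, from/to, 'port = N', head, group.
# 'port > N', port ranges, flags, keep state and icmp-type are treated as 'any'.
from ipaddress import ip_address, ip_network

def parse_rule(text):
    t, side = text.split(), "s"
    r = dict(action=t[0], dir=t[1], quick="quick" in t, log="log" in t, iface=None,
             proto=None, snet=None, dnet=None, sport=None, dport=None, head=None, group=0)
    for i, w in enumerate(t[:-1]):
        nxt = t[i + 1]
        if w == "on": r["iface"] = nxt
        elif w == "proto": r["proto"] = nxt.split("/")            # tcp/udp means either
        elif w in ("from", "to"):
            side = "s" if w == "from" else "d"
            if nxt != "any": r[side + "net"] = ip_network(nxt, strict=False)
        elif w == "port" and nxt == "=": r[side + "port"] = int(t[i + 2])
        elif w == "head": r["head"] = int(nxt)
        elif w == "group": r["group"] = int(nxt)
    return r

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"])
            and (r["snet"] is None or ip_address(p["src"]) in r["snet"])
            and (r["dnet"] is None or ip_address(p["dst"]) in r["dnet"])
            and r["sport"] in (None, p.get("sport")) and r["dport"] in (None, p.get("dport")))

def evaluate(rules, p, group=0, winner=None):
    """ipf order: last matching rule wins unless 'quick'; a matching 'head N' walks group N first."""
    for r in rules:
        if r["group"] != group or not matches(r, p): continue
        winner, final = r, False
        if r["head"] is not None:
            winner, final = evaluate(rules, p, r["head"], r)
        if final or r["quick"]:
            return winner, True
    return winner, False

def decide(rules, p):
    w, _ = evaluate(rules, p)
    return ("block", False) if w is None else (w["action"], w["log"])  # default policy is deny

# rl0 rules from the ruleset above, plus one constructed group-41 rule bound to we1 (never matches on rl0)
RULES = [parse_rule(x) for x in (
    "block in log quick on rl0 all head 41",
    "pass in quick on rl0 proto udp from 10.0.0.0/8 to 10.0.0.1/32 port = 53 keep state group 41",
    "pass in quick on rl0 proto tcp from 10.0.0.0/8 port > 1023 to any port = 8080 flags S keep state group 41",
    "pass in quick on we1 proto tcp from 10.0.0.0/8 to any port = 23 keep state group 41",
    "block in log quick on rl0 all group 41",
)]
```

A packet arriving on `we1` never reaches group 41 at all because the head is bound to `rl0`, while telnet from the restricted segment on `rl0` falls through to the logged block even though a group-41 pass rule exists for it.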