
Re: 'Generic' Firewall Rulesets?



On Mon, 13 Nov 2000, Scott Bigham wrote:

> On Nov 13, 2000, Giacomo Mulas wrote:
> 
> > [...] But there is a very nice user space tool available, named spf
> > (for "stateful packet filter") and available as a package for debian
> > unstable (woody), which can make your packet filter stateful.
> 
> I've examined that package and it certainly looks interesting, but it
> seems to be sorely lacking in documentation.  Can you suggest any
> on-line resources to that end?

No, unfortunately. However, I can give you some advice based on direct
experience: the spf configuration file is just a list of ipchains
commands, without "ipchains" in front, i.e. a list of arguments for
ipchains. I will send you an example configuration file in this email, I
used something like this on my laptop. Just be aware that spf, for some
reason that beats me, is unable to create new chains, so that if you want
to use a complex setup you have to first run a script that creates new,
empty chains, then start spf. In the spf configuration file you only have
to take care to allow the "new" connections that you want to allow, spf
takes care to allow packets belonging to already established (and thus
allowed in the beginning) connections. One more thing: be very careful not
to mess with the input chain once spf is started, as it is dynamically
changed all the time by spf. I had to carefully craft ipmasq scripts to
let it coexist peacefully with spf...

Here goes the example file. This was devised to let the laptop establish
any connection, while letting very little in from the outside.

# Place your static rules in this file, so spf can install them when it starts.
# See /usr/share/doc/spf/basic-rules for an example.

#
# The following rules allow all incoming traffic,
# spf takes care of outgoing traffic
# That means with this set of rules you should allow the same connections
# as without spf. You have to change this file to get increased security!
#

# anything from/to localhost on loopback
-I input 1 -i lo -j ACCEPT

# allow icmp packets
-A input -p icmp -j ACCEPT
# allow incoming AH and ESP packets
-A input -p ah -j ACCEPT
-A input -p esp -j ACCEPT
# allow icmp-ipv6 packets
-A input -p ipv6-icmp -j ACCEPT
# Allow Pluto packets from astrca
-A input -p udp -s 192.168.8.2/32 500 --dport 500 -j ACCEPT
# allow incoming X connections tunnelled through ssh
-A input -p tcp --dport 6010:6019 -j ACCEPT
# allow incoming ssh, smtp, auth, sftp, talk, ntalk, route, ssmtp
# connections
-A input -p tcp --dport ssh -j ACCEPT
-A input -p udp --dport ssh -j ACCEPT
-A input -p tcp --dport smtp -j ACCEPT
-A input -p tcp --dport auth -j ACCEPT
-A input -p tcp --dport sftp -j ACCEPT
-A input -p udp --dport talk -j ACCEPT
-A input -p udp --dport ntalk -j ACCEPT
-A input -p udp --dport route -j ACCEPT
-A input -p tcp --dport ssmtp -j ACCEPT
# silently drop noisy Microsoft network broadcasts
-A input -p udp -s 192.168.8.0/24 -d 192.168.8.255/32 137 -j DENY
-A input -p udp -s 192.168.8.0/24 -d 192.168.8.255/32 138 -j DENY
# silently drop also snmp broadcasts from serveramm
-A input -p udp -s 192.168.8.24/32 -d 255.255.255.255/32 161 -j DENY
# accept tcp packets with the SYN flag cleared, provided they are not
# directed to sensitive ports. Since spf keeps open only ports with
# active traffic, and since in (active or passive) ftp the data travel in a
# separate connection from the control connection, upon downloading
# a large file (linux kernel tarballs...) the control connection
# was closed. Comment out the next two lines if you are really paranoid
# and don't quite trust the TCP/IP stack of your kernel...
-A input -p tcp ! -y --dport 1024:5999 -j ACCEPT
-A input -p tcp ! -y --dport 6020: -j ACCEPT

#
# Note that spf flushes the chains when it ends, so killing spf brings back
# the situation as it was before the start. Manual changes to the chains
# will not be kept. However, you can specify the policy here which won't be
# changed upon end. This does not work for the input chain though.
#

I hope this helps you. Bye
Giacomo

________________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it, gmulas@tiscalinet.it, gmulas@eso.org>
________________________________________________________________________

OSSERVATORIO ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222
________________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddie Mercury)
________________________________________________________________________
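Since spf cannot create chains itself, the chains a rule file refers to have to exist before spf starts. The helper below is an added example, not part of Giacomo's mail or of the spf package: it scans an spf rule file (one set of ipchains arguments per line, '#' comments) for user-defined chains named after -A, -I or -j, skips the chains and targets ipchains predefines, and prints the "ipchains -N" commands to run first. The DRY_RUN variable, the function names and the sample rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original mail. Finds user-defined chains in
# an spf rule file so they can be created before spf is started.

# Print, once each, every chain the rules add to (-A/-I) or jump to (-j)
# that ipchains does not predefine (built-in chains and targets).
spf_user_chains() {
    awk '
        BEGIN {
            n = split("input output forward ACCEPT DENY REJECT MASQ REDIRECT RETURN", b, " ")
            for (i = 1; i <= n; i++) builtin[b[i]] = 1
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        {
            for (i = 1; i < NF; i++)
                if ($i == "-A" || $i == "-I" || $i == "-j") {
                    c = $(i + 1)
                    if (!(c in builtin) && !(c in seen)) { seen[c] = 1; print c }
                }
        }' "$1"
}

# Emit the chain-creation commands for a rule file; with DRY_RUN=1 (assumed
# name) they are printed instead of executed, so this runs without ipchains.
spf_create_chains() {
    spf_user_chains "$1" | while read -r chain; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "ipchains -N $chain"
        else
            ipchains -N "$chain"
        fi
    done
}

# Constructed sample rule file: one user-defined chain (ssh-in) referenced
# twice, plus built-in chains and targets that must not be created.
spf_demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        '# constructed sample spf rules' \
        '-I input 1 -i lo -j ACCEPT' \
        '-A input -p tcp -j ssh-in' \
        '-A ssh-in --dport ssh -j ACCEPT' \
        '-A ssh-in -j DENY' > "$tmp"
    DRY_RUN=1 spf_create_chains "$tmp"
    rm -f "$tmp"
}
```

Run the printed commands (or the function without DRY_RUN) before starting spf, and remember that spf flushes its chains on exit, so the empty chains themselves survive but their rules do not.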