[TuT] Instalacja IP Filter + IP FW

躉 EST · 5 Marca 2012

Źródło :

http://freebsd.kie.pl/?q=ipf

Witajcie drodzy użytkownicy !

W dzisiejszym temacie przedstawię wam instalację IP FW + IP Filter .

Przejdźmy do sedna :

_____________________________________________

Instalacje dzielimy na dwie części .

1 . - Edytujemy zawartość rc.conf

Robimy to następującą czynnością:

ee /etc/rc.conf

Edytuj

Następnie gdy jesteśmy w edycji configu dodajemy owe linijki :

ipfilter_enable="YES"
ipfilter_flags=""
Oraz :
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

Jeśli chcemy używać ipf skompilowanego jako modułu to nie trzeba nic więcej w tym miejscu robić. Jeśli jednak chcemy wkompilować obsługę ipfilter w kernel'a to musimy dodać następującą opcję do naszego jądra:

options IPFILTER

__________________________________________________________

2. Konfiguracja /etc/ipf.rules

Standardowo reguły firwall'a dla ipfilter umieszcza się w /etc/ipf.rules. My również tak postąpimy. A o to nasz przykładowy plik konfiguracyjny:

# Puszczamy cały ruch wychodzący na rl0 dla tcp, udp oraz icmp

pass out quick on rl0 proto tcp from any to any keep state

pass out quick on rl0 proto udp from any to any keep state

pass out quick on rl0 proto icmp from any to any keep state

block out quick on rl0 all

# Puszczamy usługi dla interfesju zewnętrznego, które wcześniej ustaliliśmy

pass in quick on rl0 proto tcp from any to 217.97.175.97 port = ssh flags S keep state keep frags

pass in quick on rl0 proto tcp from any to 217.97.175.97 port = smtp flags S keep state keep frags

pass in quick on rl0 proto tcp from any to 217.97.175.97 port = domain flags S keep state keep frags

pass in quick on rl0 proto udp from any to 217.97.175.97 port = domain keep state keep frags

pass in quick on rl0 proto tcp from any to 217.97.175.97 port = http flags S keep state keep frags

pass in quick on rl0 proto tcp from any to 217.97.175.97 port = pop3 flags S keep state keep frags

# Blokujemy całą resztę

block in quick on rl0 all

# Puszczamy cały ruch wyjściowy na interfejsie wewnętrznym xl0

pass out quick on xl0 proto tcp from any to any keep state

pass out quick on xl0 proto udp from any to any keep state

pass out quick on xl0 proto icmp from any to any keep state

block out quick on xl0 all

# Puszczamy cały ruch wejściowy na interfejsie wewnętrznym xl0

pass in quick on ep0 proto tcp from any to any keep state

pass in quick on ep0 proto udp from any to any keep state

pass in quick on ep0 proto icmp from any to any keep state

block in quick on ep0 all

# Na koniec puszczamy wszystko na interfejsie pętli zwrotnej czyli lo0

pass in quick on lo0 all

pass out quick on lo0 all

__________________________________________________

Następnym krokiem jest dodanie rulek :

Dodajemy je następującym zapytaniem :

ee /etc/ipfw.rules

Rulki :

IPF="ipfw -q add"
ipfw -q -f flush[/center]

[center]#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag[/center]

[center]# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any[/center]

[center]# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out[/center]

[center]# deny and log everything
$IPF 500 deny log all from any to any

Gdy chcemy dodać do IP FW nowy port dodajemy go następującym zapytaniem :

$IPF 200 allow all from any to any NR PORTU in
$IPF 210 allow all from any to any NR PORTU out
_____________________________________________
NP
$IPF 200 allow all from any to any 13002 in
$IPF 210 allow all from any to any 13002 out

______________________

Teraz musimy nadać chmody :

chmod -R 777 /etc/ipfw.rules

Komendy IP FW :

/etc/rc.d/ipfw start
/etc/rc.d/ipfw restart
/etc/rc.d/ipfw stop

________________________________________________________

W tej części zajmiemy się czymś bardziej rozbudowanym:

- stworzymy szczelniejsze reguły firewall'a

- uaktywnimy logowanie

- utrudnimy skanowanie portów na naszym serwerze

- dołączymy do tego jeszcze translacje adresów sieci lokalnej, czyli ipnat

1. Początek

Na początek proponuje siąść do lektury i przeczytać sobie następujące rzeczy:

- man 8 ipf

- man 5 ipf

- man 8 ipnat

- man 5 ipnat

2. Logowanie

1) Kernel

Jeśli korzystamy z modułu to nie musi w tym miejscu nic zmieniać. Natomiast gdy mamy ipfilter wkompilowane w jądro to musimy dodać jeszcze opcję:

options IPFILTER_LOG

2) /etc/rc.conf

Dodajemy następujące opcję, co zapewni nam logowanie przy użyciu syslogd.

ipmon_enable="YES"

ipmon_flags="-Dsvn"

3) /etc/syslog.conf

local0.* /var/log/firewall/firewall_logs

W ten sposób logowane pakiety pojawią się w tym pliku.

4) /etc/newsyslog.conf

/var/log/firewall/firewall_logs 600 14 1000 * Z

3. /etc/ipf.rules

Nasze regułki będą już miały teraz więcej linijek:

# Puszczamy ruch wychodzący na rl0

pass out quick on rl0 proto tcp from any to any keep state

pass out quick on rl0 proto udp from any to any keep state

pass out quick on rl0 proto icmp from any to any keep state

block out quick on rl0 all

# Blokujemy adresy IP, które nie powinny się u nas pojawić

block in quick on rl0 from 192.168.0.0/16 to any #RFC 1918 private IP

block in quick on rl0 from 172.16.0.0/12 to any #RFC 1918 private IP

block in quick on rl0 from 10.0.0.0/8 to any #RFC 1918 private IP

block in quick on rl0 from 127.0.0.0/8 to any #loopback

block in quick on rl0 from 0.0.0.0/8 to any #loopback

block in quick on rl0 from 169.254.0.0/16 to any #DHCP auto- config

block in quick on rl0 from 192.0.2.0/24 to any #reserved for doc's

block in quick on rl0 from 204.152.64.0/23 to any #Sun cluster interconnect

block in quick on rl0 from 224.0.0.0/3 to any #Class D & E multicast

# Puszczamy interesujące nasz usługi

pass in quick on rl0 proto tcp from any to 217.97.175.97 port = ssh flags S keep state keep frags

pass in quick on rl0 proto tcp from any to 217.97.175.97 port = smtp flags S keep state keep frags

pass in quick on rl0 proto tcp from any to 217.97.175.97 port = domain flags S keep state keep frags

pass in quick on rl0 proto udp from any to 217.97.175.97 port = domain keep state keep frags

pass in quick on rl0 proto tcp from any to 217.97.175.97 port = http flags S keep state keep frags

pass in quick on rl0 proto tcp from any to 217.97.175.97 port = pop3 flags S keep state keep frags

# Dla pozostałych połaczeń tcp zwracamy RST i loguje ten fakt

block return-rst in log quick on rl0 proto tcp from any to any

# Dla udp zwracamy komunikat o nieosiągalności portu i logujemy

block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any

# Reszcze blokujemy i logujemy

block in log quick on rl0 all

# Puszczamy cały ruch na interfejsie wewnętrznym

pass out quick on xl0 proto tcp from any to any keep state

pass out quick on xl0 proto udp from any to any keep state

pass out quick on xl0 proto icmp from any to any keep state

block out quick on xl0 all

pass in quick on xl0 proto tcp from any to any keep state

pass in quick on xl0 proto udp from any to any keep state

pass in quick on xl0 proto icmp from any to any keep state

block in quick on xl0 all

# Oraz na interfejsie pętli zwrotnej

pass in quick on lo0 all

pass out quick on lo0 all

4. Dodatkowe zabezpieczenia

Do /etc/sysctl.conf dorzucamy następujące linijki:

net.inet.tcp.blackhole=2

net.inet.udp.blackhole=1

Spowoduje to znaczące spowolnienie skanowania portów.

5. Ipnat

I na koniec została nam translacja adresów dla sieci lokalnej żeby można było korzystać z internetu.

Do /etc/rc.conf dodajemy więc:

ipnat_enable="YES"

A do /etc/ipnat.rules :

map rl0 169.255.0.0/16 -> 217.97.175.97/32

I już użytkownicy sieci lokalnej będą mieli dostęp do internetu.

No i oczywiście jeszcze trzeba zrobić reboot, no chyba że ktoś korzysta z modułu i poczytał manuale.

Gotowe PORTY :

IPF="ipfw -q add"
ipfw -q -f flush
#podstawowe
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
$IPF 121 allow all from any to any 3306 out
$IPF 122 allow all from any to any 3306 in
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 211 allow tcp from any to any 12345 in
$IPF 212 allow tcp from any to any 12345 out
$IPF 213 allow tcp from any to any 110 in
$IPF 214 allow tcp from any to any 110 out
$IPF 500 deny log all from any to any[/center]

# TeamSpeak3
$IPF 220 allow udp from any to any 9987 in
$IPF 230 allow udp from any to any 9987 out
$IPF 240 allow tcp from any to any 10011 in
$IPF 250 allow tcp from any to any 10011 out
$IPF 260 allow tcp from any to any 30033 in
$IPF 270 allow tcp from any to any 30033 out
#Porty Metin2
$IPF 300 allow tcp from any to any 11002 in
$IPF 301 allow tcp from any to any 11002 out
$IPF 302 allow udp from any to any 11002 in
$IPF 303 allow udp from any to any 11002 out
$IPF 304 allow tcp from any to any 13000 in
$IPF 305 allow tcp from any to any 13000 out
$IPF 306 allow udp from any to any 13000 in
$IPF 307 allow udp from any to any 13000 out
$IPF 308 allow tcp from any to any 13001 in
$IPF 309 allow tcp from any to any 13001 out
$IPF 310 allow udp from any to any 13001 in
$IPF 311 allow udp from any to any 13001 out
$IPF 312 allow tcp from any to any 13002 in
$IPF 313 allow tcp from any to any 13002 out
$IPF 314 allow udp from any to any 13002 in
$IPF 315 allow udp from any to any 13002 out
$IPF 316 allow tcp from any to any 13003 in
$IPF 317 allow tcp from any to any 13003 out
$IPF 318 allow udp from any to any 13003 in
$IPF 319 allow udp from any to any 13003 out
$IPF 320 allow tcp from any to any 13021 in
$IPF 321 allow tcp from any to any 13021 out
$IPF 322 allow udp from any to any 13021 in
$IPF 323 allow udp from any to any 13021 out
$IPF 324 allow tcp from any to any 13023 in
$IPF 325 allow tcp from any to any 13023 out
$IPF 326 allow udp from any to any 13023 in
$IPF 327 allow udp from any to any 13023 out
$IPF 328 allow tcp from any to any 13041 in
$IPF 329 allow tcp from any to any 13041 out
$IPF 330 allow udp from any to any 13041 in
$IPF 331 allow udp from any to any 13041 out
$IPF 332 allow tcp from any to any 13043 in
$IPF 333 allow tcp from any to any 13043 out
$IPF 334 allow udp from any to any 13043 in
$IPF 335 allow udp from any to any 13043 out
$IPF 336 allow tcp from any to any 13061 in
$IPF 337 allow tcp from any to any 13061 out
$IPF 338 allow udp from any to any 13061 in
$IPF 339 allow udp from any to any 13061 out
$IPF 340 allow tcp from any to any 13062 in
$IPF 341 allow tcp from any to any 13062 out
$IPF 342 allow udp from any to any 13062 in
$IPF 343 allow udp from any to any 13062 out
$IPF 344 allow tcp from any to any 13063 in
$IPF 345 allow tcp from any to any 13063 out
$IPF 346 allow udp from any to any 13063 in
$IPF 347 allow udp from any to any 13063 out
$IPF 348 allow tcp from any to any 13064 in
$IPF 349 allow tcp from any to any 13064 out
$IPF 350 allow udp from any to any 13064 in
$IPF 351 allow udp from any to any 13064 out
$IPF 352 allow tcp from any to any 13065 in
$IPF 353 allow tcp from any to any 13065 out
$IPF 354 allow udp from any to any 13065 in
$IPF 355 allow udp from any to any 13065 out
$IPF 356 allow tcp from any to any 13066 in
$IPF 357 allow tcp from any to any 13066 out
$IPF 358 allow udp from any to any 13066 in
$IPF 359 allow udp from any to any 13066 out
$IPF 360 allow tcp from any to any 13067 in
$IPF 361 allow tcp from any to any 13067 out
$IPF 362 allow udp from any to any 13067 in
$IPF 363 allow udp from any to any 13067 out
$IPF 364 allow tcp from any to any 13068 in
$IPF 365 allow tcp from any to any 13068 out
$IPF 366 allow udp from any to any 13068 in
$IPF 367 allow udp from any to any 13068 out
$IPF 368 allow tcp from any to any 13069 in
$IPF 369 allow tcp from any to any 13069 out
$IPF 370 allow udp from any to any 13069 in
$IPF 371 allow udp from any to any 13069 out
$IPF 372 allow tcp from any to any 13070 in
$IPF 373 allow tcp from any to any 13070 out
$IPF 374 allow udp from any to any 13070 in
$IPF 375 allow udp from any to any 13070 out
$IPF 376 allow tcp from any to any 13081 in
$IPF 377 allow tcp from any to any 13081 out
$IPF 378 allow udp from any to any 13081 in
$IPF 379 allow udp from any to any 13081 out
$IPF 380 allow tcp from any to any 13113 in
$IPF 381 allow tcp from any to any 13113 out
$IPF 382 allow udp from any to any 13113 in
$IPF 383 allow udp from any to any 13113 out
$IPF 384 allow tcp from any to any 13114 in
$IPF 385 allow tcp from any to any 13114 out
$IPF 386 allow udp from any to any 13114 in
$IPF 387 allow udp from any to any 13114 out
$IPF 388 allow tcp from any to any 13115 in
$IPF 389 allow tcp from any to any 13115 out
$IPF 390 allow udp from any to any 13115 in
$IPF 391 allow udp from any to any 13115 out
$IPF 392 allow tcp from any to any 13116 in
$IPF 393 allow tcp from any to any 13116 out
$IPF 394 allow udp from any to any 13116 in
$IPF 395 allow udp from any to any 13116 out
$IPF 396 allow tcp from any to any 13117 in
$IPF 397 allow tcp from any to any 13117 out
$IPF 398 allow udp from any to any 13117 in
$IPF 399 allow udp from any to any 13117 out
$IPF 401 allow tcp from any to any 13118 in
$IPF 402 allow tcp from any to any 13118 out
$IPF 403 allow udp from any to any 13118 in
$IPF 404 allow udp from any to any 13118 out
$IPF 405 allow tcp from any to any 13119 in
$IPF 406 allow tcp from any to any 13119 out
$IPF 407 allow udp from any to any 13119 in
$IPF 408 allow udp from any to any 13119 out
$IPF 409 allow tcp from any to any 13120 in
$IPF 410 allow tcp from any to any 13120 out
$IPF 411 allow udp from any to any 13120 in
$IPF 412 allow udp from any to any 13120 out
$IPF 413 allow tcp from any to any 13121 in
$IPF 414 allow tcp from any to any 13121 out
$IPF 415 allow udp from any to any 13121 in
$IPF 416 allow udp from any to any 13121 out
$IPF 417 allow tcp from any to any 13121 in
$IPF 418 allow tcp from any to any 13121 out
$IPF 419 allow udp from any to any 13121 in
$IPF 420 allow udp from any to any 13121 out
$IPF 421 allow tcp from any to any 13123 in
$IPF 422 allow tcp from any to any 13123 out
$IPF 423 allow udp from any to any 13123 in
$IPF 424 allow udp from any to any 13123 out
$IPF 425 allow tcp from any to any 13124 in
$IPF 426 allow tcp from any to any 13124 out
$IPF 427 allow udp from any to any 13124 in
$IPF 428 allow udp from any to any 13124 out
$IPF 429 allow tcp from any to any 13125 in
$IPF 430 allow tcp from any to any 13125 out
$IPF 431 allow udp from any to any 13125 in
$IPF 432 allow udp from any to any 13125 out
$IPF 433 allow tcp from any to any 13126 in
$IPF 434 allow tcp from any to any 13126 out
$IPF 435 allow udp from any to any 13126 in
$IPF 436 allow udp from any to any 13126 out
$IPF 437 allow tcp from any to any 13127 in
$IPF 438 allow tcp from any to any 13127 out
$IPF 439 allow udp from any to any 13127 in
$IPF 440 allow udp from any to any 13127 out
$IPF 441 allow tcp from any to any 13023 in
$IPF 442 allow tcp from any to any 13023 out
$IPF 443 allow udp from any to any 13023 in
$IPF 444 allow udp from any to any 13023 out
$IPF 445 allow tcp from any to any 13004 in
$IPF 446 allow tcp from any to any 13004 out
$IPF 447 allow udp from any to any 13004 in
$IPF 448 allow udp from any to any 13004 out
$IPF 449 allow tcp from any to any 13023 in
$IPF 450 allow tcp from any to any 13023 out
$IPF 451 allow udp from any to any 13023 in
$IPF 452 allow udp from any to any 13023 out
$IPF 453 allow tcp from any to any 16000 in
$IPF 454 allow tcp from any to any 16000 out
$IPF 455 allow udp from any to any 16000 in
$IPF 456 allow udp from any to any 16000 out
$IPF 457 allow tcp from any to any 18000 in
$IPF 458 allow tcp from any to any 18000 out
$IPF 459 allow udp from any to any 18000 in
$IPF 460 allow udp from any to any 18000 out
$IPF 461 allow tcp from any to any 20000 in
$IPF 462 allow tcp from any to any 20000 out
$IPF 463 allow udp from any to any 20000 in
$IPF 464 allow udp from any to any 20000 out
$IPF 465 allow tcp from any to any 16001 in
$IPF 466 allow tcp from any to any 16001 out
$IPF 467 allow udp from any to any 16001 in
$IPF 468 allow udp from any to any 16001 out
$IPF 469 allow tcp from any to any 18001 in
$IPF 470 allow tcp from any to any 18001 out
$IPF 471 allow udp from any to any 18001 in
$IPF 472 allow udp from any to any 18001 out
$IPF 473 allow tcp from any to any 20001 in
$IPF 474 allow tcp from any to any 20001 out
$IPF 475 allow udp from any to any 20001 in
$IPF 476 allow udp from any to any 20001 out
$IPF 477 allow tcp from any to any 20022 in
$IPF 478 allow tcp from any to any 20022 out
$IPF 479 allow udp from any to any 20022 in
$IPF 480 allow udp from any to any 20022 out
$IPF 481 allow tcp from any to any 16022 in
$IPF 482 allow tcp from any to any 16022 out
$IPF 483 allow udp from any to any 16022 in
$IPF 484 allow udp from any to any 16022 out
$IPF 485 allow tcp from any to any 18022 in
$IPF 486 allow tcp from any to any 18022 out
$IPF 487 allow udp from any to any 18022 in
$IPF 488 allow udp from any to any 18022 out
$IPF 489 allow tcp from any to any 20022 in
$IPF 490 allow tcp from any to any 20022 out
$IPF 491 allow udp from any to any 20022 in
$IPF 492 allow udp from any to any 20022 out

SejBes · 5 Marca 2012

No no fajny tutek wwale to na dedyka i zobaczymy jak to będzie.

Łapaj Lajka

躉 EST · 5 Marca 2012

@Up. Dziękuję.

Lexor · 5 Marca 2012

Nie jestem pewien ale było ale i tak zmiare tut wystarczy trochę poprawić . Opisz lepiej trochę dla nowych . Like.

Badar · 5 Marca 2012

Było już o IPFW i IPF -.-

[url="http://www.mpcforum.pl/topic/418937-tutkompilacja-konfiguracja-ipf-aka-ipfilter/"]http://www.mpcforum.pl/topic/418937-tutkompilacja-konfiguracja-ipf-aka-ipfilter/[/url]

[url="http://www.mpcforum.pl/topic/375003-tut-instalacja-ipfw/"]http://www.mpcforum.pl/topic/375003-tut-instalacja-ipfw/[/url]

Ładnie to tak ... ?

Aaaa no i dodaj źródło, bo prawie identyczne teksty =).

[url="http://freebsd.kie.pl/?q=ipf"]http://freebsd.kie.pl/?q=ipf[/url]

Zaznacz też, że nie każdy ma karte "Rl0"

@down - hejciku ?

@☼ -- może i Cię nie lubię, ale obecnie popieram .

Ja go wyręczyłem z źródłem .

Nie spinam się, ale to plagiat z źródła, które dałem UP + już było + mój sposób jest poprawnym sposobem, hę ?

Zaraz modek to rozstrzygnie .

躉 EST · 5 Marca 2012

@Up , twój sposób jest inny

I się nie spinaj w każdym temacie hejciku.

Popisujesz się , a gamy wszystko fałszywe .

☼ · 5 Marca 2012

Było i daj źródło złodzieju

Złodziejem jesteś dopóki nie dodasz źródła

I napisz co to jest,bo piszesz coś o czym nie masz pojęcia

@Badar Może czasami też Cie nie trawię,ale bywa że mówisz do rzeczy,gdy tu przebywam nie posiadam uczuć,krytykuję wszystko co mi się nie podoba.W życiu prywatny i po za tym forum jestem inny.

躉 EST · 5 Marca 2012

@ Up

Złodzieju xD xD

Ty nawet opcji szukaj nie potrafisz dodać .

@ Badar dodałem źródło. Lecz wzorowałem się na tym.

Ŧalse · 11 Marca 2012

@up

sam jestes zlodziej i ps zgloszona juz www ^ ^

@topic

zniknal moj post ? tut nie potrzebny sa juz od tego dobre poradniki.

KoSuU · 3 Lutego 2013

Sorry za wykop. mam pytanie dot. ipf (nie chodzi mi o ipfw) bo mamy tutaj podane regułki lecz jak pisać nowe na inne porty ?

Zaloguj się

👋 Witaj na MPCForum!

[TuT] Instalacja IP Filter + IP FW

Rekomendowane odpowiedzi

躉 EST

躉 EST

SejBes

SejBes

躉 EST

躉 EST

Lexor

Lexor

Badar

Badar

躉 EST

躉 EST

☼

☼

躉 EST

躉 EST

Ŧalse

Ŧalse

KoSuU

KoSuU

Zarchiwizowany