::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::              .ooO Linux/FreeBSD IP Firewalling by jus Ooo.               ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::

In FK3 Vortexia described "the poor man's firewall", that is TCP wrappers, and
how to set them up and use them as basic protection against unwanted
connections. The next step is to make use of Linux's ipfwadm or FreeBSD's ipfw
to set up a proper packet filter that blocks out potential attackers
automatically and keeps certain services (e.g. Squid) available only to your
LAN.

Most generic or standard *nix kernels should have firewalling compiled in; if
not, you will get errors when trying to use ipfw/ipfwadm. Just rebuild your
kernel to include firewalling (CONFIG_FIREWALL and CONFIG_IP_FIREWALL on Linux
2.0, "options IPFIREWALL" on FreeBSD).

OK, to set up firewall rules under Linux, "ipfwadm" is used. "man ipfwadm" will
give some further insight as to what can be done with this tool; we're gonna
focus on just keeping incoming connections where we want them.

Typing ipfwadm -I -l will list the current rules of the input chain (-I) in
their order; you will most likely have nothing there. Let's try something
simple first, like blocking off your ftpd to all but yourself :)

    ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D yourip 21

will disallow all TCP connections to port 21 from anywhere: -S 0.0.0.0/0
matches every source address, 127.0.0.1 included. So if you want to be able to
connect to your own ftpd you need to add a rule in front of the deny that
accepts 127.0.0.1. If you are on dialup and get a dynamic IP, fill in 0.0.0.0/0
in place of "yourip".

Note: if you are working on a machine remotely and firewalling it, you could
lock yourself out accidentally. Then you're screwed, so place a rule in your
firewall that allows connections from a trusted host at all times, e.g.

    ipfwadm -I -i accept -P all -S 196.23.2.14 -D yourip

That will allow all types of connection (-P all is the ipfwadm keyword for any
protocol) to all ports from host 196.23.2.14. Note that it is not always good
security practice for your firewall to explicitly trust any box!

Remember that the firewall runs down the list of rules until it meets a match
for the packet, so rule 1 has preference over rule 2, etc. Place your rules
accordingly. Let's say you wanted to allow access to Squid on 3128 only to your
LAN (which owns 196.34.23.*) but not to anyone else out there:

    ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D yourip 3128
    ipfwadm -I -i accept -P tcp -S 196.34.23.0/24 -D yourip 3128

Easy huh? -i inserts a rule at the front of the chain, which is why the deny is
typed first and the accept second: the accept ends up in front of the deny,
where it must be. Use -a instead of -i to append a rule at the end of the chain
instead, and check the resulting order with ipfwadm -I -l before you walk away.

Under FreeBSD it's even simpler using ipfw. "ipfw list" will give you a list of
the currently existing rules. More than likely there is nothing except the last
rule, number 65535, which allows all traffic through. (On a kernel built without
IPFIREWALL_DEFAULT_TO_ACCEPT that last rule denies everything instead, so look
at it before you touch a remote box.) ipfw lets us give a number to each rule
that's created, making it easy to control the rules' order of preference. To add
a rule like the one above for the ftpd, type

    ipfw add 1000 deny tcp from any to youripgoeshere 21

That will disallow any connections to your ftpd. The "1000" is the rule number;
use ipfw list to decide an appropriate number, but remember you have all the
numbers from 1 up to 65534 available (65535 is the default rule) :)

Similarly, the Squid setup as above is done with a rule that blocks all access
to port 3128, and a rule before it (a lower number) that allows access from our
subnet:

    ipfw add 500 deny tcp from any to youripgoeshere 3128
    ipfw add 450 allow tcp from 196.34.23.0/24 to youripgoeshere 3128

Rule 500 disallows all connections and rule 450 allows connections from our
subnet 196.34.23.0/24. Since rules are checked lowest number first, 450 is
consulted before 500 no matter which one you typed first.

RTFM for more. -jus

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
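The rulesets above, put together as one script for both firewalls. This is an added example, not code from the original article: the addresses (196.34.23.10 as "yourip", the article's LAN 196.34.23.0/24 and trusted host 196.23.2.14) are assumed placeholders, the script prints every command and only executes it when FW_APPLY=1, and on the Linux side it uses -a (append) so that the rules are matched in the order they are written, with the anti-lockout rule first. It also uses -P all rather than the article's -P ip, since all is the ipfwadm keyword for any protocol, and adds the usual "allow everything on the loopback interface" rule, which covers 127.0.0.1 as well as connections you make to your own address from the box itself.

```shell
#!/bin/sh
# Added example, not from the original article: the rulesets described above
# for both firewalls, written in match order with the anti-lockout rule first.
# The addresses are the article's placeholder values and are assumptions;
# override them in the environment. Set MYIP=0.0.0.0/0 on dynamic-IP dialup.
MYIP="${MYIP:-196.34.23.10}"        # assumed: this box's own address ("yourip")
LAN="${LAN:-196.34.23.0/24}"        # the LAN that may use Squid
TRUSTED="${TRUSTED:-196.23.2.14}"   # the admin host that must never be locked out
FW_APPLY="${FW_APPLY:-0}"           # 1 = run the commands; anything else = only print them

# Print each command, and run it only when FW_APPLY=1, so the whole ruleset
# can be read back (and its order checked) before it is loaded on a remote box.
run() {
    echo "$*"
    if [ "$FW_APPLY" = 1 ]; then
        "$@"
    fi
}

# Linux 2.0 ipfwadm, input chain (-I). -a appends, so the rules are matched in
# the order they appear here; the article uses -i, which inserts at the head
# and therefore reverses the typing order. The input chain's default policy
# is accept unless you changed it with -p, so the flush does not cut us off.
linux_rules() {
    run ipfwadm -I -f                                                # start from an empty input chain
    run ipfwadm -I -a accept -P all -S "$TRUSTED" -D "$MYIP"         # 1. admin host: everything, always
    run ipfwadm -I -a accept -P all -S 0.0.0.0/0 -D 0.0.0.0/0 -W lo  # 2. loopback, incl. ftp to ourselves
    run ipfwadm -I -a accept -P tcp -S "$LAN" -D "$MYIP" 3128        # 3. Squid for the LAN...
    run ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D "$MYIP" 3128       # 4. ...and nobody else
    run ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D "$MYIP" 21         # 5. ftpd closed to the world
}

# FreeBSD ipfw. Rules are numbered and checked lowest number first, so the
# numbers, not the order of typing, decide precedence. Nothing is flushed here:
# if the default rule 65535 is deny on this kernel, a flush would cut you off.
freebsd_rules() {
    run ipfw add 100 allow ip from "$TRUSTED" to "$MYIP"             # admin host
    run ipfw add 200 allow ip from any to any via lo0                # loopback
    run ipfw add 450 allow tcp from "$LAN" to "$MYIP" 3128           # the article's Squid pair
    run ipfw add 500 deny tcp from any to "$MYIP" 3128
    run ipfw add 1000 deny tcp from any to "$MYIP" 21                # the article's ftpd rule
}

# Usage: ./fw.sh linux | freebsd  (prints);  FW_APPLY=1 ./fw.sh linux  (loads)
case "${1:-}" in
    linux)   linux_rules ;;
    freebsd) freebsd_rules ;;
esac
```

Run it once without FW_APPLY to read the ruleset back, check that the trusted-host rule is first and the LAN accept precedes the Squid deny, and only then run it with FW_APPLY=1. On either system the listing command from the article (ipfwadm -I -l or ipfw list) should afterwards show the same order the script printed.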