IP firewall configuration
FreeBSD 5.2.1-RELEASE ships two packet filtering tools: IP firewall (ipfw for IPv4, ip6fw for IPv6) and
IP Filter (ipf). Both are kernel options that are not compiled into the standard GENERIC kernel,
so you have to rebuild the kernel to use either of them. IP firewall gained IPv6 support earlier
and is easy to start with, since sample rule files for IPv6 filtering are included.
We will use IP firewall in this article.
Filter setting
/etc/rc.firewall (for IPv4) and /etc/rc.firewall6 (for IPv6) are the sample filter
scripts. Copy them before editing so the originals stay intact:
# cp /etc/rc.firewall /etc/rc.firewall.kuri
# cp /etc/rc.firewall6 /etc/rc.firewall6.kuri
The sample configuration file supports the following firewall types:
open : pass all packets
client : restrict packets received by this host itself
simple : act as a gateway and restrict packets between external and internal segments
closed : allow only packets on the lo0 (local loopback) interface
This time we only need to protect the server itself, so we base our configuration
on the client type. The copied file contains IP addresses, so rewrite them to match
your network. The standard client configuration also does not allow connections to
the DNS and Web services from outside, so that has to be changed.
We have also added rules the sample does not have: a TCP reset (RST) for IDENT (port 113)
requests, so that a connecting mail server does not wait for a timeout; ICMP rules; and a
final rule that denies and logs every packet not matched by any earlier rule, as shown below.
Two rules inherited from the sample deserve a note: 'pass tcp from any to any established'
is stateless and matches any TCP packet with the ACK or RST flag set, and 'pass all from any
to any frag' passes every non-first fragment without looking at ports.
Excerpt from /etc/rc.firewall.kuri
[Cc][Ll][Ii][Ee][Nn][Tt])
############
# This is a prototype setup that will protect your system somewhat
# against people from outside your own network.
############
# set these to your network and netmask and ip
net="172.16.100.0"
mask="255.255.255.0"
ip="172.16.100.120"
setup_loopback
# Allow any traffic to or from my own net.
${fwcmd} add pass all from ${ip} to ${net}:${mask}
${fwcmd} add pass all from ${net}:${mask} to ${ip}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${ip} 25 setup
# Allow access to our DNS
${fwcmd} add pass tcp from any to ${ip} 53 setup
${fwcmd} add pass udp from any to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to any
# Allow access to our WWW
${fwcmd} add pass tcp from any to ${ip} 80 setup
# Return TCP reset to ident
${fwcmd} add reset tcp from any to ${ip} 113
# Allow setup of outgoing TCP connections only
${fwcmd} add pass tcp from ${ip} to any setup
# Disallow setup of all other TCP connections
${fwcmd} add deny log tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from ${ip} to any 53 keep-state
# Allow NTP queries out in the world
${fwcmd} add pass udp from ${ip} to any 123 keep-state
# Allow ICMP echo_reply, unreach, echo_request
${fwcmd} add pass log icmp from any to any icmptypes 0,3,8
# logging all denied packets
${fwcmd} add deny log all from any to any
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
The IPv6 script gets the same additions: DNS, Web and IDENT rules, and a final rule that
denies and logs everything not matched above. It also allows traffic to and from the
internal network (${inet}). Two things about the IPv6 rules are worth knowing before you
enable them. Where the IPv4 script uses keep-state for outgoing DNS and NTP, the IPv6
script uses stateless pairs, so 'pass udp from any 53 to ${ip}' admits any UDP datagram
with source port 53 to any port on the host, and the NTP pair does the same for source
port 123. And the ICMPv6 rules pass only types 1, 2, 135 and 136, so echo request and
reply (128, 129) fall through to the final deny: ping6 to the server is refused and logged.
Excerpt from /etc/rc.firewall6.kuri
[Cc][Ll][Ii][Ee][Nn][Tt])
############
# This is a prototype setup that will protect your system somewhat
# against people from outside your own network.
############
# set these to your network and prefixlen and ip
#
# This needs more work
#
net="2001:218:44f:100::"
prefixlen="64"
ip="2001:218:44f:100::1025"
inet="2001:218:44f:200::"
setup_local
# Allow any traffic to or from my own net.
${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}
# Allow any traffic to or from our internal network.
${fw6cmd} add pass all from ${ip} to ${inet}/${prefixlen}
${fw6cmd} add pass all from ${inet}/${prefixlen} to ${ip}
# Allow any link-local multicast traffic
${fw6cmd} add pass all from fe80::/10 to ff02::/16
${fw6cmd} add pass all from ${net}/${prefixlen} to ff02::/16
# Allow TCP through if setup succeeded
${fw6cmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fw6cmd} add pass all from any to any frag
# Allow setup of incoming email
${fw6cmd} add pass tcp from any to ${ip} 25 setup
# Allow access to our DNS
${fw6cmd} add pass tcp from any to ${ip} 53 setup
${fw6cmd} add pass udp from any to ${ip} 53
${fw6cmd} add pass udp from ${ip} 53 to any
# Allow access to our WWW
${fw6cmd} add pass tcp from any to ${ip} 80 setup
# Return TCP reset to ident
${fw6cmd} add reset tcp from any to ${ip} 113
# Allow setup of outgoing TCP connections only
${fw6cmd} add pass tcp from ${ip} to any setup
# Disallow setup of all other TCP connections
${fw6cmd} add deny log tcp from any to any setup
# Allow DNS queries out in the world
${fw6cmd} add pass udp from any 53 to ${ip}
${fw6cmd} add pass udp from ${ip} to any 53
# Allow NTP queries out in the world
${fw6cmd} add pass udp from any 123 to ${ip}
${fw6cmd} add pass udp from ${ip} to any 123
# Allow ICMPv6 destination unreach
${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1
# Allow NS/NA/toobig (don't filter it out)
${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
# Logging all denied packets
${fw6cmd} add deny log all from any to any
# Everything else is denied by default, unless the
# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
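Before enabling either script it is worth checking the rule text for the permissive patterns just described. The following is an added example, not code from the article: a small sh/awk lint that flags rules which trust a source port, pass all fragments, or rely on the stateless established match, and warns when a ruleset does not end with an explicit deny. The two rule sets embedded in it are constructed from the IPv4 and IPv6 excerpts above (rules only, comments dropped); the variable names ${fwcmd}, ${fw6cmd} and ${ip} are left unexpanded, as they would be in the script text.

```shell
#!/bin/sh
# Added example (not from the article): lint an rc.firewall-style rule script
# for the permissive patterns discussed above. Input is the script text as it
# would be fed to ipfw/ip6fw; variable names such as ${fwcmd} stay unexpanded.

# Constructed from the IPv6 excerpt above (rules only, comments dropped).
V6_RULES='${fw6cmd} add pass tcp from any to any established
${fw6cmd} add pass all from any to any frag
${fw6cmd} add pass udp from any to ${ip} 53
${fw6cmd} add pass udp from any 53 to ${ip}
${fw6cmd} add pass udp from ${ip} to any 53
${fw6cmd} add pass udp from any 123 to ${ip}
${fw6cmd} add pass udp from ${ip} to any 123
${fw6cmd} add deny log all from any to any'

# Constructed from the IPv4 excerpt: outbound UDP uses keep-state instead.
V4_RULES='${fwcmd} add pass tcp from any to any established
${fwcmd} add pass all from any to any frag
${fwcmd} add pass udp from ${ip} to any 53 keep-state
${fwcmd} add pass udp from ${ip} to any 123 keep-state
${fwcmd} add deny log all from any to any'

# Print one finding per line. Comments and lines without "add" are ignored.
lint_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || !/ add / { next }
        / pass .* from any [0-9]+ to / {       # accepts anything by source port alone
            print "source-port trust:     " $0 }
        / pass all from any to any frag/ {     # non-first fragments bypass port checks
            print "all fragments passed:  " $0 }
        / established/ && !/keep-state/ {      # ACK/RST flag match, no connection state
            print "stateless established: " $0 }
        { last = $0 }
        END { if (last != "" && last !~ / deny /)
                  print "no terminal deny rule: last rule is \"" last "\"" }'
}

# Number of findings, for use in scripts.
lint_count() { lint_rules "$1" | awk 'END { print NR }'; }

# Stand-alone demonstration on the two constructed rule sets.
echo "IPv6 rules:"; lint_rules "$V6_RULES"
echo "IPv4 rules:"; lint_rules "$V4_RULES"
```

Run it on the real file with lint_rules "$(cat /etc/rc.firewall6.kuri)". A finding is a prompt to look, not necessarily a bug: the fragment and established rules come from the stock sample, but the source-port rules appear only in the IPv6 script, where the stateless pairs stand in for the keep-state rules of the IPv4 script, so they are the ones to keep as narrow as possible.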
When the configuration is done, add the following lines to /etc/rc.conf:
firewall_enable="YES"
firewall_script="/etc/rc.firewall.kuri" # IPv4 configuration file
firewall_type="client"
ipv6_firewall_enable="YES"
ipv6_firewall_script="/etc/rc.firewall6.kuri" # IPv6 configuration file
ipv6_firewall_type="client"
Rebuilding kernel
Now we rebuild the kernel with the IP firewall options enabled. First, create a kernel
configuration file under /usr/src/sys/i386/conf/. The GENERIC file in that directory is
the configuration used to build the GENERIC kernel; our file includes it and adds options.
It is best to name the file after the host (KURI in this article).
Contents of /usr/src/sys/i386/conf/KURI
include "GENERIC" #GENERIC kernel configuration file
ident "KURI" # kernel ID. Better be the same as file name.
options IPFIREWALL # Enable IPv4 IP firewall
options IPFIREWALL_VERBOSE # Output log via syslog
options IPFIREWALL_VERBOSE_LIMIT=0 # No limit to log count
options IPV6FIREWALL # Enable IPv6 IP firewall
options IPV6FIREWALL_VERBOSE # Output log via syslog
options IPV6FIREWALL_VERBOSE_LIMIT=0 # No limit to log count
All options and devices supported by the kernel configuration file are listed in the NOTES
files: /usr/src/sys/conf/NOTES holds the architecture-independent ones (such as IP firewall),
and /usr/src/sys/i386/conf/NOTES the i386-specific ones. It is worth reading them through once.
Note that IPFIREWALL_VERBOSE_LIMIT=0 removes the per-rule cap on log entries, so a flood of
denied packets produces one syslog line per packet; if that is a concern, set a non-zero
limit here or later with the net.inet.ip.fw.verbose_limit sysctl.
Change to /usr/src and pass the kernel configuration file name to the build. When
compilation succeeds, install the kernel:
# cd /usr/src
# make buildkernel KERNCONF=KURI
# make installkernel KERNCONF=KURI
Restart the server and packet filtering is enabled. Confirm that the filtering
rules are in effect by doing the following:
Add the lines below to /etc/make.conf. This makes the kernel configuration file
KURI the default for make buildkernel, make installkernel and other operations.
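Once the kernel logs denied packets (IPFIREWALL_VERBOSE), the final deny log rule writes one line per packet to /var/log/security, and reviewing those lines is the first thing to do after the reboot. The following is an added example, not part of the article: a POSIX sh/awk script that summarises those lines by source, lists the TCP ports a given source probed, and flags sources that probed several distinct ports. It assumes the ipfw log line layout of FreeBSD 5.x ("ipfw: <rule> <Action> <PROTO> <src[:port]> <dst[:port]> in|out via <interface>", ICMP written as ICMP:<type>.<code> with bare addresses) and assumes ip6fw lines use the same layout with addresses in brackets; the log lines embedded in it are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the article): summarise ipfw "deny log" hits.
# Assumed log format (FreeBSD 5.x ipfw, as written to /var/log/security):
#   ... kernel: ipfw: <rule> <Action> <PROTO> <src[:sport]> <dst[:dport]> <in|out> via <if>
# ICMP entries carry "ICMP:<type>.<code>" and bare addresses. ip6fw lines are
# assumed to use the same layout with addresses in [brackets] when a port follows.

# Constructed sample lines, not captured from a real host.
SAMPLE_LOG='Mar  1 10:00:01 kuri kernel: ipfw: 1400 Deny TCP 198.51.100.7:40211 172.16.100.120:22 in via fxp0
Mar  1 10:00:01 kuri kernel: ipfw: 1400 Deny TCP 198.51.100.7:40212 172.16.100.120:23 in via fxp0
Mar  1 10:00:02 kuri kernel: ipfw: 1400 Deny TCP 198.51.100.7:40213 172.16.100.120:3389 in via fxp0
Mar  1 10:00:05 kuri kernel: ipfw: 1400 Deny UDP 203.0.113.9:1900 172.16.100.120:1900 in via fxp0
Mar  1 10:00:07 kuri kernel: ipfw: 1400 Deny ICMP:13.0 203.0.113.9 172.16.100.120 in via fxp0
Mar  1 10:00:09 kuri kernel: ipfw: 1300 Accept ICMP:8.0 192.0.2.4 172.16.100.120 in via fxp0
Mar  1 10:00:11 kuri kernel: ipfw: 1400 Deny TCP 198.51.100.7:40214 172.16.100.120:25 in via fxp0
Mar  1 10:00:13 kuri kernel: ip6fw: 1700 Deny TCP [2001:db8::5]:51000 [2001:218:44f:100::1025]:22 in via fxp0'

# Reduce every firewall line to: <action> <proto> <src-host> <dst-host> <dst-port>
# Other syslog lines are skipped. The destination port is empty for ICMP.
normalise() {
    printf '%s\n' "$1" | awk '
        function host(f) {                     # strip a port from addr:port or [addr]:port
            if (f ~ /^\[/) { sub(/^\[/, "", f); sub(/\].*$/, "", f); return f }
            if (f ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", f)
            return f
        }
        function port(f,   n, p) {             # trailing port, or "" for a bare address
            if (f ~ /\]:[0-9]+$/ || f ~ /^[0-9.]+:[0-9]+$/) { n = split(f, p, ":"); return p[n] }
            return ""
        }
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:" || $i == "ip6fw:") break
            if (i > NF) next                   # not a firewall line
            a = i + 2                          # action follows the rule number
            act = $a
            if (act == "Unreach") a++          # "Unreach <code>" is two words
            print act, $(a+1), host($(a+2)), host($(a+3)), port($(a+3))
        }'
}

# "<count> <source>" for every source that hit a Deny rule, busiest first.
denied_by_source() {
    normalise "$1" | awk '$1 == "Deny" { n[$3]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Distinct TCP ports a given source ($2) was denied on, ascending, space separated.
tcp_ports_probed() {
    normalise "$1" | awk -v s="$2" '$1 == "Deny" && $2 == "TCP" && $3 == s { print $5 }' |
        sort -nu | paste -s -d ' ' -
}

# Sources denied on at least $2 distinct TCP ports: the simplest port-scan signal.
port_scanners() {
    normalise "$1" | awk -v min="$2" '
        $1 == "Deny" && $2 == "TCP" && !seen[$3 SUBSEP $5]++ { ports[$3]++ }
        END { for (s in ports) if (ports[s] >= min) print s }' | sort
}

# Stand-alone demonstration on the constructed sample.
denied_by_source "$SAMPLE_LOG"
echo "ports probed by 198.51.100.7: $(tcp_ports_probed "$SAMPLE_LOG" 198.51.100.7)"
echo "sources probing >= 3 ports: $(port_scanners "$SAMPLE_LOG" 3)"
```

On the server, feed it the real file, for example denied_by_source "$(cat /var/log/security)". Because the final rule logs everything it drops, the Accept lines from 'pass log icmp' are filtered out by action rather than by rule number, so the summary keeps working when rule numbers change.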
Now we are finally ready to install the server applications. In PART 2, we will install
IPv6-enabled DNS, Web and mail server applications.
Trackback URL for this article:
http://www.ipv6style.jp/trackback/593