ipfwadm - I don't get it

Post by Tobias Reckhard (jest » Tue, 03 Nov 1998 04:00:00

>I just don't get it.
>How should I configure my firewall/masquerading to be hacker proof?

Oh no, you don't. Don't even ask about 'hacker *proof*'. Short answer: can't
be done.

>I have read the ipfwadm manual over and over again..

>I use 10.0.0.x for local net
>I use 181.100.100.99 & .100 for net between router & Linux (router deliv. default)

Is this an official net, registered with the NIC? If not, I suggest you
reconfigure your router and Linux box to use private addresses, if only to be
on the safe side. And it could be you actually want to connect to a
181.100.100.x host as well, who knows? ;)

>Linux: RH 5.0, 3 Modems+ppp+mgetty, 2 eth's
>       eth0 10.0.0.1 (to hub)
>       eth1 181.100.100.99 (crossed TP-cable to router)
>       Default route: 181.100.100.100
>       DNS: our ISP

>Router: Ascend Pipeline 25-Px ISDN router (autom. connects to ISP when needed)
>    eth0: Dynamic IP from ISP at connect
>    eth1: 181.100.100.100 (net to linux box, crossed TP-cable)

>PC's:  WinNT, Win95, Win98, modems and/or eth (10.0.0.2 -> .100)
>       Gateway: 10.0.0.1
>       DNS: our ISP

OK.

>Today: It works. (almost, and not secure enough)
>ok:  Linux can access the Internet and the local net
>ok:  All PC's can access the Internet
>ok:  All PC's can access the local net (ethernetted as well as modem connected)

Modem connected?

>not ok: When a Win95 starts up, I can see (using tcpdump) netbios-*
>        traffic going out through the router.. (I just can't stop this!)

The ports used are 137 through 139. To block them, use these rules on the
Linux box to block NetBIOS traffic:

# output chain (-O): deny TCP 137-139 leaving via eth1 (181.100.100.99)
ipfwadm -O -a deny -P tcp -S 181.100.100.99/32 -D 0/0 137:139 \
  -V 181.100.100.99
# same for UDP, which is what NetBIOS name service and datagrams actually use
ipfwadm -O -a deny -P udp -S 181.100.100.99/32 -D 0/0 137:139 \
  -V 181.100.100.99

>Tomorrow:
>- Same as above, but fixed netbios-traffic

See above.

>- Denying of incoming packets initiated from the outside

Either deny any SYN packets or accept only ACK packets from the outside.

>- Allowing incoming "response packets", responses to inside-initiated traffic

Write rules for all protocols you want to support and include the 'ACK bit
must be set' flag (-k) in any inbound TCP response rules. For UDP this can't
be done: it is a connectionless protocol and has no concept of response
packets. You won't want UDP traffic to be allowed in general, though.

>- I want the PC's be able to use all/most facilities of Internet (masquerading)

This is contradictory to your security requirement, I'm afraid. You can only
allow what you know is safe. And write appropriate rules. It's a complicated
task.

>- I do not want M$-NW traffic (broadcasts etc.) going out the router.

Broadcasts do not cross routers, they'll even stop at the Linux box. Turn off
IPX support in the Linux kernel to be absolutely sure it won't route any IPX
traffic. It won't be able to do that unless you install an IPX routing daemon
anyhow, though.

>  (Connection to ISP established every time a PC starts up/browses M$-net = money)

Hmm.. could be you need to block DNS lookups then: UDP, coming from port 137
and going to port 53 on the DNS server. Maybe followed by a TCP query on the
same ports if unsuccessful, but I'm not sure about that. Log some packets to
see (use '-o' in ipfwadm and check /var/log/messages on the Linux box).

>- I want to block unwanted traffic from the Internet

What is unwanted? Remember though, that ipfwadm can only distinguish packets
by OSI levels 3 and 4, i.e. TCP/IP. For higher-level checks you need proxy
servers running as bastion hosts.

>- I want PC's dialing into Linux modems to access the local net (TCP/IP & M$-nw)

Haven't done that yet, sorry. Should work with mgetty, though.

>I also tried the fwconfig program (web-based) but I don't understand the
>generated rules... (It seems as if they took it away.. it used to be at
>http://www.openpro.org/fwconfig but it's not there anymore..!)

I suggest you learn ipfwadm itself, it isn't that hard after a short while.
The ruleset can become very complicated, but no front end will be able to help
you with that; you absolutely need to understand your rules.

>Please, could any kind soul help me to generate a (well commented) script?

Sure, email me and tell me exactly what you want to do if you run into
difficulties. But read the ipfwadm and ipfw man pages first and gather some
information about the protocols you want to allow.

regards
Tobias
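The pieces of advice in the reply above (deny-by-default chains, the NetBIOS denies with -o logging, the port 137 to port 53 DNS lookups, masquerading, and inbound TCP accepted only with the ACK bit set via -k) put together as one commented ipfwadm script. This is an added example, not code from the original post or from Tobias; it assumes the addresses given in the thread (10.0.0.0/24 behind eth0 10.0.0.1, eth1 181.100.100.99 toward the router), an ipfwadm binary at /sbin/ipfwadm, and a placeholder address for the ISP's resolver, all of which you would substitute. Every rule goes through a small wrapper so the whole ruleset can be printed with --dry-run before it is loaded with --apply.

```shell
#!/bin/sh
# Added example, not from the original post: an ipfwadm ruleset for the layout
# in the thread. Paths and the resolver address are assumptions; adjust them.
# Usage: ./fw.sh --dry-run   (print the rules)   ./fw.sh --apply   (load them)

IPFWADM="${IPFWADM:-/sbin/ipfwadm}"    # assumed location of ipfwadm
DNS_SERVER="${DNS_SERVER:-192.0.2.53}" # placeholder for the ISP's resolver
INSIDE_NET=10.0.0.0/24                 # local net (10.0.0.x)
INSIDE_IF=10.0.0.1                     # eth0
OUTSIDE_IF=181.100.100.99              # eth1, crossed cable to the router
ANY=0.0.0.0/0

# Every rule goes through fw(); with DRY_RUN=1 the command is printed, not run.
fw() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'ipfwadm %s\n' "$*"
  else
    "$IPFWADM" "$@"
  fi
}

# 1. Flush all three chains and make deny the default policy on each.
reset_chains() {
  for chain in -I -O -F; do
    fw $chain -f
    fw $chain -p deny
  done
}

# 2. NetBIOS (137-139): deny in the forward chain before masquerading can
#    rewrite the source, and in the output chain for the box itself.
#    -o logs every hit so you can see which PC is talking.
block_netbios() {
  for proto in tcp udp; do
    fw -F -a deny -P $proto -S $INSIDE_NET -D $ANY 137:139 -o
    fw -O -a deny -P $proto -S $OUTSIDE_IF/32 -D $ANY 137:139 -V $OUTSIDE_IF -o
  done
}

# 3. Name lookups triggered by browsing: UDP from port 137 to port 53.
#    Logged and denied so they no longer bring the ISDN line up.
block_netbios_dns() {
  fw -F -a deny -P udp -S $INSIDE_NET 137 -D $ANY 53 -o
}

# 4. Whatever else the LAN sends that survived the denies gets masqueraded.
masquerade_lan() {
  fw -F -a masquerade -S $INSIDE_NET -D $ANY -V $OUTSIDE_IF
}

# 5. Inbound on eth1: TCP only with ACK set (-k), i.e. replies to sessions we
#    opened; a bare SYN does not match -k and is logged by the -y deny below.
#    UDP has no ACK bit, so only replies from the known resolver are allowed.
allow_replies() {
  fw -I -a accept -P tcp -k -S $ANY -D $OUTSIDE_IF/32 -V $OUTSIDE_IF
  fw -I -a accept -P udp -S $DNS_SERVER/32 53 -D $OUTSIDE_IF/32 1024:65535 \
     -V $OUTSIDE_IF
  fw -I -a deny -P tcp -y -S $ANY -D $OUTSIDE_IF/32 -V $OUTSIDE_IF -o
}

# 6. Loopback and the LAN side are trusted; the output accept on eth1 comes
#    after the NetBIOS denies, so rule order keeps those in force.
allow_inside() {
  fw -I -a accept -S $ANY -D $ANY -V 127.0.0.1
  fw -O -a accept -S $ANY -D $ANY -V 127.0.0.1
  fw -I -a accept -S $INSIDE_NET -D $ANY -V $INSIDE_IF
  fw -O -a accept -S $ANY -D $ANY -V $INSIDE_IF
  fw -O -a accept -S $OUTSIDE_IF/32 -D $ANY -V $OUTSIDE_IF
}

apply_all() {
  reset_chains
  block_netbios
  block_netbios_dns
  masquerade_lan
  allow_replies
  allow_inside
}

case "${1:-}" in
  --apply)   apply_all ;;
  --dry-run) DRY_RUN=1; apply_all ;;
esac
```

Order matters in ipfwadm: the first matching rule wins, so the denies are appended before the accepts in each chain, and the -F masquerade rule sits after the forward-chain denies. Run it with --dry-run first and read the printed rules against the ipfwadm man page before loading them on the box that is your only path to the Internet.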