The following is an example
static filter configuration, appropriate for a system using pppd
to create a PPP/SLIP link between the system 192.168.199.1 and a
peer, 10.0.0.1, that is acting as the gateway to the Internet.
The complete filter, minus the comments, follows this section.
The filter design reflects a fail-safe, or closed, policy.
    default
        pass    !all            # block all other packets
        log     rejected        # packets rejected by packet filter
First, we define a default ruleset that is very restrictive.
This is a failsafe ruleset that passes no packets through the
filter at all, but logs every rejected packet so you can see what
traffic you are missing. The rulesets that follow are keyed to the
peer address 10.0.0.1 and are applied to every packet crossing the
link connecting this host to that peer.
    10.0.0.1
        bringup !3/icmp             # ICMP unreachable messages
                !5/icmp             # ICMP redirect messages
                !11/icmp            # ICMP time exceeded messages
                !who                # WHO service (513/udp)
                !route              # routed/gated RIP service (520/udp)
                !ntp                # Network Time service (123/udp)
                all                 # all other packets
If the link is configured for 'dial on demand'
connections, the 'bringup' filter describes those
packets that cause a call to be placed and a connection to be initiated.
The 'bringup' filter should be used to prevent
the connection from being brought up inappropriately. It is a good
idea to block packets that are responses to "bad" inbound packets,
such as ICMP Destination Unreachable messages, because they aren't
"interesting" enough to dial the modem. You should also block services,
such as the WHO service, that send packets at regular intervals
and would therefore never let the link stay down for long. Any
other sort of traffic initiates a dial connection.
        pass    !recv/ip-opt=srcrt/unreach=srcfail      # Block SRCRT attacks
Do not allow any incoming packets with the Source Route option
set in the IP header. Respond with an ICMP Destination Unreachable
message with the Source Route Failed code value.
                !192.168.199.0/recv/src/unreach=net     # Block IP spoofing attacks
                !192.168.199.0/send/dst/unreach=net     # Block IP spoofing attacks
Block any incoming packets that claim to be from your net,
and block any outgoing packets that claim to be destined for your
net. Respond with an ICMP Destination Unreachable message with
the Bad Net code value.
                !127.0.0.0;8                            # Block IP spoofing attacks
Silently block all packets that claim to be either to or from
the loopback network.
                dstport=nntp/dstaddr=192.168.199.10/srcaddr=10.0.5.6
                dstport=nntp/srcaddr=192.168.199.10/dstaddr=10.0.5.6
                dstport=nntp/dstaddr=192.168.199.10/srcaddr=172.31.12.13
                dstport=nntp/srcaddr=192.168.199.10/dstaddr=172.31.12.13
                !nntp/unreach=rst
Allow Network News (Usenet) exchanges only between your news server
(192.168.199.10) and your known news neighbors (10.0.5.6 and
172.31.12.13). Block any other NNTP traffic, and respond with
a TCP RST message.
                domain/tcp/192.168.199.11/dst/syn/recv  # (53/tcp)
                !domain/tcp/syn/recv
                domain/tcp/192.168.199.11
Allow outside hosts to obtain Domain Name Service zone transfers
only if your end of the stream is really being handled by your domain
name server. In this example, you first permit inbound connection
requests to the domain name server, then silently block all other
inbound connection requests to the domain port, and finally allow
any TCP packets on the domain port to cross the link if they are to
or from the host 192.168.199.11. Because the second rule carries no
'unreach' option, the sender is not notified that its packets are
being dropped.
                dstport=domain/udp/192.168.199.11       # permit domain queries (53/udp)
                !domain                                 # block domain (53/tcp, 53/udp)
Allow Domain Name Service (DNS) queries to and from the DNS
server. Block all other domain requests. This second rule is not
strictly necessary, since the final rule is '!all';
adding it, however, makes the intent explicit and keeps the policy
failsafe should the rules after it be edited later.
                smtp/192.168.199.14/dst/syn/recv        # (25/tcp)
                !smtp/syn/recv
                smtp
Allow incoming electronic mail connection requests to reach
your SMTP server, allow no other incoming SMTP connection requests,
and allow yourself unlimited outbound SMTP access.
                www/syn/recv/192.168.199.13/dst         # (80/tcp)
                !www/syn/recv/unreach=host
                www                                     # permit WWW messages
Allow incoming World Wide Web connection requests to reach
your WWW server. Allow no other incoming WWW connection requests,
responding with an ICMP Destination Unreachable message with the Bad
Host code value. Then allow yourself unlimited outbound WWW access.
                !dstport=ident/recv/unreach=rst         # block IDENT service (113/tcp)
You do not use the RFC 1413 identification services, so you
might as well bounce the queries at the gateway instead of having
inetd refuse the connection. Respond
with a TCP RST message. This does not improve the security of your
packet filter, since the packets would be blocked by the final '!all',
but it does reduce the delay in services that make use of 'ident'.
                !telnet/syn/recv/unreach=prohibited     # block inbound TELNET requests
                telnet                                  # permit TELNET messages
Block inbound telnet connection requests, responding with an ICMP
Destination Unreachable message with the Administratively Prohibited
code value, and allow outbound telnet connections from your network
to anywhere else.
                !finger/syn/recv/unreach=prohibited     # block inbound FINGER requests
                finger                                  # permit FINGER messages
Block incoming finger requests until you install a safe finger
daemon, while still permitting outbound finger queries.
                ftp/syn/recv/dst/192.168.199.12         # permit inbound FTP for anon FTP
                !ftp/syn/recv/unreach=host              # block inbound FTP requests
Allow incoming FTP (file transfer) traffic that uses your
Anonymous FTP server system, but block any other incoming FTP requests.
Respond with an ICMP Destination Unreachable message with the Bad
Host code value.
                ftp                                     # permit FTP messages
                srcport=ftp-data/dstport=1024-65535/syn
                !ftp-data/syn                           # block other FTP-DATA connections
                ftp-data                                # permit FTP-DATA messages
After blocking the traffic specified above, allow both FTP
command streams and FTP data streams to cross the link, both inbound
and outbound. The second rule exists because active-mode FTP has the
server open the data connection back to a high-numbered client port
from source port 20. Note what that rule admits: any inbound
connection request whose source port is 20 and whose destination
port is above 1023 will pass, whether or not an FTP transfer is in
progress. A stateless filter cannot tell a genuine data connection
from one an attacker opens from source port 20 to reach a service
listening on a high port, so this is the price of permitting active
FTP through such a filter.
                dstport=33410-33515/udp/send            # permit outbound traceroute operation
The traceroute tool probes high-numbered UDP ports and is
so useful that you should let its outbound probes through; the
ICMP Time Exceeded replies that carry the results are admitted by
the ICMP rules below.
                !5/icmp                                 # block ICMP_REDIRECT
                8/icmp/192.168.199.1                    # permit ping of gateway
                8/icmp/192.168.199.10                   # permit ping of NNTP server
                8/icmp/192.168.199.11                   # permit ping of DNS server
                8/icmp/192.168.199.12                   # permit ping of FTP server
                8/icmp/192.168.199.13                   # permit ping of WWW server
                8/icmp/192.168.199.14                   # permit ping of SMTP server
                !8/icmp/recv                            # block inbound ping address scanning
                icmp                                    # permit ICMP messages
Block ICMP redirect messages since the routing on an internal
node should not be changed by an external site. Permit ICMP echo
request packets, sent by 'ping', to reach all
hosts providing external services. Block all other inbound ping
packets to prevent IP address probes. Finally, allow other ICMP
messages to pass freely.
                !all                                    # block all other packets
Silently block all traffic not explicitly permitted to pass.
Only those packets explicitly permitted by an earlier rule cross
the link; because the first matching rule decides, the order of the
rules above is part of the policy.
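Because the 'pass' filter is evaluated first match wins, the order of its rules matters as much as their content: the anti-spoofing rules must precede the per-service rules, the per-host 'syn/recv' permits must precede the 'syn/recv' blocks, and the trailing '!all' turns everything else into a closed policy. The following Python evaluator, added here as an illustration and not part of pppd or the Filter file implementation, encodes a subset of the rules above in a simplified form (the real Filter grammar is not parsed; rules are written as Python objects whose 'comment' field carries the original rule text) and runs constructed sample packets through them. It also exercises the FTP-DATA rule to show the inbound source-port-20 case discussed above.

```python
"""First-match packet filter evaluator modelled on the 'pass' filter above.

Added example, not pppd's own code. The rule encoding is a simplified
Python form of the page's rules; the sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    direction: str            # "recv" (inbound from the peer) or "send" (outbound)
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False         # TCP connection request (SYN without ACK)
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    action: str               # "pass" or "block"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    port: Optional[int] = None        # matches either end, like a bare 'smtp'
    sport: Optional[range] = None     # like 'srcport=...'
    dport: Optional[range] = None     # like 'dstport=...'
    syn: Optional[bool] = None        # like '/syn'
    icmp_type: Optional[int] = None   # like '8/icmp'
    comment: str = ""                 # the page's rule text this stands for

    def matches(self, p: Packet) -> bool:
        # Every field that is set must match; unset fields are wildcards.
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.port is not None and self.port not in (p.sport, p.dport):
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        if self.syn is not None and p.syn != self.syn:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """Return (action, index of first matching rule). No match => block."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "block", -1        # fail closed even without a trailing '!all'


R = Rule
# A subset of the page's 'pass' filter, in the page's order.
PASS_RULES = [
    R("block", direction="recv", src_net="192.168.199.0/24", comment="!192.168.199.0/recv/src/unreach=net"),
    R("block", direction="send", dst_net="192.168.199.0/24", comment="!192.168.199.0/send/dst/unreach=net"),
    R("pass", direction="recv", proto="tcp", dst_net="192.168.199.14/32", port=25, syn=True, comment="smtp/192.168.199.14/dst/syn/recv"),
    R("block", direction="recv", proto="tcp", port=25, syn=True, comment="!smtp/syn/recv"),
    R("pass", proto="tcp", port=25, comment="smtp"),
    R("block", direction="recv", proto="tcp", port=23, syn=True, comment="!telnet/syn/recv/unreach=prohibited"),
    R("pass", proto="tcp", port=23, comment="telnet"),
    R("pass", proto="tcp", sport=range(20, 21), dport=range(1024, 65536), syn=True, comment="srcport=ftp-data/dstport=1024-65535/syn"),
    R("block", proto="tcp", port=20, syn=True, comment="!ftp-data/syn"),
    R("pass", proto="tcp", port=20, comment="ftp-data"),
    R("block", comment="!all"),
]

# Constructed sample packets (addresses chosen for the example only).
SAMPLES = {
    "spoofed inbound SMTP SYN":        Packet("recv", "tcp", "192.168.199.50", "192.168.199.14", 4000, 25, syn=True),
    "inbound SMTP SYN to mail host":   Packet("recv", "tcp", "10.9.8.7", "192.168.199.14", 4000, 25, syn=True),
    "inbound SMTP SYN to web host":    Packet("recv", "tcp", "10.9.8.7", "192.168.199.13", 4000, 25, syn=True),
    "outbound telnet SYN":             Packet("send", "tcp", "192.168.199.5", "10.2.3.4", 5000, 23, syn=True),
    "inbound telnet reply (no SYN)":   Packet("recv", "tcp", "10.2.3.4", "192.168.199.5", 23, 5000),
    "inbound SYN from port 20 to 6000": Packet("recv", "tcp", "10.6.6.6", "192.168.199.5", 20, 6000, syn=True),
    "inbound UDP to port 5353":        Packet("recv", "udp", "10.9.8.7", "192.168.199.5", 5353, 5353),
}


def decide(p: Packet) -> Tuple[str, str]:
    """Return (action, text of the rule that decided it)."""
    action, idx = evaluate(PASS_RULES, p)
    return action, (PASS_RULES[idx].comment if idx >= 0 else "(no match)")


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, rule = decide(pkt)
        print(f"{name:34s} -> {action:5s} by {rule}")
```

Two results are worth noting. The spoofed packet is blocked by the anti-spoofing rule even though a later rule would have admitted an SMTP SYN to the mail host, which is exactly why that rule sits first. And the SYN from source port 20 to port 6000 passes under the FTP-DATA rule, because a stateless filter has no way to know whether an FTP transfer is in progress.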
        keepup  !send               # outbound traffic
                !3/icmp             # ICMP unreachable messages
                !5/icmp             # ICMP redirect messages
                !11/icmp            # ICMP time exceeded messages
                !who                # WHO protocol
                !route              # routed/gated RIP protocol
                !ntp                # Network Time Protocol
                all                 # permit all other packets
The link is considered active (non-idle) if any packet passes
that is not specified in the keepup filter as being blocked. Since
there are certain link failure modes that allow your system to continue
sending even though the peer is unresponsive, no outbound packets
are permitted to reset the idle timer.
        log     !8/icmp             # ICMP ECHO packets
                rejected            # packets rejected by packet filter
                tcp/syn             # all TCP connection requests
                !all                # block all other packets
Log any packet blocked by the 'pass' filter
above, except ICMP Echo messages. Also log all TCP connection requests.