FreeBSD firewall using IP Filter via PPPoE
U N I X C I R C L E
FreeBSD firewall using IP Filter via PPPoEby Hoang Q. Tran
It is really simple to build FreeBSD gateway for a private network. You only need to do several tasks. Details are given below.
- Lock down the box
- Setup network interfaces
- Customize the kernel
- Network tunings
- Configure machines behind NAT
- Familiarize with IPFilter
Lock down the boxThe first step in setting up a firewall is to disable any unused services. This helps minimize potential local and remote exploits. Edit /etc/rc.conf and make sure inetd, portmap, sendmail daemons are all disabled.
inetd_enable="NO" sendmail_enable="NONE" check_quotas="NO"If you don't need remote logon, make sure sshd_enable="NO".
Once you disabled unnecessary services, go to unixcircle.com portscan to remotely port scan your own box from the outside. Be careful when you do this behind a NAT/firewall box as the port scan script will scan the NAT/firewall instead. If you have another box, use nmap to scan the box from the inside.
Get the latest FreeBSD security patches manually and apply them from here:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/or use CVSup to synchronize the stable release and build.
For more information on security vulnerabilities, read SANS The Twenty Most Critical Internet Security Vulnerabilities (Updated)
Setup network interfacesAssume this box has 2 3com 509B network cards and their FreeBSD driver are named as ep0 and ep1 for first and second card. First network card will use the non-routable private address according to rfc1918. The second will be assigned either static or dynamic via DHCP IP address.
Non-routable IP addresses for private networks:
10.0.0.1 - 10.255.255.254 netmask 255.0.0.0 172.16.0.1 - 172.31.255.254 netmask 255.240.0.0 192.168.0.1 - 192.168.255.254 netmask 255.255.0.0Assume you choose 192.168.0.1 range, enable the first network interface in /etc/rc.conf:
ifconfig_ep0="inet 192.168.1.1 netmask 255.255.255.0"
Customize the kernelTo compile the new kernel you need the kernel source (part of kernel developer distribution). If you haven't done that, run /stand/sysinstall and make sure to install the kernel source.
# cd /sys/i386/confI usually name the kernel to the machine hostname, but you can give it any name. Edit the kernel config file:
# cp GENERIC firewall # vi firewallIn the options section, add these lines for PPPoE:
options NETGRAPH options NETGRAPH_ETHER options NETGRAPH_PPPOE options NETGRAPH_SOCKETFirewall and NAT:
options IPFILTER # IPFilter support options IPFILTER_LOG # IPFilter logging support options IPFILTER_DEFAULT_BLOCK # Block all packets by default options RANDOM_IP_ID # RANDOM_IP_ID causes the ID field in IP packets to be randomized # instead of incremented by 1 with each packet generated.Remove any hardware related ``options'' that are not relevant to your machine. One way to find out what to keep is to consult the dmesg output and remove all the rest. For all available kernel options, refer to LINT in the same directory as the kernel file. Save the kernel config file and then compile and install it:
# cd /usr/src # make buildkernel KERNCONF=firewall ( kernel building output... ) ... # make installkernel KERNCONF=firewall # rebootThis will retain the old kernel as /kernel.old just in case something has gone awry with the new one and the box doesn't boot. If that happens you can type 'kernel.old' at the boot: prompt to boot the old kernel.
Network tuningsAdd the following to /etc/sysctl.conf:
To enable packet forwarding:
net.inet.ip.forwarding=1To verify that an incoming packet arrives on an interface that has an address matching the packet's destination address:
net.inet.ip.check_interface=1To drop SYN packets destine to non-listening tcp/udp port. This will create a blackhole and protect against stealth port scans:
net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1To enable high performance data transfers on hosts according to Enabling High Performance Data Transfers:
# 1. Path MTU discovery: enabled by default # 2. TCP Extension (RFC1323): enabled by default # 3. Increase TCP Window size for increase in network performance net.inet.tcp.recvspace=65535 net.inet.tcp.sendspace=65535 # 4. SACK (RFC2018): FreeBSD doesn't have a SACK implementation
And if you receive your public address assignment via PPPoE, edit /etc/rc.conf and add:
ifconfig_ep1="inet 0.0.0.0 mtu 1492" ifconfig_ep1="inet 10.0.0.1 netmask 255.255.255.0" ppp_enable="YES" ppp_nat="NO" ppp_mode="ddial" ppp_profile="myisp"Here is a working /etc/ppp/ppp.conf:
default: set log Phase Chat LCP IPCP CCP tun command set redial 15 28800 set reconnect 15 28800 myisp: set log Phase Chat LCP IPCP CCP tun command set device PPPoE:ep1 set authname xxxYourSecretNamexxx set authkey xxxYourSecretKeyxxx set mru 1492 set mtu 1492 set cd 5 set speed sync set redial 15 28800 set reconnect 15 28800 disable lqr set timeout 120 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 add default HISADDR
Since you don't know what to block yet, you need to open up ingress and outgress traffic to flow through. Edit /etc/ipf.rules and add:
pass in all pass out allNetwork Address Translation rule:
For NAT and ftp clients behind NAT to work, add the following to /etc/ipnat.rules:
Use ipfilter ftp proxy for ftp client transfers mode: active
map tun0 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcpMap all tcp and udp connections from 192.168.1.0/24 to external IP address, changing the source port number to something between 40,000 and 60,000 inclusive
map tun0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000For all other IP packets, map to the external IP address
map tun0 192.168.1.0/24 -> 0.0.0.0/32Make sure all the `proxy' lines are before any generic `portmap' lines, as the first match always wins.
To enable firewall and NAT on bootup, add the following to /etc/rc.conf:
ipfilter_enable="YES" #Stateful firewall ipnat_enable="YES" #Network Address Translation ipfs_enable="YES" #Enable saving and restoring state tables between reboot ipmon_enable="YES" #Firewall logging ipmon_flags="-Dsn" -D: Cause ipmon to turn itself into a daemon. -n: IP addresses and port numbers will be mapped, where possible, back into hostnames and service names. -s: Packet information read in will be sent through syslogd rather than saved to a file.
Configure machines behind NATAll the machines on the private network should be configured to use the address of the private interface of the FreeBSD box as the default gateway.
To set the internal boxes to the default FreeBSD gateway on various operating systems:
Assume the FreeBSD box NAT/firewall has IP address: 192.168.1.1
AIX: edit /etc/rc.net and add /usr/sbin/route add 192.168.1.1 gateway >>$LOGFILE 2>&1 FreeBSD: edit /etc/rc.conf and add defaultrouter="192.168.1.1" HP-UX: edit /etc/rc.config.d/netconf and add ROUTE_GATEWAY="192.168.1.1" Linux Redhat: edit /etc/sysconfig/network and add GATEWAY=192.168.1.1 NetBSD: echo "192.168.1.1" > /etc/mygate OpenBSD: echo "192.168.1.1" > /etc/mygate Solaris: echo "192.168.1.1" > /etc/defaultrouter Win2k: Start-Settings->Control Panel->Network and Dial-up Connections->Local Area Network-> Properties->Internet Protocol (TCP/IP)->Default Gateway->192.168.1.1If you don't want to reboot to pick up the IP address for the default gateway, use ``route'' to manually add the default route.
AIX: route add 0 192.168.1.1
HP-UX: route add 192.168.1.1
FreeBSD,NetBSD,OpenBSD,Solaris: route add default 192.168.1.1
Linux Redhat: route add default gw 192.168.1.1
2. /etc/resolv.conf on unix client hosts need to edit/add to have nameserver statements in order to resolve hostnames.
$ cat /etc/resolv.conf nameserver <ISP DNS IP> nameserver <ISP DNS IP>Win2k :
Start-Settings->Control Panel->Network and Dial-up Connections->Local Area Network-> Properties->Internet Protocol (TCP/IP)->->Advanced TCP/IP Settings->DNSand add the ISP DNS IPs.
Familiarize with IPFilterOnce your NAT/firewall is online, you should start reading the IP Filter Howto and add more blocking/passing rules to /etc/ipf.rules. Some other useful links can also be found on IP Filter home page. Each time /etc/ipf.rules or /etc/ipnat.rules is modified, you need to flush the rules as:
# /sbin/ipf -Fa -f /etc/ipf.rules # /sbin/ipnat -CF -f /etc/ipnat.rulesYou can use ipfstat to display firewall statistics a la ``top" command:
# /sbin/ipfstat -t firewall.muine.org - IP Filter: v3.4.29 - state top 23:01:10 Src = 0.0.0.0 Dest = 0.0.0.0 Proto = any Sorted by = # bytes Source IP Destination IP ST PR #pkts #bytes ttl 192.168.1.200,1415 184.108.40.206,6699 4/4 tcp 8245 6923504 42:14:06 220.127.116.11,24064 18.104.22.168,22 4/4 tcp 576 199843 119:59:59 192.168.1.200,2091 22.214.171.124,8888 4/4 tcp 157 118770 51:36:40 192.168.1.200,1094 126.96.36.199,8888 4/4 tcp 125 94190 46:37:34To find out the ipfilter version:
# /sbin/ipf -V ipf: IP Filter: v3.4.29 (264) Kernel: IP Filter: v3.4.29 Running: yes Log Flags: 0 = none set Default: block all, Logging: available Active list: 0Notice the ``block all" setting from our options IPFILTER_DEFAULT_BLOCK in the kernel.
To display the current list of active MAP/Redirect filters and active sessions:
# /sbin/ipnat -lTo find out the ``hit" statistic for each individual rule in /etc/ipf.rules:
# /sbin/ipfstat -hioSee also ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(8), ipfstat(8), ipmon(8), ipnat(8) for details.
IPFilter home page: http://www.ipfilter.org IPFilter how-to: http://www.unixcircle.com/ipf/ Address Allocation for Private Internets: http://www.muine.org/rfc/rfc1918.txt The IP Network Address Translator (NAT): http://www.muine.org/rfc/rfc1631.txt Traditional IP Network Address Translator (Traditional NAT) http://www.muine.org/rfc/rfc3022.txt The Twenty Most Critical Internet Security Vulnerabilities (Updated) http://188.8.131.52/top20.htm
last update: July 27, 2003