FreeBSD firewall using IP Filter via PPPoE

Original post: 17 October 2004, 16:11

UNIXCIRCLE

by Hoang Q. Tran

Building a FreeBSD gateway for a private network is straightforward. Only a handful of tasks are needed; the details are given below.

Lock down the box

The first step in setting up a firewall is to disable every service you do not need: the fewer daemons listening, the smaller the surface for local and remote exploits. Edit /etc/rc.conf and make sure the inetd, portmap and sendmail daemons are all disabled:
inetd_enable="NO"
sendmail_enable="NONE"
check_quotas="NO"
portmap is controlled by the portmap_enable variable in the same file; set it to "NO" unless you run NFS or other RPC services, since FreeBSD 4.x enables it by default. If you do not need remote logins, also set sshd_enable="NO". If sshd must stay on, restrict it to the internal address with a ListenAddress line in /etc/ssh/sshd_config so that it is never reachable from the PPPoE side.

Once the unnecessary services are disabled, use the port scanner at unixcircle.com to scan your own box from the outside. Be careful when doing this from behind another NAT/firewall box: the scan will hit that box rather than the host behind it. If you have a second machine, scan from the inside with nmap as well, and compare what the scans find with what netstat -an reports as listening on the box itself.

Get the latest FreeBSD security patches and apply them by hand from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/
or use CVSup to track the -STABLE branch and rebuild.

For more information on security vulnerabilities, read SANS The Twenty Most Critical Internet Security Vulnerabilities (Updated)

Set up network interfaces

Assume this box has two 3Com 3C509B network cards, which the FreeBSD ep(4) driver names ep0 and ep1. The first card carries the private network and gets a non-routable address from RFC 1918. The second faces the ISP and is assigned a public address either statically, dynamically via DHCP, or, as in this article, via PPPoE.

Non-routable IP addresses for private networks:

10.0.0.1 - 10.255.255.254      netmask 255.0.0.0
172.16.0.1 - 172.31.255.254    netmask 255.240.0.0
192.168.0.1 - 192.168.255.254  netmask 255.255.0.0
Assuming you pick a subnet from the 192.168.0.0/16 range, say 192.168.1.0/24, enable the first network interface in /etc/rc.conf:
ifconfig_ep0="inet 192.168.1.1 netmask 255.255.255.0"

Customize the kernel

To compile the new kernel you need the kernel source (part of kernel developer distribution). If you haven't done that, run /stand/sysinstall and make sure to install the kernel source.
# cd /sys/i386/conf
I usually name the kernel config after the machine's hostname, but any name will do. Copy and edit the kernel config file:
# cp GENERIC firewall
# vi firewall
In the options section, add these lines for PPPoE:
options     NETGRAPH
options     NETGRAPH_ETHER
options     NETGRAPH_PPPOE
options     NETGRAPH_SOCKET
Firewall and NAT:
options     IPFILTER                  # IPFilter support
options     IPFILTER_LOG              # IPFilter logging support
options     IPFILTER_DEFAULT_BLOCK    # Block all packets by default
options     RANDOM_IP_ID              # RANDOM_IP_ID causes the ID field in IP packets to be randomized
                                      # instead of incremented by 1 with each packet generated.
Note that IPFILTER_DEFAULT_BLOCK makes the kernel drop every packet until a rule set has been loaded: if /etc/ipf.rules is missing or fails to parse, the box comes up with no network at all, so keep console access until you know the rules load cleanly. Remove any hardware-related options and device lines that are not relevant to your machine; one way to decide what to keep is to compare against the dmesg output and drop everything that did not probe. All available kernel options are documented in LINT in the same directory as the config file. Save the config file, then build and install the kernel:
# cd /usr/src
# make buildkernel KERNCONF=firewall
( kernel building output... )
...
# make installkernel KERNCONF=firewall
# reboot
This keeps the previous kernel as /kernel.old in case something has gone wrong with the new one and the box does not boot. If that happens, type 'kernel.old' at the boot: prompt to boot the old kernel.

Network tuning

Add the following to /etc/sysctl.conf. Settings there are applied at boot; to turn one on immediately, run sysctl -w with the same name=value pair.

To enable packet forwarding between the two interfaces (gateway_enable="YES" in /etc/rc.conf does the same thing):

net.inet.ip.forwarding=1
To have the kernel check that an incoming packet arrived on an interface that actually holds an address matching the packet's destination address:
net.inet.ip.check_interface=1
To drop packets sent to TCP and UDP ports nothing is listening on, instead of answering with a TCP RST or an ICMP port unreachable. To a scanner the closed ports then look filtered rather than closed, which slows reconnaissance down but does not hide the ports that are open; a side effect of the UDP setting is that traceroute probes aimed at the box itself get no final answer:
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
To enable high-performance data transfers as described in Enabling High Performance Data Transfers:
# 1. Path MTU discovery: enabled by default
# 2. TCP extensions (RFC 1323): enabled by default
# 3. Larger TCP window for better throughput
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
# 4. SACK (RFC 2018): not available in FreeBSD 4.x (it arrived in 5.3)

PPPoE

If your public address is assigned via PPPoE, edit /etc/rc.conf and add:

ifconfig_ep1="inet 0.0.0.0 mtu 1492"
ppp_enable="YES"
ppp_nat="NO"
ppp_mode="ddial"
ppp_profile="myisp"
The external card needs no real address of its own: the public address is negotiated by IPCP and lands on ppp's tun0 interface, so the line above only brings ep1 up. Since rc.conf is a shell script, give ifconfig_ep1 exactly one assignment (a second one would silently override the first). ppp_nat is "NO" because NAT is done by ipnat below, not by ppp's built-in NAT code.
Here is a working /etc/ppp/ppp.conf. It holds your ISP credentials, so keep it owned by root with mode 0600:
default:
 set log Phase Chat LCP IPCP CCP tun command
 set redial 15 28800
 set reconnect 15 28800
myisp:
 set log Phase Chat LCP IPCP CCP tun command
 set device PPPoE:ep1
 set authname xxxYourSecretNamexxx
 set authkey xxxYourSecretKeyxxx
 set mru 1492
 set mtu 1492
 set cd 5
 set speed sync
 set redial 15 28800
 set reconnect 15 28800
 disable lqr
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR

Firewall

Filter rule:

Since you do not yet know what to block, start by letting ingress and egress traffic flow. Edit /etc/ipf.rules and add:

pass in all
pass out all
With IPFILTER_DEFAULT_BLOCK in the kernel these two lines are what turns the network on at all. They also mean the box is, for now, an open router with NAT and nothing else, so treat them as a starting point to be tightened once everything works (see Familiarize with IPFilter below).
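As an added example, not from the article, here is the default-deny, stateful /etc/ipf.rules a practitioner would move to once the link is known to work. It assumes the interfaces used in this article (ep0 on 192.168.1.0/24 for the LAN, tun0 as the PPPoE link) and the ipf 3.4 syntax of the time. PPPoE discovery and session frames on ep1 are not IP, so ipf never sees them and ep1 needs no rules; the IP traffic inside the tunnel arrives on tun0. Rules marked quick stop on first match, so order matters.

```ipf
# /etc/ipf.rules: default-deny stateful ruleset (added example, assumes
# ep0 = 192.168.1.0/24 LAN side, tun0 = PPPoE link to the ISP).

# Loopback and the LAN side are trusted, but only for LAN source addresses.
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on ep0 from 192.168.1.0/24 to any
pass out quick on ep0 all
block in log quick on ep0 all          # anything else on the LAN wire is bogus

# Packets from the Internet claiming a private or loopback source are
# spoofed: drop and log them before any pass rule can match.
block in log quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 172.16.0.0/12 to any
block in log quick on tun0 from 192.168.0.0/16 to any
block in log quick on tun0 from 127.0.0.0/8 to any

# Fragments too short to carry a full header, and packets with IP options.
block in log quick on tun0 all with short
block in log quick on tun0 all with ipopts

# Outbound sessions (the LAN's NATed traffic and the box's own) are
# allowed, and the state table admits their replies coming back in.
pass out quick on tun0 proto tcp  from any to any flags S keep state
pass out quick on tun0 proto udp  from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# Inbound: only what you deliberately expose. If sshd stays enabled and
# must be reachable from the Internet, uncomment the next line.
# pass in quick on tun0 proto tcp from any to any port = 22 flags S keep state

# Everything else on the Internet side is dropped and logged.
block in  log quick on tun0 all
block out log quick on tun0 all
```

Outbound packets are filtered before ipnat rewrites them, so the out rules on tun0 see the private source addresses and "from any" keeps them simple. Active-mode ftp data connections for NATed clients are handled by the ipnat ftp proxy from the next subsection; if they fail, check with ipfstat -t whether the data connection got a state entry before adding an explicit pass rule. Run ipf -n -f /etc/ipf.rules to check the syntax before loading it on a default-block kernel.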
Network Address Translation rule:

For NAT, and for ftp clients behind the NAT to work, add the following to /etc/ipnat.rules:

Use the ipfilter ftp proxy for active-mode ftp transfers:

map tun0 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
Map all TCP and UDP connections from 192.168.1.0/24 to the external address, rewriting the source port to a value between 40000 and 60000 inclusive:
map tun0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
Map every other IP packet to the external address:
map tun0 192.168.1.0/24 -> 0.0.0.0/32
Keep the `proxy' line before any generic `portmap' line, as the first match always wins. The 0.0.0.0/32 on the right-hand side tells ipnat to use whatever address tun0 currently holds, which is what you want on a PPPoE link whose address can change at every reconnect; ipnat reads that address when the rules are loaded, though, so after a reconnect that brings a new address you must resync it with ipf -y (running that from /etc/ppp/ppp.linkup is the usual way).

To enable firewall and NAT on bootup, add the following to /etc/rc.conf:

ipfilter_enable="YES"       #Stateful firewall
ipnat_enable="YES"          #Network Address Translation
ipfs_enable="YES"           #Enable saving and restoring state tables between reboot
ipmon_enable="YES"          #Firewall logging
ipmon_flags="-Dsn"

-D: run ipmon as a daemon.
-s: send the packet log through syslogd rather than saving it to a file.
-n: map IP addresses and port numbers back to hostnames and service names where possible. Consider leaving -n off: every logged packet then costs a reverse DNS lookup, the names come from PTR records that the remote side controls and can choose to mislead whoever reads the log, and numeric addresses are what log-analysis tools expect.
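With ipmon feeding syslog, the log is only useful if something reads it. The following is an added example, not code from the article, that parses ipmon records in the format ipmon writes after the syslog prefix and pulls out two things a firewall operator looks for first: sources that were blocked on many distinct ports (a port sweep) and private-address sources arriving on the PPPoE side (spoofing, or missing anti-spoof rules). It assumes numeric addresses, which is what you get without -n. The SAMPLE log lines are constructed for illustration; the hostname, pid, addresses and ports in them are made up.

```python
"""Summarise ipmon(8) records that ipmon -Ds sends to syslog.

Added example for this article, not code from the original page. Each
record, after the syslog prefix, follows ipmon's own format:

    HH:MM:SS.uuuuuu iface @group:rule action src[,sport] -> dst[,dport] PR proto ... IN|OUT

SAMPLE is constructed for illustration (hostname, pid, addresses and
ports are made up and do not come from the article).
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE = """\
Jul 27 23:01:10 firewall ipmon[102]: 23:01:10.512345 tun0 @0:16 b 203.0.113.45,33123 -> 198.51.100.7,22 PR tcp len 20 60 -S IN
Jul 27 23:01:10 firewall ipmon[102]: 23:01:10.612345 tun0 @0:16 b 203.0.113.45,33124 -> 198.51.100.7,23 PR tcp len 20 60 -S IN
Jul 27 23:01:11 firewall ipmon[102]: 23:01:11.012345 tun0 @0:16 b 203.0.113.45,33125 -> 198.51.100.7,25 PR tcp len 20 60 -S IN
Jul 27 23:01:11 firewall ipmon[102]: 23:01:11.212345 tun0 @0:16 b 203.0.113.45,33126 -> 198.51.100.7,80 PR tcp len 20 60 -S IN
Jul 27 23:01:11 firewall ipmon[102]: 23:01:11.412345 tun0 @0:16 b 203.0.113.45,33127 -> 198.51.100.7,443 PR tcp len 20 60 -S IN
Jul 27 23:01:12 firewall ipmon[102]: 23:01:12.100000 tun0 @0:16 b 203.0.113.45,33128 -> 198.51.100.7,8080 PR tcp len 20 60 -S IN
Jul 27 23:01:15 firewall ipmon[102]: 23:01:15.300000 tun0 @0:16 b 192.0.2.9,1027 -> 198.51.100.7,137 PR udp len 20 78 IN
Jul 27 23:01:20 firewall ipmon[102]: 23:01:20.700000 tun0 @0:10 b 192.168.5.5,1234 -> 198.51.100.7,80 PR tcp len 20 60 -S IN
Jul 27 23:01:25 firewall ipmon[102]: 23:01:25.900000 tun0 @0:16 b 192.0.2.9 -> 198.51.100.7 PR icmp len 20 84 icmp 8/0 IN
Jul 27 23:01:30 firewall ipmon[102]: 23:01:30.000000 tun0 @0:13 p 198.51.100.7,49152 -> 192.0.2.53,53 PR udp len 20 61 OUT
"""

# One ipmon record. The syslog "Mon DD HH:MM:SS host ipmon[pid]:" prefix is
# skipped by re.search because its timestamp has no fractional seconds.
RECORD = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? PR (?P<proto>\w+)"
)

# Sources that must never appear on packets arriving from the Internet:
# the RFC 1918 blocks listed in the article, plus loopback.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_record(line):
    """Fields of one ipmon record as a dict, or None if the line is not one."""
    m = RECORD.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["direction"] = line.rstrip().rsplit(" ", 1)[-1]   # trailing IN or OUT
    for key in ("sport", "dport"):                         # absent for icmp
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def inbound_records(lines, iface="tun0"):
    """Records for packets that arrived on the external interface."""
    recs = (parse_record(line) for line in lines)
    return [r for r in recs if r and r["iface"] == iface and r["direction"] == "IN"]


def suspected_scanners(lines, min_ports=5, iface="tun0"):
    """Sources blocked on at least min_ports distinct destination ports,
    returned as (source, port count) pairs. A SYN sweep against the box
    shows up this way once the pass-everything rules have been replaced
    by a logging block rule."""
    ports = defaultdict(set)
    for r in inbound_records(lines, iface):
        if r["action"] == "b" and r["dport"] is not None:
            ports[r["src"]].add(r["dport"])
    return sorted((src, len(p)) for src, p in ports.items() if len(p) >= min_ports)


def spoofed_sources(lines, iface="tun0"):
    """Private or loopback sources seen inbound on the external interface,
    whatever the rule did with them: a pass would mean the anti-spoofing
    rules are missing or misordered."""
    hits = set()
    for r in inbound_records(lines, iface):
        addr = ipaddress.ip_address(r["src"])
        if any(addr in net for net in BOGON_SOURCES):
            hits.add(r["src"])
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("probable port scanners:", suspected_scanners(lines))
    print("spoofed private sources:", spoofed_sources(lines))
```

In practice you would feed it the ipmon lines from /var/log/messages (or wherever syslog.conf sends local0) rather than SAMPLE; the thresholds are a starting point, and a real deployment would also key on the rule number so that hits on the anti-spoof rules are counted separately from the catch-all block.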

Configure machines behind NAT

All the machines on the private network should be configured to use the address of the private interface of the FreeBSD box as the default gateway.

To point the internal boxes at the FreeBSD gateway on various operating systems, assuming the NAT/firewall has the address 192.168.1.1:

AIX: edit /etc/rc.net and add /usr/sbin/route add 0 192.168.1.1 >>$LOGFILE 2>&1
FreeBSD: edit /etc/rc.conf and add defaultrouter="192.168.1.1"
HP-UX: edit /etc/rc.config.d/netconf and add ROUTE_DESTINATION[0]="default", ROUTE_GATEWAY[0]="192.168.1.1" and ROUTE_COUNT[0]="1"
Linux Red Hat: edit /etc/sysconfig/network and add GATEWAY=192.168.1.1
NetBSD:  echo "192.168.1.1" > /etc/mygate
OpenBSD: echo "192.168.1.1" > /etc/mygate
Solaris: echo "192.168.1.1" > /etc/defaultrouter
Win2k: Start->Settings->Control Panel->Network and Dial-up Connections->Local Area Connection->
       Properties->Internet Protocol (TCP/IP)->Default Gateway->192.168.1.1
If you do not want to reboot to pick up the new default gateway, add the default route by hand with ``route'':

AIX: route add 0 192.168.1.1

HP-UX: route add default 192.168.1.1 1

FreeBSD, NetBSD, OpenBSD, Solaris: route add default 192.168.1.1

Linux Red Hat: route add default gw 192.168.1.1

Client hosts also need nameserver entries in order to resolve hostnames.

UNIX clients: edit /etc/resolv.conf so that it lists the ISP's resolvers:

$ cat /etc/resolv.conf
nameserver      <ISP DNS IP>
nameserver      <ISP DNS IP>
Win2k:
Start->Settings->Control Panel->Network and Dial-up Connections->Local Area Connection->
       Properties->Internet Protocol (TCP/IP)->Advanced TCP/IP Settings->DNS
and add the ISP DNS addresses there.

Familiarize with IPFilter

Once your NAT/firewall is online, start reading the IP Filter how-to and add blocking and passing rules to /etc/ipf.rules; more useful links are on the IP Filter home page. Each time /etc/ipf.rules or /etc/ipnat.rules is modified, flush and reload the rules:
# /sbin/ipf -Fa -f /etc/ipf.rules
# /sbin/ipnat -CF -f /etc/ipnat.rules
Two caveats. ipnat -CF also flushes the NAT table, so sessions that are being translated at that moment break. And because the kernel blocks by default, the instant between flushing the ipf rules and loading the new ones drops traffic; loading the new rules into the inactive set first and then swapping the sets (ipf -I -f /etc/ipf.rules, then ipf -s) avoids that gap. Check a rule file with ipf -n -f /etc/ipf.rules before loading it, so that a syntax error shows up before it costs you connectivity.
You can use ipfstat to display the state table top-style, the way the ``top'' command shows processes:
# /sbin/ipfstat -t

           firewall.muine.org - IP Filter: v3.4.29 - state top           23:01:10

Src = 0.0.0.0  Dest = 0.0.0.0  Proto = any  Sorted by = # bytes

Source IP             Destination IP         ST   PR   #pkts    #bytes       ttl
192.168.1.200,1415    65.92.100.89,6699     4/4  tcp    8245   6923504  42:14:06
23.234.234.2,24064    208.31.160.30,22      4/4  tcp     576    199843 119:59:59
192.168.1.200,2091    64.124.41.191,8888    4/4  tcp     157    118770  51:36:40
192.168.1.200,1094    64.124.41.161,8888    4/4  tcp     125     94190  46:37:34
To find out the ipfilter version:
# /sbin/ipf -V
ipf: IP Filter: v3.4.29 (264)
Kernel: IP Filter: v3.4.29
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0
Notice the ``block all" setting from our options IPFILTER_DEFAULT_BLOCK in the kernel.

To display the current list of active map/rdr rules and active NAT sessions:

# /sbin/ipnat -l
To find out the ``hit" statistic for each individual rule in /etc/ipf.rules:
# /sbin/ipfstat -hio
See also ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(8), ipfstat(8), ipmon(8), ipnat(8) for details.

Reference

IPFilter home page:
   http://www.ipfilter.org
IPFilter how-to:
   http://www.unixcircle.com/ipf/
RFC 1918, Address Allocation for Private Internets:
   http://www.muine.org/rfc/rfc1918.txt
RFC 1631, The IP Network Address Translator (NAT):
   http://www.muine.org/rfc/rfc1631.txt
RFC 3022, Traditional IP Network Address Translator (Traditional NAT):
   http://www.muine.org/rfc/rfc3022.txt
SANS, The Twenty Most Critical Internet Security Vulnerabilities (Updated):
   http://66.129.1.101/top20.htm


last update: July 27, 2003


copyright © 2000-2003 unixcircle
Contact webmaster@unixcircle.com
