wrote: > [...] > See my complete firewall /etc/inetd.conf below: > ====================================== > auth stream tcp nowait.32768 nobody /usr/sbin/in.identd in.identd -l -e -o -i -n Why run auth, or are there users on the firewall itself using IRC and such? Wouldn't they be behind the firewall? > cfinger stream tcp nowait root /usr/sbin/tcpd /bin/cat /home/frenchie/Mail/info > finger stream tcp nowait root /usr/sbin/tcpd /bin/cat /home/frenchie/Mail/info So what's in /home/frenchie/Mail/info? While cat is probably not a risk, does it need to run as root? > ssh stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/sshd.new -i This one, I get! :) I'm just curious about these things. I've had a lot of fun with firewalls over the last couple of years and am always looking for "new ways" to secure my stuff. One thing I had running for a bit was a DMZ config using port redirection under Linux. I had a 3rd NIC specifically for DMZ traffic. Nothing terminated on the firewall itself. All "inbound" services were redirected to a DMZ box. I had the firewall set up so that only ESTABLISHED connections on select services were allowed from the DMZ interface. No DMZ host could initiate a connection. It could answer calls, but not make them. Since this was controlled by the firewall machine, and it didn't answer a thing itself, I considered it a good protection in the event a DMZ host were compromised. They might get to it, but they couldn't get anywhere else from there, nor harm others. The firewall was essentially invisible, not even answering icmp queries. The internal interface was hidden via masquerade(NAT) and also protected. The only thing that made me scrap this was not being able to figure out how to allow an internal machine to periodically poll the DMZ mail host. I had internal users connecting straight to the DMZ mail host for reading mail (IMAP). IMAP was restricted from the outside via the firewall, but even so, I didn't want that exposure or user mailboxes in a potentially exposed area for any length of time. I suppose I could've set the mailhost to accept SMTP mail from the outside, but used UUCP to batch it to the internal mail host, but my head pretty much exploded after trying to sort through the O'Reilly Sendmail (Bat) book. Of course, I had the benefit of not having to serve external users. This sure makes security a hell of a lot easier. I sympathize with those working in ISP scenarios! I've attached my firewall init scrit below for anyone that's interested. Be forewarned that it's not an example of excellent shell scripting, nor do the 'stop' and 'restart' portions work correctly in handling the masq modules. It did work though, it just generated some ugly messags. For the curious, the IPs shown are NO LONGER CORRECT for my system (thanks to @Home recently upgrading my cable modem) so please do NOT poke at them! There are also probably some broken parts as I was in the middle of working on it when I wound up with a Cisco router to play with instead. I think I've fixed all the obvious problems. It's also a RedHat environment, though it could easily be modified for any other distribution. Any feedback appreciated! - Bob #!/bin/sh # ************************************************************* # Intialize a full-time Ethernet link to the Internet via cable # modem. I'm doing all initialization of the ports, and default # security here. # # The following diagram illustrates the pyhsical network: # # +---------+ 192.168.100.0 # 24.1.193.48 | |- eth0 - internal -- # -- external -- eth2 -| Gateway | # | |- eth1 - DMZ ------- # +---------+ 192.168.10.0 # # eth2 is our external interface at 24.1.193.48, providing # a connection to the Cox@Home network via cable modem. This # network is considered 'untrusted' for all purposes. # # eth1 is our 'Demilitarized Zone' (DMZ) network, providing # a location for limited access from the outside world. This # network is assigned the 192.168.10.0/24 subnet. This network # is also considered 'untrusted', with the assumption # that exposed resources will reside here. If they're com- # promised, we will restrict what can be accessed from there. # Note that a DMZ is probably overkill for the average home # configuration. # # eth0 is our internal network, providing network access to # individual desktop workstations. It is assigned the # 192.168.100.0/24 network subnet, and is considered 'trusted' # from the perspective of physical access. # ************************************************************* PATH=/sbin:/bin:/usr/sbin:/usr/bin # ************************************************************* # Configuration Parameters # ************************************************************* ANYWHERE="0.0.0.0/0" UNPRIVPORTS="1024:65535" # Initialize our EXTERNAL network settings. # I'm using fixed addressing for now, but need # to eventually work all this with DHCP. EXTERN_IF="eth2" EXTERN_IP="24.1.193.48" EXTERN_NET="24.1.192.0" EXTERN_MASK="255.255.248.0" EXTERN_BCAST="24.1.199.255" EXTERN_GW="24.1.192.1" # Initialize our INTERNAL network settings. # This is in "private" network space per RFC1918. # We will use masquerade (N:1 NAT) for these stations. INTERN_IF="eth1" INTERN_IP="192.168.100.1" INTERN_NET="192.168.100.0" INTERN_MASK="255.255.255.0" INTERN_BCAST="192.168.100.255" # Initialize our DMZ network settings. # This is in "private" network space per RFC1918. # We will use masquerade (N:1 NAT) for these stations. DMZ_IF="eth0" DMZ_IP="192.168.10.2" DMZ_NET="192.168.10.0" DMZ_MASK="255.255.255.0" DMZ_BCAST="192.168.10.255" # Source function library. . /etc/rc.d/init.d/functions # Unload support modules for IP Masquerade (N:1 NAT) unload_modules() { modprobe -r ip_masq_ftp modprobe -r ip_masq_irc modprobe -r ip_masq_raudio modprobe -r ip_masq_user modprobe -r ip_masq_vdolive } # Load support modules for IP Masquerade (N:1 NAT) load_modules() { if [ -e /var/lock/subsys/firewall ]; then unload_modules fi modprobe ip_masq_ftp modprobe ip_masq_irc modprobe ip_masq_raudio modprobe ip_masq_user modprobe ip_masq_vdolive } # Delete firewall chains clear_all_chains() { if [ -e /var/lock/subsys/firewall ]; then # ipmasqadm mfw -F ipmasqadm portfw -d -P tcp -L 24.1.193.48 80 -R 192.168.10.10 80 ipchains -F int-in ipchains -X int-in ipchains -F int-out ipchains -X int-out ipchains -F int-fwd ipchains -X int-fwd ipchains -F ext-in ipchains -X ext-in ipchains -F ext-out ipchains -X ext-out ipchains -F ext-fwd ipchains -X ext-fwd ipchains -F dmz-in ipchains -X dmz-in ipchains -F dmz-out ipchains -X dmz-out ipchains -F dmz-fwd ipchains -X dmz-fwd rm -f /var/lock/subsys/firewall ipchains -F icmp-acc ipchains -X icmp-acc fi } if [ ! -f /etc/sysconfig/network ]; then exit 0 fi . /etc/sysconfig/network [ -f /sbin/ipchains ] || exit 0 # See how we were called. case "$1" in start) echo -n "Setting firewall: " # Flush and set default policy of DENY for in, out and # forwarded packets. We are enforcing a restrictive policy under # which only that which is EXPLICITLY permitted is allowed. ipchains -F input ipchains -P input DENY ipchains -F output ipchains -P output DENY ipchains -F forward ipchains -P forward DENY load_modules clear_all_chains # ************************************************************* # Define Packet Handling Chains # ************************************************************* # ============================================================= # icmp-acc: ICMP traffic handler # ============================================================= ipchains -N icmp-acc ipchains -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT # Silently drop multicast icmp traffic ipchains -A icmp-acc -d 224.0.0.0/8 -j DENY # Verbosely log remaining traffic for debugging purposes ipchains -A icmp-acc -l -j DENY # ============================================================= # external interface input # ============================================================= ipchains -N ext-in # ------------------------------------------------------------- # General traffic # ------------------------------------------------------------- # Accept inbound on unprivileged ports ipchains -A ext-in -i $EXTERN_IF -p tcp -d $EXTERN_IP $UNPRIVPORTS -j ACCEPT ipchains -A ext-in -i $EXTERN_IF -p udp -d $EXTERN_IP $UNPRIVPORTS -j ACCEPT # ipchains -A ext-in -i $EXTERN_IF -p tcp -d $EXTERN_IP --dport 61000:65096 -j ACCEPT # ipchains -A ext-in -i $EXTERN_IF -p udp -d $EXTERN_IP --dport 61000:65096 -j ACCEPT # ------------------------------------------------------------- # Special handling (Friends & Family) # ------------------------------------------------------------- ipchains -A ext-in -i $EXTERN_IF -p tcp -s -d $EXTERN_IP -j ACCEPT # ------------------------------------------------------------- # Public-accessable services # SSH should go here! # ------------------------------------------------------------- # Accept limited inbound traffic on external interface # ipchains -A ext-in -i $EXTERN_IF -p tcp -d $EXTERN_IP -j ACCEPT # Redirect selected services to DMZ server # http (www) ipmasqadm portfw -a -P tcp -L 24.1.193.48 80 -R 192.168.10.10 80 # smtp (mail) ipmasqadm portfw -a -P tcp -L 24.1.193.48 25 -R 192.168.10.10 25 # ipchains -A ext-in -i $EXTERN_IF -p icmp -j icmp-acc # Allow DHCP server responses. Only required if we use DHCP to # intialize our WAN interface (i.e. cable modem connection) # ipchains -A ext-in -i $EXTERN_IF -p udp -d $EXTERN_IP --dport bootpc -j ACCEPT # ipchains -A ext-in -i $EXTERN_IF -p tcp -d $EXTERN_IP --dport bootpc -j ACCEPT # Hand icmp traffic off to appropriate chain ipchains -A ext-in -p icmp -j icmp-acc # ------------------------------------------------------------- # Silently dump broadcasts and other traffic not addressed to # us. This keeps misconfigured neighbors from cluttering up our # system log. # ------------------------------------------------------------- ipchains -A ext-in -i $EXTERN_IF -d ! $EXTERN_IP -j DENY # Silently dump multicast traffic ipchains -A ext-in -i $EXTERN_IF -d 224.0.0.0/8 -j DENY # Verbosely log remaining traffic for debugging purposes ipchains -A ext-in -l -j DENY # ============================================================= # external interface output # ============================================================= ipchains -N ext-out # Accept outbound traffic on external (WAN) interface ipchains -A ext-out -i $EXTERN_IF -s $EXTERN_IP -d $ANYWHERE -j ACCE PT # ipchains -A ext-out -i $EXTERN_IF -j ACCEPT # Allow DHCP server requests. Only required if we use DHCP to # intialize our WAN interface (i.e. cable modem connection) ipchains -A ext-out -i $EXTERN_IF -p udp --dport bootpc -j ACCEPT ipchains -A ext-out -i $EXTERN_IF -p tcp --dport bootpc -j ACCEPT # Verbosely log remaining traffic for debugging purposes ipchains -A ext-out -l -j DENY # ============================================================= # external interface forwarded # ============================================================= ipchains -N ext-fwd # Forward (masq) traffic routed via external interface ipchains -A ext-fwd -i $EXTERN_IF -s $INTERN_NET/$INTERN_MASK -d ! $DMZ_NET/$DMZ_MASK -j MASQ ipchains -A ext-fwd -i $EXTERN_IF -s $DMZ_NET/$DMZ_MASK -d ! $INTERN_NET/$INTERN_MASK -j MASQ # Required for internal routing # ipchains -A ext-fwd -i $EXTERN_IF -j ACCEPT # Verbosely log remaining traffic for debugging purposes ipchains -A ext-fwd -l -j DENY # ============================================================= # internal interface input # ============================================================= ipchains -N int-in # Accept inbound traffic from LAN on LAN interface ipchains -A int-in -i $INTERN_IF -s $INTERN_NET/$INTERN_MASK -j ACCEPT # Allow DHCP queries from LAN ipchains -A int-in -i $INTERN_IF -p tcp --source-port bootpc --destination-port bootps -j ACCEPT ipchains -A int-in -i $INTERN_IF -p udp --source-port bootpc --destination-port bootps -j ACCEPT # Hand icmp traffic off to appropriate chain ipchains -A int-in -p icmp -j icmp-acc # Verbosely log remaining traffic for debugging purposes ipchains -A int-in -l -j DENY # ============================================================= # internal interface output # ============================================================= ipchains -N int-out # Accept outbound traffic to LAN on LAN interface ipchains -A int-out -i $INTERN_IF -d $INTERN_NET/$INTERN_MASK -j ACCEPT # Accept inbound traffic from LAN on LAN interface ipchains -A int-out -i $INTERN_IF -s $INTERN_NET/$INTERN_MASK -j ACCEPT # Allow DHCP responses to LAN ipchains -A int-out -i $INTERN_IF -p tcp --source-port bootps --destination-port bootpc -j ACCEPT ipchains -A int-out -i $INTERN_IF -p udp --source-port bootps --destination-port bootpc -j ACCEPT # Verbosely log remaining traffic for debugging purposes ipchains -A int-out -l -j DENY # ============================================================= # internal interface forward # ============================================================= ipchains -N int-fwd # Forward (route) local traffic ipchains -A int-fwd -d $INTERN_NET/$INTERN_MASK -j ACCEPT # Verbosely log remaining traffic for debugging purposes ipchains -A int-fwd -l -j DENY # ============================================================= # DMZ interface input # ============================================================= ipchains -N dmz-in # Accept restricted inbound traffic from DMZ on DMZ interface # These handled DNS on firewall. # ipchains -A dmz-in -i $DMZ_IF -p udp -s $DMZ_NET/$DMZ_MASK --dport domain -j ACCEPT # ipchains -A dmz-in -i $DMZ_IF -p tcp -s $DMZ_NET/$DMZ_MASK --dport domain -j ACCEPT # Accept Windows networking traffic # ipchains -A dmz-in -i $DMZ_IF -p tcp -s $DMZ_NET/$DMZ_MASK --dport 137:139 -j ACCEPT # ipchains -A dmz-in -i $DMZ_IF -p udp -s $DMZ_NET/$DMZ_MASK --dport 137:139 -j ACCEPT # Allow non-syn (established) outbound connections from DMZ network ipchains -A dmz-in -i $DMZ_IF -p tcp ! -y -s $DMZ_NET/$DMZ_MASK -j ACCEPT # ipchains -A dmz-in -i $DMZ_IF -s $DMZ_NET/$DMZ_MASK -j ACCEPT # Allow ftp connections from external locations ipchains -A dmz-in -i $DMZ_IF -p tcp -s $DMZ_NET/$DMZ_MASK ftp-data -j ACCEPT # Allow outbound udp traffic to internal network ipchains -A dmz-in -i $DMZ_IF -p udp -s $DMZ_NET/$DMZ_MASK -d $INTERN_NET/$INTERN_MASK -j ACCEPT # Handle ICMP from DMZ # ipchains -A dmz-in -i $DMZ_IF -p icmp -s $DMZ_NET/$DMZ_MASK -d $INTERN_NET/$INTERN_MASK -j ACCEPT # Disallow ICMP to DMZ interface ipchains -A dmz-in -i $DMZ_IF -p icmp -s $DMZ_NET/$DMZ_MASK -d $DMZ_IP -l -j DENY # Disallow ICMP to our internal network ipchains -A dmz-in -i $DMZ_IF -p icmp -s $DMZ_NET/$DMZ_MASK -d $INTERN_NET/$INTERN_MASK -l -j DENY # Hand icmp traffic off to appropriate chain ipchains -A dmz-in -p icmp -j icmp-acc # ------------------------------------------------------------- # Silently dump broadcasts and other traffic not addressed to # us. This keeps misconfigured neighbors from cluttering up our # system log. # ------------------------------------------------------------- ipchains -A dmz-in -i $DMZ_IF -d ! $DMZ_IP -j DENY # Verbosely log remaining traffic for debugging purposes ipchains -A dmz-in -l -j DENY # ============================================================= # DMZ interface output # ============================================================= ipchains -N dmz-out # Accept outbound traffic to DMZ on DMZ interface ipchains -A dmz-out -i $DMZ_IF -d $DMZ_NET/$DMZ_MASK -j ACCEPT # Verbosely log remaining traffic for debugging purposes ipchains -A dmz-out -l -j DENY # ============================================================= # DMZ interface forward # ============================================================= ipchains -N dmz-fwd # Forward (route) local traffic ipchains -A dmz-fwd -i $DMZ_IF -d $DMZ_NET/$DMZ_MASK -j ACCEPT # Verbosely log remaining traffic for debugging purposes ipchains -A dmz-fwd -l -j DENY # ************************************************************* # Main packet processing chain # ************************************************************* # ============================================================= # loopback interface # ============================================================= ipchains -A input -i lo -s $ANYWHERE -d $ANYWHERE -j ACCEPT ipchains -A output -i lo -s $ANYWHERE -d $ANYWHERE -j ACCEPT ipchains -A forward -i lo -s $ANYWHERE -d $ANYWHERE -j ACCEPT # ============================================================= # Direct traffic through chains based on interface # ============================================================= ipchains -A input -i $EXTERN_IF -j ext-in ipchains -A output -i $EXTERN_IF -j ext-out ipchains -A forward -i $EXTERN_IF -j ext-fwd ipchains -A input -i $INTERN_IF -j int-in ipchains -A output -i $INTERN_IF -j int-out ipchains -A forward -i $INTERN_IF -j int-fwd ipchains -A input -i $DMZ_IF -j dmz-in ipchains -A output -i $DMZ_IF -j dmz-out ipchains -A forward -i $DMZ_IF -j dmz-fwd # ------------------------------------------------------------- # Verbosely log remaining TCP, UDP and ICMP for debugging # purposes, silently dump all others using default policy # ------------------------------------------------------------- ipchains -A input -l -j DENY ipchains -A output -l -j DENY ipchains -A forward -l -j DENY touch /var/lock/subsys/firewall echo "done" ;; stop) echo -n "Stopping firewall (secure): " # ============================================================= # stop: Shut down and enter SECURE mode. Stops all forwarding # thru gateway. # ============================================================= # ------------------------------------------------------------- # Flush and set default policy of deny for in, out and # forwarded packets. # ------------------------------------------------------------- ipchains -F input ipchains -P input DENY ipchains -F output ipchains -P output DENY ipchains -F forward ipchains -P forward DENY # DEBUG: Will receive error messages if in 'loose' mode, # chains don't exist! unload_modules clear_all_chains echo "done" ;; loose) echo -n "Starting gateway (insecure): " # ============================================================= # clear: Stop all packet filtering and enter INSECURE mode. # Allow all traffic thru gateway. # ============================================================= # ------------------------------------------------------------- # Flush and set default policy of ACCEPT for in, out and # forwarded packets. # ------------------------------------------------------------- ipchains -F input ipchains -P input ACCEPT ipchains -F output ipchains -P output ACCEPT ipchains -F forward ipchains -P forward ACCEPT load_modules clear_all_chains ipchains -A forward -i $EXTERN_IF -s $INTERN_NET/$INTERN_MASK -j MASQ ipchains -A forward -i $EXTERN_IF -s $DMZ_NET/$DMZ_MASK -j MASQ touch /var/lock/subsys/firewall echo "done" ;; *) echo "Usage: firewall {start|stop|loose}" exit 1 esac exit 0 This actually worked quite well, but