<frenchie@magusnet.gilbert.az.us> wrote:
> [...]
> See my complete firewall /etc/inetd.conf below:
> ======================================
> auth stream tcp nowait.32768 nobody /usr/sbin/in.identd in.identd -l -e -o -i -n
Why run auth, or are there users on the firewall itself using IRC and such?
Wouldn't they be behind the firewall?
> cfinger stream tcp nowait root /usr/sbin/tcpd /bin/cat /home/frenchie/Mail/info
> finger stream tcp nowait root /usr/sbin/tcpd /bin/cat /home/frenchie/Mail/info
So what's in /home/frenchie/Mail/info? While cat is probably not a risk,
does it need to run as root?
> ssh stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/sshd.new -i
This one, I get! :)
I'm just curious about these things. I've had a lot of fun with firewalls
over the last couple of years and am always looking for "new ways" to secure
my stuff.
One thing I had running for a bit was a DMZ config using port redirection
under Linux. I had a 3rd NIC specifically for DMZ traffic. Nothing
terminated on the firewall itself. All "inbound" services were redirected to
a DMZ box. I had the firewall set up so that only ESTABLISHED connections on
select services were allowed from the DMZ interface. No DMZ host could
initiate a connection. It could answer calls, but not make them.
Since this was controlled by the firewall machine, and it didn't answer a
thing itself, I considered it a good protection in the event a DMZ host were
compromised. They might get to it, but they couldn't get anywhere else from
there, nor harm others. The firewall was essentially invisible, not even
answering icmp queries. The internal interface was hidden via
masquerade (NAT) and also protected.
The only thing that made me scrap this was not being able to figure out how
to allow an internal machine to periodically poll the DMZ mail host. I had
internal users connecting straight to the DMZ mail host for reading mail
(IMAP). IMAP was restricted from the outside via the firewall, but even so,
I didn't want that exposure or user mailboxes in a potentially exposed area
for any length of time. I suppose I could've set the mailhost to accept SMTP
mail from the outside, but used UUCP to batch it to the internal mail host,
but my head pretty much exploded after trying to sort through the O'Reilly
Sendmail (Bat) book.
Of course, I had the benefit of not having to serve external users. This
sure makes security a hell of a lot easier. I sympathize with those working
in ISP scenarios!
I've attached my firewall init script below for anyone that's interested. Be
forewarned that it's not an example of excellent shell scripting, nor do the
'stop' and 'restart' portions work correctly in handling the masq modules.
It did work though, it just generated some ugly messages. For the curious,
the IPs shown are NO LONGER CORRECT for my system (thanks to @Home recently
upgrading my cable modem) so please do NOT poke at them! There are also
probably some broken parts as I was in the middle of working on it when I
wound up with a Cisco router to play with instead. I think I've fixed all
the obvious problems. It's also a RedHat environment, though it could easily
be modified for any other distribution.
Any feedback appreciated!
- Bob
#!/bin/sh
# *************************************************************
# Initialize a full-time Ethernet link to the Internet via cable
# modem. I'm doing all initialization of the ports, and default
# security here.
#
# The following diagram illustrates the physical network:
#
#                             +---------+  192.168.100.0
#  24.1.193.48                |         |-- eth0 -- internal --
#  -- external -- eth2 -------| Gateway |
#                             |         |-- eth1 -- DMZ ------
#                             +---------+  192.168.10.0
#
# eth2 is our external interface at 24.1.193.48, providing
# a connection to the Cox@Home network via cable modem. This
# network is considered 'untrusted' for all purposes.
#
# eth1 is our 'Demilitarized Zone' (DMZ) network, providing
# a location for limited access from the outside world. This
# network is assigned the 192.168.10.0/24 subnet. This network
# is also considered 'untrusted', with the assumption
# that exposed resources will reside here. If they're com-
# promised, we will restrict what can be accessed from there.
# Note that a DMZ is probably overkill for the average home
# configuration.
#
# eth0 is our internal network, providing network access to
# individual desktop workstations. It is assigned the
# 192.168.100.0/24 network subnet, and is considered 'trusted'
# from the perspective of physical access.
# *************************************************************
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# *************************************************************
# Configuration Parameters
# *************************************************************
ANYWHERE="0.0.0.0/0"
UNPRIVPORTS="1024:65535"
# Initialize our EXTERNAL network settings.
# I'm using fixed addressing for now, but need
# to eventually work all this with DHCP.
EXTERN_IF="eth2"
EXTERN_IP="24.1.193.48"
EXTERN_NET="24.1.192.0"
EXTERN_MASK="255.255.248.0"
EXTERN_BCAST="24.1.199.255"
EXTERN_GW="24.1.192.1"
# Initialize our INTERNAL network settings.
# This is in "private" network space per RFC1918.
# We will use masquerade (N:1 NAT) for these stations.
INTERN_IF="eth1"
INTERN_IP="192.168.100.1"
INTERN_NET="192.168.100.0"
INTERN_MASK="255.255.255.0"
INTERN_BCAST="192.168.100.255"
# Initialize our DMZ network settings.
# This is in "private" network space per RFC1918.
# We will use masquerade (N:1 NAT) for these stations.
DMZ_IF="eth0"
DMZ_IP="192.168.10.2"
DMZ_NET="192.168.10.0"
DMZ_MASK="255.255.255.0"
DMZ_BCAST="192.168.10.255"
# Source function library.
. /etc/rc.d/init.d/functions
# Unload support modules for IP Masquerade (N:1 NAT)
unload_modules() {
modprobe -r ip_masq_ftp
modprobe -r ip_masq_irc
modprobe -r ip_masq_raudio
modprobe -r ip_masq_user
modprobe -r ip_masq_vdolive
}
# Load support modules for IP Masquerade (N:1 NAT)
load_modules() {
if [ -e /var/lock/subsys/firewall ]; then
unload_modules
fi
modprobe ip_masq_ftp
modprobe ip_masq_irc
modprobe ip_masq_raudio
modprobe ip_masq_user
modprobe ip_masq_vdolive
}
# Delete firewall chains
clear_all_chains() {
if [ -e /var/lock/subsys/firewall ]; then
# ipmasqadm mfw -F
# Remove both port forwards created by 'start' (http and smtp)
ipmasqadm portfw -d -P tcp -L 24.1.193.48 80 -R 192.168.10.10 80
ipmasqadm portfw -d -P tcp -L 24.1.193.48 25 -R 192.168.10.10 25
ipchains -F int-in
ipchains -X int-in
ipchains -F int-out
ipchains -X int-out
ipchains -F int-fwd
ipchains -X int-fwd
ipchains -F ext-in
ipchains -X ext-in
ipchains -F ext-out
ipchains -X ext-out
ipchains -F ext-fwd
ipchains -X ext-fwd
ipchains -F dmz-in
ipchains -X dmz-in
ipchains -F dmz-out
ipchains -X dmz-out
ipchains -F dmz-fwd
ipchains -X dmz-fwd
rm -f /var/lock/subsys/firewall
ipchains -F icmp-acc
ipchains -X icmp-acc
fi
}
if [ ! -f /etc/sysconfig/network ]; then
exit 0
fi
. /etc/sysconfig/network
[ -f /sbin/ipchains ] || exit 0
# See how we were called.
case "$1" in
start)
echo -n "Setting firewall: "
# Flush and set default policy of DENY for in, out and
# forwarded packets. We are enforcing a restrictive policy under
# which only that which is EXPLICITLY permitted is allowed.
ipchains -F input
ipchains -P input DENY
ipchains -F output
ipchains -P output DENY
ipchains -F forward
ipchains -P forward DENY
load_modules
clear_all_chains
# *************************************************************
# Define Packet Handling Chains
# *************************************************************
# =============================================================
# icmp-acc: ICMP traffic handler
# =============================================================
ipchains -N icmp-acc
ipchains -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
# Silently drop multicast icmp traffic
ipchains -A icmp-acc -d 224.0.0.0/8 -j DENY
# Verbosely log remaining traffic for debugging purposes
ipchains -A icmp-acc -l -j DENY
# =============================================================
# external interface input
# =============================================================
ipchains -N ext-in
# -------------------------------------------------------------
# General traffic
# -------------------------------------------------------------
# Accept inbound on unprivileged ports
ipchains -A ext-in -i $EXTERN_IF -p tcp -d $EXTERN_IP $UNPRIVPORTS -j ACCEPT
ipchains -A ext-in -i $EXTERN_IF -p udp -d $EXTERN_IP $UNPRIVPORTS -j ACCEPT
# ipchains -A ext-in -i $EXTERN_IF -p tcp -d $EXTERN_IP --dport 61000:65096 -j ACCEPT
# ipchains -A ext-in -i $EXTERN_IF -p udp -d $EXTERN_IP --dport 61000:65096 -j ACCEPT
# -------------------------------------------------------------
# Special handling (Friends & Family)
# -------------------------------------------------------------
ipchains -A ext-in -i $EXTERN_IF -p tcp -s <trusted net> -d $EXTERN_IP -j ACCEPT
# -------------------------------------------------------------
# Public-accessible services
# SSH should go here!
# -------------------------------------------------------------
# Accept limited inbound traffic on external interface
# ipchains -A ext-in -i $EXTERN_IF -p tcp -d $EXTERN_IP <port> -j ACCEPT
# Redirect selected services to DMZ server
# http (www)
ipmasqadm portfw -a -P tcp -L 24.1.193.48 80 -R 192.168.10.10 80
# smtp (mail)
ipmasqadm portfw -a -P tcp -L 24.1.193.48 25 -R 192.168.10.10 25
# ipchains -A ext-in -i $EXTERN_IF -p icmp -j icmp-acc
# Allow DHCP server responses. Only required if we use DHCP to
# initialize our WAN interface (i.e. cable modem connection)
# ipchains -A ext-in -i $EXTERN_IF -p udp -d $EXTERN_IP --dport bootpc -j ACCEPT
# ipchains -A ext-in -i $EXTERN_IF -p tcp -d $EXTERN_IP --dport bootpc -j ACCEPT
# Hand icmp traffic off to appropriate chain
ipchains -A ext-in -p icmp -j icmp-acc
# -------------------------------------------------------------
# Silently dump broadcasts and other traffic not addressed to
# us. This keeps misconfigured neighbors from cluttering up our
# system log.
# -------------------------------------------------------------
ipchains -A ext-in -i $EXTERN_IF -d ! $EXTERN_IP -j DENY
# Silently dump multicast traffic
ipchains -A ext-in -i $EXTERN_IF -d 224.0.0.0/8 -j DENY
# Verbosely log remaining traffic for debugging purposes
ipchains -A ext-in -l -j DENY
# =============================================================
# external interface output
# =============================================================
ipchains -N ext-out
# Accept outbound traffic on external (WAN) interface
ipchains -A ext-out -i $EXTERN_IF -s $EXTERN_IP -d $ANYWHERE -j ACCEPT
# ipchains -A ext-out -i $EXTERN_IF -j ACCEPT
# Allow DHCP server requests. Only required if we use DHCP to
# initialize our WAN interface (i.e. cable modem connection)
ipchains -A ext-out -i $EXTERN_IF -p udp --dport bootpc -j ACCEPT
ipchains -A ext-out -i $EXTERN_IF -p tcp --dport bootpc -j ACCEPT
# Verbosely log remaining traffic for debugging purposes
ipchains -A ext-out -l -j DENY
# =============================================================
# external interface forwarded
# =============================================================
ipchains -N ext-fwd
# Forward (masq) traffic routed via external interface
ipchains -A ext-fwd -i $EXTERN_IF -s $INTERN_NET/$INTERN_MASK -d ! $DMZ_NET/$DMZ_MASK -j MASQ
ipchains -A ext-fwd -i $EXTERN_IF -s $DMZ_NET/$DMZ_MASK -d ! $INTERN_NET/$INTERN_MASK -j MASQ
# Required for internal routing
# ipchains -A ext-fwd -i $EXTERN_IF -j ACCEPT
# Verbosely log remaining traffic for debugging purposes
ipchains -A ext-fwd -l -j DENY
# =============================================================
# internal interface input
# =============================================================
ipchains -N int-in
# Accept inbound traffic from LAN on LAN interface
ipchains -A int-in -i $INTERN_IF -s $INTERN_NET/$INTERN_MASK -j ACCEPT
# Allow DHCP queries from LAN
ipchains -A int-in -i $INTERN_IF -p tcp --source-port bootpc --destination-port bootps -j ACCEPT
ipchains -A int-in -i $INTERN_IF -p udp --source-port bootpc --destination-port bootps -j ACCEPT
# Hand icmp traffic off to appropriate chain
ipchains -A int-in -p icmp -j icmp-acc
# Verbosely log remaining traffic for debugging purposes
ipchains -A int-in -l -j DENY
# =============================================================
# internal interface output
# =============================================================
ipchains -N int-out
# Accept outbound traffic to LAN on LAN interface
ipchains -A int-out -i $INTERN_IF -d $INTERN_NET/$INTERN_MASK -j ACCEPT
# Accept inbound traffic from LAN on LAN interface
ipchains -A int-out -i $INTERN_IF -s $INTERN_NET/$INTERN_MASK -j ACCEPT
# Allow DHCP responses to LAN
ipchains -A int-out -i $INTERN_IF -p tcp --source-port bootps --destination-port bootpc -j ACCEPT
ipchains -A int-out -i $INTERN_IF -p udp --source-port bootps --destination-port bootpc -j ACCEPT
# Verbosely log remaining traffic for debugging purposes
ipchains -A int-out -l -j DENY
# =============================================================
# internal interface forward
# =============================================================
ipchains -N int-fwd
# Forward (route) local traffic
ipchains -A int-fwd -d $INTERN_NET/$INTERN_MASK -j ACCEPT
# Verbosely log remaining traffic for debugging purposes
ipchains -A int-fwd -l -j DENY
# =============================================================
# DMZ interface input
# =============================================================
ipchains -N dmz-in
# Accept restricted inbound traffic from DMZ on DMZ interface
# These handled DNS on firewall.
# ipchains -A dmz-in -i $DMZ_IF -p udp -s $DMZ_NET/$DMZ_MASK --dport domain -j ACCEPT
# ipchains -A dmz-in -i $DMZ_IF -p tcp -s $DMZ_NET/$DMZ_MASK --dport domain -j ACCEPT
# Accept Windows networking traffic
# ipchains -A dmz-in -i $DMZ_IF -p tcp -s $DMZ_NET/$DMZ_MASK --dport 137:139 -j ACCEPT
# ipchains -A dmz-in -i $DMZ_IF -p udp -s $DMZ_NET/$DMZ_MASK --dport 137:139 -j ACCEPT
# Allow non-syn (established) outbound connections from DMZ network
ipchains -A dmz-in -i $DMZ_IF -p tcp ! -y -s $DMZ_NET/$DMZ_MASK -j ACCEPT
# ipchains -A dmz-in -i $DMZ_IF -s $DMZ_NET/$DMZ_MASK -j ACCEPT
# Allow ftp connections from external locations
ipchains -A dmz-in -i $DMZ_IF -p tcp -s $DMZ_NET/$DMZ_MASK ftp-data -j ACCEPT
# Allow outbound udp traffic to internal network
ipchains -A dmz-in -i $DMZ_IF -p udp -s $DMZ_NET/$DMZ_MASK -d $INTERN_NET/$INTERN_MASK -j ACCEPT
# Handle ICMP from DMZ
# ipchains -A dmz-in -i $DMZ_IF -p icmp -s $DMZ_NET/$DMZ_MASK -d $INTERN_NET/$INTERN_MASK -j ACCEPT
# Disallow ICMP to DMZ interface
ipchains -A dmz-in -i $DMZ_IF -p icmp -s $DMZ_NET/$DMZ_MASK -d $DMZ_IP -l -j DENY
# Disallow ICMP to our internal network
ipchains -A dmz-in -i $DMZ_IF -p icmp -s $DMZ_NET/$DMZ_MASK -d $INTERN_NET/$INTERN_MASK -l -j DENY
# Hand icmp traffic off to appropriate chain
ipchains -A dmz-in -p icmp -j icmp-acc
# -------------------------------------------------------------
# Silently dump broadcasts and other traffic not addressed to
# us. This keeps misconfigured neighbors from cluttering up our
# system log.
# -------------------------------------------------------------
ipchains -A dmz-in -i $DMZ_IF -d ! $DMZ_IP -j DENY
# Verbosely log remaining traffic for debugging purposes
ipchains -A dmz-in -l -j DENY
# =============================================================
# DMZ interface output
# =============================================================
ipchains -N dmz-out
# Accept outbound traffic to DMZ on DMZ interface
ipchains -A dmz-out -i $DMZ_IF -d $DMZ_NET/$DMZ_MASK -j ACCEPT
# Verbosely log remaining traffic for debugging purposes
ipchains -A dmz-out -l -j DENY
# =============================================================
# DMZ interface forward
# =============================================================
ipchains -N dmz-fwd
# Forward (route) local traffic
ipchains -A dmz-fwd -i $DMZ_IF -d $DMZ_NET/$DMZ_MASK -j ACCEPT
# Verbosely log remaining traffic for debugging purposes
ipchains -A dmz-fwd -l -j DENY
# *************************************************************
# Main packet processing chain
# *************************************************************
# =============================================================
# loopback interface
# =============================================================
ipchains -A input -i lo -s $ANYWHERE -d $ANYWHERE -j ACCEPT
ipchains -A output -i lo -s $ANYWHERE -d $ANYWHERE -j ACCEPT
ipchains -A forward -i lo -s $ANYWHERE -d $ANYWHERE -j ACCEPT
# =============================================================
# Direct traffic through chains based on interface
# =============================================================
ipchains -A input -i $EXTERN_IF -j ext-in
ipchains -A output -i $EXTERN_IF -j ext-out
ipchains -A forward -i $EXTERN_IF -j ext-fwd
ipchains -A input -i $INTERN_IF -j int-in
ipchains -A output -i $INTERN_IF -j int-out
ipchains -A forward -i $INTERN_IF -j int-fwd
ipchains -A input -i $DMZ_IF -j dmz-in
ipchains -A output -i $DMZ_IF -j dmz-out
ipchains -A forward -i $DMZ_IF -j dmz-fwd
# -------------------------------------------------------------
# Verbosely log remaining TCP, UDP and ICMP for debugging
# purposes, silently dump all others using default policy
# -------------------------------------------------------------
ipchains -A input -l -j DENY
ipchains -A output -l -j DENY
ipchains -A forward -l -j DENY
touch /var/lock/subsys/firewall
echo "done"
;;
stop)
echo -n "Stopping firewall (secure): "
# =============================================================
# stop: Shut down and enter SECURE mode. Stops all forwarding
# thru gateway.
# =============================================================
# -------------------------------------------------------------
# Flush and set default policy of deny for in, out and
# forwarded packets.
# -------------------------------------------------------------
ipchains -F input
ipchains -P input DENY
ipchains -F output
ipchains -P output DENY
ipchains -F forward
ipchains -P forward DENY
# DEBUG: Will receive error messages if in 'loose' mode,
# chains don't exist!
unload_modules
clear_all_chains
echo "done"
;;
loose)
echo -n "Starting gateway (insecure): "
# =============================================================
# clear: Stop all packet filtering and enter INSECURE mode.
# Allow all traffic thru gateway.
# =============================================================
# -------------------------------------------------------------
# Flush and set default policy of ACCEPT for in, out and
# forwarded packets.
# -------------------------------------------------------------
ipchains -F input
ipchains -P input ACCEPT
ipchains -F output
ipchains -P output ACCEPT
ipchains -F forward
ipchains -P forward ACCEPT
load_modules
clear_all_chains
ipchains -A forward -i $EXTERN_IF -s $INTERN_NET/$INTERN_MASK -j MASQ
ipchains -A forward -i $EXTERN_IF -s $DMZ_NET/$DMZ_MASK -j MASQ
touch /var/lock/subsys/firewall
echo "done"
;;
*)
echo "Usage: firewall {start|stop|loose}"
exit 1
esac
exit 0
This actually worked quite well, but
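An added illustration, not code from Bob's post: a small Python model of the script's dmz-in chain, using ipchains' first-match order, the `! -y` (not-SYN) test and the script's own 192.168.x addresses, to check which DMZ-originated TCP/UDP packets the chain lets through. The sample packets are constructed; the ICMP rules and the icmp-acc hand-off are left out of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Networks from the post's script; DMZ_HOST is the firewall's own DMZ address.
DMZ_NET = ip_network("192.168.10.0/24")
INTERN_NET = ip_network("192.168.100.0/24")
DMZ_HOST = ip_network("192.168.10.2/32")

@dataclass
class Pkt:
    proto: str          # "tcp" or "udp"; the icmp-acc hand-off is not modelled
    src: str
    dst: str
    sport: int = 0
    syn: bool = False   # SYN set and ACK clear, which is what ipchains -y tests

@dataclass
class Rule:
    target: str                    # ACCEPT or DENY
    proto: Optional[str] = None    # -p
    src: Optional[object] = None   # -s network
    dst: Optional[object] = None   # -d network or /32 host
    dst_negate: bool = False       # -d ! ...
    sport: Optional[int] = None    # the port given after -s is a source port
    syn: Optional[bool] = None     # True for -y, False for ! -y, None if untested
    log: bool = False              # -l

    def matches(self, p: Pkt) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and (ip_address(p.dst) in self.dst) == self.dst_negate:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        return self.syn is None or p.syn == self.syn

# The dmz-in chain as the script builds it: its uncommented TCP/UDP rules, in order.
DMZ_IN = [
    Rule("ACCEPT", proto="tcp", src=DMZ_NET, syn=False),      # ! -y: established only
    Rule("ACCEPT", proto="tcp", src=DMZ_NET, sport=20),        # ftp-data, no SYN test
    Rule("ACCEPT", proto="udp", src=DMZ_NET, dst=INTERN_NET),  # udp towards the LAN
    Rule("DENY", dst=DMZ_HOST, dst_negate=True),               # -d ! $DMZ_IP, silent
    Rule("DENY", log=True),                                    # logged catch-all
]

def evaluate(chain, p: Pkt):
    """First matching rule wins, as in ipchains; returns (target, logged)."""
    for r in chain:
        if r.matches(p):
            return r.target, r.log
    return "DENY", False  # the chain's DENY policy if nothing matched

if __name__ == "__main__":  # constructed samples from the DMZ host 192.168.10.10
    dmz, lan = "192.168.10.10", "192.168.100.5"
    for p in (Pkt("tcp", dmz, lan, 80), Pkt("tcp", dmz, lan, 40000, syn=True),
              Pkt("tcp", dmz, lan, 20, syn=True), Pkt("tcp", dmz, "192.168.10.2", 1025, syn=True)):
        print(p, "->", evaluate(DMZ_IN, p))
```

The third sample shows the one place where the "can answer but not initiate" property the post describes does not hold: the ftp-data rule accepts TCP from source port 20 without the `! -y` test, so an audit of a ruleset like this should flag every TCP ACCEPT rule that omits it.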