ipf is 'just another firewall(tm)', so what does it have over the ones that already exist, such as iptables or ipfw?
To begin with, ipf has a very pleasant, human-readable syntax. Far more pleasant (in my opinion) than the one iptables has.
I can't be bothered to say much more about the pros and cons of ipf compared with the others; this is first and foremost a matter of taste, and I'm not going to try to convince anyone that ipf is the one true god and that you should use nothing else.
So let's just dive straight into building a firewall!
The following is based on the <a href="http://www.freebsd.org">FreeBSD operating system</a>; I simply haven't set up ipf on anything else.
We start by compiling ipf support into the kernel (you can read more about kernel configuration <a href="http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html">here</a>).
To do that, open the kernel config file (see the link above) in your favourite editor and add the following lines:
#IPF
options IPFILTER #ip firewall
options IPFILTER_LOG #we want logging..
options IPFILTER_DEFAULT_BLOCK #block is the default policy, accepts are the exceptions. Without it a packet that matches no rule at all is passed.
options RANDOM_IP_ID #don't let just anyone watch the IP ID counter to measure our packet-generation rate
options ICMP_BANDLIM #rate-limit ICMP error replies so that a flood can't make the box DoS itself..(at least that's the idea :)
options IPSTEALTH #hide the firewall: forwarded packets keep their TTL, so the box doesn't show up as a hop in traceroute
options IPDIVERT #divert sockets; ipfw and natd use these, ipf and ipnat do not, so this one is optional here
Then read the instructions linked above and start building the kernel. After a little while you'll have ipf support.
When that's done, reboot the machine (you may as well wait until the end of this article; to me, rebooting too often is an insult to the UNIX heritage. :))
Next we want to mess with /etc/rc.conf; again you open the file in your favourite editor and put this in it:
ipfilter_enable="YES" #we want ipfilter turned on.
ipfilter_program="/sbin/ipf" #the path to ipf; if for some reason you have ipf somewhere else, fix this line.
ipfilter_rules="/etc/firewall/ipf.rules" #the path to your ipf rules; change it to taste and/or need.
ipfilter_flags="" #extra flags passed to ipf(8) when the rules are loaded; leave it empty unless you need something, compiled-in or module.
ipmon_program="/sbin/ipmon" #ipmon, the ipf log monitor.
ipmon_flags="-Dsvn" #flags passed to ipmon: run as a daemon, log via syslog, verbose, resolve names. man ipmon for more info.
ipnat_enable="YES" #turn on ipnat, the NAT part of ipf.
ipnat_rules="/etc/firewall/ipnat.rules" #the path to the ipnat rules file.
ipnat_flags="" #flags you want passed to ipnat; again, man ipnat.
As you may have noticed above, I like to keep my firewall files in their own directory, /etc/firewall.
You can of course do this differently and put the firewall and NAT rules wherever you like.
That ends the FreeBSD-specific part; the following should apply to any operating system that can run ipf.
Here is what a sample /etc/firewall/ipf.rules would look like:
#!/sbin/ipf -f -
# (the interpreter line only matters if you run the file directly; rc loads it with ipf -f)
# The inner Ethernet interface is xl1,
# the one facing the outside is xl0.
# Lock, lock and bolt against ugly packets!
# 'short' means the packet is absurdly short, too short to even hold its headers.
# So we throw it back at the sender's head.
block in log quick from any to any with ipopts
block in log quick proto tcp all with short
block in log quick on xl0 all with opt lsrr
block in log quick on xl0 all with opt ssrr
# Confuse remote OS fingerprinting: these flag combinations never occur in legitimate TCP.
block return-rst in log quick on xl0 proto tcp all flags FUP
block return-rst in log quick on xl0 proto tcp all flags FSRPAU
# Block everything by default, even though that is compiled into the kernel.
# It does no harm to have it here. Note that without 'quick' a later matching rule
# overrides it: ipf goes with the LAST matching rule, unless a rule says 'quick',
# which stops the search right there.
block in on xl0 all
# 'Quickly' shut out obviously spoofed stuff, even what might otherwise look valid.
# NOTE: these source ranges come from an old bogon list. Apart from RFC 1918 space
# (10/8, 172.16/12, 192.168/16), loopback (127/8), link-local (169.254/16) and
# multicast/reserved (224/3), most of them have since been handed out by IANA, so
# check a current bogon list before copying these blindly, or you'll block real users.
block in on xl0 proto tcp all #tcp..
block in quick on xl0 proto tcp from 2.0.0.0/8 to any
block in quick on xl0 proto tcp from 5.0.0.0/8 to any
block in quick on xl0 proto tcp from 10.0.0.0/8 to any
block in quick on xl0 proto tcp from 23.0.0.0/8 to any
block in quick on xl0 proto tcp from 27.0.0.0/8 to any
block in quick on xl0 proto tcp from 31.0.0.0/8 to any
block in quick on xl0 proto tcp from 67.0.0.0/8 to any
block in quick on xl0 proto tcp from 68.0.0.0/6 to any
block in quick on xl0 proto tcp from 72.0.0.0/5 to any
block in quick on xl0 proto tcp from 80.0.0.0/4 to any
block in quick on xl0 proto tcp from 96.0.0.0/3 to any
block in quick on xl0 proto tcp from 127.0.0.0/8 to any
block in quick on xl0 proto tcp from 128.0.0.0/16 to any
block in quick on xl0 proto tcp from 128.66.0.0/16 to any
block in quick on xl0 proto tcp from 169.254.0.0/16 to any
block in quick on xl0 proto tcp from 172.16.0.0/12 to any
block in quick on xl0 proto tcp from 191.255.0.0/16 to any
block in quick on xl0 proto tcp from 192.0.0.0/16 to any
block in quick on xl0 proto tcp from 192.168.0.0/16 to any
block in quick on xl0 proto tcp from 197.0.0.0/8 to any
block in quick on xl0 proto tcp from 201.0.0.0/8 to any
block in quick on xl0 proto tcp from 204.152.64.0/23 to any
block in quick on xl0 proto tcp from 224.0.0.0/3 to any
block in on xl0 proto udp all #and udp..
block in quick on xl0 proto udp from 2.0.0.0/8 to any
block in quick on xl0 proto udp from 5.0.0.0/8 to any
block in quick on xl0 proto udp from 10.0.0.0/8 to any
block in quick on xl0 proto udp from 23.0.0.0/8 to any
block in quick on xl0 proto udp from 27.0.0.0/8 to any
block in quick on xl0 proto udp from 31.0.0.0/8 to any
block in quick on xl0 proto udp from 67.0.0.0/8 to any
block in quick on xl0 proto udp from 68.0.0.0/6 to any
block in quick on xl0 proto udp from 72.0.0.0/5 to any
block in quick on xl0 proto udp from 80.0.0.0/4 to any
block in quick on xl0 proto udp from 96.0.0.0/3 to any
block in quick on xl0 proto udp from 127.0.0.0/8 to any
block in quick on xl0 proto udp from 128.0.0.0/16 to any
block in quick on xl0 proto udp from 128.66.0.0/16 to any
block in quick on xl0 proto udp from 169.254.0.0/16 to any
block in quick on xl0 proto udp from 172.16.0.0/12 to any
block in quick on xl0 proto udp from 191.255.0.0/16 to any
block in quick on xl0 proto udp from 192.0.0.0/16 to any
block in quick on xl0 proto udp from 192.168.0.0/16 to any
block in quick on xl0 proto udp from 197.0.0.0/8 to any
block in quick on xl0 proto udp from 201.0.0.0/8 to any
block in quick on xl0 proto udp from 204.152.64.0/23 to any
block in quick on xl0 proto udp from 224.0.0.0/3 to any
# Now, let some fun stuff in and out.
pass out quick on lo0
pass in quick on lo0
# Type 0 = Echo reply.
pass in quick on xl0 proto icmp all icmp-type 0
# Type 3 = Network/Host/Protocol Unreachable, etc.
pass in quick on xl0 proto icmp all icmp-type 3
# Type 11 = TTL exceeded in transit, or TTL exceeded during fragment reassembly.
pass in quick on xl0 proto icmp all icmp-type 11
# Type 8 is ping.
pass in quick on xl0 proto icmp all icmp-type 8
# Only allow SSH traffic to the FIREWALL from 'trusted' hosts. You'll presumably adapt this to your needs,
# or else comment it out.
# Note: 192.168.0.1 is used here as the firewall's address, while the xl1 rules further down use
# 192.168.0.254 for the inner interface; make both match what the box actually has. Remember too that
# ipnat rewrites inbound packets before the filter sees them, so a port you rdr to 192.168.0.2 never
# shows up here addressed to the firewall.
pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 192.168.0.1 port = ssh flags S keep state keep frags
pass in quick on xl0 proto tcp from yyy.yyy.yyy.yyy to 192.168.0.1 port = ssh flags S keep state keep frags
pass in quick on xl0 proto tcp from zzz.zzz.zzz.zzz/24 to 192.168.0.1 port = ssh flags S keep state keep frags
# Also allow SSH traffic to machines on the inner network, of course only from trusted hosts.
pass in quick on xl0 proto tcp from xxx.xxx.xxx.xxx to 192.168.0.2 port = ssh flags S keep state keep frags
pass in quick on xl0 proto tcp from yyy.yyy.yyy.yyy to 192.168.0.2 port = ssh flags S keep state keep frags
pass in quick on xl0 proto tcp from zzz.zzz.zzz.zzz/24 to 192.168.0.2 port = ssh flags S keep state keep frags
# And if we have a web server on the inner network that is meant to be reachable from outside, HTTP and HTTPS:
pass in quick on xl0 proto tcp from any to 192.168.0.2 port = http flags S keep state keep frags
pass in quick on xl0 proto tcp from any to 192.168.0.2 port = https flags S keep state keep frags
# Likewise if we have a mail server.. Note that the two lower lines are commented out.
pass in quick on xl0 proto tcp from any to 192.168.0.2 port = smtp flags S keep state keep frags
#pass in quick on xl0 proto tcp from any to 192.168.0.2 port = pop3s flags S keep state keep frags
#pass in quick on xl0 proto tcp from any to 192.168.0.2 port = imaps flags S keep state keep frags
# FTP traffic, active and passive mode. FTP is insecure anyway, avoid it like the plague! :)
pass in quick on xl0 proto tcp from any to any port = ftp flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port = ftp-data flags S keep state keep frags
# WARNING: the next line accepts a new connection from anyone to EVERY port above 1023 on the
# outside interface, not just FTP data connections; any high-port service you forget about becomes
# reachable. Comment it out unless you really need it, and then at least narrow 'to any' down to
# the FTP server and the port range it uses for passive mode.
pass in quick on xl0 proto tcp from any to any port >= 1023 flags S/ARSF keep state keep frags
# Stuff coming from our inner network is let through..
# (192.168.0.254 is presumably the firewall's own address on xl1; these let LAN hosts talk to it.)
pass in quick on xl1 proto tcp from any to 192.168.0.254 flags S keep state
pass in quick on xl1 proto udp from any to 192.168.0.254 keep state
pass in quick on xl1 proto icmp from any to 192.168.0.254 keep state
# Since we're paranoid, we don't want to let our LAN users do just anything..
pass in quick on xl1 proto tcp from 192.168.0.0/24 port = ftp-data to any port > 1023 keep state #FTP-DATA
# Then we want to allow me to do whatever I like. What else? :)
pass in quick on xl1 proto tcp from 192.168.0.20 to any flags S keep state
pass in quick on xl1 proto udp from 192.168.0.20 to any keep state
# Rules for LAN users; no need at all to let them do anything other than this,
# unless they come and ask me nicely :P
pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 80 flags S keep state keep frags #HTTP
pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 443 flags S keep state keep frags #HTTPS
pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 25 flags S keep state keep frags #SMTP
pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 21 flags S keep state keep frags #FTP
pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 5999 flags S keep state keep frags #CVSUP
pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 110 flags S keep state keep frags #POP3
pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 143 flags S keep state keep frags #IMAP
pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 993 flags S keep state keep frags #IMAPS
pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 995 flags S keep state keep frags #POP3S
pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 2009 flags S keep state keep frags #NEWS
pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 22 flags S keep state keep frags #SSH
#pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 23 flags S keep state keep frags #TELNET
pass in quick on xl1 proto icmp from 192.168.0.0/24 to any icmp-type 0 keep state
pass in quick on xl1 proto icmp from 192.168.0.0/24 to any icmp-type 3 keep state
pass in quick on xl1 proto icmp from 192.168.0.0/24 to any icmp-type 8 keep state
pass in quick on xl1 proto icmp from 192.168.0.0/24 to any icmp-type 11 keep state
pass in quick on xl1 proto udp from 192.168.0.0/24 to any port = domain keep state #DOMAIN
pass out quick on xl1 proto tcp all flags S keep state keep frags
pass out quick on xl1 proto udp all keep state
pass out quick on xl1 proto icmp all keep state
# Block ugly spoofed traffic on the way out.
block in on xl1 all
block return-rst in quick on xl1 proto tcp from !192.168.0.0/24 to any
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 2.0.0.0/8
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 5.0.0.0/8
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 10.0.0.0/8
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 23.0.0.0/8
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 27.0.0.0/8
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 31.0.0.0/8
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 67.0.0.0/8
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 68.0.0.0/6
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 72.0.0.0/5
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 80.0.0.0/4
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 96.0.0.0/3
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 127.0.0.0/8
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 128.0.0.0/16
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 128.66.0.0/16
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 169.254.0.0/16
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 172.16.0.0/12
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 191.255.0.0/16
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 192.0.0.0/16
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 192.168.0.0/16
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 197.0.0.0/8
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 201.0.0.0/8
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 204.152.64.0/23
block return-rst in quick on xl1 proto tcp from 192.168.0.0/24 to 224.0.0.0/3
block in on xl1 proto udp all
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from !192.168.0.0/24 to any
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 2.0.0.0/8
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 5.0.0.0/8
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 10.0.0.0/8
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 23.0.0.0/8
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 27.0.0.0/8
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 31.0.0.0/8
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 67.0.0.0/8
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 68.0.0.0/6
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 72.0.0.0/5
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 80.0.0.0/4
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 96.0.0.0/3
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 127.0.0.0/8
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 128.0.0.0/16
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 128.66.0.0/16
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 169.254.0.0/16
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 172.16.0.0/12
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 191.255.0.0/16
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 192.0.0.0/16
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 192.168.0.0/16
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 197.0.0.0/8
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 201.0.0.0/8
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 204.152.64.0/23
block return-icmp-as-dest(port-unr) in quick on xl1 proto udp from 192.168.0.0/24 to 224.0.0.0/3
# and let the firewall itself talk to the outside world too.
pass out quick on xl0 proto tcp from any to any flags S keep state keep frags
pass out quick on xl0 proto udp from any to any keep state keep frags
pass out quick on xl0 proto icmp from any to any keep state keep frags
# Whee, finito!
There, now we have a pretty firewall!
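To see how ipf actually walks a file like this, here is an added example in Python (my own, not part of the original article and not IPFilter code): a tiny evaluator for the subset of ipf(5) syntax used above. It models the one rule that matters most when reading the file: every matching rule overrides the verdict so far, and only 'quick' stops the walk, with IPFILTER_DEFAULT_BLOCK as the starting verdict. The rule set inside it is an abbreviated copy of the one above; the trusted SSH host 203.0.113.10 and the test addresses are made-up values standing in for the xxx placeholders, and state, NAT and the 'with ...' tests are not modelled.

```python
"""Added example (not the article's or IPFilter's code): evaluates the subset of ipf(5)
syntax used above, modelling ipf's order of matching (last match wins, 'quick' stops)."""
import ipaddress

SERVICES = {"ssh": 22, "http": 80, "https": 443, "smtp": 25, "ftp": 21,
            "ftp-data": 20, "domain": 53, "pop3s": 995, "imaps": 993}
ALL_FLAGS = set("FSRPAU")   # 'flags S' with no mask compares against all six TCP flags

def _addr(tok):   # 'any' -> None, else (negated, network); a bare host is /32
    if tok == "any":
        return None
    return tok.startswith("!"), ipaddress.ip_network(tok.lstrip("!"), strict=False)

def _portspec(toks, i):   # optional 'port <op> <value>' at toks[i] -> (spec, next i)
    if i < len(toks) and toks[i] == "port":
        return (toks[i + 1], SERVICES.get(toks[i + 2]) or int(toks[i + 2])), i + 3
    return None, i

def parse_rule(line):
    """One rule line -> dict; comment or blank lines -> None.  No 'with ...' support."""
    toks = line.split("#", 1)[0].split()
    if not toks:
        return None
    r = {"action": toks[0], "quick": False, "iface": None, "proto": None, "src": None,
         "sport": None, "dst": None, "dport": None, "flags": None, "icmp_type": None}
    i = 2 if toks[1].startswith("return-") else 1     # skip return-rst / return-icmp...
    r["dir"], i = toks[i], i + 1
    while i < len(toks):
        t, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if t in ("log", "all"): i += 1
        elif t == "quick": r["quick"], i = True, i + 1
        elif t in ("on", "proto", "flags"): r["iface" if t == "on" else t], i = nxt, i + 2
        elif t == "icmp-type": r["icmp_type"], i = int(nxt), i + 2
        elif t == "keep": i += 2                          # keep state / keep frags: not modelled
        elif t in ("from", "to"):
            r["src" if t == "from" else "dst"] = _addr(nxt)
            r["sport" if t == "from" else "dport"], i = _portspec(toks, i + 2)
        else: raise ValueError(f"unsupported token {t!r} in {line!r}")
    return r

def parse_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]

def _port_ok(spec, port):
    if spec is None:
        return True
    op, v = spec
    return {"=": port == v, "!=": port != v, ">": port > v, ">=": port >= v,
            "<": port < v, "<=": port <= v}[op]

def _addr_ok(spec, ip):
    return spec is None or (ipaddress.ip_address(ip) in spec[1]) != spec[0]

def _flags_ok(spec, pkt_flags):
    """'S' means SYN set and F,R,P,A,U clear; 'S/ARSF' compares only inside the mask."""
    if spec is None:
        return True
    want, _, mask = spec.partition("/")
    mask = set(mask) if mask else ALL_FLAGS
    return set(pkt_flags) & mask == set(want) & mask

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"])
            and _addr_ok(r["src"], p["src"]) and _addr_ok(r["dst"], p["dst"])
            and _port_ok(r["sport"], p.get("sport", 0)) and _port_ok(r["dport"], p.get("dport", 0))
            and (p["proto"] != "tcp" or _flags_ok(r["flags"], p.get("flags", "")))
            and r["icmp_type"] in (None, p.get("icmp_type")))

def evaluate(rules, pkt, default="block"):   # default plays the part of IPFILTER_DEFAULT_BLOCK
    """ipf order: last match wins unless a matching rule is quick.  Returns (verdict, index)."""
    verdict, index = default, None
    for n, r in enumerate(rules):
        if matches(r, pkt):
            verdict, index = r["action"], n
            if r["quick"]:
                break
    return verdict, index

def syn(iface, src, dst, dport, flags="S", direction="in"):   # constructed test packet
    return {"dir": direction, "iface": iface, "proto": "tcp", "src": src, "dst": dst,
            "sport": 40000, "dport": dport, "flags": flags}

# Abbreviated copy of the article's rule set; 203.0.113.10 is a constructed stand-in
# for the 'xxx.xxx.xxx.xxx' trusted host.
RULES = parse_rules("""
block in on xl0 all
block in quick on xl0 proto tcp from 10.0.0.0/8 to any
pass in quick on xl0 proto icmp all icmp-type 8
pass in quick on xl0 proto tcp from 203.0.113.10 to 192.168.0.2 port = ssh flags S keep state keep frags
pass in quick on xl0 proto tcp from any to 192.168.0.2 port = http flags S keep state keep frags
pass in quick on xl0 proto tcp from any to any port >= 1023 flags S/ARSF keep state keep frags
pass in quick on xl1 proto tcp from 192.168.0.0/24 to any port = 80 flags S keep state keep frags
block in on xl1 all
block return-rst in quick on xl1 proto tcp from !192.168.0.0/24 to any
pass out quick on xl0 proto tcp from any to any flags S keep state keep frags
""")

if __name__ == "__main__":   # the '>= 1023' line, not the block rules, decides this one
    print(evaluate(RULES, syn("xl0", "198.51.100.7", "192.168.0.2", 5000)))
```

Feeding it a SYN from the outside to 192.168.0.2 port 22 gives ("block", 0): the non-quick 'block in on xl0 all' is the last thing that matched. The same SYN to port 5000 gives ("pass", 5), because the 'port >= 1023' line matches and is quick, which is exactly the exposure the warning in the rule file is about. A SYN/ACK to port 80 is blocked even though a 'pass ... port = http' rule exists, since 'flags S' with no mask requires the other five flags to be clear. The evaluator is deliberately a subset: 'with short' and friends, 'keep state' and ipnat are out of scope, and on the real box it is 'ipf -n -f' that has the final say on syntax.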
Next we want to set up our NAT.
We open yet another file in our favourite editor: /etc/firewall/ipnat.rules
We put the following in it:
# To get FTP working from the inner network we use a small proxy.
# xl0 is external.
# xxx.yyy.zzz.xxx is the (external) IP address of our Internet gateway.
# (ipnat also accepts 0/32 on the right-hand side, meaning 'whatever address xl0 has', handy with a dynamic IP.)
# First we proxy FTP. However clever that may seem..
# The proxy line has to come before the general map line, and the syntax is 'proxy port <port> <proxy-name>/<protocol>'.
map xl0 192.168.0.0/24 -> xxx.yyy.zzz.xxx/32 proxy port ftp ftp/tcp
# Then everything else is NATed.
map xl0 192.168.0.0/24 -> xxx.yyy.zzz.xxx/32
# Then we want to forward this and that service to the local network.
rdr xl0 xxx.yyy.zzz.xxx/32 port 80 -> 192.168.0.2 port 80 tcp #HTTP
rdr xl0 xxx.yyy.zzz.xxx/32 port 443 -> 192.168.0.2 port 443 tcp #HTTPS
rdr xl0 xxx.yyy.zzz.xxx/32 port 22 -> 192.168.0.2 port 22 tcp #ssh
rdr xl0 xxx.yyy.zzz.xxx/32 port 25 -> 192.168.0.2 port 25 tcp #SMTP
# Then you add similar lines to forward more services, if you want that sort of thing.
# Every forwarded port also needs a matching pass rule in ipf.rules for the INSIDE address,
# like the HTTP/HTTPS/SMTP lines there, since the filter sees the packet after rdr has rewritten it.
Before rebooting it doesn't hurt to let ipf and ipnat check the two files with their -n flag, which parses the rules without loading anything into the kernel, so a typo shows up now rather than as a locked-out firewall. And then reboot:
shutdown -r now
Done!
That's all, flames and the like are welcome.
A lot of this is based on docs I've read on the net about ipf, so it isn't entirely my own creation.
man ipf and <a href="http://www.google.com">google.com</a> are your friends.
- <a href="mailto:solvi@hugbunadur.is">Sölvi Páll Ásgeirsson</a> / kleppari on IRCnet.
- <a href="http://www.hugbunadur.is">Hugbúnaður.is</a>