author: Dru Lavigne <dru@FreeBSD.org> 2014-02-22 02:43:03 +0000
committer: Dru Lavigne <dru@FreeBSD.org> 2014-02-22 02:43:03 +0000
commit: be4fc36d5e4789d5bc7033fe2196614aadfb9a3e (patch)
tree: ec346a6822ba290b81b050e6a6d8c75bc21b6b19 /en_US.ISO8859-1/books
parent: 3bc7d33b1dad350b2917bf66f750ab7db8c8dabd (diff)
download: doc-be4fc36d5e4789d5bc7033fe2196614aadfb9a3e.tar.gz, doc-be4fc36d5e4789d5bc7033fe2196614aadfb9a3e.zip
Clean up sample ruleset.

Move stuff that applies to all firewalls to Concepts section.

Sponsored by: iXsystems
Notes: svn path=/head/; revision=44024
Diffstat (limited to 'en_US.ISO8859-1/books')
-rw-r--r-- en_US.ISO8859-1/books/handbook/firewalls/chapter.xml | 300
1 file changed, 97 insertions, 203 deletions
diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
index 51b0d08ce4..5e282d6a76 100644
--- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
@@ -170,6 +170,15 @@
selection criteria to create rules which will pass or block
services.</para>
+ <para>To lookup unknown port numbers, refer to
+ <filename>/etc/services</filename>. Alternatively, visit <uri
+ xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
+ and do a port number lookup to find the purpose of a
+ particular port number.</para>
+
+ <para>Check out this link for port numbers used by Trojans <uri
+ xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
+
<para>A firewall ruleset can be either
<quote>exclusive</quote> or <quote>inclusive</quote>. An
exclusive firewall allows all traffic through except for the
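Review bot: the two paragraphs added after line 170 read informally for the Handbook and are partly redundant. `To lookup unknown port numbers` should be `To look up unknown port numbers`, and the second half of that sentence (`and do a port number lookup to find the purpose of a particular port number`) repeats the first; `Check out this link for port numbers used by Trojans <uri ...>.` would read better as `Port numbers commonly used by Trojans are listed at <uri ...>.` Since both paragraphs now sit in the Concepts section that applies to every firewall, it is worth saying that <filename>/etc/services</filename> is the local authority and that the two external lists are plain-http pages whose contents may change, so a port should be confirmed against the service actually running on the host before a rule is written for it.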
@@ -1699,7 +1708,7 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
</sect2>
<sect2>
- <title><application>IPF</application> Rulesets</title>
+ <title><application>IPF</application> Rule Syntax</title>
<indexterm>
<primary><application>IPFILTER</application></primary>
@@ -1988,198 +1997,98 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
</sect2>
<sect2>
- <!-- XXX: This section needs a rewrite -->
-
- <title>Inclusive Ruleset Example</title>
-
- <para>The following ruleset is an example of an inclusive type
- of firewall which only allows services matching
- <literal>pass</literal> rules and blocks all others by
- default. Network firewalls intended to protect other machines
- should have at least two interfaces, and are generally
- configured to trust the <acronym>LAN</acronym> and to not
- trust the public Internet. Alternatively, a host based
- firewall might be configured to protect only the system it is
- running on, and is appropriate for servers on an untrusted
- network or a desktop system not protected by firewall on the
- network.</para>
-
- <para>&os; uses interface <filename>lo0</filename> and IP
- address <systemitem class="ipaddress">127.0.0.1</systemitem>
- for internal communication within the operating system. The
- firewall rules must contain rules to allow free movement of
- these internally used packets.</para>
+ <title>Example Ruleset</title>
- <para>The interface which faces the public Internet is the one
- specified in the rules that authorize and control access of
- the outbound and inbound connections.</para>
+ <para>This section demonstrates how to create an example ruleset
+ which only allows services matching
+ <literal>pass</literal> rules and blocks all others.</para>
- <para>In cases where one or more NICs are cabled to private
- network segments, those interfaces may require rules to allow
- packets originating from those LAN interfaces transit to each
- other or to the Internet.</para>
-
- <para>The rules should be organized into three major
- sections: the trusted interfaces, then the public
- interface outbound, and lastly, the public untrusted interface
- inbound.</para>
+ <para>&os; uses the loopback interface (<filename>lo0</filename>) and the <acronym>IP</acronym>
+ address <systemitem class="ipaddress">127.0.0.1</systemitem>
+ for internal communication. The
+ firewall ruleset must contain rules to allow free movement of
+ these internally used packets:</para>
- <para>The rules in each of the public interface sections should
+ <programlisting># no restrictions on loopback interface
+pass in quick on lo0 all
+pass out quick on lo0 all</programlisting>
+
+ <para>The public interface connected to the Internet is used to
+ authorize and control access of
+ all outbound and inbound connections. If one or more interfaces are cabled to private
+ networks, those internal interfaces may require rules to allow
+ packets originating from the <acronym>LAN</acronym> to flow between the internal networks
+ or to the interface attached to the Internet. The ruleset should be organized into three major
+ sections: any trusted internal interfaces, outbound connections through the public
+ interface, and inbound connections through the public interface.</para>
+
+ <para>These two rules allow all traffic to pass through a trusted
+ <acronym>LAN</acronym> interface named <filename>xl0</filename>:</para>
+
+ <programlisting># no restrictions on inside LAN interface for private network
+pass out quick on xl0 all
+pass in quick on xl0 all</programlisting>
+
+ <para>The rules for the public interface's outbound and inbound sections should
have the most frequently matched rules placed before less
commonly matched rules, with the last rule in the section
- blocking and logging all packets on that interface and
+ blocking and logging all packets for that interface and
direction.</para>
- <para>The outbound section in the following ruleset only
- contains <literal>pass</literal> rules which uniquely identify
- the services that are authorized for public Internet access.
- All the rules use <literal>quick</literal>,
- <literal>on</literal>, <literal>proto</literal>,
- <literal>port</literal>, and <literal>keep state</literal>.
- The <literal>proto tcp</literal> rules include
- <literal>flag</literal> to identify the session start request
- as the triggering packet to activate the stateful
- facility.</para>
-
- <para>The inbound section blocks undesirable packets first, for
- two different reasons. The first is that malicious packets
- may be partial matches for legitimate traffic. These packets
- have to be discarded rather than allowed, based on their
- partial matches against the <literal>allow</literal> rules.
- The second reason is that known and uninteresting rejects may
- be blocked silently, rather than being logged by the last rule
- in the section.</para>
-
- <para>The ruleset should ensure that there is no response
- returned for any undesirable traffic. Invalid packets should
- be silently dropped so that the attacker has no knowledge if
- the packets reached the system. Rules that include a
- <literal>log first</literal> option, will only log the event
- the first time they are triggered. This option is included in
- the sample <literal>nmap OS fingerprint</literal> rule. The
- <package>security/nmap</package> utility is
- commonly used by attackers who attempt to identify the
- operating system of the server.</para>
-
- <para>Any time there are logged messages on a rule with
- the <literal>log first</literal> option,
- <command>ipfstat -hio</command> should be executed
- to evaluate how many times the rule has been matched. A
- large number of matches usually indicates that the system is
- being flooded or is under attack.</para>
-
- <para>To lookup unknown port numbers, refer to
- <filename>/etc/services</filename>. Alternatively, visit <uri
- xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
- and do a port number lookup to find the purpose of a
- particular port number.</para>
-
- <para>Check out this link for port numbers used by Trojans <uri
- xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
-
- <para>The following ruleset creates an
- <literal>inclusive</literal> firewall ruleset which can be
- easily customized by commenting out
- <literal>pass</literal> rules for services that should not
- be authorized.</para>
-
- <para>To avoid logging unwanted messages, add a
- <literal>block</literal> rule in the inbound section.</para>
-
- <para>Change the <filename>dc0</filename> interface name in
- every rule to the interface name that connects the system to
- the public Internet.</para>
-
- <para>The following statements were added to
- <filename>/etc/ipf.rules</filename>:</para>
-
- <programlisting>#################################################################
-# No restrictions on Inside LAN Interface for private network
-# Not needed unless you have LAN
-#################################################################
-
-#pass out quick on xl0 all
-#pass in quick on xl0 all
-
-#################################################################
-# No restrictions on Loopback Interface
-#################################################################
-pass in quick on lo0 all
-pass out quick on lo0 all
+ <para>This set of rules defines the outbound section of the
+ public interface named <filename>dc0</filename>.
+ These rules keep state and identify
+ the specific services that internal systems are authorized for public Internet access.
+ All the rules use <literal>quick</literal> and specify the
+ appropriate port numbers and, where applicable, destination
+ addresses.</para>
-#################################################################
-# Interface facing Public Internet (Outbound Section)
-# Match session start requests originating from behind the
-# firewall on the private network
-# or from this gateway server destined for the public Internet.
-#################################################################
+ <programlisting># interface facing Internet (outbound)
+# Matches session start requests originating from or behind the
+# firewall, destined for the Internet.
-# Allow out access to my ISP's Domain name server.
-# xxx must be the IP address of your ISP's DNS.
-# Dup these lines if your ISP has more than one DNS server
-# Get the IP addresses from /etc/resolv.conf file
-pass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state
+# Allow outbound access to public DNS servers.
+# Replace x.x.x. with address listed in /etc/resolv.conf.
+# Repeat for each DNS server.
+pass out quick on dc0 proto tcp from any to x.x.x. port = 53 flags S keep state
pass out quick on dc0 proto udp from any to xxx port = 53 keep state
-# Allow out access to my ISP's DHCP server for cable or DSL networks.
-# This rule is not needed for 'user ppp' type connection to the
-# public Internet, so you can delete this whole group.
-# Use the following rule and check log for IP address.
-# Then put IP address in commented out rule &amp; delete first rule
+# Allow access to ISP's specified DHCP server for cable or DSL networks.
+# Use the first rule, then check log for the IP address of DHCP server.
+# Then, uncomment the second rule, replace z.z.z.z with the IP address,
+# and comment out the first rule
pass out log quick on dc0 proto udp from any to any port = 67 keep state
#pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state
-
-# Allow out non-secure standard www function
+# Allow HTTP and HTTPS
pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
-
-# Allow out secure www function https over TLS SSL
pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
-# Allow out send &amp; get email function
+# Allow email
pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
-# Allow out Time
+# Allow NTP
pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
-# Allow out nntp news
-pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
-
-# Allow out gateway &amp; LAN users' non-secure FTP ( both passive &amp; active modes)
-# This function uses the IP<acronym>NAT</acronym> built in FTP proxy function coded in
-# the nat rules file to make this single rule function correctly.
-# If you want to use the pkg_add command to install application packages
-# on your gateway system you need this rule.
+# Allow FTP
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
-# Allow out ssh/sftp/scp (telnet/rlogin/FTP replacements)
-# This function is using SSH (secure shell)
+# Allow SSH
pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state
-# Allow out insecure Telnet
-pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state
-
-# Allow out FreeBSD CVSup
-pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state
-
-# Allow out ping to public Internet
+# Allow ping
pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
-# Allow out whois from LAN to public Internet
-pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state
-
-# Block and log only the first occurrence of everything
-# else that's trying to get out.
-# This rule implements the default block
-block out log first quick on dc0 all
-
-#################################################################
-# Interface facing Public Internet (Inbound Section)
-# Match packets originating from the public Internet
-# destined for this gateway server or the private network.
-#################################################################
+# Block and log everything else
+block out log first quick on dc0 all</programlisting>
+
+ <para>This example of the rules in the inbound section of the
+ public interface blocks all undesirable packets first.
+ This reduces the number of packets that are
+ logged by the last rule.</para>
+ <programlisting># interface facing Internet (inbound)
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on dc0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on dc0 from 172.16.0.0/12 to any #RFC 1918 private IP
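Review bot: the comment on the port 37 rule is wrong: `# Allow NTP` sits above `pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state`, but TCP port 37 is the Time protocol (RFC 868), which the removed comment correctly described as `Allow out Time`; NTP uses UDP port 123, so either restore the original comment or change the rule to `proto udp ... port = 123`. The DNS pair also uses inconsistent placeholders: the TCP rule and its comment say `x.x.x.` (three octets and a trailing dot) while the UDP rule on the next line still says `xxx`; use `x.x.x.x` in all three places so a reader doing a search-and-replace catches both rules. The new `# Allow FTP` comment dropped the note that this single port 21 rule only works because the ipnat FTP proxy configured in the nat rules file handles the data connection; without the proxy the data connection in either mode does not match the port 21 rule and falls through to `block out log first quick on dc0 all`, so the caveat should be kept in the comment or the prose. Minor: `originating from or behind the firewall` should read `originating from the firewall or from hosts behind it`.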
@@ -2191,67 +2100,52 @@ block in quick on dc0 from 192.0.2.0/24 to any #reserved for docs
block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on dc0 from 224.0.0.0/3 to any #Class D &amp; E multicast
-##### Block a bunch of different nasty things. ############
-# That I do not want to see in the log
-
-# Block frags
+# Block fragments and too short tcp packets
block in quick on dc0 all with frags
-
-# Block short tcp packets
block in quick on dc0 proto tcp all with short
# block source routed packets
block in quick on dc0 all with opt lsrr
block in quick on dc0 all with opt ssrr
-# Block nmap OS fingerprint attempts
-# Log first occurrence of these so I can get their IP address
+# Block OS fingerprint attempts and log first occurrence
block in log first quick on dc0 proto tcp from any to any flags FUP
# Block anything with special options
block in quick on dc0 all with ipopts
-# Block public pings
+# Block public pings and ident
block in quick on dc0 proto icmp all icmp-type 8
-
-# Block ident
block in quick on dc0 proto tcp from any to any port = 113
-# Block all Netbios service. 137=name, 138=datagram, 139=session
-# Netbios is MS/Windows sharing services.
-# Block MS/Windows hosts2 name server requests 81
+# Block incoming Netbios services
block in log first quick on dc0 proto tcp/udp from any to any port = 137
block in log first quick on dc0 proto tcp/udp from any to any port = 138
block in log first quick on dc0 proto tcp/udp from any to any port = 139
-block in log first quick on dc0 proto tcp/udp from any to any port = 81
+block in log first quick on dc0 proto tcp/udp from any to any port = 81</programlisting>
-# Allow traffic in from ISP's DHCP server. This rule must contain
-# the IP address of your ISP's DHCP server as it is the only
-# authorized source to send this packet type. Only necessary for
-# cable or DSL configurations. This rule is not needed for
-# 'user ppp' type connection to the public Internet.
-# This is the same IP address you captured and
-# used in the outbound section.
-pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state
+ <para>Any time there are logged messages on a rule with
+ the <literal>log first</literal> option, run
+ <command>ipfstat -hio</command>
+ to evaluate how many times the rule has been matched. A
+ large number of matches may indicate that the system is
+ under attack.</para>
-# Allow in standard www function because I have apache server
-pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
+ <para>The rest of the rules in the inbound section define which
+ connections are allowed to be initiated from the Internet.
+ The last rule denies all connections which were not explicitly
+ allowed by previous rules in this section.</para>
-# Allow in non-secure Telnet session from public Internet
-# labeled non-secure because ID/PW passed over public Internet as clear text.
-# Delete this sample group if you do not have telnet server enabled.
-#pass in quick on dc0 proto tcp from any to any port = 23 flags S keep state
+ <programlisting>
+# Allow traffic in from ISP's DHCP server. Replace z.z.z.z with
+# the same IP address used in the outbound section.
+pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state
-# Allow in secure FTP, Telnet, and SCP from public Internet
-# This function is using SSH (secure shell)
-pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state
-
-# Block and log only first occurrence of all remaining traffic
-# coming into the firewall. The logging of only the first
-# occurrence avoids filling up disk with Denial of Service logs.
-# This rule implements the default block.
-block in log first quick on dc0 all
-################### End of rules file #####################################</programlisting>
+# Allow public connections to specified internal web server
+pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state
+
+# Block and log only first occurrence of all remaining traffic.
+block in log first quick on dc0 all</programlisting>
</sect2>
<sect2 xml:id="firewalls-ipf-rules-script">
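Review bot: the comment `# Block incoming Netbios services` now also covers the port 81 rule, but port 81 is not a NetBIOS port; the removed comment identified it separately (`Block MS/Windows hosts2 name server requests 81`), so either keep a separate comment for that rule or drop it from the NetBIOS group. The inbound web server rule uses `x.x.x.x` as the placeholder for the internal server while the outbound section uses `x.x.x.` for the DNS server, which invites a reader to substitute the wrong address; use a distinct placeholder (for example `y.y.y.y`) and add a replace-this comment as is done for `z.z.z.z`. Passing Internet traffic to an internal address on a NAT gateway also depends on a matching `rdr` rule in the ipnat rules file, which this section does not mention. Formatting: the second `<programlisting>` opens with an empty line, which renders as a blank first line in the listing; start the block directly with the `# Allow traffic in from ISP's DHCP server` comment.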