diff options
Diffstat (limited to 'en_US.ISO8859-1/articles/dialup-firewall/article.sgml')
-rw-r--r-- | en_US.ISO8859-1/articles/dialup-firewall/article.sgml | 299 |
1 files changed, 0 insertions, 299 deletions
diff --git a/en_US.ISO8859-1/articles/dialup-firewall/article.sgml b/en_US.ISO8859-1/articles/dialup-firewall/article.sgml deleted file mode 100644 index 85d4a159b6..0000000000 --- a/en_US.ISO8859-1/articles/dialup-firewall/article.sgml +++ /dev/null @@ -1,299 +0,0 @@ -<!-- - The FreeBSD Documentation Project - - $FreeBSD: doc/en_US.ISO_8859-1/articles/dialup-firewall/article.sgml,v 1.3 2000/07/11 10:21:49 nbm Exp $ ---> - -<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V3.1-Based Extension//EN" [ -<!ENTITY % man PUBLIC "-//FreeBSD//ENTITIES DocBook Manual Page Entities//EN"> -%man; -]> - -<article> - <artheader> - <title>Dialup firewalling with FreeBSD</title> - - <authorgroup> - <author> - <firstname>Marc</firstname> - <surname>Silver</surname> - - <affiliation> - <address><email>marcs@draenor.org</email></address> - </affiliation> - </author> - </authorgroup> - - <pubdate>$Date: 2000-08-19 20:51:20 $</pubdate> - - <abstract> - <para>This article documents how to setup a firewall using a PPP - dialup with FreeBSD and IPFW, and specifically with firewalling over - a dialup with a dynamically assigned IP address. This document does - not cover setting up your PPP connection in the first place.</para> - </abstract> - </artheader> - - <sect1 id="preface"> - <title>Preface</title> - - <para>Dialup Firewalling with FreeBSD</para> - - <para>This document aims to cover the process that is required in - order to setup firewalling with FreeBSD when are dynamically - assigned an IP address by your ISP. While every effort has been - made to make this document as informative and correct as possible, - you are welcome to mail your comments/suggestions to the - <ulink URL="mailto:marcs@draenor.org">maintainer</ulink>.</para> - </sect1> - - <sect1 id="kernel"> - <title>Kernel Options</title> - - <para>The first thing you'll need to do is recompile your kernel in - FreeBSD. If you need more information on how to recompile the kernel, - then the best place to start is the <ulink - URL="http://www.freebsd.org/handbook/kernelconfig.html">kernel - configuration section in the Handbook</ulink>. You need to compile the - following options into the kernel: </para> - - <variablelist> - <varlistentry> - <term><literal>options IPFIREWALL</literal></term> - - <listitem> - <para>Enables the kernel's firewall code.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>options IPFIREWALL_VERBOSE</literal></term> - - <listitem> - <para>Sends logged packets to the system logger.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>options - IPFIREWALL_VERBOSE_LIMIT=<replaceable>100</replaceable></literal></term> - - <listitem> - <para>Limits the number of times a matching entry is logged. This - stops your log files filling up with lots of repetitive entries. - <replaceable>100</replaceable> is a reasonable number to use, but - you can adjust it based on your requirements.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>options IPDIVERT</literal></term> - - <listitem> - <para>Enables <emphasis>divert</emphasis> sockets, which will be - shown later.</para> - </listitem> - </varlistentry> - </variablelist> - - <para>There are also some other OPTIONAL items that you can compile - into the kernel for some added security. These are not required in - order to get firewalling to work, but some more paranoid users may - want to use them.</para> - - <variablelist> - <varlistentry> - <term><literal>options TCP_RESTRICT_RST</literal></term> - - <listitem> - <para>This option blocks all TCP RST packets. This is - best used for systems that might be exposed to SYN - flooding (IRC Servers are a good example) or for those who - do not want to be easily portscannable.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>options TCP_DROP_SYNFIN</literal></term> - - <listitem> - <para>This option ignores TCP packets with SYN and FIN. This - prevents tools such as nmap etc from identifying the TCP/IP - stack of the machine, but breaks support for RFC1644 - extensions. This is NOT recommended if the machine will be - running web server.</para> - </listitem> - </varlistentry> - </variablelist> - - <para>Don't reboot once you have recompiled the kernel. Hopefully, we will - need to reboot just once in order to complete the installing of the - firewall.</para> - </sect1> - - <sect1 id="rcconf"> - <title>Changing <filename>/etc/rc.conf</filename> to load the - firewall</title> - - <para>We now need to make some changes to - <filename>/etc/rc.conf</filename> in order to tell it about the - firewall. Simply add the following lines:</para> - - <programlisting>firewall_enable="YES" -firewall_script="/etc/firewall/fwrules" -natd_enable="YES" -natd_interface="tun0" -natd_flags="-dynamic"</programlisting> - - <para>For more information on what the above do take a look at - <filename>/etc/defaults/rc.conf</filename> and read - &man.rc.conf.5;</para> - </sect1> - - <sect1> - <title>Disable PPP's network address translation</title> - - <para>You may already be using PPP's built in network address - translation (NAT). If that is the case you will have to disable it, - as these examples use &man.natd.8; to do the same.</para> - - <para>If you already have a block of entries to - automatically start PPP it probably looks like this:</para> - - <programlisting>ppp_enable="YES" -ppp_mode="auto" -ppp_nat="YES" -ppp_profile="<replaceable>profile</replaceable>"</programlisting> - - <para>If so, remove the <literal>ppp_nat="YES"</literal> line. You will - also need to remove any <literal>nat enable yes</literal> or - <literal>alias enable yes</literal> in - <filename>/etc/ppp/ppp.conf</filename>.</para> - </sect1> - - <sect1 id="rules"> - <title>The ruleset for the firewall</title> - - <para>We're nearly done now. All that remains now is to define the - firewall rules and then we can reboot and the firewall should be up and - running. I realise that everyone will want something slightly different - when it comes to their rulebase. What I've tried to do is write a - rulebase that suits most dialup users. You can obviously modify it to - your needs by simply using the following rules as the foundation for - your own rulebase. First, let's start with the basics of closed - firewalling. What you want to do is deny everything by default and then - only open up for the things you really need. Rules should be in the - order of allow first and then deny. The premis is that you add the - rules for your allows, and then everything else is denied. :)</para> - - <para>Now, let's make the dir /etc/firewall. Change into the directory and - edit the file fwrules as we specified in rc.conf. Please note that you - can change this filename to be anything you wish. This guide just gives - an example of a filename. </para> - - <para>Now, let's look at a sample firewall file, and we'll detail - everything in it. </para> - - <programlisting># Firewall rules -# Written by Marc Silver (marcs@draenor.org) -# http://draenor.org/ipfw -# Freely distributable - - -# Define the firewall command (as in /etc/rc.firewall) for easy -# reference. Helps to make it easier to read. -fwcmd="/sbin/ipfw" - -# Force a flushing of the current rules before we reload. -$fwcmd -f flush - -# Divert all packets through the tunnel interface. -$fwcmd add divert natd all from any to any via tun0 - -# Allow all data from my network card and localhost. Make sure you -# change your network card (mine was fxp0) before you reboot. :) -$fwcmd add allow ip from any to any via lo0 -$fwcmd add allow ip from any to any via fxp0 - -# Allow all connections that I initiate. -$fwcmd add allow tcp from any to any out xmit tun0 setup - -# Once connections are made, allow them to stay open. -$fwcmd add allow tcp from any to any via tun0 established - -# Everyone on the internet is allowed to connect to the following -# services on the machine. This example shows that people may connect -# to ssh and apache. -$fwcmd add allow tcp from any to any 80 setup -$fwcmd add allow tcp from any to any 22 setup - -# This sends a RESET to all ident packets. -$fwcmd add reset log tcp from any to any 113 in recv tun0 - -# Allow outgoing DNS queries ONLY to the specified servers. -$fwcmd add allow udp from any to <replaceable>x.x.x.x</replaceable> 53 out xmit tun0 - -# Allow them back in with the answers... :) -$fwcmd add allow udp from <replaceable>x.x.x.x</replaceable> 53 to any in recv tun0 - -# Allow ICMP (for ping and traceroute to work). You may wish to -# disallow this, but I feel it suits my needs to keep them in. -$fwcmd add 65435 allow icmp from any to any - -# Deny all the rest. -$fwcmd add 65435 deny log ip from any to any</programlisting> - - <para>You now have a fully functional firewall that will allow on - connections to ports 80 and 22 and will log any other connection - attempts. Now, you should be able to safely reboot and your firewall - should come up fine. If you find this incorrect in anyway or experience - any problems, or have any suggestions to improve this page, please - email me.</para> - </sect1> - - <sect1> - <title>Questions</title> - - <qandaset> - <qandaentry> - <question> - <para>Why are you using natd and ipfw when you could be using - the built in ppp-filters?</para> - </question> - - <answer> - <para>I'll have to be honest and say there's no definitive reason - why I use ipfw and natd instead of the built in ppp filters. From - the discussions I've had with people the consensus seems to be - that while ipfw is certainly more powerful and more configurable - than the ppp filters, what it makes up for in functionality it - loses in being easy to customise. One of the reasons I use it is - because I prefer firewalling to be done at a kernel level rather - than by a userland program.</para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para>If I'm using private addresses internally, such as in the - 192.168.0.0 range, Could I add a command like <literal>$fwcmd add - deny all from any to 192.168.0.0:255.255.0.0 via tun0</literal> - to the firewall rules to prevent outside attempts to connect to - internal machines?</para> - </question> - - <answer> - <para>The simple answer is no. The reason for this is that natd is - doing address translation for <emphasis>anything</emphasis> being - diverted through the tun0 device. As far as it's concerned - incoming packets will speak only to the dynamically assigned IP - address and NOT to the internal network. Note though that you can - add a rule like <literal>$fwcmd add deny all from - 192.168.0.4:255.255.0.0 to any via tun0</literal> which would - limit a host on your internal network from going out via the - firewall.</para> - </answer> - </qandaentry> - </qandaset> - </sect1> -</article> |