[1895] in linux-security and linux-alert archive
[linux-security] Re: Linux and IPFWADM
daemon@ATHENA.MIT.EDU (Avery Pennarun)
Wed Jun 17 03:47:22 1998
Date: Tue, 16 Jun 1998 11:22:35 -0400
From: Avery Pennarun <apenwarr@worldvisions.ca>
To: S Hedges <shedges@shaw.wave.ca>, linux-security@redhat.com
In-Reply-To: <3583404E.3DC5C8F@shaw.wave.ca>; from S Hedges on Sat, Jun 13, 1998 at 09:15:26PM -0600
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
On Sat, Jun 13, 1998 at 09:15:26PM -0600, S Hedges wrote:
> I have been perusing the various linux security sources looking for a
> reliable, proven, source for ipfwadm firewall rules.
Here is the script I use on my home IP masquerade system. It is designed to
deny everything except what is specifically allowed in some of the
definitions near the top. Note that there is one fatal problem -- the input
firewall is changed to allow incoming data back to ports 1024 through 65535,
because any of those might have been used to create an _outgoing_ connection
(and thus might have had data sent back to them). NFS servers might run on
one of these high port numbers, so watch out.
Note that it's still impossible to open any connections at all to a
masqueraded host.
Enjoy. I'd be especially interested in hearing about any security problems
I've missed, or a solution to the one I know about.
Have fun,
Avery
P.S. WARNING: do not run this script on an active system! Test it out
carefully first, preferably in single-user mode!
#!/bin/bash
# Put these in the right order!
#
# Set the following to the list of services (names from /etc/services,
# or port numbers) which should be allowed as incoming connections.
#
ALLOW="ftp telnet auth domain"
ICMP_ALLOW=true

# Set default policies first, so nothing slips through while the chains
# are being rebuilt: incoming packets are rejected, forwarded packets denied.
ipfwadm -Ip reject
ipfwadm -Op accept
ipfwadm -Fp deny

# Flush the table contents (the policies set above are kept)
ipfwadm -Of
ipfwadm -If
ipfwadm -Ff

# localhost communications are allowed
ipfwadm -Ia accept -S 127.0.0.0/8 -D 127.0.0.0/8 -W lo
ipfwadm -Fa accept -S 127.0.0.0/8 -D 127.0.0.0/8 -W lo

# Forward between private networks but masquerade when sending their
# connections out. Never deny anything from one of our private networks.
# (No -W interface is given here, so a 192.168.x.x source address is
# accepted on whichever interface it arrives on.)
#
ipfwadm -Fa accept -S 192.168.0.0/16 -D 192.168.0.0/16
ipfwadm -Ia accept -S 192.168.0.0/16 -D 0/0
ipfwadm -Fa masq -S 192.168.0.0/16 -D 0/0

# We need to allow TCP and UDP back in on all ports that might have been used
# to make an outgoing connection. I don't really like doing this, but...
#
ipfwadm -Ia accept -P tcp -S 0/0 -D 0/0 1024:65535
ipfwadm -Ia accept -P udp -S 0/0 -D 0/0 1024:65535

# Allow ICMP (eg. ping) if specified
#
if [ "$ICMP_ALLOW" = true ]; then
    ipfwadm -Ia accept -P icmp -S 0/0 -D 0/0
fi

# Allow incoming connections for the specified port numbers
#
# Resolve a service name to its port number via /etc/services. A plain
# port number is returned as-is, so a port with no /etc/services entry is
# not silently skipped by the loop below.
function portnum
{
    case "$1" in
        *[!0-9]*|"") ;;
        *) echo "$1"; return 0 ;;
    esac
    sed 's/\(#.*$\|\/tcp\|\/udp\)//g' /etc/services \
        | awk '/([ ]+|^)'"$1"'([ /]+|$)/ {print $2; exit 0}'
}

echo -n "Open ports: "
for d in $ALLOW; do
    p=`portnum $d`
    if [ -z "$p" ]; then continue; fi
    echo -n "$d($p) "
    # Packets addressed to port $p on this host...
    ipfwadm -Ia accept -P tcp -S 0/0 -D 0/0 $p
    ipfwadm -Ia accept -P udp -S 0/0 -D 0/0 $p
    # ...and any packet whose *source* port is $p, regardless of the
    # destination port (the remote end chooses its own source port).
    ipfwadm -Ia accept -P tcp -S 0/0 $p -D 0/0
    ipfwadm -Ia accept -P udp -S 0/0 $p -D 0/0
done
echo
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
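The "one fatal problem" above (accepting anything to ports 1024:65535 so that replies to outgoing connections get back in) has a partial fix in ipfwadm itself for TCP: the `-k` option matches only TCP packets with the ACK bit set, so the bare SYN that opens a new inbound connection falls through to the default input policy while reply traffic on an established connection is accepted. The following is an added example, not part of Avery's message or his script. It emits the replacement input rules as text rather than running ipfwadm, so they can be reviewed and then piped to sh; the interface names eth0/eth1 and the INT_NET value are assumptions you would set for your own gateway. The anti-spoofing pair also binds the 192.168/16 accept to the internal interface, which the original rule leaves open on all interfaces.

```shell
#!/bin/sh
# Added example (not from the original post): hardened ipfwadm input rules
# for a masquerading gateway. Interface names and networks are assumptions.

EXT_IF="${EXT_IF:-eth0}"             # assumed external (masquerading) interface
INT_IF="${INT_IF:-eth1}"             # assumed internal interface
INT_NET="${INT_NET:-192.168.0.0/16}" # private network behind the gateway

# Emit one ipfwadm command per line instead of executing it, so the rule
# set can be inspected first ("./rules.sh | sh" applies it).
rule() {
    printf 'ipfwadm %s\n' "$*"
}

# Replacement for the two unconditional 1024:65535 accepts.
high_port_rules() {
    # -k: match only TCP packets with ACK set. The first packet of an
    # inbound connection is a bare SYN, so it is not matched here and is
    # handled by the default input policy (reject), even though the port
    # lies in 1024:65535. Replies on established outgoing connections pass.
    rule -Ia accept -P tcp -k -S 0/0 -D 0/0 1024:65535 -W "$EXT_IF"
    # UDP has no handshake, so ipfwadm cannot distinguish a reply from a
    # new datagram. The hole stays for UDP; at least bind it to the
    # external interface so it cannot be reached from the inside chain.
    rule -Ia accept -P udp -S 0/0 -D 0/0 1024:65535 -W "$EXT_IF"
}

# Replacement for "ipfwadm -Ia accept -S 192.168.0.0/16 -D 0/0":
# private source addresses are accepted only on the internal interface,
# and explicitly denied when they show up on the external one (spoofing).
# ipfwadm evaluates rules in order, so the deny must come first.
antispoof_rules() {
    rule -Ia deny   -S "$INT_NET" -D 0/0 -W "$EXT_IF"
    rule -Ia accept -S "$INT_NET" -D 0/0 -W "$INT_IF"
}

# Print the rule set for review. Insert these where the original script
# has the private-network accept and the two high-port accepts, keeping
# the rest of the script (policies, flush, localhost, ICMP, ALLOW loop).
antispoof_rules
high_port_rules
```

Note that `-k` only narrows TCP; the open UDP range is still there, and the ALLOW loop's source-port rules in the original script are unaffected by this change.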