To the list;
I have been using OpenBSD 2.8 (with stock IPFilter) and it has been
working great with carefully defined inbound traffic (3 inbound
ports open 25, 80, 110 with only TCP connections allowed) and wide
open outbound traffic (TCP, UDP, ICMP). The inbound traffic is
redirected by IPFilter to a DMZ stationed email/web server using
IPNat.
I now want to tighten down the outbound traffic so only FTP, SMTP,
DNS, HTTP, POP3, HTTPS go out. I redefined my outbound rules to
specifically allow the above protocols in TCP and UDP. I also
redefined my IPNat rules to account for the FTP (passive) problems.
However, when I bring the new rules online, a couple things
happen....
1) I do a port scan on the exterior and find that all is well
except for the 3 ports that should be open are now listed as
closed; and,
2) The correct outbound traffic as defined above is going out but
there is a hesitation for about a minute or more on all outbound
passive FTP connections and the download/upload speeds are very,
very slow.
I have attached the new rules I created for both IPFilter and IPNat
below. If someone can see where I've made an error (or errors) and
point them out, it would be much appreciated!
TIA!
Russell
[Attachment: testIPFrules.txt]
# Block all packets by default.
# inside interface is xl0
# outside (internet) interface is rl0
#
# Block all spoofing and multicast stuff from internet
#
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from any to 224.0.0.0/8
block in quick on rl0 from 224.0.0.0/24 to any
block in quick on rl0 from any to 0.0.0.0/32
block in quick on rl0 from 0.0.0.0/32 to any
block in quick on rl0 from any to 255.255.255.255/32
block in quick on rl0 from 255.255.255.255/32 to any
block in quick on xl0 from 192.168.0.0/16 to any
block in quick on xl0 from 172.16.0.0/12 to any
block in quick on xl0 from 224.0.0.0/8 to any
block in quick on xl0 from 0.0.0.0/32 to any
block in quick on xl0 from any to 0.0.0.0/32
block out quick on rl0 from 192.168.0.0/16 to any
block out quick on rl0 from 172.16.0.0/12 to any
block out quick on rl0 from 224.0.0.0/8 to any
block out quick on rl0 from 0.0.0.0/32 to any
block out quick on rl0 from 255.255.255.255/32 to any
#
# Block all questionable packets from internet
#
block in quick on rl0 proto icmp from any to any
block in quick on rl0 all with short
block in quick on rl0 all with opt lsrr
block in quick on rl0 all with opt ssrr
#
# Block by default all traffic from internet
#
block in on rl0 all
#
# Pass in certain TCP traffic from internet but watch it
#
pass in quick on rl0 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 110 flags S keep state keep frags
pass out quick on xl0 proto tcp from any to 10.10.10.2/32 keep state
#
# Control traffic from inside but watch it
#
pass in quick on xl0 proto tcp from 10.10.10.0/24 to any port = 20 keep state
pass in quick on xl0 proto tcp from 10.10.10.0/24 to any port = 21 keep state
pass in quick on xl0 proto tcp from 10.10.10.0/24 to any port = 25 keep state
pass in quick on xl0 proto tcp from 10.10.10.0/24 to any port = 53 keep state
pass in quick on xl0 proto tcp from 10.10.10.0/24 to any port = 80 keep state
pass in quick on xl0 proto tcp from 10.10.10.0/24 to any port = 110 keep state
pass in quick on xl0 proto tcp from 10.10.10.0/24 to any port = 443 keep state
pass in quick on xl0 proto udp from 10.10.10.0/24 to any port = 20 keep state
pass in quick on xl0 proto udp from 10.10.10.0/24 to any port = 21 keep state
pass in quick on xl0 proto udp from 10.10.10.0/24 to any port = 53 keep state
pass in quick on xl0 proto udp from 10.10.10.0/24 to any port = 80 keep state
pass in quick on xl0 proto udp from 10.10.10.0/24 to any port = 110 keep state
pass in quick on xl0 proto udp from 10.10.10.0/24 to any port = 443 keep state
pass in quick on xl0 proto icmp from 10.10.10.3/24 to any keep state
pass out quick on rl0 proto tcp from any to any keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
#
# Finish with a block again to ensure unknown traffic stops
#
block in quick on rl0 all
block out quick on rl0 all
block in quick on xl0 all
block out quick on xl0 all
#
# End of File
#
[Attachment: testIPNatrules.txt]
rdr rl0 0/32 port 25 -> 10.10.10.2 port 25
rdr rl0 0/32 port 80 -> 10.10.10.2 port 80
rdr rl0 0/32 port 110 -> 10.10.10.2 port 110
map rl0 10.10.10.0/24 -> 0/32 proxy port ftp ftp/tcp
map rl0 10.10.10.0/24 -> 0/32 portmap tcp/udp 10000:20000
map rl0 10.10.10.0/24 -> 0/32
A few points to note:
- You only need the udp traffic there for port 53 (i.e. Domain). The rest only
truly do traffic over tcp. (I know they're allowed to do it over udp but
AFAIK there are no servers that support the use of it.)
- A quick explanation of FTP follows:
  Active:
    Client:  port > 1023 -> port 21
    Server:  port 20 -> port > 1023
  Passive:
    Client:  port > 1023 -> port 21
             port > 1023 -> port > 1023
    Server:  none
Also look into using groups, using flags for your own network's traffic and not
trusting your network to send out legal traffic (there's a lot more you can do
as far as untrusted traffic going in and out.)
If you haven't already, read the FAQ and HOWTO.
Paul.
On Fri, 6 Apr 2001, Russell Morrison wrote:
--
Paul Armstrong <ar...@cyber.com.au>
Cybersource Pty/Ltd. Unix system administration and web development.
Floor 9 / 140 Queen St. Melbourne. Ph: 9624 5997 Fax: 9642 5998
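To tie Paul's FTP breakdown back to Russell's posted rule set, here is an added Python example (not code from the thread): a small matcher that applies ipf's quick / last-match semantics to a constructed excerpt of the rules above. Interface names, the 10.10.10.0/24 LAN and the 10.10.10.2 server come from the thread; 203.0.113.7 and 198.51.100.9 are made-up remote hosts, and the inbound packet is assumed to already carry the rdr-translated destination, as ipnat rewrites inbound packets before ipf filters them.

```python
import ipaddress
import re
# Matcher for the ipf.rules dialect posted above (constructed subset: action,
# direction, quick, interface, proto, from/to and an optional destination port;
# "flags", "keep state" and "with" clauses are accepted but not interpreted).
RULE_RE = re.compile(
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+(?P<quick>quick\s+)?on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?\s+(?:from\s+(?P<src>\S+)|all)"
    r"(?:\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?)?", re.I)

def parse_rules(text):
    lines = (line.strip() for line in text.splitlines())
    return [m.groupdict() for m in map(RULE_RE.match, lines) if m]

def in_net(ip, spec):
    if spec.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, pkt):
    return (r["dir"].lower() == pkt["dir"] and r["iface"] == pkt["iface"]
            and (r["proto"] is None or r["proto"].lower() == pkt["proto"])
            and (r["src"] is None or in_net(pkt["src"], r["src"]))
            and (r["dst"] is None or in_net(pkt["dst"], r["dst"]))
            and (r["dport"] is None or int(r["dport"]) == pkt["dport"]))

def decide(rules, pkt):
    # ipf semantics: the last matching rule wins unless a matching rule says
    # "quick", which ends evaluation; a packet matching no rule at all is passed.
    verdict, index = "pass", None
    for i, r in enumerate(rules):
        if rule_matches(r, pkt):
            verdict, index = r["action"].lower(), i
            if r["quick"]:
                break
    return verdict, index

def pkt(dir_, iface, proto, src, dst, dport):
    return dict(dir=dir_, iface=iface, proto=proto, src=src, dst=dst, dport=dport)

# Constructed excerpt of the posted rule set, order preserved.
RULES = parse_rules("""
block in quick on rl0 from 10.0.0.0/8 to any
block in on rl0 all
pass in quick on rl0 proto tcp from any to any port = 25 flags S keep state keep frags
pass in quick on xl0 proto tcp from 10.10.10.0/24 to any port = 21 keep state
block in quick on xl0 all
""")

PASV_DATA = pkt("in", "xl0", "tcp", "10.10.10.5", "203.0.113.7", 40001)  # passive-FTP data leg from the LAN
```

The passive-FTP data connection from the LAN matches nothing but the closing "block in quick on xl0 all", because the posted xl0 pass rules only list fixed ports (20, 21, 25, 53, 80, 110, 443) and none of them covers the high-port-to-high-port leg in Paul's breakdown.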
hth, (hope this helps)
SSS
> TIA!
>
> Russell
> #> rdr rl0 0/32 port 25 -> 10.10.10.2 port 25
> rdr rl0 0/32 port 80 -> 10.10.10.2 port 80
> rdr rl0 0/32 port 110 -> 10.10.10.2 port 110
> map rl0 10.10.10.0/24 -> 0/32 proxy port ftp ftp/tcp
> map rl0 10.10.10.0/24 -> 0/32 portmap tcp/udp 10000:20000
> map rl0 10.10.10.0/24 -> 0/32
=====
SRR