Firewall Testing

About VESARiA

3.5 What are some reasonable filtering rules for a kernel-based packet screen?

There are four basic categories covered by the ipfwadm rules:

-A

Packet Accounting

-I

Input firewall

-O

Output firewall

-F

Forwarding firewall

ipfwadm also has masquerading (-M) capabilities. For more information on switches and options, see the ipfwadm man page.

3.5.1 Implementation

Here, our organization is using a private (RFC 1918) Class C network 192.168.1.0. Our ISP has assigned us the address 201.123.102.32 for our gateway's external interface and 201.123.102.33 for our external mail server. Organizational policy says:

• Allow all outgoing TCP connections
• Allow incoming SMTP and DNS to external mail server
• Block all other traffic

The following block of commands can be placed in a system boot file (perhaps rc.local on Unix systems).

      ipfwadm -F -f
      ipfwadm -F -p deny
      ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 25
      ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
      ipfwadm -F -i m -b -P udp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
      ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0

      /sbin/route add -host 201.123.102.33 gw 192.168.1.2

3.5.2 Explanation

• Line one flushes (-f) all forwarding (-F) rules.
• Line two sets the default policy (-p) to deny.
• Lines three through five are input rules (-i) in the following format:

  ipfwadm -F (forward) -i (input) m (masq.) -b (bi-directional) -P protocol)[protocol]-S (source)[subnet/mask] [originating ports]-D (destination)[subnet/mask][port]

• Line six appends (-a) a rule that permits all internal IP addresses out to all external addresses on all protocols, all ports.
• Line eight adds a route so that traffic going to 201.123.102.33 will be directed to the internal address 192.168.1.2.

Vesaria

3640 Fords Lane, Suite D
Baltimore, MD 21215
443 - 501 - 4044