VESARiA Network Security Specialists
3.5 What are some reasonable filtering rules for a kernel-based packet screen?

This example is written specifically for ipfwadm on Linux, but the principles (and even much of the syntax) apply to other kernel packet-screening interfaces on "open source" Unix systems.

There are four basic categories covered by the ipfwadm rules:

  • -A  Packet Accounting
  • -I  Input firewall
  • -O  Output firewall
  • -F  Forwarding firewall

ipfwadm also has masquerading (-M) capabilities. For more information on switches and options, see the ipfwadm man page.

3.5.1 Implementation

Here, our organization is using a private (RFC 1918) Class C network 192.168.1.0. Our ISP has assigned us the address 201.123.102.32 for our gateway's external interface and 201.123.102.33 for our external mail server. Organizational policy says:

  • Allow all outgoing TCP connections
  • Allow incoming SMTP and DNS to external mail server
  • Block all other traffic

The following block of commands can be placed in a system boot file (perhaps rc.local on Unix systems).

      ipfwadm -F -f
      ipfwadm -F -p deny
      ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 25
      ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
      ipfwadm -F -i m -b -P udp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
      ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0

      /sbin/route add -host 201.123.102.33 gw 192.168.1.2

3.5.2 Explanation

  • Line one flushes (-f) all forwarding (-F) rules.
  • Line two sets the default policy (-p) to deny.
  • Lines three through five are input rules (-i) in the following format:

    ipfwadm -F (forward) -i (input) m (masq.) -b (bi-directional) -P (protocol) [protocol] -S (source) [subnet/mask] [originating ports] -D (destination) [subnet/mask] [port]

  • Line six appends (-a) a rule that permits all internal IP addresses out to all external addresses on all protocols, all ports.
  • Line eight adds a route so that traffic going to 201.123.102.33 will be directed to the internal address 192.168.1.2.
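To see how the chain above actually decides on a packet (default policy, first matching rule, the 1024:65535 originating-port filter, and what -b adds), here is an added simulator in Python that parses the page's six ipfwadm lines into a rule table and screens constructed sample packets against it. This is example code written for this page, not ipfwadm or any Vesaria tool; the sample addresses 198.51.100.7 and 203.0.113.9 are constructed (documentation ranges), and the model covers only the options the page uses.

```python
import shlex
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]

# The command block from the page; the route line is skipped by the parser.
PAGE_RULES = """
ipfwadm -F -f
ipfwadm -F -p deny
ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 25
ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
ipfwadm -F -i m -b -P udp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0
/sbin/route add -host 201.123.102.33 gw 192.168.1.2
"""

@dataclass
class Rule:
    action: str                  # accept, deny, reject, or m (masquerade = accept + NAT)
    proto: str = "all"           # -P; "all" when absent
    src: IPv4Network = field(default_factory=lambda: ip_network("0.0.0.0/0"))
    sports: List[PortRange] = field(default_factory=list)   # empty = any port
    dst: IPv4Network = field(default_factory=lambda: ip_network("0.0.0.0/0"))
    dports: List[PortRange] = field(default_factory=list)
    bidirectional: bool = False  # -b: also match with source and destination swapped
    iface: Optional[str] = None  # -W: recorded only; this model does not track interfaces

@dataclass
class Chain:
    policy: str = "accept"       # -p: verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

@dataclass
class Packet:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def _parse_ports(token: str) -> PortRange:
    """'25' -> (25, 25); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = token.partition(":")
    return (int(lo), int(hi or lo))

def _parse_rule(args: List[str]) -> Rule:
    """Options after -i/-a: <policy> [-b] [-P proto] -S net [ports] -D net [ports] [-W if]."""
    rule, i = Rule(action=args[0]), 1
    while i < len(args):
        opt = args[i]
        if opt == "-b":
            rule.bidirectional, i = True, i + 1
        elif opt in ("-P", "-W"):
            setattr(rule, "proto" if opt == "-P" else "iface", args[i + 1])
            i += 2
        elif opt in ("-S", "-D"):
            net, i, ports = ip_network(args[i + 1], strict=False), i + 2, []  # bare host -> /32
            while i < len(args) and not args[i].startswith("-"):   # port list follows the address
                ports.append(_parse_ports(args[i]))
                i += 1
            if opt == "-S":
                rule.src, rule.sports = net, ports
            else:
                rule.dst, rule.dports = net, ports
        else:
            raise ValueError(f"option {opt} is not modelled")
    return rule

def parse_ipfwadm(script: str) -> Chain:
    """Build a forwarding chain from ipfwadm command lines (-F chain only)."""
    chain = Chain()
    for line in script.splitlines():
        args = shlex.split(line)
        if not args or args[0] != "ipfwadm":
            continue                                   # blank line or e.g. the route command
        if args[1] != "-F":
            raise ValueError("only the forwarding chain (-F) is modelled")
        cmd = args[2]
        if cmd == "-f":
            chain.rules.clear()                        # flush
        elif cmd == "-p":
            chain.policy = args[3]                     # default policy
        elif cmd == "-i":
            chain.rules.insert(0, _parse_rule(args[3:]))   # insert at head of chain
        elif cmd == "-a":
            chain.rules.append(_parse_rule(args[3:]))      # append at tail
        else:
            raise ValueError(f"command {cmd} is not modelled")
    return chain

def _ports_ok(ranges: List[PortRange], port: Optional[int]) -> bool:
    return not ranges or (port is not None and any(lo <= port <= hi for lo, hi in ranges))

def _one_way(pkt, src, sports, dst, dports) -> bool:
    return (ip_address(pkt.src) in src and ip_address(pkt.dst) in dst
            and _ports_ok(sports, pkt.sport) and _ports_ok(dports, pkt.dport))

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if _one_way(pkt, rule.src, rule.sports, rule.dst, rule.dports):
        return True
    # -b: the same rule also matches the reverse direction (e.g. the mail server's replies)
    return rule.bidirectional and _one_way(pkt, rule.dst, rule.dports, rule.src, rule.sports)

def verdict(chain: Chain, pkt: Packet) -> str:
    """First matching rule decides; otherwise the chain's default policy applies."""
    for rule in chain.rules:
        if rule_matches(rule, pkt):
            return "accept" if rule.action == "m" else rule.action
    return chain.policy

if __name__ == "__main__":
    chain = parse_ipfwadm(PAGE_RULES)
    samples = [   # constructed packets
        ("SMTP to mail server", Packet("tcp", "198.51.100.7", 40000, "201.123.102.33", 25)),
        ("SSH to mail server", Packet("tcp", "198.51.100.7", 40000, "201.123.102.33", 22)),
        ("SMTP from source port 1023", Packet("tcp", "198.51.100.7", 1023, "201.123.102.33", 25)),
        ("mail server's reply (-b)", Packet("tcp", "201.123.102.33", 25, "198.51.100.7", 40000)),
        ("internal host to web", Packet("tcp", "192.168.1.10", 51000, "203.0.113.9", 443)),
    ]
    for label, pkt in samples:
        print(f"{label:28} -> {verdict(chain, pkt)}")
```

Two things the run makes visible that the rule listing alone does not: an SMTP connection from a source port below 1024 is dropped by the default policy, because rules three through five only admit originating ports 1024:65535, and the mail server's replies are admitted only because of -b, while rule six carries no -b, so the model denies unsolicited packets aimed at the internal network (in a real kernel, replies to masqueraded outbound connections are handled by the masquerading code before the forwarding rules are consulted, which this model does not emulate). Note also that ipfwadm's -i and -a are both commands that add a rule (-i inserts at the head of the chain, -a appends at the tail); the input firewall category is selected with -I.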
Vesaria, LLC



Firewall FAQ
Previous Section: What are some cheap packet screening tools?

Next Section: What are some reasonable filtering rules for a Cisco?
© 2000 - 2017 Vesaria Network Security Specialists        