https://coderonline.de/security/firewalls/ Recent content in firewalls on CoderOnline Hugo en Fri, 08 Nov 2024 19:51:19 +0100 https://coderonline.de/security/firewalls/pfctl-cheat-sheet/ Sat, 03 Oct 2015 19:09:40 +0200 https://coderonline.de/security/firewalls/pfctl-cheat-sheet/ <h3 id="generic"> Generic <a class="anchor" href="#generic">#</a> </h3> <p>Only those commands, which you will probably require for setting pf up.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>pfctl -s Tables ;<span style="color:#75715e"># lists all tables currently loaded</span> </span></span><span style="display:flex;"><span>pfctl -t <span style="color:#f92672">[</span>TABLENAME<span style="color:#f92672">]</span> -T show ;<span style="color:#75715e"># shows content of table [TABLENAME]</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>tcpdump -n -e -ttt -r /var/log/pflog </span></span><span style="display:flex;"><span>tcpdump -n -e -ttt -i pflog0 </span></span></code></pre></div><h3 id="anchors"> Anchors <a class="anchor" href="#anchors">#</a> </h3> <p><a href="https://coderonline.de/security/intrusion-prevention/fail2ban/">Fail2ban</a> has recently switched to using anchors to avoid unnecessary reloading of the whole rule set. That was the first time I had to do with anchors and since I could not figure out a simple way to display the contents of all private tables (<em>which can be described as subtables of anchors</em>), I came up with this solution for my collectd monitoring:</p> https://coderonline.de/security/firewalls/ipfw/ Thu, 27 Aug 2015 21:51:26 +0200 https://coderonline.de/security/firewalls/ipfw/ <p>Here comes an ipfw-configuration on which I was working on. It should redirect some ports to the host system, others into jails and on top of that limit on which ports jails and host are allowed to communicate with outside. Additionally I have configured a one second delay for the initial SSH connection, which is supposed to render brute force attacks less attractive.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#75715e"># /usr/local/etc/2015-10-01.ipfw</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ================================================================================</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># clean up/ reset everything...</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">flush</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">queue flush</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">pipe flush</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">table all flush</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">resetlog</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ================================================================================</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># table 1: dns</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">table 1 add 213.133.99.99 </span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">table 1 add 213.133.100.100 </span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">table 1 add 213.133.98.98 </span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># table 2: jails</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">table 2 add 10.0.0.0/24</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># nat </span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">nat 1 config if vtnet0 redirect_port tcp 10.0.0.100:8080 172.31.1.100:80</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># pipes (requires kldload dummynet)</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">pipe 1 config delay 1000</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">pipe 2 config delay 200</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ================================================================================</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 100 pass all from any to any via lo0</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 200 deny all from any to 127.0.0.0/8</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 300 deny ip from 127.0.0.0/8 to any // ipv4 lo0 oubound</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 400 deny all from any to ::1 // ipv6 lo0 inbound</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 500 deny all from ::1 to any // ipv6 lo0 outbound</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 1000 set 0 allow icmp from any to me in via vtnet0 // icmp4 incoming</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 1100 set 1 allow ipv6-icmp from any to me6 in via vtnet0 // icmp6 incoming </span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 1200 set 0 allow icmp from me to any out via vtnet0 // icmp4 outgoing</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ================================================================================</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 1400 allow udp from me to table(1) 53 out // allow dns</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># slow down first ssh connection (setup) by using pipe 1...</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 1500 allow tcp from me 22 to any // ssh-&gt;any</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 1600 allow tcp from any to me 22 not setup // any-&gt;me(22), not setup</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 1700 pipe 1 tcp from any to me 22 setup // any-&gt;me(22), setup</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ================================================================================</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 2000 check-state</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 2100 allow ip from me to any setup keep-state out // outgoing connections</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ================================================================================</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 64000 nat 1 udp from any to any // udp-&gt;nat</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 64000 nat 1 tcp from any to me dst-port 80 in // tcp-&gt;nat</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 64000 nat 1 tcp from me to any out // nat-&gt;any</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ================================================================================</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">add 65000 deny log ip from any to any // deny everything else, but log it</span> </span></span></code></pre></div> https://coderonline.de/security/firewalls/iptables/ Thu, 26 Mar 2015 05:14:26 +0100 https://coderonline.de/security/firewalls/iptables/ <p>iptables is used to configure the linux kernel based firewall. Quite substatial is its ability to open and close ports, which I will discuss here. One should also be aware that iptables can be used to route traffic as well.</p> <h2 id="view-active-rules"> View active rules <a class="anchor" href="#view-active-rules">#</a> </h2> <p>To view the rules in action <code>watch</code> can be used like so:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>watch -d -n.1 iptables -L -v -n --line-numbers </span></span></code></pre></div><p>This will output a number of tables, called <code>CHAIN</code>, which are usually named <code>INPUT</code>, <code>OUTPUT</code> and <code>FORWARD</code>. As that name suggests these indicate the direction the traffic comes from or goes to.</p>