-rw-r--r-- | etc/ipf.rules | 9 | ||||
-rw-r--r-- | etc/netstart | 12 | ||||
-rw-r--r-- | etc/rc | 4 | ||||
-rw-r--r-- | share/ipf/Makefile | 13 | ||||
-rw-r--r-- | share/ipf/example.1 | 4 | ||||
-rw-r--r-- | share/ipf/example.10 | 12 | ||||
-rw-r--r-- | share/ipf/example.11 | 26 | ||||
-rw-r--r-- | share/ipf/example.12 | 17 | ||||
-rw-r--r-- | share/ipf/example.13 | 61 | ||||
-rw-r--r-- | share/ipf/example.14 | 10 | ||||
-rw-r--r-- | share/ipf/example.2 | 4 | ||||
-rw-r--r-- | share/ipf/example.3 | 40 | ||||
-rw-r--r-- | share/ipf/example.4 | 4 | ||||
-rw-r--r-- | share/ipf/example.5 | 25 | ||||
-rw-r--r-- | share/ipf/example.6 | 5 | ||||
-rw-r--r-- | share/ipf/example.7 | 12 | ||||
-rw-r--r-- | share/ipf/example.8 | 10 | ||||
-rw-r--r-- | share/ipf/example.9 | 12 |
18 files changed, 280 insertions, 0 deletions
diff --git a/etc/ipf.rules b/etc/ipf.rules
new file mode 100644
index 00000000000..24ed030709a
--- /dev/null
+++ b/etc/ipf.rules
@@ -0,0 +1,9 @@
+#
+# IP filtering rules. See the ipf(5) man page for more
+# information on the format of this file, and /usr/share/ipf
+# for example configuration files.
+#
+# Pass all packets by default.
+#
+pass in from any to any
+pass out from any to any
diff --git a/etc/netstart b/etc/netstart
index f27081374ff..083167f053f 100644
--- a/etc/netstart
+++ b/etc/netstart
@@ -20,12 +20,15 @@ nfs_client=NO
 gated=NO
 kerberos_server=NO
 amd=NO
+ipfilter=NO
 
 # miscellaneous other flags
 # only used if the appropriate server is marked YES above
 gated_flags=
 amd_dir=/amd # AMD's mount directory
 amd_master=/etc/amd/master # AMD 'master' map
+ipfilter_rules=/etc/ipf.rules # Rules for IP packet filtering
+ipmon_flags=-s # To disable logging, use ipmon_flags=NO
 
 # /etc/myname contains my symbolic name
 #
@@ -35,6 +38,15 @@ if [ -f /etc/defaultdomain ]; then
 	domainname `cat /etc/defaultdomain`
 fi
 
+# Configure the IP filter before configuring network interfaces
+#
+if [ X"${ipfilter}" = X"YES" -a -f "${ipfilter_rules}" ]; then
+	echo 'configuring IP filter'
+	ipf -Fa -f ${ipfilter_rules} -E
+else
+	ipfilter=NO
+fi
+
 # configure all of the interfaces which we know about.
 # do this by reading /etc/hostname.* files, where * is the name
 # of a given interface.
@@ -80,6 +80,10 @@ echo 'starting network'
 mount /usr >/dev/null 2>&1
 mount /var >/dev/null 2>&1
 
+if [ X"${ipfilter}" = X"YES" -a X"${ipmon_flags}" != X"NO" ]; then
+	ipmon ${ipmon_flags} &
+fi
+
 # clean up left-over files
 rm -f /etc/nologin
 rm -f /var/spool/lock/LCK.*
diff --git a/share/ipf/Makefile b/share/ipf/Makefile
new file mode 100644
index 00000000000..5d009fff9c1
--- /dev/null
+++ b/share/ipf/Makefile
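Review bot: The exit status of `ipf -Fa -f ${ipfilter_rules} -E` in the second etc/netstart hunk is never checked, so a rules file that fails to parse leaves `ipfilter` set to YES, the filter enabled after `-Fa` has flushed the old set (presumably with only whatever ipf accepted before the error), and the third hunk still starts ipmon as if the load had succeeded. A guard such as `ipf -Fa -f "${ipfilter_rules}" -E || { echo "ipf: failed to load ${ipfilter_rules}" >&2; ipfilter=NO; }` keeps the two hunks consistent and also quotes the path the way the `-f` test already does. The `else ipfilter=NO` branch silently disables filtering when the rules file is missing; a one-line diagnostic there, e.g. `echo "ipfilter: ${ipfilter_rules} not found, IP filter not enabled" >&2`, would save an operator from assuming the filter is active.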
@@ -0,0 +1,13 @@
+#
+# $Id: Makefile,v 1.1 1996/01/09 09:29:32 dm Exp $
+#
+FILES= example.*
+NOOBJ= noobj
+
+all clean cleandir depend lint tags:
+
+install:
+	install -d ${DESTDIR}${BINDIR}/ipf
+	install -c -m 0444 ${FILES} ${DESTDIR}${BINDIR}/ipf
+
+.include <bsd.prog.mk>
diff --git a/share/ipf/example.1 b/share/ipf/example.1
new file mode 100644
index 00000000000..604346e13db
--- /dev/null
+++ b/share/ipf/example.1
@@ -0,0 +1,4 @@
+#
+# block all incoming TCP packets on le0 from host "foo" to any destination.
+#
+block in on le0 proto tcp from foo/32 to any
diff --git a/share/ipf/example.10 b/share/ipf/example.10
new file mode 100644
index 00000000000..477c2e071a0
--- /dev/null
+++ b/share/ipf/example.10
@@ -0,0 +1,12 @@
+#
+# pass ack packets (ie established connection)
+#
+pass in proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
+pass out proto tcp 10.1.0.0/16 port = 23 10.2.0.0/16 flags A/A
+#
+# block incoming connection requests to my internal network from the big bad
+# internet.
+#
+block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
+# to block the replies:
+block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
diff --git a/share/ipf/example.11 b/share/ipf/example.11
new file mode 100644
index 00000000000..7fc26ebdca3
--- /dev/null
+++ b/share/ipf/example.11
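Review bot: The install target places the examples under `${DESTDIR}${BINDIR}/ipf`, while the new /etc/ipf.rules tells users to look in /usr/share/ipf; the two only agree if BINDIR is overridden to /usr/share for this subtree, presumably by a share-level Makefile.inc that is not part of this diff. A comment above the target, `# BINDIR is expected to be /usr/share here, so the examples land in /usr/share/ipf as referenced by /etc/ipf.rules`, would make that dependency explicit for anyone building the directory standalone.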
@@ -0,0 +1,26 @@
+#
+# allow any TCP packets from the same subnet as foo is on through to host
+# 10.1.1.2 if they are destined for port 6667.
+#
+pass in proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+#
+# allow in UDP packets which are NOT from port 53 and are destined for
+# localhost
+#
+pass in proto udp from fubar port != 53 to localhost
+#
+# block anything trying to get to X terminal ports, X:0 to X:9
+#
+block in proto tcp from any to any port 5999 >< 6010
+#
+# allow any connections to be made, except to BSD print/r-services
+# this will also protect syslog.
+#
+block in proto tcp/udp all
+pass in proto tcp/udp from any to any port 512 <> 515
+#
+# allow any connections to be made, except to BSD print/r-services
+# this will also protect syslog.
+#
+pass in proto tcp/udp all
+block in proto tcp/udp from any to any port 511 >< 516
diff --git a/share/ipf/example.12 b/share/ipf/example.12
new file mode 100644
index 00000000000..c0ba1d3cdda
--- /dev/null
+++ b/share/ipf/example.12
@@ -0,0 +1,17 @@
+#
+# get rid of all short IP fragments (too small for valid comparison)
+#
+block in proto tcp all with short
+#
+# drop and log any IP packets with options set in them.
+#
+block in log all with ipopts
+#
+# log packets with BOTH ssrr and lsrr set
+#
+log in all with opt lsrr,ssrr
+#
+# drop any source routing options
+#
+block in quick all with opt lsrr
+block in quick all with opt ssrr
diff --git a/share/ipf/example.13 b/share/ipf/example.13
new file mode 100644
index 00000000000..c4c1994030b
--- /dev/null
+++ b/share/ipf/example.13
@@ -0,0 +1,61 @@
+#
+# log all inbound packet on le0 which has IP options present
+#
+log in on le0 from any to any with ipopts
+#
+# block any inbound packets on le0 which are fragmented and "too short" to
+# do any meaningful comparison on. This actually only applies to TCP
+# packets which can be missing the flags/ports (depending on which part
+# of the fragment you see).
+#
+block in log quick on le0 from any to any with short frag
+#
+# log all inbound TCP packets with the SYN flag (only) set
+# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
+# had IP options present, this rule and the above would cause it
+# to be logged twice).
+#
+log in on le0 proto tcp from any to any flags S/SA
+#
+# block and log any inbound ICMP unreachables
+#
+block in log on le0 proto icmp from any to any icmp-type unreach
+#
+# block and log any inbound UDP packets on le0 which are going to port 2049
+# (the NFS port).
+#
+block in log on le0 proto udp from any to any port = 2049
+#
+# quickly allow any packets to/from a particular pair of hosts
+#
+pass in quick from any to 10.1.3.2/32
+pass in quick from any to 10.1.0.13/32
+pass in quick from 10.1.3.2/32 to any
+pass in quick from 10.1.0.13/32 to any
+#
+# block (and stop matching) any packet with IP options present.
+#
+block in quick on le0 from any to any with ipopts
+#
+# allow any packet through
+#
+pass in from any to any
+#
+# block any inbound UDP packets destined for these subnets.
+#
+block in on le0 proto udp from any to 10.1.3.0/24
+block in on le0 proto udp from any to 10.1.1.0/24
+block in on le0 proto udp from any to 10.1.2.0/24
+#
+# block any inbound TCP packets with only the SYN flag set that are
+# destined for these subnets.
+#
+block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
+block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
+block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
+#
+# block any inbound ICMP packets destined for these subnets.
+#
+block in on le0 proto icmp from any to 10.1.3.0/24
+block in on le0 proto icmp from any to 10.1.1.0/24
+block in on le0 proto icmp from any to 10.1.2.0/24
diff --git a/share/ipf/example.14 b/share/ipf/example.14
new file mode 100644
index 00000000000..a7120527a28
--- /dev/null
+++ b/share/ipf/example.14
@@ -0,0 +1,10 @@
+#
+# For a network server, which has two interfaces, 128.1.40.1 (le0) and
+# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
+# connected to the majority of the network, whilst le0 is connected to a
+# leaf subnet. We're not concerned about filtering individual services.
+#
+pass in quick on le0 from 128.1.40.0/24 to any
+block in quick log on le0 from any to any
+block in quick log on le1 from 128.1.40.0/24 to any
+pass in quick on le1 from any to any
diff --git a/share/ipf/example.2 b/share/ipf/example.2
new file mode 100644
index 00000000000..d3333b37e9f
--- /dev/null
+++ b/share/ipf/example.2
@@ -0,0 +1,4 @@
+#
+# block all outgoing TCO packets on le0 from any host to port 23 of host bar.
+#
+block out on le0 proto tcp from any to bar/32 port != 23
diff --git a/share/ipf/example.3 b/share/ipf/example.3
new file mode 100644
index 00000000000..cd31f73e7c2
--- /dev/null
+++ b/share/ipf/example.3
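Review bot: In share/ipf/example.2 the comment and the rule disagree: the comment describes blocking outgoing TCP to port 23 of host bar, but the rule uses `port != 23`, which blocks every outgoing TCP packet to bar except the one port the comment names. Either the rule should read `block out on le0 proto tcp from any to bar/32 port = 23` or the comment should say "to any port of host bar except 23"; an example that says one thing and does the other is the kind that gets copied into a live ruleset. The comment also has "TCO" where "TCP" is meant.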
@@ -0,0 +1,40 @@
+#
+# block all inbound packets.
+#
+block in from any to any
+#
+# pass through packets to and from localhost.
+#
+pass in from 127.0.0.1/32 to 127.0.0.1/32
+#
+# allow a variety of individual hosts to send any type of IP packet to any
+# other host.
+#
+pass in from 10.1.3.1/32 to any
+pass in from 10.1.3.2/32 to any
+pass in from 10.1.3.3/32 to any
+pass in from 10.1.3.4/32 to any
+pass in from 10.1.3.5/32 to any
+pass in from 10.1.0.13/32 to any
+pass in from 10.1.1.1/32 to any
+pass in from 10.1.2.1/32 to any
+#
+#
+# block all outbound packets.
+#
+block out from any to any
+#
+# allow any packets destined for localhost out.
+#
+pass out from any to 127.0.0.1/32
+#
+# allow any host to send any IP packet out to a limited number of hosts.
+#
+pass out from any to 10.1.3.1/32
+pass out from any to 10.1.3.2/32
+pass out from any to 10.1.3.3/32
+pass out from any to 10.1.3.4/32
+pass out from any to 10.1.3.5/32
+pass out from any to 10.1.0.13/32
+pass out from any to 10.1.1.1/32
+pass out from any to 10.1.2.1/32
diff --git a/share/ipf/example.4 b/share/ipf/example.4
new file mode 100644
index 00000000000..23aea7edf96
--- /dev/null
+++ b/share/ipf/example.4
@@ -0,0 +1,4 @@
+#
+# block all ICMP packets.
+#
+block proto icmp from any to any mask any
diff --git a/share/ipf/example.5 b/share/ipf/example.5
new file mode 100644
index 00000000000..6e122e03bc7
--- /dev/null
+++ b/share/ipf/example.5
@@ -0,0 +1,25 @@
+#
+# test ruleset
+#
+# allow packets coming from foo to bar through.
+#
+pass from foo to bar
+#
+# allow any TCP packets from the same subnet as foo is on through to host
+# 10.1.1.2 if they are destined for port 6667.
+#
+pass proto tcp from fubar/24 to 10.1.1.2/32 port = 6667
+#
+# allow in UDP packets which are NOT from port 53 and are destined for
+# localhost
+#
+pass proto udp from fubar port != 53 to localhost
+#
+# block all ICMP unreachables.
+#
+block from any to any icmp unreach
+#
+# allow packets through which have a non-standard IP header length (ie there
+# are IP options such as source-routing present).
+#
+pass from any to any with ipopts
diff --git a/share/ipf/example.6 b/share/ipf/example.6
new file mode 100644
index 00000000000..ac91fea1b25
--- /dev/null
+++ b/share/ipf/example.6
@@ -0,0 +1,5 @@
+#
+# block all TCP packets with only the SYN flag set (this is the first
+# packet sent to establish a connection) out of the SYN-ACK pair.
+#
+block proto tcp from any to any flags S/SA
diff --git a/share/ipf/example.7 b/share/ipf/example.7
new file mode 100644
index 00000000000..062de981193
--- /dev/null
+++ b/share/ipf/example.7
@@ -0,0 +1,12 @@
+# block all ICMP packets.
+#
+block in proto icmp all
+#
+# allow in ICMP echos and echo-replies.
+#
+pass in on le1 proto icmp from any to any icmp-type echo
+pass in on le1 proto icmp from any to any icmp-type echorep
+#
+# block all ICMP destination unreachable packets which are port-unreachables
+#
+block in on le1 proto icmp from any to any icmp-type unreach code 3
diff --git a/share/ipf/example.8 b/share/ipf/example.8
new file mode 100644
index 00000000000..69fa4a2d32a
--- /dev/null
+++ b/share/ipf/example.8
@@ -0,0 +1,10 @@
+#
+# block all incoming TCP connections but send back a TCP-RST for ones to
+# the ident port
+#
+block in proto tcp from any to any flags S/SA
+block return-rst in quick proto tcp from any to any flags S/SA
+#
+# block all inbound UDP packets and send back an ICMP error.
+#
+block return-icmp in proto udp from any to any
diff --git a/share/ipf/example.9 b/share/ipf/example.9
new file mode 100644
index 00000000000..77968f85d2f
--- /dev/null
+++ b/share/ipf/example.9
@@ -0,0 +1,12 @@
+#
+# drop all packets without IP security options
+#
+block in all
+pass in all with opt sec
+#
+# only allow packets in and out on le0 which are top secret
+#
+block out on le1 all
+pass out on le1 all with opt sec-class topsecret
+block in on le1 all
+pass in on le1 all with opt sec-class topsecret
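Review bot: In share/ipf/example.8 the `return-rst` rule is not limited to the ident port the comment promises: `block return-rst in quick proto tcp from any to any flags S/SA` matches every inbound SYN, and because it is `quick` it also shadows the plain `block` rule directly above it, so every new connection is answered with a RST instead of being dropped silently. Restricting it to `block return-rst in quick proto tcp from any to any port = 113 flags S/SA` (113 being the ident port) makes the rule do what the comment says and leaves the silent block in effect for everything else.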
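Review bot: The second comment in share/ipf/example.9 reads "only allow packets in and out on le0 which are top secret", but all four rules under it are written `on le1`, so the text and the rules name different interfaces. One of them needs to change; given that the `block`/`pass` pairs are consistent with each other, the comment is presumably the one that is wrong and should say `on le1`.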