Re: [cobalt-users] How to configure IPFWADM on Qube2
- Subject: Re: [cobalt-users] How to configure IPFWADM on Qube2
- From: Mike Vanecek <nospam99@xxxxxxxxxxxx>
- Date: Sat Nov 18 16:52:01 2000
- Organization: anonymous
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Wed, 15 Nov 2000 15:25:01 -0600, "Rodolfo J. Paiz (E-mail)"
<rpaiz@xxxxxxxxxxxxxx> wrote:
:>> I want to configure Cobalt Qube II as firewall for my local
:>> network. It does not support ipchains but IPFWADM.
:>> Where I can find an appropriate script to do this. Actually,
:>> any attempt to define rules and configure the firewall using
:>> the Qube administration interface fails.
:>
:>By now, we're certain that the entire IP Firewall portion of the
:>Qube GUI is broken. At least five of us have done everything but
:>rub massage oil on the damn thing, and it simply does not work.
:>
:>There is speculation that the GUI inserts malformed rules into
:>the ipfwadm interface (without using the "/m" that would denote
:>masquerading) but I've been unable to verify this.
:>
:>We'd all appreciate some input from Cobalt on this. It's a total
:>failure on a very publicized but massively broken "feature."
:>
:>Jeff (Lovell)? Anyone? HELP...
I no longer use the gui interface but have now written my own
/etc/rc.d/init.d/ipfilters
script that I use and modify as needed. Once you get the hang of it, it is
quite easy. I use the -o option to turn on logging on some of my rules, but am
very disappointed that the log messages are incomplete with regard to ports.
Still, an ipfwadm -I -len gives me an overview of what is happening with my
filters. I am thinking about installing something else that might give me more
information.
Anyone know why ipfwadm does not include the ports in the match log?
I guess I could install port sentry which would give me more information
(correct?). Anyone run port sentry on a Qube2 without difficulty?
Sample ipfilters (I do NOT use forward or masquerade so do not copy these
directly if you do):
[admin@vanecek admin]$ cd /etc/rc.d/init.d
[admin@vanecek init.d]$ cat ipfilters
#!/bin/sh
# This script sets the IP filtering rules
# This file is edited automatically by the Cobalt admin
# interface. Any changes made here may be overwritten.
# 0 = off; 1 = filter only; 2 = masq only; 3 = masq+filter
MODE=1
EXTERNAL_INTERFACE="eth0"
IPADDR="xxx.xxx.xxx.xxx" <---- removed
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
BROADCAST_DEST="255.255.255.255"
BROADCAST_SRC="0.0.0.0"
LOOPBACK="127.0.0.0/8"
# Flush all existing state
/sbin/ipfwadm -F -f
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
#Set the default policy
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -I -p accept
/sbin/ipfwadm -O -p accept
# The rules will be slightly different depending on
# if masquerading is on or not.
# Filters only
# Begin rules
# Refuse spoofed packets
/sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $IPADDR -o
# Refuse packets claiming to be private network
/sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_A -o
/sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_B -o
/sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_C -o
/sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_D_MULTICAST -o
# Refuse loopback packets
/sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $LOOPBACK -o
# Refuse malformed broadcast packets
/sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $BROADCAST_DEST -o
/sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -D $BROADCAST_SRC -o
# Refuse coba packets
/sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S xxx.xxx.31.236
# Refuse specific ports
/sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -a deny -P tcp -D 0.0.0.0/0 1:19 -o
/sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -a deny -P udp -D 0.0.0.0/0 1:19 -o
/sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -a deny -P tcp -D 0.0.0.0/0 24 -o
and so on.
Sample check:
[admin@vanecek init.d]$ ipfwadm -I -len
IP firewall input rules, default policy: accept
 pkts bytes type  prot opt  tosa tosx ifname ifaddress source           destination  ports
    0     0 deny  all  ---o 0xFF 0x00 eth0   0.0.0.0   xxx.xxx.26.245   0.0.0.0/0    n/a
    0     0 deny  all  ---o 0xFF 0x00 eth0   0.0.0.0   10.0.0.0/8       0.0.0.0/0    n/a
    0     0 deny  all  ---o 0xFF 0x00 eth0   0.0.0.0   172.16.0.0/12    0.0.0.0/0    n/a
    0     0 deny  all  ---o 0xFF 0x00 eth0   0.0.0.0   192.168.0.0/16   0.0.0.0/0    n/a
    0     0 deny  all  ---o 0xFF 0x00 eth0   0.0.0.0   224.0.0.0/4      0.0.0.0/0    n/a
    0     0 deny  all  ---o 0xFF 0x00 eth0   0.0.0.0   127.0.0.0/8      0.0.0.0/0    n/a
    0     0 deny  all  ---o 0xFF 0x00 eth0   0.0.0.0   255.255.255.255  0.0.0.0/0    n/a
    0     0 deny  all  ---o 0xFF 0x00 eth0   0.0.0.0   0.0.0.0/0        0.0.0.0      n/a
   93 16230 deny  all  ---- 0xFF 0x00 eth0   0.0.0.0   xxx.xxx.31.236   0.0.0.0/0    n/a
    0     0 deny  tcp  ---o 0xFF 0x00 eth0   0.0.0.0   0.0.0.0/0        0.0.0.0/0    * -> 1:19
    0     0 deny  udp  ---o 0xFF 0x00 eth0   0.0.0.0   0.0.0.0/0        0.0.0.0/0    * -> 1:19
etc.
Sample output from my /var/log/messages
Nov 17 21:31:29 vanecek kernel: IP fw-in deny eth0 UDP xxx.xxx.31.236:0 xxx.xxx.31.255:0 L=0 S=0x00 I=0 F=0x0000 T=0
<-------------- Notice the port information is missing in the log message
Nov 17 23:45:27 vanecek last message repeated 2 times
Nov 18 01:53:37 vanecek last message repeated 2 times
Nov 18 03:57:01 vanecek last message repeated 2 times
Nov 18 06:00:52 vanecek last message repeated 2 times
HTH, Mike.
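Added example, not Mike's ipfilters script and not Cobalt's code: a MODE-aware version of the same rule set, covering the four values the script's header comment lists (0 = off, 1 = filter only, 2 = masq only, 3 = masq+filter), so the forward-chain masquerade rule the posted script leaves out can be seen next to the input filters. The interface and addresses (EXT_IF, EXT_ADDR, INT_NET) are hypothetical, and by default every command goes through a small fw_echo helper that prints the ipfwadm line instead of loading it; run it with IPFWADM=/sbin/ipfwadm on the box to load for real.

```shell
#!/bin/sh
# Added example; not the post's ipfilters script and not Cobalt's code.
# Builds the ipfwadm rule set for each MODE the post's header comment names
# (0 = off, 1 = filter only, 2 = masq only, 3 = masq+filter). By default the
# commands are printed through fw_echo; set IPFWADM=/sbin/ipfwadm to load
# them on a 2.0-kernel box.

fw_echo() { printf '%s\n' "ipfwadm $*"; }
IPFWADM="${IPFWADM:-fw_echo}"

# Assumed interface and addresses (hypothetical; substitute your own).
EXT_IF="eth0"
EXT_ADDR="192.0.2.10"            # public address of the external interface
INT_NET="192.168.1.0/24"         # LAN behind the Qube that gets masqueraded

# Sources that must never arrive from the outside: our own address, RFC 1918
# space, multicast, loopback and the limited-broadcast address.
SPOOF_SOURCES="$EXT_ADDR 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 127.0.0.0/8 255.255.255.255"

fw_flush() {
    $IPFWADM -I -f
    $IPFWADM -O -f
    $IPFWADM -F -f
}

# Input chain (modes 1 and 3): default accept, then deny and log (-o) any
# packet on the external interface with an impossible source, or sent to 0.0.0.0.
fw_filter_rules() {
    $IPFWADM -I -p accept
    for src in $SPOOF_SOURCES; do
        $IPFWADM -I -a deny -W "$EXT_IF" -S "$src" -o
    done
    $IPFWADM -I -a deny -W "$EXT_IF" -D 0.0.0.0 -o
}

# Forward chain (modes 2 and 3): refuse all forwarding except LAN traffic
# leaving via the external interface, which is masqueraded behind EXT_ADDR.
fw_masq_rules() {
    $IPFWADM -F -p deny
    $IPFWADM -F -a masquerade -W "$EXT_IF" -S "$INT_NET" -D 0.0.0.0/0
}

# fw_apply MODE: flush, then load the rules for MODE. An unknown value returns
# 1 instead of silently leaving whatever was loaded before in place.
fw_apply() {
    case "$1" in
        0) fw_flush ;;
        1) fw_flush; fw_filter_rules ;;
        2) fw_flush; fw_masq_rules ;;
        3) fw_flush; fw_filter_rules; fw_masq_rules ;;
        *) echo "fw_apply: unknown MODE '$1'" >&2; return 1 ;;
    esac
}

# fw_rule_count MODE: how many rules (-a lines) MODE would load, computed in
# a dry-run subshell regardless of what IPFWADM is set to.
fw_rule_count() {
    (IPFWADM=fw_echo; fw_apply "$1") | grep -c ' -a ' || true
}

fw_apply "${MODE:-1}"
```

The -W on the forward rule names the interface the packet will leave by, which for the forward and output chains is what -W means in ipfwadm; on the input chain it is the receiving interface, which is why the same flag appears on both kinds of rule above.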
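Added example (mine, not from the post): a small summariser for the kernel "IP fw-in deny ..." lines of the shape shown in the /var/log/messages excerpt above, which also folds syslog's "last message repeated N times" lines back into the entry that preceded them and flags TCP/UDP entries logged with both ports at 0, the symptom the post complains about. The sample log lines are constructed for illustration with documentation addresses; the fw-out and fw-fwd chain names are an assumption by analogy with fw-in.

```shell
#!/bin/sh
# Added example, not code from the original post. Summarises 2.0-kernel
# ipfwadm log lines ("IP fw-in deny eth0 UDP src:port dst:port L=.. S=.. I=..
# F=.. T=..") and flags TCP/UDP entries logged with both ports 0.
# Chain names fw-out/fw-fwd are assumed by analogy with fw-in.

# Constructed sample log; hosts use documentation address ranges.
FW_LOG_SAMPLE='Nov 17 21:31:29 vanecek kernel: IP fw-in deny eth0 UDP 198.51.100.236:0 198.51.100.255:0 L=0 S=0x00 I=0 F=0x0000 T=0
Nov 17 21:32:10 vanecek kernel: IP fw-in deny eth0 TCP 203.0.113.7:4212 192.0.2.10:23 L=60 S=0x00 I=21811 F=0x4000 T=48
Nov 17 21:33:02 vanecek kernel: IP fw-in deny eth0 UDP 203.0.113.7:137 192.0.2.10:137 L=78 S=0x00 I=3012 F=0x0000 T=128
Nov 17 21:33:05 vanecek kernel: IP fw-in deny eth0 ICMP 203.0.113.9:8 192.0.2.10:0 L=84 S=0x00 I=100 F=0x0000 T=240
Nov 17 21:34:00 vanecek last message repeated 2 times'

# fw_summary: read syslog text on stdin and print
#   "count action proto src dst:dport flag"
# one line per distinct tuple, most frequent first. A "last message repeated
# N times" line adds N to the tuple logged just before it.
fw_summary() {
    awk '
    /IP fw-(in|out|fwd) / {
        for (i = 1; i <= NF; i++) if ($i ~ /^fw-(in|out|fwd)$/) break
        act = $(i+1); proto = $(i+3)
        split($(i+4), s, ":"); split($(i+5), d, ":")
        flag = "-"
        # TCP/UDP with both ports 0: the kernel logged no port information
        if ((proto == "TCP" || proto == "UDP") && s[2] == 0 && d[2] == 0) flag = "NOPORTS"
        key = act " " proto " " s[1] " " d[1] ":" d[2] " " flag
        count[key]++; last = key; next
    }
    /last message repeated [0-9]+ times/ && last != "" {
        for (i = 1; i <= NF; i++) if ($i == "repeated") count[last] += $(i+1)
        next
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# fw_count_noports: number of distinct TCP/UDP tuples logged without ports
# (stdin is the syslog text, as for fw_summary).
fw_count_noports() {
    fw_summary | grep -c ' NOPORTS$' || true
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$FW_LOG_SAMPLE" | fw_summary
```

Run it against the live file with `fw_summary < /var/log/messages`; a high NOPORTS count against a rule that has -o set tells you the log, not the rule, is what is losing the port numbers, which is worth knowing before reaching for a second tool.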