Re: [cobalt-users] How to configure IPFWADM on Qube2
- Subject: Re: [cobalt-users] How to configure IPFWADM on Qube2
- From: Mike Vanecek <nospam99@xxxxxxxxxxxx>
- Date: Mon Nov 20 06:38:01 2000
- Organization: anonymous
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Mon, 20 Nov 2000 12:32:01 +0100, Ould <ouldm@xxxxxxxxxxxxxxxxxxx> wrote:
:>Hi,
:>I'm again asking about a script like the one you sent me, including forwarding and
:>masquerading (they are the main things I want to do).
:>
:>Thanks
The examples below are pretty much what I put in my ipfilters (NOT using the
GUI; it will overwrite the ipfilters script). However, I am not doing
forwarding or masquerading, so it will not give you what you want. I'd be happy
to send it to you if you wish.
Another approach is to use the Cobalt web site configurator to set up the
basic format of the script. Then take that and edit it to meet your needs.
That is basically what I did. I took that info, put it into the admin GUI to
see what would be generated. I then made a copy of the ipfilters file and
started editing. As it turns out, forwarding and masquerading do not add too
much new, once you understand how it is organized. The first decision you need
to make is whether to (1) adopt a deny first, then specific allow policy, or
(2) adopt an allow first, then deny ranges of ports (my approach). Many
authors recommend approach 1, but I was not really comfortable with doing it
that way. I may change later.
Also, you may wish to visit http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
- he has an example script (towards the bottom of the page) that includes
forwarding. Another example script that has forwarding is at
http://www.xos.nl/linux/ipfwadm/paper/node8.html#SECTION00080000000000000000
HTH.
:>Mike Vanecek wrote:
:>
:>> On Wed, 15 Nov 2000 15:25:01 -0600, "Rodolfo J. Paiz (E-mail)"
:>> <rpaiz@xxxxxxxxxxxxxx> wrote:
:>>
:>> :>> I want to configure the Cobalt Qube II as a firewall for my local
:>> :>> network. It does not support ipchains but IPFWADM.
:>> :>> Where can I find an appropriate script to do this? Actually,
:>> :>> any attempt to define rules and configure the firewall using the
:>> :>> Qube administration interface fails.
:>> :>
:>> :>By now, we're certain that the entire IP Firewall portion of the
:>> :>Qube GUI is broken. At least five of us have done everything but
:>> :>rub massage oil on the damn thing, and it simply does not work.
:>> :>
:>> :>There is speculation that the GUI inserts malformed rules into
:>> :>the ipfwadm interface (without using the "/m" that would denote
:>> :>masquerading) but I've been unable to verify this.
:>> :>
:>> :>We'd all appreciate some input from Cobalt on this. It's a total
:>> :>failure on a very publicized but massively broken "feature."
:>> :>
:>> :>Jeff (Lovell)? Anyone? HELP...
:>>
:>> I no longer use the gui interface but have now written my own
:>>
:>> /etc/rc.d/init.d/ipfilters
:>>
:>> script that I use and modify as needed. Once you get the hang of it, it is
:>> quite easy. I use the -o option to turn on logging on some of my rules, but am
:>> very disappointed that the log messages are incomplete with regard to ports.
:>> Still, an ipfwadm -I -len gives me an overview of what is happening with my
:>> filters. I am thinking about installing something else that might give me more
:>> information.
:>>
:>> Anyone know why ipfwadm does not include the ports in the match log?
:>>
:>> I guess I could install port sentry which would give me more information
:>> (correct?)? Anyone run port sentry on a Qube2 without difficulty?
:>>
:>> Sample ipfilters (I do NOT use forward or masquerade so do not copy these
:>> directly if you do):
:>>
:>> [admin@vanecek admin]$ cd /etc/rc.d/init.d
:>> [admin@vanecek init.d]$ cat ipfilters
:>> #!/bin/sh
:>>
:>> # This script sets the IP filtering rules
:>> # This file is edited automatically by the Cobalt admin
:>> # interface. Any changes made here may be overwritten.
:>>
:>> # 0 = off; 1 = filter only; 2 = masq only; 3 = masq+filter
:>> MODE=1
:>> EXTERNAL_INTERFACE="eth0"
:>> IPADDR="xxx.xxx.xxx.xxx"   # <---- removed
:>> CLASS_A="10.0.0.0/8"
:>> CLASS_B="172.16.0.0/12"
:>> CLASS_C="192.168.0.0/16"
:>> CLASS_D_MULTICAST="224.0.0.0/4"
:>> BROADCAST_DEST="255.255.255.255"
:>> BROADCAST_SRC="0.0.0.0"
:>> LOOPBACK="127.0.0.0/8"
:>>
:>> # Flush all existing state
:>> /sbin/ipfwadm -F -f
:>> /sbin/ipfwadm -I -f
:>> /sbin/ipfwadm -O -f
:>>
:>> #Set the default policy
:>> /sbin/ipfwadm -F -p deny
:>> /sbin/ipfwadm -I -p accept
:>> /sbin/ipfwadm -O -p accept
:>>
:>> # The rules will be slightly different depending on
:>> # if masquerading is on or not.
:>> # Filters only
:>> # Begin rules
:>> # Refuse spoofed packets
:>> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $IPADDR -o
:>>
:>> # Refuse packets claiming to be private network
:>> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_A -o
:>> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_B -o
:>> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_C -o
:>> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $CLASS_D_MULTICAST -o
:>>
:>> # Refuse loopback packets
:>> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $LOOPBACK -o
:>>
:>> # Refuse malformed broadcast packets
:>> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S $BROADCAST_DEST -o
:>> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -D $BROADCAST_SRC -o
:>>
:>> # Refuse coba packets
:>> /sbin/ipfwadm -I -a deny -W $EXTERNAL_INTERFACE -S xxx.xxx.31.236
:>>
:>> # Refuse specific ports
:>> /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -a deny -P tcp -D 0.0.0.0/0 1:19 -o
:>> /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -a deny -P udp -D 0.0.0.0/0 1:19 -o
:>> /sbin/ipfwadm -I -W $EXTERNAL_INTERFACE -a deny -P tcp -D 0.0.0.0/0 24 -o
:>>
:>> and so on.
:>>
:>> Sample check:
:>>
:>> [admin@vanecek init.d]$ ipfwadm -I -len
:>> IP firewall input rules, default policy: accept
:>> pkts bytes type prot opt tosa tosx ifname ifaddress source destination ports
:>> 0 0 deny all ---o 0xFF 0x00 eth0 0.0.0.0 xxx.xxx.26.245 0.0.0.0/0 n/a
:>> 0 0 deny all ---o 0xFF 0x00 eth0 0.0.0.0 10.0.0.0/8 0.0.0.0/0 n/a
:>> 0 0 deny all ---o 0xFF 0x00 eth0 0.0.0.0 172.16.0.0/12 0.0.0.0/0 n/a
:>> 0 0 deny all ---o 0xFF 0x00 eth0 0.0.0.0 192.168.0.0/16 0.0.0.0/0 n/a
:>> 0 0 deny all ---o 0xFF 0x00 eth0 0.0.0.0 224.0.0.0/4 0.0.0.0/0 n/a
:>> 0 0 deny all ---o 0xFF 0x00 eth0 0.0.0.0 127.0.0.0/8 0.0.0.0/0 n/a
:>> 0 0 deny all ---o 0xFF 0x00 eth0 0.0.0.0 255.255.255.255 0.0.0.0/0 n/a
:>> 0 0 deny all ---o 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 0.0.0.0 n/a
:>> 93 16230 deny all ---- 0xFF 0x00 eth0 0.0.0.0 xxx.xxx.31.236 0.0.0.0/0 n/a
:>> 0 0 deny tcp ---o 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 0.0.0.0/0 * -> 1:19
:>> 0 0 deny udp ---o 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 0.0.0.0/0 * -> 1:19
:>>
:>> etc.
:>>
:>> Sample output from my /var/log/messages
:>>
:>> Nov 17 21:31:29 vanecek kernel: IP fw-in deny eth0 UDP xxx.xxx.31.236:0 xxx.xxx.31.255:0 L=0 S=0x00 I=0 F=0x0000 T=0
:>> <-------------- Notice the port information is missing in the log message
:>> Nov 17 23:45:27 vanecek last message repeated 2 times
:>> Nov 18 01:53:37 vanecek last message repeated 2 times
:>> Nov 18 03:57:01 vanecek last message repeated 2 times
:>> Nov 18 06:00:52 vanecek last message repeated 2 times
:>>
:>> HTH, Mike.
:>>
:>> _______________________________________________
:>> cobalt-users mailing list
:>> cobalt-users@xxxxxxxxxxxxxxx
:>> To Subscribe or Unsubscribe, please go to:
:>> http://list.cobalt.com/mailman/listinfo/cobalt-users
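Mike describes the choice between a deny-first policy (approach 1) and his allow-first one, and points to HOWTOs for the forwarding and masquerading Ould asked about. The script below is an added example, not Mike's ipfilters or the Cobalt-generated one: a deny-first rule set in the same ipfwadm syntax, with MODE=3 style masquerading. The LAN interface eth1, the 192.168.1.0/24 range, the ssh/http service list and the DRY_RUN switch are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not Mike's script: a deny-first ("approach 1") ipfilters for a
# Qube2, with MODE=3 style masquerading. Assumptions not taken from the page:
# the LAN hangs off eth1 as 192.168.1.0/24 and only ssh and http are offered to
# the outside. DRY_RUN=1 prints the ipfwadm commands instead of executing them,
# which is how to review the rule set before replacing /etc/rc.d/init.d/ipfilters.
EXTERNAL_INTERFACE="eth0"
INTERNAL_INTERFACE="eth1"            # assumed
INTERNAL_NET="192.168.1.0/24"        # assumed LAN behind the Qube
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 127.0.0.0/8"
IPFWADM="${IPFWADM:-/sbin/ipfwadm}"

# Execute one ipfwadm command, or echo it when DRY_RUN is set.
fw() {
    if [ -n "${DRY_RUN:-}" ]; then echo "ipfwadm $*"; else "$IPFWADM" "$@"; fi
}

build_rules() {
    # Flush, then deny by default on input and forwarding: anything the allow
    # rules below do not name is dropped, so a forgotten service is closed, not open.
    fw -I -f; fw -O -f; fw -F -f
    fw -I -p deny; fw -O -p accept; fw -F -p deny

    # Anti-spoofing, as in the page's script: private, multicast and loopback
    # sources never legitimately arrive on the external interface. -o logs hits.
    for net in $PRIVATE_NETS; do
        fw -I -a deny -W "$EXTERNAL_INTERFACE" -S "$net" -o
    done

    # Explicit allows on eth0: new connections only to ssh (22) and http (80),
    # replies to connections the Qube opened itself (-k = TCP ACK bit set),
    # DNS answers to unprivileged ports, and ICMP so errors and PMTU still work.
    fw -I -a accept -W "$EXTERNAL_INTERFACE" -P tcp -D 0.0.0.0/0 22 80
    fw -I -a accept -W "$EXTERNAL_INTERFACE" -P tcp -k -D 0.0.0.0/0 1024:65535
    fw -I -a accept -W "$EXTERNAL_INTERFACE" -P udp -S 0.0.0.0/0 53 -D 0.0.0.0/0 1024:65535
    fw -I -a accept -W "$EXTERNAL_INTERFACE" -P icmp

    # Trust the LAN side and masquerade it out through eth0 (the MODE=3 case).
    fw -I -a accept -W "$INTERNAL_INTERFACE"
    fw -F -a masquerade -S "$INTERNAL_NET" -D 0.0.0.0/0
    if [ -n "${DRY_RUN:-}" ]; then echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

# Only apply when explicitly asked, so sourcing the file for review is harmless.
case "${1:-}" in apply) build_rules ;; esac
```

Run `DRY_RUN=1 sh ipfilters apply` to see the exact ipfwadm calls, then `ipfwadm -I -len` afterwards, as Mike does, to confirm the kernel holds the rules you intended.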
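Mike's /var/log/messages excerpt shows what the -o option produces, and the repeated-message lines show syslog collapsing bursts. As an added example, not from the page, here is a shell/awk summariser of those "IP fw-in deny" lines that credits each "last message repeated N times" to the rule hit just before it, so per-source counts line up with the packet counters in ipfwadm -I -len. The sample log, its addresses and the fw_deny_summary/summarize_sample names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the page: summarise the "IP fw-in deny" lines that the
# -o option writes to /var/log/messages, so the 93 hits a rule reports in
# "ipfwadm -I -len" can be traced to the sources behind them. syslog collapses
# bursts into "last message repeated N times", which must be credited to the
# line that precedes it or the counts come out low. Sample lines are constructed
# in the page's log format (documentation addresses, ports show as :0 as on the page).
fw_deny_summary() {
    awk '
    /kernel: IP fw-in deny/ {
        for (i = 1; i <= NF; i++) if ($i == "fw-in") break
        # layout: fw-in deny <ifname> <proto> <src:port> <dst:port> ...
        key = $(i+2) " " $(i+3) " " $(i+4) " " $(i+5)
        count[key]++; last = key; next
    }
    /last message repeated [0-9]+ times/ {
        for (i = 1; i <= NF; i++) if ($i == "repeated") break
        if (last != "") count[last] += $(i+1)
        next
    }
    { last = "" }   # a repeat after an unrelated line belongs to that line, not to us
    END { for (k in count) print count[k], k }' | sort -rn
}

SAMPLE_LOG=$(cat <<'EOF'
Nov 17 21:31:29 vanecek kernel: IP fw-in deny eth0 UDP 192.0.2.236:0 192.0.2.255:0 L=0 S=0x00 I=0 F=0x0000 T=0
Nov 17 23:45:27 vanecek last message repeated 2 times
Nov 18 01:10:03 vanecek kernel: IP fw-in deny eth0 TCP 198.51.100.7:0 203.0.113.5:0 L=0 S=0x00 I=0 F=0x0000 T=0
Nov 18 01:53:37 vanecek last message repeated 2 times
Nov 18 02:00:00 vanecek sshd[123]: Accepted password for admin from 192.168.1.10
Nov 18 02:00:30 vanecek last message repeated 3 times
Nov 18 03:57:01 vanecek kernel: IP fw-in deny eth0 UDP 192.0.2.236:0 192.0.2.255:0 L=0 S=0x00 I=0 F=0x0000 T=0
EOF
)

# Run the summary over the constructed sample (real use: fw_deny_summary < /var/log/messages).
summarize_sample() { printf '%s\n' "$SAMPLE_LOG" | fw_deny_summary; }
summarize_sample
```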