[NTLUG:Discuss] firewall rules (long)

Kelly Scroggins kelly at cliffhanger.com
Tue Sep 7 01:24:38 CDT 1999


I've been trying to set firewall rules.  I've not had any success.  I've
used the examples given in the "Linux Network Toolkit" and the "Firewall
HOWTO".  (Listed at the bottom of this message.)

I've tried these files one at a time of course.  The firewall example was
cut and pasted.  Both were edited with my IP addresses in the appropriate
places.

When these rules are implemented, and not working properly, I try to reverse
(flush) them with the flush commands but only a reboot sets things
straight.   ?

These are the flush commands I'm using:
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f


Does anyone have any suggestions as to what I may be missing?

And how much protection does the "ALL:ALL" setting in the /etc/hosts.deny
file provide?

Thanks,
Kelly

--------- firewall rules ----------



    ---------------------------------------------------------------------
# ../firewall.howto.rules

# This file is taken from the firewall HOWTO by
# Mark Grennan, markg at netplus.net

#  By default the IP Forwarding system in the Linux kernel forwards
#  everything.  Because of this, your firewall script should start by
#  denying access to everything and flushing any ipfw rules in place from
#  the last time it was run. This script will do the trick.
#
    #
    # setup IP packet Accounting and Forwarding
    #
    #   Forwarding
    #
    # By default DENY all services
    ipfwadm -F -p deny
    # Flush all commands
    ipfwadm -F -f
    ipfwadm -I -f
    ipfwadm -O -f

#  Now we have the ultimate firewall. Nothing can get through. No doubt
#  you have some services you need to forward so here are a few examples
#  you should find useful.

    # Legend:
    # ISP_NET  = ISP network.
    # ISP_ADDR = ISP address on the NIC.
    # LAN_NET  = LAN network.
    # LAN_ADDR = LAN address on the NIC.
    # LAN_GATEWAY_ADDR = IP address on the LAN side of the firewall server.

    # Forward email to your server
    ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D ISP_ADDR 25

    # Forward email connections to outside email servers
    ipfwadm -F -a accept -b -P tcp -S ISP_ADDR 25 -D 0.0.0.0/0 1024:65535

    # Forward Web connections to your Web Server
    /sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D ISP_ADDR 80

    # Forward Web connections to outside Web Server
    /sbin/ipfwadm -F -a accept -b -P tcp -S ISP_ADDR 80 -D 0.0.0.0/0 1024:65535
                                       # -S 196.1.2.* <-was in the place right above.

    # Forward DNS traffic
    /sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D ISP_ADDR/24

#  You might also be interested in accounting for traffic going through
#  your firewall. This script will count every packet.  You could add a
#  line or two to account for packets going to just a single system.

    # Flush the current accounting rules
    ipfwadm -A -f
    # Accounting
    /sbin/ipfwadm -A -f
    /sbin/ipfwadm -A out -i -S ISP_NET/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D ISP_NET/24
    /sbin/ipfwadm -A in -i -S ISP_NET/24 -D 0.0.0.0/0
    /sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D ISP_NET/24

#  If all you wanted was a filtering firewall you can stop here.  Enjoy
#  :-)

    ---------------------------------------------------------------------

# ../firewall.simple.rules
#
# This is a script to apply the rules in the "Linux Network Toolkit"
# for building a simple firewall.
#

# First deny access to, and from everywhere.
#
/sbin/ipfwadm -I -p deny
/sbin/ipfwadm -O -p deny
/sbin/ipfwadm -F -p deny

# Next flush any rules still set.
#
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f


# Legend:
# ISP_NET  = ISP network.
# ISP_ADDR = ISP address on the NIC.
# LAN_NET  = LAN network.
# LAN_ADDR = LAN address on the NIC.
# LAN_GATEWAY_ADDR = IP address on the LAN side of the firewall server.


# Prevent IP spoofing.
#
/sbin/ipfwadm -I -a deny -V ISP_ADDR -S LAN_NET/24 -D 0.0.0.0/0
/sbin/ipfwadm -I -a deny -V ISP_ADDR -S ISP_ADDR -D 0.0.0.0/0

# Allow unlimited internal usage of the LAN.
#
/sbin/ipfwadm -I -a accept -V LAN_GATEWAY_ADDR -S 0.0.0.0/0 -D 0.0.0.0/0
/sbin/ipfwadm -O -a accept -V LAN_GATEWAY_ADDR -S 0.0.0.0/0 -D 0.0.0.0/0

# Allow the internal network access to the Internet.
#
# Allow outgoing and return tcp packets for smtp, pop3, telnet, ftp, and www.
# (-k on the input rule matches only packets with ACK set, i.e. replies to
# connections we opened, not new connections from outside.)
/sbin/ipfwadm -O -a accept -P tcp -S ISP_ADDR -D 0.0.0.0/0 smtp pop-3 telnet www ftp
/sbin/ipfwadm -I -a accept -P tcp -k -S 0.0.0.0/0 smtp pop-3 telnet www ftp -D ISP_ADDR

# Allow second channel (data) that ftp sets up for itself.
/sbin/ipfwadm -O -a accept -P tcp -S ISP_ADDR -D 0.0.0.0/0 ftp-data
/sbin/ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 ftp-data -D ISP_ADDR

# Configure outgoing and return udp packets for domain service lookups (DNS).
# The query leaves on the output chain; the reply arrives on the input chain,
# so the second rule must be -I, addressed to this host.
/sbin/ipfwadm -O -a accept -P udp -S ISP_ADDR -D 0.0.0.0/0 domain
/sbin/ipfwadm -I -a accept -P udp -S 0.0.0.0/0 domain -D ISP_ADDR

# The end

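An added example, not part of the post nor of the HOWTO and Toolkit scripts it quotes: `ipfwadm -f` empties a chain's rule list but leaves in place the default policy that `-p deny` installed, so a flushed chain still drops everything until its policy is set back to accept (which is what the reboot does). The script below wraps the Toolkit rule set in two functions, `fw_reset` (flush and restore accept policies) and `fw_apply` (set deny policies, flush, then add the rules), and by default only prints the commands (`DRY_RUN=1`), since `ipfwadm` exists only on 2.0-series kernels. The addresses (203.0.113.0/24 and 192.168.1.0/24, documentation ranges) and the function and variable names are assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post or the HOWTO/Toolkit it quotes.
# Assumed placeholder addresses (RFC 5737 documentation range); substitute yours.
ISP_ADDR="${ISP_ADDR:-203.0.113.10}"
LAN_NET="${LAN_NET:-192.168.1.0}"
LAN_GATEWAY_ADDR="${LAN_GATEWAY_ADDR:-192.168.1.1}"
IPFWADM="${IPFWADM:-/sbin/ipfwadm}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands (ipfwadm is a 2.0-kernel tool)

fw() {
    # Echo the exact command; execute it only when DRY_RUN is not 1.
    echo "$IPFWADM $*"
    [ "$DRY_RUN" = "1" ] || "$IPFWADM" "$@"
}

fw_reset() {
    # -f flushes the rule list of a chain but does NOT reset the chain's default
    # policy. A chain left at "-p deny" with no rules drops everything, which is
    # why flushing alone does not restore connectivity: the policy must be put
    # back to accept as well.
    for chain in I O F; do
        fw -$chain -f
        fw -$chain -p accept
    done
    fw -A -f
}

fw_apply() {
    # Deny-by-default first, then flush, so there is no moment with an accept
    # policy and no rules; then add the permitted traffic.
    for chain in I O F; do fw -$chain -p deny; done
    for chain in I O F; do fw -$chain -f; done

    # Anti-spoofing: LAN or our own address must never arrive on the ISP interface.
    fw -I -a deny -V "$ISP_ADDR" -S "$LAN_NET/24" -D 0.0.0.0/0
    fw -I -a deny -V "$ISP_ADDR" -S "$ISP_ADDR" -D 0.0.0.0/0

    # Unrestricted traffic on the LAN interface.
    fw -I -a accept -V "$LAN_GATEWAY_ADDR" -S 0.0.0.0/0 -D 0.0.0.0/0
    fw -O -a accept -V "$LAN_GATEWAY_ADDR" -S 0.0.0.0/0 -D 0.0.0.0/0

    # Outbound TCP clients; -k passes only ACK-bearing replies back in.
    fw -O -a accept -P tcp -S "$ISP_ADDR" -D 0.0.0.0/0 smtp pop-3 telnet www ftp
    fw -I -a accept -P tcp -k -S 0.0.0.0/0 smtp pop-3 telnet www ftp -D "$ISP_ADDR"

    # Active-FTP data channel: the server connects back to us from port 20,
    # so this rule cannot use -k (it must accept the server's SYN).
    fw -O -a accept -P tcp -S "$ISP_ADDR" -D 0.0.0.0/0 ftp-data
    fw -I -a accept -P tcp -S 0.0.0.0/0 ftp-data -D "$ISP_ADDR"

    # DNS: query out on -O, reply back in on -I.
    fw -O -a accept -P udp -S "$ISP_ADDR" -D 0.0.0.0/0 domain
    fw -I -a accept -P udp -S 0.0.0.0/0 domain -D "$ISP_ADDR"
}

case "${1:-}" in
    reset) fw_reset ;;
    apply) fw_apply ;;
esac
```

Run as `DRY_RUN=0 sh fw.sh apply` (as root, on an ipfwadm kernel) to load the rules and `DRY_RUN=0 sh fw.sh reset` to get back to a pass-everything box without rebooting. The ftp-data input rule is the known weak spot of this rule set: with no `-k`, any new connection whose source port is 20 is accepted to any port on ISP_ADDR, so anything listening there is reachable to a client that binds port 20; passive FTP or a wrapped/limited set of listeners is the usual mitigation.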

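On the `ALL: ALL` question, an added example that is not from the post: tcp_wrappers consults /etc/hosts.allow and /etc/hosts.deny only for connections handed to tcpd by inetd or accepted by a daemon linked against libwrap. It is not a packet filter, does nothing for traffic forwarded through the box (the `-F` chain above), and leaves any unwrapped listener untouched, so `ALL: ALL` in hosts.deny protects exactly the wrapped services and nothing else. The function below reads an inetd.conf and lists the services inetd starts directly, bypassing tcpd; the inetd.conf lines it runs on are constructed for the example, and the names `unwrapped_services` and `is_libwrap_linked` are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Audits which inetd services are
# NOT routed through tcpd and so are not governed by /etc/hosts.deny.

# Constructed sample inetd.conf (not a real configuration).
# Fields: service socket proto wait user server-program args
SAMPLE_INETD_CONF='# constructed sample, not a real inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
pop-3   stream  tcp  nowait  root    /usr/sbin/ipop3d      ipop3d
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
echo    stream  tcp  nowait  root    internal
'

unwrapped_services() {
    # Reads inetd.conf on stdin; prints "service<TAB>program" for every
    # service whose server program is not tcpd. Those never see hosts.deny.
    # inetd built-ins ("internal") cannot be wrapped at all.
    awk '
        /^[[:space:]]*(#|$)/      { next }
        $6 == "internal"          { print $1 "\tinetd-internal"; next }
        $6 !~ /(^|\/)tcpd$/       { print $1 "\t" $6 }
    '
}

is_libwrap_linked() {
    # For standalone daemons (not started by inetd): hosts.deny applies only
    # if the binary itself is linked against libwrap. Returns 0 if it is.
    ldd "$1" 2>/dev/null | grep -q libwrap
}

# Usage: list the unwrapped services in the constructed sample.
printf '%s' "$SAMPLE_INETD_CONF" | unwrapped_services
```

Run `unwrapped_services < /etc/inetd.conf` on the box; every service it prints must be protected by the packet filter instead, and for daemons that run outside inetd, `is_libwrap_linked /usr/sbin/sshd` (or whichever binary) tells you whether hosts.deny applies to them at all.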