Hack 64 Script IP Filter Rulesets



One firewall ruleset isn't always enough.

As a firewall administrator, you know that it takes a bit of creative genius to create a ruleset that best reflects your network's security needs. Things can get more interesting if those needs vary by time of day. For example, you may need to allow Internet access between business hours but ban it during the evening hours. This is easy to do with two rulebases, a couple of scripts, and trusty old cron.

6.12.1 Limiting Access with IP Filter

I have a FreeBSD firewall/router guarding my home network. I also happen to have a daughter who would spend her life online if she were allowed. There's a simple solution to restricting her access to the Internet to certain times of the day without having to use a proxy.

I use FreeBSD's IP Filter as my firewall software. My normal set of firewall rules, /etc/ipf.rules, allows unrestricted access to the Internet. Here's the section of that rulebase that controls my daughter's access:

# --------------------------comment area begin------------------------------
# Internal Interface: ed0
# Allow internal traffic to flow freely.
# -------------------------- comment area end ------------------------------
pass in  on ed0 all
pass out on ed0 all

Note that this is not my entire rulebase, just the section controlling the interface, ed0, connected to the portion of the network containing my daughter's computer.

Also note that I did not use the normal pass in quick on ed0 all or pass out quick on ed0 all. This is because the keyword quick in IP Filter tells the program not to look any further for rules applying to the flow of traffic on an interface; without quick, IP Filter keeps reading and the last matching rule wins, which is what lets the block rules added later in the file override these pass rules. If I had used quick, this hack would not work.

I saved a copy of my unrestricted rulebase as /etc/ipf.rules.allow for safekeeping. This will be my first rulebase.

# cp /etc/ipf.rules /etc/ipf.rules.allow

I next edited a copy of the original rulebase file, /etc/ipf.rules, to block Natasha's computer (IP 10.0.0.3) from accessing the outside world while still allowing her to do homework:

# --------------------------comment area begin------------------------------
# Internal Interface: ed0
# Allow internal traffic to flow freely.
# -------------------------- comment area end ------------------------------
pass in  on ed0 all
pass out on ed0 all
# --------------------------block Natasha's computer------------------------
block in  on ed0 from any to 10.0.0.3
block out on ed0 from any to 10.0.0.3

I saved this rule file as /etc/ipf.rules.block, my second rulebase. This second ruleset will effectively block her from surfing and using the usual plethora of messaging programs.

6.12.2 Switching Rules on a Schedule

To implement these restrictions at a specific time, I wrote a small script:

#!/bin/sh
# copy the restrictive rules to the default ipfilter rulebase
cp /etc/ipf.rules.block /etc/ipf.rules
# cause ipfilter to re-read and apply the new rulebase
/sbin/ipf -Fa -f /etc/ipf.rules

Notice that this is a very simple Bourne shell script. As the comments state, it copies the second, restrictive rulebase to the rulebase used by IP Filter. It then tells IP Filter to reread and apply the newly copied rulebase.

I saved this script as /usr/local/bin/block.sh and made it executable:

# chmod 751 /usr/local/bin/block.sh

From there, I used cron to schedule the restriction. First, I opened the crontab editor:

# crontab -e

and then added the line:

# minute  hour  day-of-month  month  day-of-week  script to run
0         21    *             *      0-4          /usr/local/bin/block.sh

which will effectively shut down access to the outside world starting at 9:00 PM, Sunday through Thursday (i.e., school nights).

To allow access to the Internet in the morning, I need another script:

#!/bin/sh
# copy the non-restrictive rules to the default ipfilter rulebase
cp /etc/ipf.rules.allow /etc/ipf.rules
# cause ipfilter to re-read and apply the new rulebase
/sbin/ipf -Fa -f /etc/ipf.rules

This script is very similar to the first one, except that it copies over the non-restrictive rulebase. I saved this file as /usr/local/bin/allow.sh and made it executable:

# chmod 751 /usr/local/bin/allow.sh

Once again, I launched crontab -e to add the following line:

# minute  hour  day-of-month  month  day-of-week  script to run
0         7     *             *      1-5          /usr/local/bin/allow.sh

This will allow access to resume at 7:00 AM, Monday to Friday. Obviously there are no restrictions on the weekends.

6.12.3 Hacking the Hack

While I've successfully used this hack at home for several years, it is easy to see how the same logic could apply to schedule multiple rulebases to suit any network's needs. This gives an administrator much more flexible control over traffic, without the overhead of additional firewall software.
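The two scripts above, folded into the single switcher that "Hacking the Hack" hints at, as an added example that is not from the book: it takes the rulebase name as an argument, refuses unknown names and missing files, and runs the candidate file through ipf -n (parse only) before -Fa flushes the live ruleset, so a typo in a saved rulebase cannot leave the firewall empty. The script name switch-ipf.sh and the RULES_DIR and IPF overrides are my assumptions, added so the functions can be exercised against scratch files.

```shell
#!/bin/sh
# switch-ipf.sh (hypothetical helper, not from the book): load one of the
# saved IP Filter rulebases, /etc/ipf.rules.allow or /etc/ipf.rules.block.
# RULES_DIR and IPF can be overridden so the functions can be tested
# against scratch files without touching the real firewall.
RULES_DIR=${RULES_DIR:-/etc}
IPF=${IPF:-/sbin/ipf}

# Return 0 if "$1" names a rulebase this script knows about.
valid_mode() {
    case "$1" in
        allow|block) return 0 ;;
        *)           return 1 ;;
    esac
}

# Copy $RULES_DIR/ipf.rules.<mode> over $RULES_DIR/ipf.rules and reload it.
# Returns 1 for a bad mode, 2 for a missing/unreadable file, 3 if ipf rejects
# the rules (checked with -n before anything is flushed).
switch_rules() {
    mode=$1
    src="$RULES_DIR/ipf.rules.$mode"
    dst="$RULES_DIR/ipf.rules"
    valid_mode "$mode" || { echo "usage: $0 allow|block" >&2; return 1; }
    [ -r "$src" ]      || { echo "$src: not readable" >&2; return 2; }
    # Parse-only pass: -n makes ipf read the file without changing the kernel.
    "$IPF" -n -f "$src" >/dev/null 2>&1 \
        || { echo "$src: ipf rejected this rulebase" >&2; return 3; }
    cp "$src" "$dst" || return 2
    # Same reload the book's scripts use: flush all rules, then load the file.
    "$IPF" -Fa -f "$dst" || return 3
    # Leave a trace in syslog so a missed cron run is easy to spot.
    logger -t ipf-switch "loaded $mode rulebase" 2>/dev/null || true
    return 0
}

# From cron the mode is given as an argument; with no argument the file only
# defines the functions above.
if [ $# -gt 0 ]; then
    switch_rules "$1"
    exit $?
fi
```

With this in place the two crontab lines become `0 21 * * 0-4 /usr/local/bin/switch-ipf.sh block` and `0 7 * * 1-5 /usr/local/bin/switch-ipf.sh allow`.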

6.12.4 See Also

  • man crontab

  • The IP Filter HOWTO (http://www.obfuscation.org/ipf/)



BSD Hacks
ISBN: 0596006799
Year: 2006
Pages: 160
Authors: Lavigne