Hack 66 Automatically Generate Firewall Rules



Easily protect any FreeBSD workstation with a fully configured firewall.

You know the importance of being protected by a firewall. You know where to look in the manpages for details. Given enough time and trouble, you could write a firewall configuration for any situation. They're all reasonably similar, though, so why not generate the configuration by answering a few questions?

That's the purpose of the IPFilter setup script: to generate configuration rules for typical SOHO firewalls using FreeBSD and IPFilter. Even novice users can retain the full benefits of a firewall without first having to learn syntax. In fact, with this script, you should be able to set up a typical firewall with no FreeBSD configuration knowledge at all.

Even if you're not a novice user, this is a great script to refer friends to as they discover FreeBSD. Now you can rest easy in the thought that your friends are protected and you didn't even have to find the time to show them how to set up their systems.

6.14.1 What the Script Does

The script uses a simple question-and-answer text interface. It has four main parts:


Network settings and IPFilter firewall and IPNAT configuration

This configures internal and external network card interface IP address settings either manually or via DHCP. It creates stateful firewall rules on the external network interface and configures NAT to provide Internet connection sharing on the internal network interface.


ADSL PPPoE configuration

This prompts for a login name, password, and Ethernet NIC to generate the /etc/ppp/ppp.conf file. It then inserts the required PPP variables in /etc/rc.conf. This starts userland PPP at bootup.


DHCP server configuration

This checks for the installation of the ISC DHCP server. If it's not installed, the script offers to install the latest version from the ports system or via a precompiled package.

Once installed, the script will configure the DHCP server by prompting for the addresses of the ISP's DNS servers, the address of the internal NIC to use as the default gateway, and the IP address range and subnet mask to use for the internal LAN.


Serial console setup

Answer "yes" to this section of the script if you plan on running the firewall headless [Hack #26].

6.14.2 Installation

The easiest way to install the script is to download it to the system that will become the firewall. I prefer the fetch command:

% fetch http://www.roq.com/bsd/ipfilterscript.tar.gz

If networking isn't configured on that system yet, you can copy the file from another device, such as a USB flash key:

# mount -t msdos /dev/da0s1 /mnt
# cp /mnt/ipfilterscript.tar.gz /tmp/

Once you have the script, extract it and run it:

# tar -zxf ipfilterscript.tar.gz
# ./ipfilter.pl
######################################################################
1: Would you like to setup PPPoE DSL connection (Choose 1)
2: Setup IP configuration, Firewalling and NAT (Choose 2) or
3: Setup a DHCP server (Choose 3 and hit enter)
4: Setup serial console support
5: Exit
######################################################################

If you use ADSL with PPPoE, choose 1 and press Enter. If you have ADSL but use it with a static IP, instead choose 2, which combines IP configuration, firewalling, and NAT setup. Choosing 3 will install and configure a DHCP server; make sure your network is configured before choosing it, because the script will attempt to download and install the DHCP server.

6.14.3 Example Usage

For this example, I will choose 2 for IP configuration. The script lists my three Ethernet cards, rl0, xl0, and rl1, two of which I haven't configured.

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::202:44ff:fe36:8259%rl0 prefixlen 64 scopeid 0x1
        inet 10.0.0.5 netmask 0xff000000 broadcast 10.255.255.255
        ether 00:02:44:36:82:59
        media: Ethernet autoselect (10baseT/UTP)
        status: active
xl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:50:da:89:bc:9f
        media: Ethernet 10baseT/UTP (10baseT/UTP <half-duplex>)
rl1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        ether 00:02:44:04:14:2c
        media: Ethernet autoselect (10baseT/UTP)
        status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
#####################################################################
 Choose your external Nic, eg "fxp0" . If you are firewalling for a PPPoE
 / ADSL setup use "tun0"
#####################################################################

At the moment, I have only one Ethernet card plugged into something. Only rl0 has active status, so it is plugged into my ADSL modem. I'll configure it with a static IP address by typing in rl0 and pressing Enter. The script now asks for my internal network card, which is rl1.

#######################################################################
 choose your internal Nic, eg "rl0"
#######################################################################
rl1
#######################################################################
 Internal nic IP, Recommended "192.168.1.1" . Hit "ENTER" for recommended
 defaults
#######################################################################

Now the script needs the IP address of the internal interface, which is the gateway address all of my internal machines will use. The defaults are fine, so I can simply press Enter for the next few questions.

Setting Internal nic IP to 192.168.1.1
#######################################################################
 Internal nic Netmask, Just hit enter for 255.255.255.0
#######################################################################
Setting Internal nic Netmask to 255.255.255.0

When asked for my external IP, I type it in manually since I am setting up a static IP connection:

#######################################################################
 External nic IP, or type "DHCP" for DHCP, for connections like ADSL type
 "NONE" for no dhclient on external nic
#######################################################################
10.6.1.2
Setting External nic IP to 10.6.1.2
#######################################################################
 External nic netmask, eg 255.255.255.0
#######################################################################
255.255.255.254
Setting External Netmask to 255.255.255.254
#######################################################################
Do you want to enter a gateway default IP address? if you ISP provided
 you with a default gateway choose Yes Y/N, default = no
y
What is your gateway IP for your firewall machine to route to, (eg:
 111.1.1.1)
10.6.1.1
#######################################################################
 Do you want statefull firewall or just allow everything and rely on
 IPNAT to protect you, I recommend firewalling :)
 Choose: "y" for statefull firewall or "n" for allow everything
#######################################################################
 y
#######################################################################
Do you want to forward any ports from the firewall to a internal host ip?
 n
#######################################################################
Do you want IP Filter to log denied packets? Y/N, default = yes
 y
#### Denied packets will be logged to /var/log/firewall.log ####
#######################################################################
Do you want to install a /etc/ipfrestart script so you can easily reset
your rules? Handy if you are trying out new rulesets. Y/N, default = yes
 y
#######################################################################
Do you want ftp active mode supprt? when ftping out behind a basic NAT
firewall, active mode ftp wont work.
This is because normal active mode ftp actually initiates a FTP connection
from the server back to YOU! and requires more then basic nat to work.
The day FTP is gone and fully replaced by something more secure like
 SSH's sftp will be a day when the internet is large degree more secure.
Choose: "y" to switch on active ftp support (recommended) or "n"
 y
Going to write the data to these files
/etc/rc.conf
/etc/ipf.rules
/etc//etc/ipnat.rules
/etc/newsyslog.conf
hit ctrl+c to abort
All done, type "reboot" for changes to take effect
########################################################################
Settings for internal machines behind the firewall:
Gateway: 192.168.1.1
Netmask: 255.255.255.0
DNS: (Your ISPS DNS)
Clients IP: 192.168.1.2 or higher
########################################################################

Finally, the script writes the necessary information to the required configuration files. When I reboot, the system is fully configured to access the ISP and provide NAT and DHCP services to the internal LAN, and its firewall filters every packet passing through it.
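The walkthrough shows the answers but not the files they produce. The following is a constructed illustration, not the script's literal output (whose exact rules may differ), of what /etc/ipf.rules, /etc/ipnat.rules, and the /etc/rc.conf additions could look like for the choices above: external rl0 at 10.6.1.2/255.255.255.254 with default route 10.6.1.1, internal rl1 at 192.168.1.1/24, stateful filtering, logging of denied packets, no port forwarding, and active-FTP support. The portmap range is an arbitrary assumed value.

```conf
# --- /etc/ipf.rules (constructed example; rl0 external, rl1 internal) ---
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on rl1 all
pass out quick on rl1 all
# Anti-spoofing: packets claiming LAN or loopback sources must never
# arrive on the external interface; log and drop them.
block in log quick on rl0 from 192.168.1.0/24 to any
block in log quick on rl0 from 127.0.0.0/8 to any
# Stateful: only traffic the firewall or LAN initiates creates state.
# Replies are matched against the state table before any rule is consulted.
pass out quick on rl0 proto tcp from any to any flags S keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
# No port forwarding was requested, so nothing is opened inbound.
# Everything else on rl0 is denied and logged; ipmon hands the log lines
# to syslog, which the script points at /var/log/firewall.log.
block in log quick on rl0 all
block out log quick on rl0 all

# --- /etc/ipnat.rules ---
# Active-mode FTP proxy first (the "y" answer above), then hide the whole
# LAN behind whatever address rl0 currently holds (0/32).
map rl0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map rl0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map rl0 192.168.1.0/24 -> 0/32

# --- lines added to /etc/rc.conf ---
ifconfig_rl0="inet 10.6.1.2 netmask 255.255.255.254"
ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0"
defaultrouter="10.6.1.1"
gateway_enable="YES"            # forward packets between rl1 and rl0
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"               # daemonize; send blocked-packet log to syslog
```

Before the reboot the script asks for, `ipf -n -f /etc/ipf.rules` parses the ruleset without loading it, which catches syntax errors while you still have a working console.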

6.14.4 See Also

  • The IPFilterscript web site (http://www.roq.com/bsd/)

  • The IPFilter web site (http://coombs.anu.edu.au/~avalon/)



BSD Hacks
ISBN: 0596006799
Year: 2006
Pages: 160
Authors: Lavigne
