Re[2]: [cumbria_lug] Build a better firewall...
Ian Linwood
cumbria at mailman.lug.org.uk
Sat Aug 16 19:59:01 2003
Hello Schwuk,
Tuesday, August 12, 2003, 3:13:41 PM, you wrote:
> Got some suggestions on how to implement the above?
Ok, first rule - drop everything! Break your network. Then, slowly,
change rules to allow services to fix what's broken.
Open the absolute minimum of ports to get a service running. No ports
should be open, on any interface, that are not necessary.
SPOOF PREVENTION
----------------
Block these networks; incoming on the external interface
192.168.0.0/16 # rfc1918
172.16.0.0/12 # rfc1918
10.0.0.0/8 # rfc1918
127.0.0.0/8 # loopback
0.0.0.0/8 # can appear on networks due to strange routing decisions
169.254.0.0/16 # assigned by the IANA for use in auto-configuration
192.0.2.0/24 # reserved - example IP netblock for documentation authors
204.152.64.0/23 # reserved for Sun Microsystems for private cluster interconnects
224.0.0.0/3 # multicast - class D & E
You should also block your local internal subnets on the external
interface. This traffic should not hit the outside world as outgoing
traffic is *masq'd* as the IP you received from your ISP. Therefore
you shouldn't expect such addresses returning to you.
Block these networks; outgoing on the external interface
192.168.0.0/16 # rfc1918
172.16.0.0/12 # rfc1918
10.0.0.0/8 # rfc1918
127.0.0.0/8 # loopback
0.0.0.0/8 # can appear on networks due to strange routing decisions
169.254.0.0/16 # assigned by the IANA for use in auto-configuration
192.0.2.0/24 # reserved - example IP netblock for documentation authors
204.152.64.0/23 # reserved for Sun Microsystems for private cluster interconnects
224.0.0.0/3 # multicast - class D & E
You should also block your local internal subnets outgoing on the
external interface. This traffic should not hit the outside world as
outgoing traffic is *masq'd* as the IP you received from your ISP.
ICMP STORMS
-----------
Next block all ICMP traffic. If you require ping and traceroute, allow icmp-type 0 and icmp-type 11 to pass.
This will prevent smurf attacks (yes, thats what icmp type attacks are called). To be more secure, if you do allow icmp, try
to allow it to/from
trusted networks (ha! is there such a thing?).
FIN SCANS
---------
use the "--tcp-flags ALL SYN,ACK" to scann all the flag on incoming traffic. this will allow the SYN & ACK flags to be set
but will drop packets that
have other flags set.
REMEMBER TO LOG ALL SYN PACKETS.
Logs get big quite quickly, frequent logrotates should be done and old logs moved.
I recommend putting the logs in their own partition. This will prevent the firewall crashing should the logs blow in size.
The worst that will happen
is that the partition will fill.
DNAT
----
Try to nat destination addresses if possible. If you have a web server you wish make available, do not just open up port 80
on your public IP.
1. Run your web server on an rfc 1918 address.
2. Run the service port on >1024 port address.
3. Set up destination NAT on firewall to redirect address and port [pu.bl.ic.ip]:80 -> [lo.ca.l.ip]:8080
--
Best regards,
Ian