
Thread: IPFW + DirectAdmin + FIREWALL RULESETS AVAILABLE HERE

  1. #1
    Join Date
    Jan 2005
    Posts
    79

    IPFW + DirectAdmin + FIREWALL RULESETS AVAILABLE HERE

    This is a tutorial I came across at BSDTechTalk (located at http://www.bsdtechtalk.com/showthread.php?t=78).

    Thought I'd share it here with everybody.

    I hope this helps some people who are interested in getting a firewall up for their BSD system (although they should be).
    ==================

    Tutorial Title: Quick IPFW Tutorial

    Tutorial Summary:
    Quick IPFW tutorial and an example IPFW config file showing a setup for a freebsd server with a DirectAdmin control panel.

    Author: Senad

    Contact: bsd@bsdtechtalk.com

    BSD Type: FreeBSD
    BSD Version: FreeBSD 5.x, 6.x


    Tutorial:
    IPFW can be added to FreeBSD 5.x, 6.x by adding the IPFW commands and then starting up IPFW. FreeBSD 4.x needs IPFW compiled into the kernel.

    All right, let's begin.

    Firewall configuration
    In /etc/rc.conf we added the following options to turn on IPFW:
    Code:
    nano /etc/rc.conf
    Code:
    firewall_enable="YES"
    firewall_script="/etc/ipfw.rules"
    Then

    Code:
    nano /etc/ipfw.rules
    DirectAdmin Control Panel requires the following ports to be opened:

    20, 21: FTP. Note that ftp will use a "random high port number" if the client is in PORT mode, so you may need to add a port range to your /etc/proftpd.conf file to allow ftp connections, e.g.:

    PassivePorts 32555 32565
    and then open that port range as well in your firewall.

    In our example we will use port 21 for FTP!

    22: ssh access

    25: smtp for exim to receive email

    53: dns (named), so your sites resolve

    80, 443: apache traffic, http and https

    110: client pop email access
    143: clients imap email access

    2222: DirectAdmin Access

    3306: mysql access. You don't need to open this port if you don't want to allow remote mysql access, as most mysql scripts are all accessed locally.

    Add the following rules:
    Code:
    ##############################
    # IPFW RULES Server
    ##############################
    cmd="ipfw -q add"
    ipfw -q -f flush
    
    ##############################
    #Allow loopback and deny loopback spoofing
    ##############################
    $cmd 05 allow all from any to any via lo0
    $cmd 10 deny all from any to 127.0.0.0/8
    $cmd 15 deny all from 127.0.0.0/8 to any
    $cmd 20 deny tcp from any to any frag
    
    ##############################
    # Stateful Rules
    ##############################
    $cmd 25 check-state
    $cmd 30 allow tcp from any to any established
    $cmd 35 allow all from any to any out keep-state
    $cmd 40 allow icmp from any to any
    
    ##############################
    # Incoming/outgoing services
    ##############################
    $cmd 45 allow tcp from any to any 21 in setup keep-state
    # FTP does not use UDP; the TCP rule above is all that port 21 needs
    $cmd 50 allow tcp from any to any 22 in setup keep-state
    $cmd 55 allow tcp from any to any 25 in setup keep-state
    # no 'setup' on UDP rules: 'setup' matches TCP SYN packets only, so a UDP rule with it never fires
    $cmd 60 allow udp from any to any 53 in keep-state
    $cmd 61 allow tcp from any to any 53 in setup keep-state
    $cmd 65 allow tcp from any to any 80 in setup keep-state
    $cmd 70 allow tcp from any to any 443 in setup keep-state
    $cmd 75 allow tcp from any to any 110 in setup keep-state
    $cmd 80 allow tcp from any to any 143 in setup keep-state
    $cmd 90 allow tcp from any to any 2222 in setup keep-state
    $cmd 100 allow tcp from any to any 49152-65535 out setup keep-state
    
    ##############################
    # Deny and log
    ##############################
    $cmd 999 deny log all from any to any
    or use stateless firewall rules:
    Code:
    ##############################
    # IPFW RULES Server
    ##############################
    cmd="ipfw -q add"
    ipfw -q -f flush
    ks="keep-state"
    
    ##############################
    #Allow loopback and deny loopback spoofing
    ##############################
    $cmd 10 allow all from any to any via lo0
    $cmd 20 deny all from any to 127.0.0.0/8
    $cmd 30 deny all from 127.0.0.0/8 to any
    $cmd 40 deny tcp from any to any frag
    
    ##############################
    # Stateful Rules
    ##############################
    $cmd 50 check-state
    $cmd 60 allow tcp from any to any established
    $cmd 70 allow all from any to any out keep-state
    $cmd 80 allow icmp from any to any
    
    ##############################
    # Incoming/outgoing services
    ##############################
    $cmd 90 allow tcp from any to any 21 in
    $cmd 100 allow tcp from any to any 21 out
    # FTP does not use UDP; the TCP rules above are all that port 21 needs
    $cmd 130 allow tcp from any to any 22 in
    $cmd 140 allow tcp from any to any 22 out
    $cmd 150 allow tcp from any to any 25 in
    $cmd 160 allow tcp from any to any 25 out
    $cmd 170 allow udp from any to any 53 in
    $cmd 180 allow udp from any to any 53 out
    $cmd 190 allow tcp from any to any 80 in
    $cmd 200 allow tcp from any to any 80 out
    $cmd 210 allow tcp from any to any 443 in
    $cmd 220 allow tcp from any to any 443 out
    $cmd 230 allow tcp from any to any 110 in
    $cmd 240 allow tcp from any to any 110 out
    $cmd 250 allow tcp from any to any 143 in
    $cmd 260 allow tcp from any to any 143 out
    $cmd 270 allow tcp from any to any 2222 in
    $cmd 280 allow tcp from any to any 2222 out
    $cmd 290 allow tcp from any to any 49152-65535 out
    
    ##############################
    # Deny and log
    ##############################
    $cmd 999 deny log all from any to any
    Now let's run ipfw:
    Code:
    /etc/rc.d/ipfw start
    Last edited by Senad; 12-05-2005 at 03:44 PM.
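
    Added example (not Senad's script and not from the thread): a small sh script that builds the same DirectAdmin ruleset from a proto:port table, so that UDP services get keep-state without the TCP-only setup keyword and the ProFTPD PassivePorts range (assumed to be 32555-32565, as quoted above) is opened inbound. It also leaves out the blanket 'allow tcp established' rule, so only connections present in the state table pass.

```shell
#!/bin/sh
# Generates the DirectAdmin ipfw ruleset from a service table and prints it,
# so the result can be reviewed before it is saved as /etc/ipfw.rules.
# Added example for this thread, not Senad's script. Assumed: a ProFTPD
# PassivePorts range of 32555-32565, as used in the thread.

PASSIVE_RANGE="32555-32565"
# proto:port entries from the thread's DirectAdmin port list. 3306 (MySQL)
# is left out on purpose: open it only if remote clients really need it.
SERVICES="tcp:21 tcp:22 tcp:25 udp:53 tcp:53 tcp:80 tcp:443 tcp:110 tcp:143 tcp:2222"

# One inbound rule per service. 'setup' matches TCP SYN-without-ACK only, so
# a UDP rule carrying 'setup' can never match (the thread's
# 'udp ... 53 in setup keep-state' lets inbound DNS queries fall through to
# the final deny); UDP therefore gets plain keep-state.
service_rule() {
    num=$1; proto=$2; port=$3
    case $proto in
        tcp) printf '$cmd %s allow tcp from any to any %s in setup keep-state\n' "$num" "$port" ;;
        udp) printf '$cmd %s allow udp from any to any %s in keep-state\n' "$num" "$port" ;;
        *)   printf 'unknown protocol: %s\n' "$proto" >&2; return 1 ;;
    esac
}

# Whole ruleset. check-state comes first; there is no blanket
# 'allow tcp established', so only packets with a state entry get through.
build_ruleset() {
    cat <<'EOF'
cmd="ipfw -q add"
ipfw -q -f flush
# loopback, loopback spoofing, fragments
$cmd 10 allow all from any to any via lo0
$cmd 20 deny all from any to 127.0.0.0/8
$cmd 30 deny all from 127.0.0.0/8 to any
$cmd 40 deny tcp from any to any frag
# state table first; everything the server starts itself is tracked
$cmd 50 check-state
$cmd 60 allow all from any to any out keep-state
$cmd 70 allow icmp from any to any
EOF
    n=100
    for entry in $SERVICES; do
        service_rule "$n" "${entry%%:*}" "${entry#*:}"
        n=$((n + 10))
    done
    # passive FTP data connections arrive inbound; an 'out' rule here never
    # matches, and rule 60 already covers the outbound side
    printf '$cmd %s allow tcp from any to any %s in setup keep-state\n' "$n" "$PASSIVE_RANGE"
    printf '$cmd 999 deny log all from any to any\n'
}

build_ruleset
```

    Redirect the output into /etc/ipfw.rules and start ipfw as shown above; rule numbers step by 10 so extra rules fit between them later.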

  2. #2
    Join Date
    Mar 2005
    Posts
    75
    /etc/rc.conf:

    Code:
    pf_enable="YES"
    pf_rules="/etc/pf.conf"
    pf_program="/sbin/pfctl"
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"
    pflog_program="/sbin/pflogd"
    /etc/pf.conf

    Code:
    # /etc/pf.conf
    
    # Macros
    WWW="111.222.333.444/32"
    DNS="{ 111.222.333.445/32, 111.222.333.446/32 }"
    IF="rl0"
    LOCAL_IF="lo0"
    NO_ROUTE="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
    
    # Options
    set optimization normal
    set block-policy drop
    set require-order yes
    
    # Traffic Normalization
    scrub in all
    
    # Packet Filtering
    block in log all
    block out log all
    
    antispoof log quick for $LOCAL_IF inet
    pass in on $LOCAL_IF inet all keep state
    pass out on $LOCAL_IF inet all keep state
    
    antispoof log quick for $IF inet
    block in log quick on $IF from $NO_ROUTE to $IF
    block return-rst in log quick on $IF inet proto tcp from any to $WWW port 113
    pass in on $IF inet proto icmp from any to $WWW icmp-type 8 code 0 keep state
    pass in on $IF inet proto udp from any to $DNS port 53 keep state
    pass in on $IF inet proto tcp from any to $WWW port 22 flags S/SA modulate state
    pass in on $IF inet proto tcp from any to $WWW port 25 flags S/SA modulate state
    pass in on $IF inet proto tcp from any to $WWW port 80 flags S/SA modulate state
    pass in on $IF inet proto tcp from any to $WWW port 443 flags S/SA modulate state
    block out log quick on $IF from $IF to $NO_ROUTE
    pass out on $IF inet from $IF to any keep state
    "quick" in a rule means no further rules will be processed if the rule matches.

    To run pf:

    Code:
    pfctl -Rf /etc/pf.conf
    Last edited by dennisc; 12-15-2005 at 06:06 AM.

  3. #3
    Join Date
    Jan 2005
    Posts
    79
    firewall_type="OPEN"
    This will leave all of your firewall ports open to any connections. Basically you have no firewall since it allows all traffic to pass through.

  4. #4
    Join Date
    Jul 2006
    Posts
    38
    Can someone confirm for me that this is correct:

    /etc/rc.conf
    Code:
    firewall_enable="YES"
    firewall_script="/etc/ipfw.rules"
    /etc/ipfw.rules
    Code:
    ##############################
    # IPFW RULES Server
    ##############################
    cmd="ipfw -q add"
    ipfw -q -f flush
    
    ##############################
    #Allow loopback and deny loopback spoofing
    ##############################
    $cmd 05 allow all from any to any via lo0
    $cmd 10 deny all from any to 127.0.0.0/8
    $cmd 15 deny all from 127.0.0.0/8 to any
    $cmd 20 deny tcp from any to any frag
    
    ##############################
    # Stateful Rules
    ##############################
    $cmd 25 check-state
    $cmd 30 allow tcp from any to any established
    $cmd 35 allow all from any to any out keep-state
    $cmd 40 allow icmp from any to any
    
    ##############################
    # Incoming/outgoing services
    ##############################
    $cmd 45 allow tcp from any to any 21 in setup keep-state
    # FTP does not use UDP; the TCP rule above is all that port 21 needs
    $cmd 50 allow tcp from any to any 22 in setup keep-state
    $cmd 55 allow tcp from any to any 25 in setup keep-state
    # no 'setup' on UDP rules: 'setup' matches TCP SYN packets only, so a UDP rule with it never fires
    $cmd 60 allow udp from any to any 53 in keep-state
    $cmd 61 allow tcp from any to any 53 in setup keep-state
    $cmd 65 allow tcp from any to any 80 in setup keep-state
    $cmd 70 allow tcp from any to any 443 in setup keep-state
    $cmd 75 allow tcp from any to any 110 in setup keep-state
    $cmd 80 allow tcp from any to any 143 in setup keep-state
    $cmd 90 allow tcp from any to any 2222 in setup keep-state
    $cmd 100 allow tcp from any to any 49152-65535 out setup keep-state
    
    ##############################
    # Deny and log
    ##############################
    $cmd 999 deny log all from any to any
    I was reading about this:

    Also, shouldn't your rule:

    Code:
    $cmd 30 allow tcp from any to any established

    be

    Code:
    $cmd 30 deny tcp from any to any established

  5. #5
    Join Date
    Jan 2005
    Posts
    79
    Also, shouldn't your rule:

    Code:
    $cmd 30 allow tcp from any to any established

    be

    Code:
    $cmd 30 deny tcp from any to any established
    No, it should allow it, so that it is an established connection and the firewall rule will then keep the established/required connections under stateful inspection. If you deny it then the firewall rule will deny every connection after the packets return.

    Simpler way of saying it:
    PC A sends a SYN packet to the host. The host replies with a SYN,ACK... PC A sends back an ACK. You now have an established connection. Now, since that rule is above the other more specified rulesets, the firewall's stateful packet inspection will see that there is already an authorized connection with the host. If you set it to deny it will hence not allow that host to connect and access the required information, and it will deny the user to that host. Having the established command allows you to keep that state as an approved method without having to go and read all of the firewall rulesets all over again. Since the firewall knows and keeps the state it will hence know to keep that state established and allowed by that rule. Hope that helps/makes sense.

  6. #6
    Join Date
    Jul 2006
    Posts
    38
    Senad, thank you for your post.
    I was uncertain to activate my ipfw.

    I still have 1 question about this ipfw config.
    you are talking about the passive ports in proftpd:

    PassivePorts 32555 32565
    shouldn't the rule be changed from:

    $cmd 100 allow tcp from any to any 49152-65535 out setup keep-state
    to

    $cmd 100 allow tcp from any to any 32555-32565 out setup keep-state
    or are those ports for other services?

    Also, could someone give me an example of giving a specific ip access to mysql.

    As you can imagine, I'm not really familiar with ipfw ^^'
    Last edited by greenm; 08-01-2006 at 02:21 AM.

  7. #7
    Join Date
    Jul 2005
    Posts
    2,008
    You can set up your own ports that you want your ftp server to use, so Senad's rule may be different from yours.

  8. #8
    Join Date
    Jul 2006
    Posts
    38
    I know this; it was more the question of whether the passive port is another entry in the ipfw.conf or whether I need to adapt the line in my previous post...

  9. #9
    Join Date
    Jul 2006
    Posts
    38
    OK, well, I've got everything figured out; only now I have one annoying little problem.

    Opening passive ports takes long and a new port is opened on every dir switch.

    When I disable the firewall it's all working cool, so I think it's something with the ipfw.conf..

    More people having this problem?

  10. #10
    Join Date
    Aug 2004
    Location
    uk
    Posts
    1,582
    Specify the passive port range in proftpd.conf; then you don't have to open such a big port range.

  11. #11
    Join Date
    Jul 2006
    Posts
    38
    Well, I figured it out:

    If your proftpd passive port range is
    32555-32565, do:

    Instead of:
    $cmd 100 allow tcp from any to any 32555-32565 out setup keep-state

    use:
    $cmd 100 allow tcp from any to any 32555-32565 in setup keep-state

    So out to in; this works for me.

  12. #12
    Join Date
    Feb 2004
    Location
    The Netherlands
    Posts
    19

    Re: IPFW + DirectAdmin + FIREWALL RULESETS AVAILABLE HERE

    Originally posted by Senad
    110: client pop email access
    143: clients imap email access
    I guess now I know why I wasn't able to access email via imap, in Outlook...

  13. #13
    Join Date
    Jan 2005
    Posts
    79
    Sorry about the long delay; I have been very busy here. Greenm, yes, the ruleset I created was based on a remote box user.

  14. #14
    Join Date
    May 2007
    Posts
    22
    nice man

    Will try now.

  15. #15
    Join Date
    Mar 2006
    Posts
    148
    I had some issues getting my firewall rules set just right, but I thought I'd share my completed work.

    You still need to do this:

    20, 21: FTP. Note that ftp will use a "random high port number" if the client is in PORT mode, so you may need to add a port range to your /etc/proftpd.conf file to allow ftp connections, e.g.:

    PassivePorts 32555 32565


    Code:
    #################################################
    # ipfw Firewall Commands
    #################################################
    cmd="ipfw -q add"
    ipfw -q -f flush

    #################################################
    # Allow Loopback and Deny Loopback Spoofing
    #################################################
    $cmd allow all from any to any via lo0
    $cmd deny all from any to 127.0.0.0/8
    $cmd deny all from 127.0.0.0/8 to any
    $cmd deny tcp from any to any frag

    #################################################
    # Stateful rules
    #################################################
    $cmd check-state
    $cmd deny tcp from any to any established
    $cmd allow all from any to any out keep-state
    $cmd allow icmp from any to any

    #################################################
    # Incoming/Outgoing Services
    #################################################
    $cmd allow tcp from any to any 21 setup keep-state
    $cmd allow tcp from any to any 22 setup keep-state
    $cmd allow tcp from any to any 25 setup keep-state
    $cmd allow tcp from any to any 53 setup keep-state
    $cmd allow udp from any to any 53 keep-state
    $cmd allow tcp from any to any 80 setup keep-state
    $cmd allow tcp from any to any 110 setup keep-state
    $cmd allow tcp from any to any 143 setup keep-state
    $cmd allow tcp from any to any 443 setup keep-state
    $cmd allow tcp from any to any 2222 setup keep-state
    $cmd allow tcp from any to any 32555-32565 in setup keep-state


    #################################################
    # Deny and Log
    #################################################
    $cmd deny log all from any to any
    Feel free to use them for yourself.

  16. #16
    Join Date
    Jan 2009
    Posts
    78
    I have tried this and the only thing that connects is DirectAdmin on port 2222.

  17. #17
    Join Date
    Aug 2008
    Posts
    4,697
    Show the output of the command "ipfw show".

  18. #18
    Join Date
    Jan 2009
    Posts
    78
    If I have been to a site recently it works, if not it fails:

    Code:
    server1# ipfw show
    00005  708   59530 allow ip from any to any via lo0
    00010    0       0 deny ip from any to 127.0.0.0/8
    00015    0       0 deny ip from 127.0.0.0/8 to any
    00020    0       0 deny tcp from any to any frag
    00025    0       0 check-state
    00030  418   43557 deny tcp from any to any established
    00035   22    2773 allow ip from any to any out keep-state
    00040    0       0 allow icmp from any to any
    00045    0       0 allow tcp from any to any dst-port 21 setup keep-state
    00046    0       0 allow udp from any to any dst-port 21 setup keep-state
    00050  108   13687 allow tcp from any to any dst-port 22 setup keep-state
    00055    0       0 allow tcp from any to any dst-port 25 setup keep-state
    00060    0       0 allow udp from any to any dst-port 53 setup keep-state
    00061    0       0 allow tcp from any to any dst-port 53 setup keep-state
    00065 8185 2860267 allow tcp from any to any dst-port 80 setup keep-state
    00070    0       0 allow tcp from any to any dst-port 443 setup keep-state
    00075    0       0 allow tcp from any to any dst-port 110 setup keep-state
    00080    0       0 allow tcp from any to any dst-port 143 setup keep-state
    00090   77   42565 allow tcp from any to any dst-port 2222 setup keep-state
    00100    0       0 allow tcp from any to any dst-port 35000-35999 setup keep-state
    00999 1221   80886 deny log ip from any to any
    65535    2      92 deny ip from any to any
    Last edited by HMTKSteve; 02-06-2009 at 11:55 AM.
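
    Added example, not from the thread: a POSIX sh/awk audit of 'ipfw show' output that flags deny rules with non-zero packet counters and UDP rules carrying the TCP-only 'setup' keyword, the two things that usually explain a listing like the one above. The sample listing is constructed after that output, not copied from a live server.

```shell
#!/bin/sh
# Audits 'ipfw show' output for deny rules that are actually eating packets
# and for UDP rules that carry 'setup' (a TCP-only match, so they never fire).
# Added example for this thread; SAMPLE is constructed after the listing
# in the post above.

SAMPLE='00025    0       0 check-state
00030  418   43557 deny tcp from any to any established
00046    0       0 allow udp from any to any dst-port 21 setup keep-state
00060    0       0 allow udp from any to any dst-port 53 setup keep-state
00065 8185 2860267 allow tcp from any to any dst-port 80 setup keep-state
00999 1221   80886 deny log ip from any to any
65535    2      92 deny ip from any to any'

# 'ipfw show' columns: rule number, packets, bytes, then the rule body.
# Reads a listing on stdin and prints one finding per line.
audit_ipfw_show() {
    awk '
    {
        body = $4
        for (i = 5; i <= NF; i++) body = body " " $i
        if ($4 == "deny" && $2 > 0)
            printf "rule %s dropped %s packets: %s\n", $1, $2, body
        if ($5 == "udp" && body ~ / setup/)
            printf "rule %s never matches (setup is TCP-only): %s\n", $1, body
    }'
}

# Number of findings, for use in a scripted health check.
count_findings() {
    audit_ipfw_show | grep -c .
}

printf '%s\n' "$SAMPLE" | audit_ipfw_show
```

    On a live box, pipe the real listing in with: ipfw show | sh this_script_with_the_sample_removed, or source the functions and call audit_ipfw_show directly.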

  19. #19
    Join Date
    Nov 2008
    Posts
    6
    Why in the first post does it say 'keep-state' after every port? If you remove it, it should not fail. So no need for that.

    Oooh, and check the rules below; you might like them.

    Code:
    #################################################
    # Deny Port scanning (Nmap)
    #################################################
    $cmd 00600 deny log logamount 50 ip from any to any ipoptions rr
    $cmd 00610 deny log logamount 50 ip from any to any ipoptions ts
    $cmd 00620 deny log logamount 50 ip from any to any ipoptions lsrr
    $cmd 00630 deny log logamount 50 ip from any to any ipoptions ssrr
    $cmd 00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
    $cmd 00650 deny log logamount 50 tcp from any to any tcpflags syn,rst
    We would like port scanning? Nah.

    Code:
    #################################################
    # Protection against DoS attacks
    #################################################
    $cmd 01500 allow icmp from any to any icmptypes 3
    $cmd 01510 allow icmp from any to any icmptypes 4
    $cmd 01520 allow icmp from any to any icmptypes 8
    $cmd 01530 allow icmp from any to any icmptypes 0
    $cmd 01540 allow icmp from any to any icmptypes 11 in
    I don't like DoS attacks on my server. Now this will not hold off all the attacks, but most of them.
    My English is bad

  20. #20
    Join Date
    Aug 2008
    Posts
    4,697
    ICMP isn't gonna stop any kind of DDoS attack lol
