IPFW + DirectAdmin + FIREWALL RULESETS AVAILABLE HERE

Senad

Verified User
Joined
Jan 14, 2005
Messages
79
This is a tutorial I met at BSDTechTalk (located at: http://www.bsdtechtalk.com/showthread.php?t=78 )

Thought I'd share it here with everybody.

I hope this helps some people who are interesting in getting a firewall up for their BSD system (although they should be :D).
==================
==================



Tutorial Title: Quick IPFW Tutorial

Tutorial Summary:
Quick IPFW tutorial and an example IPFW config file showing a setup for a freebsd server with a DirectAdmin control panel.

Author: Senad

Contact: bsd@bsdtechtalk.com

BSD Type: FreeBSD
BSD Version: FreeBSD 5.x ,6.x


Tutorial:
IPFW can be added to FreeBSD 5.x,6.x by adding the IPFW commands and then startup up IPFW. FreeBSD 4.x needs IPFW compiled into the kernel.

Allright lets begin.

Firewall configuration
In /etc/rc.conf we added the following options to turn on IPFW:
Code:
nano /etc/rc.conf
Code:
firewall_enable=”YES” 
firewall_script="YES” 
firewall_script="/etc/ipfw.rules"
Then

Code:
nano /etc/ipfw.rules
DirectAdmin Control Panel requires the following ports to be opened:

20,21: FTP. Note that ftp will use a "random high port number" if the client is in PORT mode, so you may need to add a port rang into your /etc/proftpd.conf file to allow ftp connections, eg:

PassivePorts 32555 32565
and then open that port range as well in your firewall.

In our example we will use port 21 for FTP!

22: ssh access

25: smtp for exim to recieve email

53: dns (named), so your sites resolve

80, 443: apache traffic, http and https

110: client pop email access
143: clients imap email access

2222: DirectAdmin Access

3306: mysql acess. You don't need to open this port if you don't want to allow remote mysql access, as most mysql scripts are all accessed locally.

Add the following Rules
Code:
##############################
# IPFW RULES Server
##############################
cmd="ipfw -q add"
ipfw -q -f flush

##############################
#Allow loopback and deny loopback spoofing
##############################
$cmd 05 allow all from any to any via lo0
$cmd 10 deny all from any to 127.0.0.0/8
$cmd 15 deny all from 127.0.0.0/8 to any
$cmd 20 deny tcp from any to any frag

##############################
# Stateful Rules
##############################
$cmd 25 check-state
$cmd 30 allow tcp from any to any established
$cmd 35 allow all from any to any out keep-state
$cmd 40 allow icmp from any to any

##############################
# Incoming/outgoing services
##############################
$cmd 45 allow tcp from any to any 21 in setup keep-state
$cmd 46 allow udp from any to any 21 in setup keep-state
$cmd 50 allow tcp from any to any 22 in setup keep-state
$cmd 55 allow tcp from any to any 25 in setup keep-state
$cmd 60 allow udp from any to any 53 in setup keep-state
$cmd 61 allow tcp from any to any 53 in setup keep-state
$cmd 65 allow tcp from any to any 80 in setup keep-state
$cmd 70 allow tcp from any to any 443 in setup keep-state
$cmd 75 allow tcp from any to any 110 in setup keep-state
$cmd 80 allow tcp from any to any 143 in setup keep-state
$cmd 90 allow tcp from any to any 2222 in setup keep-state
$cmd 100 allow tcp from any to any 49152-65535 out setup keep-state

##############################
# Deny and log
##############################
$cmd 999 deny log all from any to any
or use stateless firewall rules:
Code:
##############################
# IPFW RULES Server
##############################
cmd="ipfw -q add"
ipfw -q -f flush
ks="keep-state"

##############################
#Allow loopback and deny loopback spoofing
##############################
$cmd 10 allow all from any to any via lo0
$cmd 20 deny all from any to 127.0.0.0/8
$cmd 30 deny all from 127.0.0.0/8 to any
$cmd 40 deny tcp from any to any frag

##############################
# Stateful Rules
##############################
$cmd 50 check-state
$cmd 60 allow tcp from any to any established
$cmd 70 allow all from any to any out keep-state
$cmd 80 allow icmp from any to any

##############################
# Incoming/outgoing services
##############################
$cmd 90 allow tcp from any to any 21 in
$cmd 100 allow tcp from any to any 21 out
$cmd 110 allow udp from any to any 21 in
$cmd 120 allow udp from any to any 21 out
$cmd 130 allow tcp from any to any 22 in
$cmd 140 allow tcp from any to any 22 out
$cmd 150 allow tcp from any to any 25 in
$cmd 160 allow tcp from any to any 25 out
$cmd 170 allow udp from any to any 53 in
$cmd 180 allow udp from any to any 53 out
$cmd 190 allow tcp from any to any 80 in
$cmd 200 allow tcp from any to any 80 out
$cmd 210 allow tcp from any to any 443 in
$cmd 220 allow tcp from any to any 443 out
$cmd 230 allow tcp from any to any 110 in
$cmd 240 allow tcp from any to any 110 out
$cmd 250 allow tcp from any to any 143 in
$cmd 260 allow tcp from any to any 143 out
$cmd 270 allow tcp from any to any 2222 in
$cmd 280 allow tcp from any to any 2222 out
$cmd 290 allow tcp from any to any 49152-65535 out

##############################
# Deny and log
##############################
$cmd 999 deny log all from any to any
Now lets run ipfw
Code:
/etc/rc.d/ipfw start
 
Last edited:

dennisc

Verified User
Joined
Mar 14, 2005
Messages
75
/etc/rc.conf:

Code:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_program="/sbin/pflogd"
/etc/pf.conf

Code:
# /etc/pf.conf

# Macros
WWW="111.222.333.444/32"
DNS="{ 111.222.333.445/32, 111.222.333.446/32 }"
IF="rl0"
LOCAL_IF="lo0"
NO_ROUTE="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Options
set optimization normal
set block-policy drop
set require-order yes

# Traffic Normalization
scrub in all

# Packet Filtering
block in log all
block out log all

antispoof log quick for $LOCAL_IF inet
pass in on $LOCAL_IF inet all keep state
pass out on $LOCAL_IF inet all keep state

antispoof log quick for $IF inet
block in log quick on $IF from $NO_ROUTE to $IF
block return-rst in log quick on $IF inet proto tcp from any to $WWW port 113
pass in on $IF inet proto icmp from any to $WWW icmp-type 8 code 0 keep state
pass in on $IF inet proto udp from any to $DNS port 53 keep state
pass in on $IF inet proto tcp from any to $WWW port 22 flags S/SA modulate state
pass in on $IF inet proto tcp from any to $WWW port 25 flags S/SA modulate state
pass in on $IF inet proto tcp from any to $WWW port 80 flags S/SA modulate state
pass in on $IF inet proto tcp from any to $WWW port 443 flags S/SA modulate state
block out log quick on $IF from $IF to $NO_ROUTE
pass out on $IF inet from $IF to any keep state
"quick" in a rule means no further rules will be processed if the rule matches.

To run pf:

Code:
pfctl -Rf /etc/pf.conf
 
Last edited:

Senad

Verified User
Joined
Jan 14, 2005
Messages
79
firewall_type="OPEN"
This will leave all of your firewall ports open to any connections. Basically you have no firewall since it allows all traffic to pass through.
 

greenm

Verified User
Joined
Jul 11, 2006
Messages
38
can someone confirm me this is correct:

/etc/rc.conf
Code:
firewall_enable="YES"
firewall_script="YES" 
firewall_script="/etc/ipfw.rules"
/etc/ipfw.rules
Code:
##############################
# IPFW RULES Server
##############################
cmd="ipfw -q add"
ipfw -q -f flush

##############################
#Allow loopback and deny loopback spoofing
##############################
$cmd 05 allow all from any to any via lo0
$cmd 10 deny all from any to 127.0.0.0/8
$cmd 15 deny all from 127.0.0.0/8 to any
$cmd 20 deny tcp from any to any frag

##############################
# Stateful Rules
##############################
$cmd 25 check-state
$cmd 30 allow tcp from any to any established
$cmd 35 allow all from any to any out keep-state
$cmd 40 allow icmp from any to any

##############################
# Incoming/outgoing services
##############################
$cmd 45 allow tcp from any to any 21 in setup keep-state
$cmd 46 allow udp from any to any 21 in setup keep-state
$cmd 50 allow tcp from any to any 22 in setup keep-state
$cmd 55 allow tcp from any to any 25 in setup keep-state
$cmd 60 allow udp from any to any 53 in setup keep-state
$cmd 61 allow tcp from any to any 53 in setup keep-state
$cmd 65 allow tcp from any to any 80 in setup keep-state
$cmd 70 allow tcp from any to any 443 in setup keep-state
$cmd 75 allow tcp from any to any 110 in setup keep-state
$cmd 80 allow tcp from any to any 143 in setup keep-state
$cmd 90 allow tcp from any to any 2222 in setup keep-state
$cmd 100 allow tcp from any to any 49152-65535 out setup keep-state

##############################
# Deny and log
##############################
$cmd 999 deny log all from any to any
I was reading about this:

Also, shouldnt your rule;

Code:
$cmd 30 allow tcp from any to any established

be

Code:
$cmd 30 deny tcp from any to any established
 

Senad

Verified User
Joined
Jan 14, 2005
Messages
79
Also, shouldnt your rule;

Code:
$cmd 30 allow tcp from any to any established

be

Code:
$cmd 30 deny tcp from any to any established
No it should allow it to be an established connections so the firewall rule will then keep the established/required connections in a stateful insepection. If you deny it then the firewall rule will deny every connection after the packets return.

Simpler way of saying it:
PC A sends syn packet to host. Host replies with a SYN,ACK...PC A sends back an ACK. You now have an established connection. Now since that rule is above the other more secified rulesets the firewalls stateful packet inspection will see that there is already an authorized connection with the host. If you set it at deny it will hence not allow that host to connect and access the required information and it will deny the user to that host. Having the established command allows you to keep that state at an approved method without having to go and read all of the firewall rulesets all over again. Since the firewall knows and keeps the state it will hence know to keep that state established and allowed by that rule. Hope that helps/makes sense.
 

greenm

Verified User
Joined
Jul 11, 2006
Messages
38
Senad, thank you for your post.
I was uncertain to activate my ipfw.

I still have 1 question about this ipfw config.
you are talking about the passive ports in proftpd:

PassivePorts 32555 32565
shouldnt the rule be from:

$cmd 100 allow tcp from any to any 49152-65535 out setup keep-state
to

$cmd 100 allow tcp from any to any 32555 - 32565 out setup keep-state
or are those ports for other services?

Also, could someone give me an example of giving a specific ip access to mysql.

As you can imagine, i'm not really familiar with ipfw ^^'
 
Last edited:

chatwizrd

Verified User
Joined
Jul 3, 2005
Messages
2,007
You can setup your own ports that you want your ftp server to use so senads rule may be different from yours.
 

greenm

Verified User
Joined
Jul 11, 2006
Messages
38
i know this, its was more the question if the passive port is another entry on the ipfw.conf or do i need to adept the line in my previous post...
 

greenm

Verified User
Joined
Jul 11, 2006
Messages
38
k well i've got everything figured out, only now i have 1 enoying little problem.

opening passive ports will take long and a new port is opened every dir switch.

when i disable the firewall its all working cool. so i think its something with the ipfw.conf..

more people having this problem?
 

Chrysalis

Verified User
Joined
Aug 25, 2004
Messages
1,584
Location
uk
specify passive port range in proftpd.conf then you dont have to open such a big port range.
 

greenm

Verified User
Joined
Jul 11, 2006
Messages
38
well i figured it out:

if your proftpd passive port range is:
32555-32565 do:

Instead of:
$cmd 100 allow tcp from any to any 32555-32565 out setup keep-state

To
$cmd 100 allow tcp from any to any 32555-32565 in setup keep-state

So out to in, this works for me.
 

Senad

Verified User
Joined
Jan 14, 2005
Messages
79
Sorry about the long delay been very busy here. Greenm yes the ruleset I created was based on a remote box user.
 

labrocca

Verified User
Joined
Mar 12, 2006
Messages
151
I had some issues getting my firewall rules set just right but I thought to share my completed work.

You still need to do this:

20,21: FTP. Note that ftp will use a "random high port number" if the client is in PORT mode, so you may need to add a port rang into your /etc/proftpd.conf file to allow ftp connections, eg:

PassivePorts 32555 32565


#################################################
# ipfw Firewall Commands
#################################################
cmd="ipfw -q add"
ipfw -q -f flush

#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$cmd allow all from any to any via lo0
$cmd deny all from any to 127.0.0.0/8
$cmd deny all from 127.0.0.0/8 to any
$cmd deny tcp from any to any frag

#################################################
# Stateful rules
#################################################
$cmd check-state
$cmd deny tcp from any to any established
$cmd allow all from any to any out keep-state
$cmd allow icmp from any to any

#################################################
# Incoming/Outgoing Services
#################################################
$cmd allow tcp from any to any 21 setup keep-state
$cmd allow tcp from any to any 22 setup keep-state
$cmd allow tcp from any to any 25 setup keep-state
$cmd allow tcp from any to any 53 setup keep-state
$cmd allow udp from any to any 53 keep-state
$cmd allow tcp from any to any 80 setup keep-state
$cmd allow tcp from any to any 110 setup keep-state
$cmd allow tcp from any to any 143 setup keep-state
$cmd allow tcp from any to any 443 setup keep-state
$cmd allow tcp from any to any 2222 setup keep-state
$cmd allow tcp from any to any 32555-32565 in setup keep-state


#################################################
# Deny and Log
#################################################
$cmd deny log all from any to any
Feel free to use them for yourself.
 

HMTKSteve

Verified User
Joined
Jan 18, 2009
Messages
78
I have tried this and the only thing that connects is the directadmin on port 2222
 

HMTKSteve

Verified User
Joined
Jan 18, 2009
Messages
78
If I have been to a site recently it works, if not it fails:

Code:
server1# ipfw show
00005  708   59530 allow ip from any to any via lo0
00010    0       0 deny ip from any to 127.0.0.0/8
00015    0       0 deny ip from 127.0.0.0/8 to any
00020    0       0 deny tcp from any to any frag
00025    0       0 check-state
00030  418   43557 deny tcp from any to any established
00035   22    2773 allow ip from any to any out keep-state
00040    0       0 allow icmp from any to any
00045    0       0 allow tcp from any to any dst-port 21 setup keep-state
00046    0       0 allow udp from any to any dst-port 21 setup keep-state
00050  108   13687 allow tcp from any to any dst-port 22 setup keep-state
00055    0       0 allow tcp from any to any dst-port 25 setup keep-state
00060    0       0 allow udp from any to any dst-port 53 setup keep-state
00061    0       0 allow tcp from any to any dst-port 53 setup keep-state
00065 8185 2860267 allow tcp from any to any dst-port 80 setup keep-state
00070    0       0 allow tcp from any to any dst-port 443 setup keep-state
00075    0       0 allow tcp from any to any dst-port 110 setup keep-state
00080    0       0 allow tcp from any to any dst-port 143 setup keep-state
00090   77   42565 allow tcp from any to any dst-port 2222 setup keep-state
00100    0       0 allow tcp from any to any dst-port 35000-35999 setup keep-state
00999 1221   80886 deny log ip from any to any
65535    2      92 deny ip from any to any
 
Last edited:

Spetterpoep

Verified User
Joined
Nov 26, 2008
Messages
6
Why in the begin post after every port it says 'keep-state'? If you remove it, it should not fail. So no need for that.

Oooh and check the rules under, u might like it.

Code:
#################################################
# Deny Port scanning (Nmap)
#################################################
$cmd 00600 deny log logamount 50 ip from any to any ipoptions rr
$cmd 00610 deny log logamount 50 ip from any to any ipoptions ts
$cmd 00620 deny log logamount 50 ip from any to any ipoptions lsrr
$cmd 00630 deny log logamount 50 ip from any to any ipoptions ssrr
$cmd 00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
$cmd 00650 deny log logamount 50 tcp from any to any tcpflags syn,rst
We would like Portscanning? nah ;)

Code:
#################################################
# Protection agianst DoS attacks
#################################################
$cmd 01500 allow icmp from any to any icmptypes 3
$cmd 01510 allow icmp from any to any icmptypes 4
$cmd 01520 allow icmp from any to any icmptypes 8
$cmd 01530 allow icmp from any to any icmptypes 0
$cmd 01540 allow icmp from any to any icmptypes 11 in
I dont like DoS attacks on my server. Now this will not hold all the attacks, but most of it :p
 

scsi

Verified User
Joined
Aug 19, 2008
Messages
4,695
Icmp isnt gonna stop any kind of ddos attack lol
 
Top