Web and ssh work! A lot of tuning and style

diff --git a/closed.conf b/closed.conf
index 5e79bb4..51d8ce4 100644 (file)
--- a/closed.conf
+++ b/closed.conf
@@ -21,12 +21,12 @@ set NSIP       `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
 
 ############# Port/protocol combinations we allow in and out
 set TCP_IN        "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
 
 ############# Port/protocol combinations we allow in and out
 set TCP_IN        "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"

-set TCP_OUT_DELAY         "ssh,ftp"
+set TCP_OUT_DELAY         "ssh,ftp,auth"

 set TCP_OUT_RELIABILITY           "http,nntp,smtp,pop3,auth,domain"
 set TCP_OUT_RELIABILITY           "http,nntp,smtp,pop3,auth,domain"

-set TCP_OUT_THROUGHPUT    "ftp-data,napster,napserv"
-set TCP_OUT_COST          ""
+set TCP_OUT_THROUGHPUT    "ftp-data"
+#set TCP_OUT_COST         ""

 
 

-set UDP_IN        "ntp"
+set UDP_IN        "ntp,domain"

 set UDP_OUT       "1:65535"
 
 set ICMP_IN       "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
 set UDP_OUT       "1:65535"
 
 set ICMP_IN       "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"


@@ -34,55 +34,54 @@ set ICMP_OUT         "ping,pong,fragmentation-needed,source-quench,parameter-problem"
 
 
 # Make us insensitive to the environment
 
 
 # Make us insensitive to the environment

+
+# Allow traffic in areas outside of our scope

 policy DROP {
 policy DROP {

-       table filter chain (INPUT FORWARD);
-       table mangle chain (PREROUTING);
-       table nat chain (PREROUTING POSTROUTING);
+       table mangle chain forward;
+       table filter chain forward;
+       table filter chain (INPUT,OUTPUT);

 }
 }

-policy DENY {
-       table filter chain (OUTPUT);
-       table mangle chain (OUTPUT);
-       table nat chain (OUTPUT);
+policy ACCEPT {
+       table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING);
+       table nat    chain (PREROUTING,OUTPUT,POSTROUTING);

 }
 
 }
 

-

 ######################################################################
 # Built-in chains that jump to our custom ones
 
 chain INPUT {
 ######################################################################
 # Built-in chains that jump to our custom ones
 
 chain INPUT {

-
-       state INVALID goto UNUSUAL DROP;
-       fragment goto UNUSUAL DROP;
-
+       state INVALID goto LDROP;
+       fragment goto LDROP;

 #      goto IANA_BAN;
 #      goto LOCAL_BAN;
 #      goto IANA_BAN;
 #      goto LOCAL_BAN;

-       goto PORTSCAN;
+       #goto PORTSCAN; # Do we need this? There are better, dedicated tools

 
        state (ESTABLISHED,RELATED) ACCEPT;
 
        if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
 
        state (ESTABLISHED,RELATED) ACCEPT;
 
        if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;

-       if lo goto UNUSUAL DROP;
-
-       #incoming traffic, seperate by interface
-       if %IFS {
-               goto badguys;
-               protocol tcp goto fw_tcp;
-               protocol udp goto fw_udp;
-               protocol icmp goto fw_icmp;
-       }
+       if lo saddr %IPSPEC     daddr %IPSPEC     ACCEPT;
+       if lo goto LDROP;
+
+       #incoming traffic
+       goto badguys;
+       protocol tcp goto fw_tcp;
+       protocol udp goto fw_udp;
+       protocol icmp goto fw_icmp;
+
+       goto LDROP;

 }
 
 chain OUTPUT {
 }
 
 chain OUTPUT {

-
-       state INVALID goto UNUSUAL DENY;
-       fragment goto UNUSUAL DENY;
+       state INVALID goto LDENY;
+       fragment goto LDENY;

 
        state (ESTABLISHED,RELATED) ACCEPT;
 
        of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
 
        state (ESTABLISHED,RELATED) ACCEPT;
 
        of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;

-       of lo goto UNUSUAL DENY;
+       of lo saddr %IPSPEC     daddr %IPSPEC     ACCEPT;
+       of lo goto LDENY;

 
 

-       saddr !%IPSPEC goto UNUSUAL DENY;
+       saddr !%IPSPEC goto LDENY;

 
        # again uncomment for trojan horses protection and inside out
        # violations....
 
        # again uncomment for trojan horses protection and inside out
        # violations....


@@ -93,17 +92,14 @@ chain OUTPUT {
 
        proto udp dport %UDP_OUT ACCEPT;
        proto icmp icmptype %ICMP_OUT ACCEPT;
 
        proto udp dport %UDP_OUT ACCEPT;
        proto icmp icmptype %ICMP_OUT ACCEPT;

+
+       goto LDENY;

 }
 
 #####################################################################
 # Deal with known offenders right away
 # Make difference between notorious ones and unusual ones
 chain badguys {
 }
 
 #####################################################################
 # Deal with known offenders right away
 # Make difference between notorious ones and unusual ones
 chain badguys {

-       #saddr spammer.net.com DROP; # you may specify computer names as well
-       saddr 10/8 DROP; # or network addresses like this impossible one
-       daddr 10/8 DROP; # maybe even from guys fooling you around
-       saddr 123.45.6.78 DROP; # a single machine, very bad
-       saddr 123.45.6/24 DROP; # better to include the entire subnet

 
        saddr(
                # Mailbombing nion's email
 
        saddr(
                # Mailbombing nion's email


@@ -134,29 +130,20 @@ chain badguys {
 #####################################################################
 # TCP traffic
 chain fw_tcp proto tcp {
 #####################################################################
 # TCP traffic
 chain fw_tcp proto tcp {

-

        # Standard allowances
        syn dport %TCP_IN sport 1024: {
        # Standard allowances
        syn dport %TCP_IN sport 1024: {

-               limit 200/s ACCEPT;
-               limit 5/m LOG log-prefix "SYN flood attack:" LOG;
-               DROP;
+               limit 5/s ACCEPT;
+               limit 20/m LOG log-prefix "SYN flood attack:" LOG;
+               goto LDROP;

        }
 
        }
 

-       # drop all syns: (incoming connections)
-       syn {
-               log-prefix "tcp SYN Dropped" LOG;
-               DROP;
-       }
-       
-       dport :1023 {
-               log-prefix "TCP packet not syn std port" LOG;
-               DROP;
-       }
+       # Should be covered by (RELATED,ESTABLISHED) ACCEPT above
+       #dport %TCP_IN accept;

 
        # deny scanning via DNS port
        sport domain {
                dport domain ACCEPT;
 
        # deny scanning via DNS port
        sport domain {
                dport domain ACCEPT;

-               syn goto LDENY;
+               syn goto LDROP;

        }
 
        # special case to allow active ftp transfers to our machine!
        }
 
        # special case to allow active ftp transfers to our machine!


@@ -166,25 +153,19 @@ chain fw_tcp proto tcp {
 
        # awkward incoming connections
        syn {
 
        # awkward incoming connections
        syn {

-               goto LDENY;
-       }
-
-       # lock suid ports
-       sport :1023 {
-               goto LDENY;
+               goto LDROP;

        }
 
        # want to deny inside-out fake stuff? uncomment this:
        # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
        dport 14000: { 
        }
 
        # want to deny inside-out fake stuff? uncomment this:
        # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 !
        dport 14000: { 

-               goto LDENY;
+               goto LDROP;

        }
        }

-
+}

 
 #####################################################################
 # UDP traffic
 chain fw_udp proto udp {
 
 #####################################################################
 # UDP traffic
 chain fw_udp proto udp {

-

        # Standard allowances
        dport %UDP_IN sport 1024: {
                ACCEPT;
        # Standard allowances
        dport %UDP_IN sport 1024: {
                ACCEPT;


@@ -194,14 +175,12 @@ chain fw_udp proto udp {
        sport domain dport domain saddr %NSIP {
                ACCEPT;
        }
        sport domain dport domain saddr %NSIP {
                ACCEPT;
        }

-       goto LDENY;

 }
 
 
 #####################################################################
 # ICMP traffic
 chain fw_icmp proto icmp {
 }
 
 
 #####################################################################
 # ICMP traffic
 chain fw_icmp proto icmp {

-

        # Standard allowances
        icmptype %ICMP_IN {
                ACCEPT;
        # Standard allowances
        icmptype %ICMP_IN {
                ACCEPT;


@@ -212,25 +191,32 @@ chain fw_icmp proto icmp {
        #       ACCEPT;
        #}
        # never seen hits on this one:
        #       ACCEPT;
        #}
        # never seen hits on this one:

-       goto LDENY;

 }
 
 
 #####################################################################
 # TOS (Type-of-service) adjustments
 chain tosqueue {
 }
 
 
 #####################################################################
 # TOS (Type-of-service) adjustments
 chain tosqueue {

-
-       protocol tcp reverse {
+       protocol tcp {

                # rapid response protocols
                # rapid response protocols

-               dport %TCP_OUT_DELAY settos min-delay ACCEPT;
+#              dport %TCP_OUT_DELAY settos min-delay ACCEPT;
+               dport %TCP_OUT_DELAY ACCEPT;
+               sport %TCP_OUT_DELAY ACCEPT;

                # keep these from timing out
                # keep these from timing out

-               dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
+#              dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
+               dport %TCP_OUT_RELIABILITY ACCEPT;
+               sport %TCP_OUT_RELIABILITY ACCEPT;

                # bulk stuff
                # bulk stuff

-               dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
-    dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
+#              dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
+               dport %TCP_OUT_THROUGHPUT ACCEPT;
+               sport %TCP_OUT_THROUGHPUT ACCEPT;
+#    dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
+    dport (ftp-data,8888,6699) ACCEPT;
+    sport (ftp-data,8888,6699) ACCEPT;

        }
 
        }
 

-       proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
+#      proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
+       goto LDENY;

 }
 
 #####################################################################
 }
 
 #####################################################################


@@ -243,10 +229,6 @@ chain LDROP {
        DROP;
 }
 
        DROP;
 }
 

-chain UNUSUAL {
-       LOG { log-level info logprefix "Unusual"; }
-}
-

 chain LDENY {
        LOG {
                log-level info proto tcp logprefix "Denied";
 chain LDENY {
        LOG {
                log-level info proto tcp logprefix "Denied";


@@ -255,50 +237,3 @@ chain LDENY {
        DENY;
 }
 
        DENY;
 }
 

-chain TCPACCEPT {
-       proto tcp {
-               syn limit 100/s ACCEPT;
-               ! syn ACCEPT;
-       }
-       logprefix "Mismatch in TCPACCEPT" LOG;
-       DENY;
-}
-
-chain UDPACCEPT {
-       proto udp ACCEPT;
-       logprefix "Mismatch in UDPACCEPT" LOG;
-       DENY;
-}
-
-
-
-#chain IANA_BAN {
-#      saddr %IANA_BANS DROP;
-#}
-#
-#chain LOCAL_BAN {
-#      saddr %LOCAL_BANS DROP;
-#}
-
-chain PORTSCAN {
-       proto tcp {
-               tcp-flags FIN:SYN:RST:PSH:ACK:URG NONE {
-                       limit 5/min log-prefix "NULL SCAN:" log-level 5
-                       log-tcp-options log-ip-options LOG;
-                       DROP;
-               }
-               tcp-flags FIN:SYN:RST:PSH:ACK:URG FIN:PSH:URG {
-                       limit 5/min log-prefix "NMAP-XMAS Portscan:" log-level 5 LOG;
-                       DROP;
-               }
-               tcp-flags SYN:RST SYN:RST {
-                       limit 5/min log-prefix "SYN/RST Portscan:" log-level 5 LOG;
-                       DROP;
-               }
-               tcp-flags FIN:SYN FIN:SYN {
-                       limit 5/min log-prefix "SYN/FIN Portscan:" log-level 5 LOG;
-                       DROP;
-               }
-       }
-}
-