From 9b2115e21e28936f7db6294f2c7ff9a81387de0c Mon Sep 17 00:00:00 2001 From: Adam Chlipala Date: Mon, 22 Aug 2005 00:30:32 +0000 Subject: [PATCH] Migrate to newer ferm version and implement preliminary per-user rules --- closed.conf | 158 +++++++++++++++++++++++++--------------------------- open.conf | 10 ++-- 2 files changed, 79 insertions(+), 89 deletions(-) diff --git a/closed.conf b/closed.conf index 81c2863..4c785b6 100644 --- a/closed.conf +++ b/closed.conf 
@@ -1,66 +1,63 @@ -option iptables option clearall option createchains option automod ############# Define variables -set IFCONFIG "/sbin/ifconfig" -set AWK "/usr/bin/awk" -set GREP "/bin/grep" -set CAT "/bin/cat" -set SED "/bin/sed" +def $IFCONFIG = "/sbin/ifconfig"; +def $AWK = "/usr/bin/awk"; +def $GREP = "/bin/grep"; +def $CAT = "/bin/cat"; +def $SED = "/bin/sed"; -set MASK "29" # Our netmask is /29 = 255.255.255.248 -set IPS "64.20.38.170" -set IFS "eth0" -set IPSPEC "64.20.38.170/%MASK" +def $MASK = 29; # Our netmask is /29 = 255.255.255.248 +def $IPS = 64.20.38.170; +def $IFS = eth0; +def $IPSPEC = "64.20.38.170/$MASK"; -set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'` -#set NTPIP `%CAT /etc/ntp.conf | %GREP server | %AWK '{print $2}'` +def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`; +#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'` + +def $BADGUYS = `/etc/firewall/print_badguys`; ############# Port/protocol combinations we allow in and out -set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s" -set TCP_OUT_DELAY "ssh,ftp,auth" -set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain" -set TCP_OUT_THROUGHPUT "ftp-data" +def $TCP_IN = (ssh smtp auth www ssmtp https imap imaps pop3 pop3s); +def $TCP_OUT_DELAY = (ssh ftp auth); +def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain); +def $TCP_OUT_THROUGHPUT = (ftp-data); #set TCP_OUT_COST "" -set UDP_IN "ntp,domain" -set UDP_OUT "1:65535" +def $UDP_IN = (ntp domain); +def $UDP_OUT = 1:65535; -set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem" -set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem" +def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem); +def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem); # Make us insensitive to the environment +table mangle chain FORWARD 
policy DROP; +table filter chain FORWARD policy DROP; +table filter chain (INPUT OUTPUT) policy DROP; # Allow traffic in areas outside of our scope -policy DROP { - table mangle chain forward; - table filter chain forward; - table filter chain (INPUT,OUTPUT); -} -policy ACCEPT { - table mangle chain (PREROUTING,INPUT,OUTPUT,POSTROUTING); - table nat chain (PREROUTING,OUTPUT,POSTROUTING); -} +table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT; +table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT; ###################################################################### # Built-in chains that jump to our custom ones chain INPUT { - state INVALID goto LDROP; - fragment goto LDROP; + state INVALID goto ldrop; + fragment goto ldrop; # goto IANA_BAN; # goto LOCAL_BAN; #goto PORTSCAN; # Do we need this? There are better, dedicated tools - state (ESTABLISHED,RELATED) ACCEPT; + state (ESTABLISHED RELATED) ACCEPT; if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT; - if lo saddr %IPSPEC daddr %IPSPEC ACCEPT; - if lo goto LDROP; + if lo saddr $IPSPEC daddr $IPSPEC ACCEPT; + if lo goto ldrop; #incoming traffic goto badguys; 
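Review bot: The new `def $BADGUYS = \`/etc/firewall/print_badguys\`;` runs an external program as root on every firewall load and splices its stdout straight into a `saddr` match, so a script failure or an empty/malformed output line now changes the ruleset rather than just the ban list; the old `cat ... | grep -v '^#'` at least filtered comments before the text reached ferm. I would confirm what ferm generates when the backtick result is empty (no rule at all, or a rule with no source match) and document the contract on the definition, e.g. `# must print one IP/CIDR per line and nothing else; empty output must not accept anything`. Note also that the only consumer of `$BADGUYS` is `chain badguys`, and the jump to it near the end of this hunk appears to still be commented out (`#incoming traffic goto badguys;`) — if that is a single commented line the script runs for nothing, so either restore `goto badguys;` in INPUT or drop the definition.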
@@ -68,54 +65,49 @@ chain INPUT { protocol udp goto fw_udp; protocol icmp goto fw_icmp; - goto LDROP; + goto ldrop; } chain OUTPUT { - state INVALID goto LDENY; - fragment goto LDENY; + state INVALID goto lreject; + fragment goto lreject; - state (ESTABLISHED,RELATED) ACCEPT; + state (ESTABLISHED RELATED) ACCEPT; of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT; - of lo saddr %IPSPEC ACCEPT; - of lo goto LDENY; + of lo saddr $IPSPEC ACCEPT; + of lo goto lreject; # queueing goes here, maybe some special fw rules as well proto tcp goto tosqueue; # ACCEPT must be handled here - proto udp dport %UDP_OUT ACCEPT; - proto icmp icmptype %ICMP_OUT ACCEPT; + proto udp dport $UDP_OUT ACCEPT; + proto icmp icmp-type $ICMP_OUT ACCEPT; - goto LDENY; + goto lreject; } -%BADGUYS = `cat /etc/firewall/badguys | grep -v '^#'` - ##################################################################### # Deal with known offenders right away # Make difference between notorious ones and unusual ones chain badguys { - saddr %BADGUYS DROP; + saddr $BADGUYS REJECT; } ##################################################################### # TCP traffic chain fw_tcp proto tcp { # Standard allowances - syn dport %TCP_IN sport 1024: { + syn dport $TCP_IN sport 1024: { limit 5/s ACCEPT; - limit 20/m LOG log-prefix "SYN flood attack:" LOG; - goto LDROP; + limit 20/m LOG log-prefix "SYN flood attack:"; + goto ldrop; } - # Should be covered by (RELATED,ESTABLISHED) ACCEPT above - #dport %TCP_IN accept; - # deny scanning via DNS port sport domain { dport domain ACCEPT; - syn goto LDROP; + syn goto ldrop; } # special case to allow active ftp transfers to our machine! @@ -123,15 +115,11 @@ chain fw_tcp proto tcp { ACCEPT; } + include 'users_tcp_in.conf'; + # awkward incoming connections syn { - goto LDROP; - } - - # want to deny inside-out fake stuff? uncomment this: - # (see /proc/sys/net/ipv4/ip_local_port_range ): Tune the file to 13999 ! - dport 14000: { - goto LDROP; + goto ldrop; } } 
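Review bot: `saddr $BADGUYS REJECT;` in `chain badguys` changes the old `DROP` into an active reply to addresses we have already classified as hostile, which confirms the host is up to exactly those scanners and, when the listed source is spoofed, turns this box into an ICMP reflector toward the real owner of that address. Silently discarding is the safer default for a ban list; I would keep `saddr $BADGUYS DROP;` and reserve REJECT for locally-originated traffic where a fast failure helps a process on this machine. If the intent of REJECT here was debugging, a comment saying so would stop the next reader from treating it as policy.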
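Review bot: `include 'users_tcp_in.conf';` is placed inside `chain fw_tcp proto tcp` directly ahead of the catch-all `syn { goto ldrop; }`, so any `ACCEPT` the included file contains opens a new inbound TCP port to the whole Internet with no further check — the file's ownership and mode are now part of the root-run firewall policy, and the hunk gives no hint what a valid entry looks like. A comment at the include would make that boundary explicit, e.g. `# per-user inbound TCP allowances: root-owned only; each ACCEPT here is a world-reachable port`, and the expected rule shape (presumably something like `syn dport N ACCEPT;`) should be stated wherever that file is generated. As far as I recall ferm aborts the whole load when an included file is missing, so make sure the file exists (even empty) on a fresh install or the host could come up with no rules applied. The `fw_tcp` chain starts before this hunk.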
@@ -139,12 +127,12 @@ chain fw_tcp proto tcp { # UDP traffic chain fw_udp proto udp { # Standard allowances - dport %UDP_IN sport 1024: { + dport $UDP_IN sport 1024: { ACCEPT; } # again no dns fumbling around - sport domain dport domain saddr %NSIP { + sport domain dport domain saddr $NSIP { ACCEPT; } } @@ -154,7 +142,7 @@ chain fw_udp proto udp { # ICMP traffic chain fw_icmp proto icmp { # Standard allowances - icmptype %ICMP_IN { + icmp-type $ICMP_IN { ACCEPT; } 
@@ -171,41 +159,45 @@ chain fw_icmp proto icmp { chain tosqueue { protocol tcp { # rapid response protocols -# dport %TCP_OUT_DELAY settos min-delay ACCEPT; - dport %TCP_OUT_DELAY ACCEPT; - sport %TCP_OUT_DELAY ACCEPT; +# dport $TCP_OUT_DELAY settos min-delay ACCEPT; + dport $TCP_OUT_DELAY ACCEPT; + sport $TCP_OUT_DELAY ACCEPT; # keep these from timing out -# dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT; - dport %TCP_OUT_RELIABILITY ACCEPT; - sport %TCP_OUT_RELIABILITY ACCEPT; +# dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT; + dport $TCP_OUT_RELIABILITY ACCEPT; + sport $TCP_OUT_RELIABILITY ACCEPT; # bulk stuff -# dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT; - dport %TCP_OUT_THROUGHPUT ACCEPT; - sport %TCP_OUT_THROUGHPUT ACCEPT; -# dport (ftp-data,8888,6699) settos max-throughput ACCEPT; - dport (ftp-data,8888,6699) ACCEPT; - sport (ftp-data,8888,6699) ACCEPT; +# dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT; + dport $TCP_OUT_THROUGHPUT ACCEPT; + sport $TCP_OUT_THROUGHPUT ACCEPT; +# dport (ftp-data 8888 6699) settos max-throughput ACCEPT; + dport (ftp-data 8888 6699) ACCEPT; + sport (ftp-data 8888 6699) ACCEPT; } -# proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT; - goto LDENY; +# proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT; + + include 'users_tcp_out.conf'; + + goto lreject; } ##################################################################### # Supporting targets -chain LDROP { +chain ldrop { LOG { - log-level info logprefix "Dropped"; + log-level info log-prefix "Dropped"; log-level warn fragment log-prefix "FRAGMENT Dropped"; } - DROP; + REJECT; } -chain LDENY { +chain lreject { LOG { - log-level info proto tcp logprefix "Denied"; + log-level info proto tcp log-prefix "Denied"; log-level warn fragment log-prefix "FRAGMENT Denied"; } - DENY; + REJECT; } +include 'users.conf'; diff --git a/open.conf b/open.conf index ea7a5aa..1240758 100644 --- a/open.conf +++ b/open.conf 
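Review bot: `chain ldrop` now ends in `REJECT;` instead of `DROP;`, but it is the terminal target for everything INPUT refuses — `state INVALID`, fragments, SYN-flood overflow and the final `goto ldrop` — so the host now answers every unsolicited or malformed packet with an ICMP error, advertising itself to scanners and reflecting replies toward spoofed sources. The chain name and its `log-prefix "Dropped"` also no longer describe what happens, which will mislead anyone reading the logs. I would restore `DROP;` as the last line of `ldrop` and keep REJECT only in `lreject`, which serves the OUTPUT side where a local process benefits from an immediate failure. Separately, `include 'users_tcp_out.conf';` and the trailing `include 'users.conf';` are read by ferm as root, so a short comment on each stating who may write those files would document the new trust boundary this commit introduces.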
@@ -1,10 +1,8 @@ -option iptables option clearall option createchains -policy ACCEPT { - table filter chain (INPUT FORWARD OUTPUT); - table mangle chain (PREROUTING OUTPUT); - table nat chain (PREROUTING POSTROUTING OUTPUT); -} +table filter chain (INPUT FORWARD OUTPUT) policy ACCEPT; +table mangle chain (PREROUTING OUTPUT) policy ACCEPT; +table nat chain (PREROUTING POSTROUTING OUTPUT) policy ACCEPT; + -- 2.20.1