
Rulesets for IP Filter

In document Comparative Firewall Study (Page 85-91)

3.5 Rulesets for the firewalls

3.5.6 Rulesets for IP Filter

IP Filter can load two configuration files:

• Filter rules: typically read by ipf -Fa -f <file> from /etc/ipf.rules or /usr/local/etc/ipf.rules
• Translation rules: typically read by ipnat -CF -f <file> from /etc/ipnat.rules or /usr/local/etc/ipnat.rules

List 42: IP Filter configuration files

Blank lines in those files are ignored, and lines beginning with # are treated as comments. Filter rules specify the criteria that a packet must match and the resulting action, either deny or allow, that is taken when a match is found. Like Packetfilter, IP Filter evaluates filter rules sequentially, first to last. Unless the packet matches a rule containing the quick keyword, it is evaluated against all filter rules before the final action is taken: the last matching rule wins and dictates what happens to the packet. There is an implicit default action, deny all or allow all, that applies when a packet matches no filter rule. Nevertheless, a filtering ruleset should begin with an explicit deny all or allow all, so that its behaviour does not depend on that implicit default.
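To make that evaluation order concrete, here is an added Python model of it (an example written for this page, not code from the thesis): it parses the subset of ipf syntax used in these rulesets (continuation lines, log, quick, on, proto, from/to, port = N and port A >< B, keep state), represents a packet as a plain dict, and assumes pass as the implicit default when nothing matches; all sample rules and packets are constructed.

```python
import ipaddress
import re
RULE_RE = re.compile(  # subset of the IP Filter syntax on this page (added example, not thesis code)
    r"^(?P<action>pass|block) (?P<dir>in|out)(?P<log> log)?(?P<quick> quick)?(?: on (?P<iface>\S+))?"
    r"(?: proto (?P<proto>\S+))? (?:(?P<all>all)|from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port (?:= (?P<eq>\d+)|(?P<lo>\d+) >< (?P<hi>\d+)))?)(?: keep state)?$")

def parse_rules(text):
    """Join backslash-continued lines, skip blanks and # comments, parse each rule."""
    rules = []
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = " ".join(line.split())
        if line and not line.startswith("#"):
            m = RULE_RE.match(line)
            if m is None:
                raise ValueError("unsupported rule: " + line)
            rules.append(m.groupdict())
    return rules

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):  # pkt: dict with dir, iface, proto, src, dst, dport (constructed)
    if rule["dir"] != pkt["dir"] or (rule["iface"] and rule["iface"] != pkt["iface"]):
        return False
    if rule["proto"] and pkt["proto"] not in rule["proto"].split("/"):
        return False
    if not rule["all"] and not (in_net(rule["src"], pkt["src"]) and in_net(rule["dst"], pkt["dst"])):
        return False
    if rule["eq"]:
        return pkt["dport"] == int(rule["eq"])
    return not rule["lo"] or int(rule["lo"]) < pkt["dport"] < int(rule["hi"])  # >< is exclusive

def evaluate(rules, pkt, default="pass"):
    """Last match wins unless a match is quick; default = implicit action (IP Filter: pass)."""
    result = default
    for rule in rules:
        if matches(rule, pkt):
            result = rule["action"]
            if rule["quick"]:
                break
    return result

# Constructed sample: ruleset 4's opening lines plus a pass/block pair without quick.
RULES = parse_rules("""block in log all
block in log quick from 192.168.101.0/32 to any
pass in quick on wm1 proto tcp \\
    from 192.168.100.0/29 to 192.168.101.0/29 port = 80 keep state
pass in on wm1 proto tcp from 192.168.100.0/29 to 192.168.101.0/29 port = 22 keep state
block in on wm1 proto tcp from 192.168.100.0/29 to 192.168.101.0/29 port = 22""")
```

The sample deliberately omits block out log all, so an outbound packet falls through to the implicit default; the port 22 pair shows a later non-quick rule overriding an earlier pass.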

3.5.6.1 Ruleset 1

This is the realisation of the first ruleset 3.5.1.1 defined on page 62. In this configuration the firewall allows all the traffic.

• Filter rules:

pass in all
pass out all

3.5.6.2 Ruleset 2

This is the realisation of the second ruleset 3.5.1.2 defined on page 62. In this configuration the firewall blocks all the traffic.

• Filter rules:

block in log all
block out log all

3.5.6.3 Ruleset 3

This is the realisation of the third ruleset 3.5.1.3 defined on page 62. In this configuration the firewall allows all the traffic and performs PAT (by means of NAT) on the right interface.

• Filter rules:

pass in all
pass out all

• Translation rules:

# NAT:
map wm0 192.168.100/24 -> 192.168.101.254/32
map wm0 192.168.100/24 -> 192.168.101.254/32 portmap tcp/udp auto

# Redirect:
rdr wm0 192.168.101.254/32 port 5000 -> 192.168.100.1 port 5000
rdr wm0 192.168.101.254/32 port 5001 -> 192.168.100.1 port 5001

3.5.6.4 Ruleset 4

This is the realisation of the fourth ruleset 3.5.1.4 defined on page 62.

• Filter rules:

block in log all
block out log all

block in log quick from 192.168.101.0/32 to any
block in log quick from any to 192.168.101.0/32
block in log quick from 192.168.100.0/32 to any
block in log quick from any to 192.168.100.0/32

# HTTP
pass in quick on wm1 proto tcp \
    from 192.168.100.0/29 to 192.168.101.0/29 port = 80 keep state
pass out quick on wm0 proto tcp \
    from 192.168.100.0/29 to 192.168.101.0/29 port = 80 keep state

# DNS
pass in quick on wm1 proto udp \
    from 192.168.100.0/29 to 192.168.101.1/32 port = 53 keep state
pass out quick on wm0 proto udp \
    from 192.168.100.0/29 to 192.168.101.1/32 port = 53 keep state

# SSH
pass out quick on wm1 proto tcp \
    from 192.168.101.0/29 to 192.168.100.1/32 port = 22 keep state

# ECHO
pass in quick on wm0 proto tcp \
    from 192.168.101.0/29 to 192.168.100.0/29 port = 7 keep state
pass out quick on wm1 proto tcp \
    from 192.168.101.0/29 to 192.168.100.0/29 port = 7 keep state

# TEST_PROTOCOL STATEFUL
pass in quick on wm1 proto tcp/udp from 192.168.100.0/29 \
    to 192.168.101.0/29 port 4999 >< 5101 keep state
pass out quick on wm0 proto tcp/udp from 192.168.100.0/29 \
    to 192.168.101.0/29 port 4999 >< 5101 keep state
pass in quick on wm0 proto tcp/udp from 192.168.101.0/29 \
    to 192.168.100.0/29 port 4999 >< 5101 keep state
pass out quick on wm1 proto tcp/udp from 192.168.101.0/29 \
    to 192.168.100.0/29 port 4999 >< 5101 keep state

3.5.6.5 Ruleset 5

This is the realisation of the fifth ruleset 3.5.1.5 defined on page 63.

• Filter rules:

block in log all
block out log all

block in log quick from 192.168.101.0/32 to any
block in log quick from any to 192.168.101.0/32
block in log quick from 192.168.100.0/32 to any
block in log quick from any to 192.168.100.0/32

# ICMP
pass in quick proto icmp from 192.168.100.0/29 to 192.168.101.0/29
pass in quick proto icmp from 192.168.101.0/29 to 192.168.100.0/29

# DNS
pass in quick on wm1 proto udp from 192.168.100.0/29 \
    to 192.168.101.1/32 port = 53 keep state
pass out quick on wm0 proto udp from 192.168.100.0/29 \
    to 192.168.101.1/32 port = 53 keep state
pass in quick on wm1 proto udp from 192.168.100.0/29 \
    to 192.168.101.2/32 port = 53 keep state
pass out quick on wm0 proto udp from 192.168.100.0/29 \
    to 192.168.101.2/32 port = 53 keep state
pass in quick on wm1 proto udp from 192.168.100.0/29 \
    to 192.168.101.3/32 port = 53 keep state
pass out quick on wm0 proto udp from 192.168.100.0/29 \
    to 192.168.101.3/32 port = 53 keep state

# HTTP
pass in quick on wm1 proto tcp from 192.168.100.0/29 \
    to 192.168.101.0/29 port = 80 keep state
pass out quick on wm0 proto tcp from 192.168.100.0/29 \
    to 192.168.101.0/29 port = 80 keep state
pass in quick on wm0 proto tcp from 192.168.101.0/29 \
    to 192.168.100.1/32 port = 80 keep state
pass out quick on wm1 proto tcp from 192.168.101.0/29 \
    to 192.168.100.1/32 port = 80 keep state
pass in quick on wm0 proto tcp from 192.168.101.0/29 \
    to 192.168.100.2/32 port = 80 keep state
pass out quick on wm1 proto tcp from 192.168.101.0/29 \
    to 192.168.100.2/32 port = 80 keep state
pass in quick on wm0 proto tcp from 192.168.101.0/29 \
    to 192.168.100.3/32 port = 80 keep state
pass out quick on wm1 proto tcp from 192.168.101.0/29 \
    to 192.168.100.3/32 port = 80 keep state

# SMTP
pass in quick on wm1 proto tcp from 192.168.100.6 \
    to 192.168.101.0/29 port = 25 keep state
pass out quick on wm0 proto tcp from 192.168.100.6 \
    to 192.168.101.0/29 port = 25 keep state
pass in quick on wm1 proto tcp from 192.168.100.7 \
    to 192.168.101.0/29 port = 25 keep state
pass out quick on wm0 proto tcp from 192.168.100.7 \
    to 192.168.101.0/29 port = 25 keep state
pass in quick on wm0 proto tcp from 192.168.101.0/29 \
    to 192.168.100.6 port = 25 keep state
pass out quick on wm1 proto tcp from 192.168.101.0/29 \
    to 192.168.100.6 port = 25 keep state
pass in quick on wm0 proto tcp from 192.168.101.0/29 \
    to 192.168.100.7 port = 25 keep state
pass out quick on wm1 proto tcp from 192.168.101.0/29 \
    to 192.168.100.7 port = 25 keep state

# SSH
pass in quick on wm1 proto tcp from 192.168.100.0/29 \
    to 192.168.101.0/29 port = 22 keep state
pass out quick on wm0 proto tcp from 192.168.100.0/29 \
    to 192.168.101.0/29 port = 22 keep state
pass in quick on wm0 proto tcp from 192.168.101.0/29 \
    to 192.168.100.1/32 port = 22 keep state
pass out quick on wm1 proto tcp from 192.168.101.0/29 \
    to 192.168.100.1/32 port = 22 keep state
pass in quick on wm0 proto tcp from 192.168.101.0/29 \
    to 192.168.100.2/32 port = 22 keep state
pass out quick on wm1 proto tcp from 192.168.101.0/29 \
    to 192.168.100.2/32 port = 22 keep state
pass in quick on wm0 proto tcp from 192.168.101.0/29 \
    to 192.168.100.3/32 port = 22 keep state
pass out quick on wm1 proto tcp from 192.168.101.0/29 \
    to 192.168.100.3/32 port = 22 keep state
pass in quick on wm0 proto tcp from 192.168.101.0/29 \
    to 192.168.100.4/32 port = 22 keep state
pass out quick on wm1 proto tcp from 192.168.101.0/29 \
    to 192.168.100.4/32 port = 22 keep state
pass in quick on wm0 proto tcp from 192.168.101.0/29 \
    to 192.168.100.5/32 port = 22 keep state
pass out quick on wm1 proto tcp from 192.168.101.0/29 \
    to 192.168.100.5/32 port = 22 keep state

# TEST_PROTOCOL STATELESS
pass in quick on wm1 proto tcp/udp from 192.168.100.0/29 \
    to 192.168.101.0/29 port 4999 >< 5101
pass out quick on wm0 proto tcp/udp from 192.168.100.0/29 \
    to 192.168.101.0/29 port 4999 >< 5101
pass in quick on wm0 proto tcp/udp from 192.168.101.0/29 \
    to 192.168.100.0/29 port 4999 >< 5101
pass out quick on wm1 proto tcp/udp from 192.168.101.0/29 \
    to 192.168.100.0/29 port 4999 >< 5101
pass in quick on wm1 proto tcp/udp from 192.168.100.0/29 \
    port 4999 >< 5101 to 192.168.101.0/29
pass out quick on wm0 proto tcp/udp from 192.168.100.0/29 \
    port 4999 >< 5101 to 192.168.101.0/29
pass in quick on wm0 proto tcp/udp from 192.168.101.0/29 \
    port 4999 >< 5101 to 192.168.100.0/29
pass out quick on wm1 proto tcp/udp from 192.168.101.0/29 \
    port 4999 >< 5101 to 192.168.100.0/29

3.5.6.6 Ruleset 6

This is the realisation of the sixth ruleset 3.5.1.6 defined on page 64, as a shell script that generates the appropriate config file.

• Filter rules:

#!/bin/sh
# Usage: sh <script> <maximumLoops>; writes ipf-6-<maximumLoops>.rules

confile="ipf-6-${1}.rules"
cat << END > ${confile}
block in log all
block out log all

block in log quick from 192.168.101.0/32 to any
block in log quick from any to 192.168.101.0/32
block in log quick from 192.168.100.0/32 to any
block in log quick from any to 192.168.100.0/32

# TEST_PROTOCOL STATELESS
pass in quick on wm1 proto tcp/udp \
    from 192.168.100.0/29 to 192.168.101.0/29 port 4999 >< 5101
pass out quick on wm0 proto tcp/udp \
    from 192.168.100.0/29 to 192.168.101.0/29 port 4999 >< 5101
pass in quick on wm0 proto tcp/udp \
    from 192.168.101.0/29 to 192.168.100.0/29 port 4999 >< 5101
pass out quick on wm1 proto tcp/udp \
    from 192.168.101.0/29 to 192.168.100.0/29 port 4999 >< 5101
pass in quick on wm1 proto tcp/udp from 192.168.100.0/29 \
    port 4999 >< 5101 to 192.168.101.0/29
pass out quick on wm0 proto tcp/udp from 192.168.100.0/29 \
    port 4999 >< 5101 to 192.168.101.0/29
pass in quick on wm0 proto tcp/udp from 192.168.101.0/29 \
    port 4999 >< 5101 to 192.168.100.0/29
pass out quick on wm1 proto tcp/udp from 192.168.101.0/29 \
    port 4999 >< 5101 to 192.168.100.0/29

# GENERATED BY LOOP
END

# Append maximumLoops x 7 non-quick rule pairs, each for one destination port from 20001 upwards.
port=1
currentLoop=1
maximumLoops=$1
while [ $currentLoop -le $maximumLoops ]; do
    for number in 1 2 3 4 5 6 7; do
        temp=$((20000 + port))
        cat << END >> ${confile}
pass in on wm0 proto tcp/udp from 192.168.101.0/29 \
    to 192.168.100.${number}/32 port = ${temp}
pass out on wm1 proto tcp/udp from 192.168.101.0/29 \
    to 192.168.100.${number}/32 port = ${temp}
END
        port=$((port + 1))
    done
    currentLoop=$((currentLoop + 1))
done

3.5.6.7 Ruleset 7

This is the realisation of the seventh ruleset 3.5.1.7 defined on page 64, as a shell script that generates the appropriate config file.

• Filter rules:

#!/bin/sh
# Usage: sh <script> <level>; writes ipf-7-<level>.rules

confile="ipf-7-${1}.rules"
cat << END > ${confile}
block in log all
block out log all

block in log quick from 192.168.101.0/32 to any
block in log quick from any to 192.168.101.0/32
block in log quick from 192.168.100.0/32 to any
block in log quick from any to 192.168.100.0/32

pass in on wm0 proto tcp/udp \
    from 192.168.101.0/29 to 192.168.100.0/29
pass out on wm1 proto tcp/udp \
    from 192.168.101.0/29 to 192.168.100.0/29

# GENERATED BY LOOP
END

# One rule pair per host 192.168.100.1-7; hosts up to <level> get their inbound rule logged.
level=$1
for number in 1 2 3 4 5 6 7; do
    if [ $number -gt $level ]; then
        cat << END >> ${confile}
pass in on wm1 proto tcp/udp \
    from 192.168.100.${number}/32 to 192.168.101.0/29
pass out on wm0 proto tcp/udp \
    from 192.168.100.${number}/32 to 192.168.101.0/29
END
    else
        cat << END >> ${confile}
pass in log on wm1 proto tcp/udp \
    from 192.168.100.${number}/32 to 192.168.101.0/29
pass out on wm0 proto tcp/udp \
    from 192.168.100.${number}/32 to 192.168.101.0/29
END
    fi
done
