# sysrc pf_enable=yes
章 30. 防火牆
This translation may be out of date. To help with the translations please access the FreeBSD translations instance.
目錄
30.1. 概述
防火牆能夠過濾透過系統內送 (Incoming) 與外發 (Outgoing) 的流量,防火牆可使用一組或多組 "規則 (Rules)" 來檢查網路連線中進出的網路封包(Network packets),並且能允許或阻擋其通過。 而防火牆規則可以檢查封包中一個或數個特徵,例如通訊協定類型、來源或目的主機位址,以及來源及目地的連接埠 (Port)。
防火牆可以加強主機或網路的安全性,它可以用來完成下列事情:
保護並隔離內部網路的應用程式、服務與主機,避免來自網際網路不必要的存取。
限制或者禁止內部網路的主機存取網際網路服務。
支援網路位址轉譯 (Network address translation, NAT),可允許內部網路使用私有 IP 位址並共用一個連線使用一個 IP 位址連到網際網路或者自動分配一個共用池當中的公開位址。
FreeBSD 有三種內建於基礎系統的防火牆:PF, IPFW 與 IPFILTER 即 IPF。FreeBSD 也提供了兩種流量限制程式 (Traffic shaper) 來控制頻寬的用量:altq(4) 與 dummynet(4),ALTQ 一般配合 PF 使用,而 dummynet 會配合 IPFW。每一種防火牆都會使用規則來管制來自與送往 FreeBSD 的封包,儘管它們用不同的方式運作且有不同的規則語法。
FreeBSD 提供多個防火牆是為了滿足不同的需求與各種使用者的偏好,每位使用者應評估那一種防火牆最能滿足其需求。
讀完這章,您將了解:
如何定義封包過濾規則。
FreeBSD 內建防火牆之間的差異。
如何使用與設定 PF 防火牆。
如何使用與設定 IPFW 防火牆。
如何使用與設定 IPFILTER 防火牆。
在開始閱讀這章之前,您需要:
了解 FreeBSD 基礎及網路概念。
由於所有防火牆均是以監控所選封包的控制欄位值為基礎運作,所以防火牆規則集的建立者必須很明白 TCP/IP 是如何運作的,在封包的控制欄位中會有那些數值,這些數值會被如何用在一般的連線階段,要了解更多相關資訊,可參考 Daryl’s TCP/IP Primer。 |
30.2. 防火牆概念
一個規則集 (Ruleset) 中會有一群根據封包內的資料來判斷通過或封鎖的規則,主機間雙向的封包交換構成一個連線階段的對話,防火牆規則集會同時處理接收自網際網路的封包以及由系統所產生的回應封包,每一個 TCP/IP 服務都會預先定義其通訊協定以及要傾聽的埠,要送往指定服務的封包會誕生在來源位址,使用一個不需特殊權限的埠並傳送給目標位址上特定服務的埠,所有上述過程中的參數均可用來當做建立規則的篩選條件,來允許或封鎖服務。
要查詢一個不清楚的埠號,可參考 /etc/services,或者至 http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers 查詢埠號來找出特定埠號的用途。
查看這個連結來了解有 那些埠號會被木馬程式使用。
FTP 有兩個模式:主動 (Active) 模式與被動 (Passive) 模式,兩者的差異在於取得資料通道的方式,被動模式會較安全,由於資料通道會取自 FTP 連線請求者。想要取得 FTP 與兩種模式更進一步的說明,詳見 http://www.slacksite.com/other/ftp.html。
防火牆規則集可以為排除式 ("exclusive") 或者內含式 ("inclusive"),一個排除式的防火牆會允許所有的連線通過除了符合規則集的連線,內含式的防火牆則會反過來只允許符合規則集的連線並封鎖其他任何的連線。
內含式的防火牆對於外發的流量有較好的控制,使其成為提供網際網路服務的系統的最佳選擇,它同時可以控制可存取私有網路的網際網路連線,所有不符合該規則的連線會被封鎖並記錄。一般來說,內含式的防火牆會比排除式的防火牆安全,因為內含式的防火牆可以明顯的減少不必要連線所造成風險。
除非另有說明,否則所有在此章節的範例規則集均為內含式防火牆規則集。 |
使用具狀態防火牆 ("Stateful firewall") 可以更進一步加強安全性,這種類型的防火牆可持續追蹤連線,只允許與現有連線相符的封包或符合允許條件的新連線通過。
狀態過濾技術 (Stateful filtering) 將所有的流量當做是一個由雙向封包交換所組成的連線階段,當在符合的規則上指定狀態 (State) 時,防火牆會自動產生內部規則來處理該連線階段中每個預期會通過的封包,這種防火牆有足夠的比對能力可以辨別是否為同一個連線階段的封包,任何不符合連線階段樣板的封包都會被自動拒絕。
當連線階段結束時,該規則將會動態狀態表 (Dynamic state table) 中移除。
Stateful filtering 讓管理者可以專注於封鎖/傳遞新的連線階段,若新的連線階段通過,那麼該連線階段後續的封包將會自動允許通過,且任何假冒的封包會自動被拒絕。若新的連線階最被封鎖,將不允許其任何後續的封包。Stateful filtering 提供了進階的比對能力,能夠抵禦不同種類由攻擊者發動的 flood 攻擊。
NAT 代表 Network Address Translation 即網路位址轉譯,NAT 功能讓在防火牆之後的私有 LAN 可以共用一個 ISP 分配的 IP 位址 (甚至是動態分配的),NAT 每一台在該 LAN 中的電腦均可連線網際網路,而不需要支付 ISP 多個網路帳號或 IP 位址的額外費用。
NAT 在當封包要外送到防火牆之外的網際網路時,會自動轉譯每一台電腦在私有 LAN 的 IP 位址成為一個公有 IP 位址,它也同樣會對回傳的封包做反向轉譯。
根據 RFC1918,會保留以下範圍的 IP 位址做為私有網路使用,永遠不會被傳送到網際網路,因此可供 NAT 使用:
10.0.0.0/8
.172.16.0.0/12
.192.168.0.0/16
.
在使用防火牆規則時要_非常小心_,有一些設定_會將管理者鎖在伺服器之外_,保險起見的方式是在本機的 Console 做初次的防火牆設定,不要直接由遠端透過 ssh 來設定防火牆。 |
30.3. PF
自 FreeBSD 5.3 開始,基礎系統便有內建 OpenBSD’s PF 防火牆的移植版本,PF 是一套完整、多功能的防火牆,並可選擇開啟 ALTQ (Alternate Queuing) 的支援來提供 Quality of Service (QoS) 機制。
OpenBSD 計劃有維護一份官方參考文件於 PF FAQ ,Peter Hansteen 有維一份詳盡的 PF 教學於 http://home.nuug.no/~peter/pf/。
When reading the PF FAQ, keep in mind that FreeBSD’s version of PF has diverged substantially from the upstream OpenBSD version over the years. Not all features work the same way on FreeBSD as they do in OpenBSD and vice versa. |
要詢問有關設定與執行 PF 防火牆的問題可至 FreeBSD packet filter 郵遞論壇,在詢問問題之前請先查看該郵遞論壇的封存資料,因您的問題可能已有解答。
This section of the Handbook focuses on PF as it pertains to FreeBSD. It demonstrates how to enable PF and ALTQ. It also provides several examples for creating rulesets on a FreeBSD system.
30.3.1. 開啟 PF
To use PF, its kernel module must be first loaded. This section describes the entries that can be added to /etc/rc.conf to enable PF.
Start by adding pf_enable=yes
to /etc/rc.conf:
Additional options, described in pfctl(8), can be passed to PF when it is started. Add or change this entry in /etc/rc.conf and specify any required flags between the two quotes (""
):
pf_flags="" # additional flags for pfctl startup
PF will not start if it cannot find its ruleset configuration file. By default, FreeBSD does not ship with a ruleset and there is no /etc/pf.conf. Example rulesets can be found in /usr/shared/examples/pf/. If a custom ruleset has been saved somewhere else, add a line to /etc/rc.conf which specifies the full path to the file:
pf_rules="/path/to/pf.conf"
Logging support for PF is provided by pflog(4). To enable logging support, add pflog_enable=yes
to /etc/rc.conf:
# sysrc pflog_enable=yes
The following lines can also be added to change the default location of the log file or to specify any additional flags to pass to pflog(4) when it is started:
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile pflog_flags="" # additional flags for pflogd startup
Finally, if there is a LAN behind the firewall and packets need to be forwarded for the computers on the LAN, or NAT is required, enable the following option:
gateway_enable="YES" # Enable as LAN gateway
After saving the needed edits, PF can be started with logging support by typing:
# service pf start
# service pflog start
By default, PF reads its configuration rules from /etc/pf.conf and modifies, drops, or passes packets according to the rules or definitions specified in this file. The FreeBSD installation includes several sample files located in /usr/shared/examples/pf/. Refer to the PF FAQ for complete coverage of PF rulesets.
To control PF, use pfctl
. 有用的 pfctl
選項 summarizes some useful options to this command. Refer to pfctl(8) for a description of all available options:
指令 | 用途 |
---|---|
| Enable PF. |
| Disable PF. |
| Flush all NAT, filter, state, and table rules and reload /etc/pf.conf. |
| Report on the filter rules, NAT rules, or state table. |
| Check /etc/pf.conf for errors, but do not load ruleset. |
security/sudo is useful for running commands like |
To keep an eye on the traffic that passes through the PF firewall, consider installing the sysutils/pftop package or port. Once installed, pftop can be run to view a running snapshot of traffic in a format which is similar to top(1).
30.3.2. PF 規則集
This section demonstrates how to create a customized ruleset. It starts with the simplest of rulesets and builds upon its concepts using several examples to demonstrate real-world usage of PF’s many features.
The simplest possible ruleset is for a single machine that does not run any services and which needs access to one network, which may be the Internet. To create this minimal ruleset, edit /etc/pf.conf so it looks like this:
block in all pass out all keep state
The first rule denies all incoming traffic by default. The second rule allows connections created by this system to pass out, while retaining state information on those connections. This state information allows return traffic for those connections to pass back and should only be used on machines that can be trusted. The ruleset can be loaded with:
# pfctl -e ; pfctl -f /etc/pf.conf
In addition to keeping state, PF provides lists and macros which can be defined for use when creating rules. Macros can include lists and need to be defined before use. As an example, insert these lines at the very top of the ruleset:
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }" udp_services = "{ domain }"
PF understands port names as well as port numbers, as long as the names are listed in /etc/services. This example creates two macros. The first is a list of seven TCP port names and the second is one UDP port name. Once defined, macros can be used in rules. In this example, all traffic is blocked except for the connections initiated by this system for the seven specified TCP services and the one specified UDP service:
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }" udp_services = "{ domain }" block all pass out proto tcp to any port $tcp_services keep state pass proto udp to any port $udp_services keep state
Even though UDP is considered to be a stateless protocol, PF is able to track some state information. For example, when a UDP request is passed which asks a name server about a domain name, PF will watch for the response to pass it back.
Whenever an edit is made to a ruleset, the new rules must be loaded so they can be used:
# pfctl -f /etc/pf.conf
If there are no syntax errors, pfctl
will not output any messages during the rule load. Rules can also be tested before attempting to load them:
# pfctl -nf /etc/pf.conf
Including -n
causes the rules to be interpreted only, but not loaded. This provides an opportunity to correct any errors. At all times, the last valid ruleset loaded will be enforced until either PF is disabled or a new ruleset is loaded.
Adding |
30.3.2.1. 使用 NAT 的簡單通訊閘
This section demonstrates how to configure a FreeBSD system running PF to act as a gateway for at least one other machine. The gateway needs at least two network interfaces, each connected to a separate network. In this example, xl1 is connected to the Internet and xl0 is connected to the internal network.
First, enable the gateway to let the machine forward the network traffic it receives on one interface to another interface. This sysctl setting will forward IPv4 packets:
# sysctl net.inet.ip.forwarding=1
To forward IPv6 traffic, use:
# sysctl net.inet6.ip6.forwarding=1
To enable these settings at system boot, use sysrc(8) to add them to /etc/rc.conf:
# sysrc gateway_enable=yes
# sysrc ipv6_gateway_enable=yes
Verify with ifconfig
that both of the interfaces are up and running.
Next, create the PF rules to allow the gateway to pass traffic. While the following rule allows stateful traffic to pass from the Internet to hosts on the network, the to
keyword does not guarantee passage all the way from source to destination:
pass in on xl1 from xl1:network to xl0:network port $ports keep state
That rule only lets the traffic pass in to the gateway on the internal interface. To let the packets go further, a matching rule is needed:
pass out on xl0 from xl1:network to xl0:network port $ports keep state
While these two rules will work, rules this specific are rarely needed. For a busy network admin, a readable ruleset is a safer ruleset. The remainder of this section demonstrates how to keep the rules as simple as possible for readability. For example, those two rules could be replaced with one rule:
pass from xl1:network to any port $ports keep state
The interface:network
notation can be replaced with a macro to make the ruleset even more readable. For example, a $localnet
macro could be defined as the network directly attached to the internal interface ($xl1:network
). Alternatively, the definition of $localnet
could be changed to an IP address/netmask notation to denote a network, such as 192.168.100.1/24
for a subnet of private addresses.
If required, $localnet
could even be defined as a list of networks. Whatever the specific needs, a sensible $localnet
definition could be used in a typical pass rule as follows:
pass from $localnet to any port $ports keep state
The following sample ruleset allows all traffic initiated by machines on the internal network. It first defines two macros to represent the external and internal 3COM interfaces of the gateway.
For dialup users, the external interface will use tun0. For an ADSL connection, specifically those using PPP over Ethernet (PPPoE), the correct external interface is tun0, not the physical Ethernet interface. |
ext_if = "xl0" # macro for external interface - use tun0 for PPPoE int_if = "xl1" # macro for internal interface localnet = $int_if:network # ext_if IP address could be dynamic, hence ($ext_if) nat on $ext_if from $localnet to any -> ($ext_if) block all pass from { lo0, $localnet } to any keep state
This ruleset introduces the nat
rule which is used to handle the network address translation from the non-routable addresses inside the internal network to the IP address assigned to the external interface. The parentheses surrounding the last part of the nat rule ($ext_if)
is included when the IP address of the external interface is dynamically assigned. It ensures that network traffic runs without serious interruptions even if the external IP address changes.
Note that this ruleset probably allows more traffic to pass out of the network than is needed. One reasonable setup could create this macro:
client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, \ https, cvspserver, 2628, 5999, 8000, 8080 }"
to use in the main pass rule:
pass inet proto tcp from $localnet to any port $client_out \ flags S/SA keep state
A few other pass rules may be needed. This one enables SSH on the external interface:
pass in inet proto tcp to $ext_if port ssh
This macro definition and rule allows DNS and NTP for internal clients:
udp_services = "{ domain, ntp }" pass quick inet proto { tcp, udp } to any port $udp_services keep state
Note the quick
keyword in this rule. Since the ruleset consists of several rules, it is important to understand the relationships between the rules in a ruleset. Rules are evaluated from top to bottom, in the sequence they are written. For each packet or connection evaluated by PF, the last matching rule in the ruleset is the one which is applied. However, when a packet matches a rule which contains the quick
keyword, the rule processing stops and the packet is treated according to that rule. This is very useful when an exception to the general rules is needed.
30.3.2.2. 建立 FTP Proxy
Configuring working FTP rules can be problematic due to the nature of the FTP protocol. FTP pre-dates firewalls by several decades and is insecure in its design. The most common points against using FTP include:
Passwords are transferred in the clear.
The protocol demands the use of at least two TCP connections (control and data) on separate ports.
When a session is established, data is communicated using randomly selected ports.
All of these points present security challenges, even before considering any potential security weaknesses in client or server software. More secure alternatives for file transfer exist, such as sftp(1) or scp(1), which both feature authentication and data transfer over encrypted connections..
For those situations when FTP is required, PF provides redirection of FTP traffic to a small proxy program called ftp-proxy(8), which is included in the base system of FreeBSD. The role of the proxy is to dynamically insert and delete rules in the ruleset, using a set of anchors, to correctly handle FTP traffic.
To enable the FTP proxy, add this line to /etc/rc.conf:
ftpproxy_enable="YES"
Then start the proxy by running service ftp-proxy start
.
For a basic configuration, three elements need to be added to /etc/pf.conf. First, the anchors which the proxy will use to insert the rules it generates for the FTP sessions:
nat-anchor "ftp-proxy/*" rdr-anchor "ftp-proxy/*"
Second, a pass rule is needed to allow FTP traffic in to the proxy.
Third, redirection and NAT rules need to be defined before the filtering rules. Insert this rdr
rule immediately after the nat
rule:
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
Finally, allow the redirected traffic to pass:
pass out proto tcp from $proxy to any port ftp
where $proxy
expands to the address the proxy daemon is bound to.
Save /etc/pf.conf, load the new rules, and verify from a client that FTP connections are working:
# pfctl -f /etc/pf.conf
This example covers a basic setup where the clients in the local network need to contact FTP servers elsewhere. This basic configuration should work well with most combinations of FTP clients and servers. As shown in ftp-proxy(8), the proxy’s behavior can be changed in various ways by adding options to the ftpproxy_flags=
line. Some clients or servers may have specific quirks that must be compensated for in the configuration, or there may be a need to integrate the proxy in specific ways such as assigning FTP traffic to a specific queue.
For ways to run an FTP server protected by PF and ftp-proxy(8), configure a separate ftp-proxy
in reverse mode, using -R
, on a separate port with its own redirecting pass rule.
30.3.2.3. 管理 ICMP
Many of the tools used for debugging or troubleshooting a TCP/IP network rely on the Internet Control Message Protocol (ICMP), which was designed specifically with debugging in mind.
The ICMP protocol sends and receives control messages between hosts and gateways, mainly to provide feedback to a sender about any unusual or difficult conditions enroute to the target host. Routers use ICMP to negotiate packet sizes and other transmission parameters in a process often referred to as path MTU discovery.
From a firewall perspective, some ICMP control messages are vulnerable to known attack vectors. Also, letting all diagnostic traffic pass unconditionally makes debugging easier, but it also makes it easier for others to extract information about the network. For these reasons, the following rule may not be optimal:
pass inet proto icmp from any to any
One solution is to let all ICMP traffic from the local network through while stopping all probes from outside the network:
pass inet proto icmp from $localnet to any keep state pass inet proto icmp from any to $ext_if keep state
Additional options are available which demonstrate some of PF’s flexibility. For example, rather than allowing all ICMP messages, one can specify the messages used by ping(8) and traceroute(8). Start by defining a macro for that type of message:
icmp_types = "echoreq"
and a rule which uses the macro:
pass inet proto icmp all icmp-type $icmp_types keep state
If other types of ICMP packets are needed, expand icmp_types
to a list of those packet types. Type more /usr/src/sbin/pfctl/pfctl_parser.c
to see the list of ICMP message types supported by PF. Refer to http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml for an explanation of each message type.
Since Unix traceroute
uses UDP by default, another rule is needed to allow Unix traceroute
:
# allow out the default range for traceroute(8): pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
Since TRACERT.EXE
on Microsoft Windows systems uses ICMP echo request messages, only the first rule is needed to allow network traces from those systems. Unix traceroute
can be instructed to use other protocols as well, and will use ICMP echo request messages if -I
is used. Check the traceroute(8) man page for details.
30.3.2.3.1. Path MTU Discovery
Internet protocols are designed to be device independent, and one consequence of device independence is that the optimal packet size for a given connection cannot always be predicted reliably. The main constraint on packet size is the Maximum Transmission Unit (MTU) which sets the upper limit on the packet size for an interface. Type ifconfig
to view the MTUs for a system’s network interfaces.
TCP/IP uses a process known as path MTU discovery to determine the right packet size for a connection. This process sends packets of varying sizes with the "Do not fragment" flag set, expecting an ICMP return packet of "type 3, code 4" when the upper limit has been reached. Type 3 means "destination unreachable", and code 4 is short for "fragmentation needed, but the do-not-fragment flag is set". To allow path MTU discovery in order to support connections to other MTUs, add the destination unreachable
type to the icmp_types
macro:
icmp_types = "{ echoreq, unreach }"
Since the pass rule already uses that macro, it does not need to be modified to support the new ICMP type:
pass inet proto icmp all icmp-type $icmp_types keep state
30.3.2.4. 使用 Tables
Some types of data are relevant to filtering and redirection at a given time, but their definition is too long to be included in the ruleset file. PF supports the use of tables, which are defined lists that can be manipulated without needing to reload the entire ruleset, and which can provide fast lookups. Table names are always enclosed within < >
, like this:
table <clients> { 192.168.2.0/24, !192.168.2.5 }
In this example, the 192.168.2.0/24
network is part of the table, except for the address 192.168.2.5
, which is excluded using the !
operator. It is also possible to load tables from files where each item is on a separate line, as seen in this example /etc/clients:
192.168.2.0/24 !192.168.2.5
To refer to the file, define the table like this:
table <clients> persist file "/etc/clients"
Once the table is defined, it can be referenced by a rule:
pass inet proto tcp from <clients> to any port $client_out flags S/SA keep state
A table’s contents can be manipulated live, using pfctl
. This example adds another network to the table:
# pfctl -t clients -T add 192.168.1.0/16
Note that any changes made this way will take affect now, making them ideal for testing, but will not survive a power failure or reboot. To make the changes permanent, modify the definition of the table in the ruleset or edit the file that the table refers to. One can maintain the on-disk copy of the table using a cron(8) job which dumps the table’s contents to disk at regular intervals, using a command such as pfctl -t clients -T show >/etc/clients
. Alternatively, /etc/clients can be updated with the in-memory table contents:
# pfctl -t clients -T replace -f /etc/clients
30.3.2.5. 使用 Overload Tables 保護 SSH
Those who run SSH on an external interface have probably seen something like this in the authentication logs:
Sep 26 03:12:34 skapet sshd[25771]: Failed password for root from 200.72.41.31 port 40992 ssh2 Sep 26 03:12:34 skapet sshd[5279]: Failed password for root from 200.72.41.31 port 40992 ssh2 Sep 26 03:12:35 skapet sshd[5279]: Received disconnect from 200.72.41.31: 11: Bye Bye Sep 26 03:12:44 skapet sshd[29635]: Invalid user admin from 200.72.41.31 Sep 26 03:12:44 skapet sshd[24703]: input_userauth_request: invalid user admin Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from 200.72.41.31 port 41484 ssh2
This is indicative of a brute force attack where somebody or some program is trying to discover the user name and password which will let them into the system.
If external SSH access is needed for legitimate users, changing the default port used by SSH can offer some protection. However, PF provides a more elegant solution. Pass rules can contain limits on what connecting hosts can do and violators can be banished to a table of addresses which are denied some or all access. It is even possible to drop all existing connections from machines which overreach the limits.
To configure this, create this table in the tables section of the ruleset:
table <bruteforce> persist
Then, somewhere early in the ruleset, add rules to block brute access while allowing legitimate access:
block quick from <bruteforce> pass inet proto tcp from any to $localnet port $tcp_services \ flags S/SA keep state \ (max-src-conn 100, max-src-conn-rate 15/5, \ overload <bruteforce> flush global)
The part in parentheses defines the limits and the numbers should be changed to meet local requirements. It can be read as follows:
max-src-conn
is the number of simultaneous connections allowed from one host.
max-src-conn-rate
is the rate of new connections allowed from any single host (15) per number of seconds (5).
overload <bruteforce>
means that any host which exceeds these limits gets its address added to the bruteforce
table. The ruleset blocks all traffic from addresses in the bruteforce
table.
Finally, flush global
says that when a host reaches the limit, that all (global
) of that host’s connections will be terminated (flush
).
These rules will not block slow bruteforcers, as described in http://home.nuug.no/~peter/hailmary2013/. |
This example ruleset is intended mainly as an illustration. For example, if a generous number of connections in general are wanted, but the desire is to be more restrictive when it comes to ssh, supplement the rule above with something like the one below, early on in the rule set:
pass quick proto { tcp, udp } from any to any port ssh \ flags S/SA keep state \ (max-src-conn 15, max-src-conn-rate 5/3, \ overload <bruteforce> flush global)
It May Not be Necessary to Block All Overloaders It is worth noting that the overload mechanism is a general technique which does not apply exclusively to SSH, and it is not always optimal to entirely block all traffic from offenders. For example, an overload rule could be used to protect a mail service or a web service, and the overload table could be used in a rule to assign offenders to a queue with a minimal bandwidth allocation or to redirect to a specific web page. |
Over time, tables will be filled by overload rules and their size will grow incrementally, taking up more memory. Sometimes an IP address that is blocked is a dynamically assigned one, which has since been assigned to a host who has a legitimate reason to communicate with hosts in the local network.
For situations like these, pfctl provides the ability to expire table entries. For example, this command will remove <bruteforce>
table entries which have not been referenced for 86400
seconds:
# pfctl -t bruteforce -T expire 86400
Similar functionality is provided by security/expiretable, which removes table entries which have not been accessed for a specified period of time.
Once installed, expiretable can be run to remove <bruteforce>
table entries older than a specified age. This example removes all entries older than 24 hours:
/usr/local/sbin/expiretable -v -d -t 24h bruteforce
30.3.2.6. SPAM 防護
Not to be confused with the spamd daemon which comes bundled with spamassassin, mail/spamd can be configured with PF to provide an outer defense against SPAM. This spamd hooks into the PF configuration using a set of redirections.
Spammers tend to send a large number of messages, and SPAM is mainly sent from a few spammer friendly networks and a large number of hijacked machines, both of which are reported to blacklists fairly quickly.
When an SMTP connection from an address in a blacklist is received, spamd presents its banner and immediately switches to a mode where it answers SMTP traffic one byte at a time. This technique, which is intended to waste as much time as possible on the spammer’s end, is called tarpitting. The specific implementation which uses one byte SMTP replies is often referred to as stuttering.
This example demonstrates the basic procedure for setting up spamd with automatically updated blacklists. Refer to the man pages which are installed with mail/spamd for more information.
Procedure: Configuring spamd
Install the mail/spamd package or port. To use spamd’s greylisting features, fdescfs(5) must be mounted at /dev/fd. Add the following line to /etc/fstab:
fdescfs /dev/fd fdescfs rw 0 0
Then, mount the filesystem:
# mount fdescfs
Next, edit the PF ruleset to include:
table <spamd> persist table <spamd-white> persist rdr pass on $ext_if inet proto tcp from <spamd> to \ { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025 rdr pass on $ext_if inet proto tcp from !<spamd-white> to \ { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025
The two tables
<spamd>
and<spamd-white>
are essential. SMTP traffic from an address listed in<spamd>
but not in<spamd-white>
is redirected to the spamd daemon listening at port 8025.The next step is to configure spamd in /usr/local/etc/spamd.conf and to add some rc.conf parameters.
The installation of mail/spamd includes a sample configuration file (/usr/local/etc/spamd.conf.sample) and a man page for spamd.conf. Refer to these for additional configuration options beyond those shown in this example.
One of the first lines in the configuration file that does not begin with a
#
comment sign contains the block which defines theall
list, which specifies the lists to use:all:\ :traplist:whitelist:
This entry adds the desired blacklists, separated by colons (
:
). To use a whitelist to subtract addresses from a blacklist, add the name of the whitelist immediately after the name of that blacklist. For example::blacklist:whitelist:
.This is followed by the specified blacklist’s definition:
traplist:\ :black:\ :msg="SPAM. Your address %A has sent spam within the last 24 hours":\ :method=http:\ :file=www.openbsd.org/spamd/traplist.gz
where the first line is the name of the blacklist and the second line specifies the list type. The
msg
field contains the message to display to blacklisted senders during the SMTP dialogue. Themethod
field specifies how spamd-setup fetches the list data; supported methods arehttp
,ftp
, from afile
in a mounted file system, and viaexec
of an external program. Finally, thefile
field specifies the name of the file spamd expects to receive.The definition of the specified whitelist is similar, but omits the
msg
field since a message is not needed:whitelist:\ :white:\ :method=file:\ :file=/var/mail/whitelist.txt
Choose Data Sources with CareUsing all the blacklists in the sample spamd.conf will blacklist large blocks of the Internet. Administrators need to edit the file to create an optimal configuration which uses applicable data sources and, when necessary, uses custom lists.
Next, add this entry to /etc/rc.conf. Additional flags are described in the man page specified by the comment:
spamd_flags="-v" # use "" and see spamd-setup(8) for flags
When finished, reload the ruleset, start spamd by typing
service obspamd start
, and complete the configuration usingspamd-setup
. Finally, create a cron(8) job which callsspamd-setup
to update the tables at reasonable intervals.
On a typical gateway in front of a mail server, hosts will soon start getting trapped within a few seconds to several minutes.
PF also supports greylisting, which temporarily rejects messages from unknown hosts with 45n codes. Messages from greylisted hosts which try again within a reasonable time are let through. Traffic from senders which are set up to behave within the limits set by RFC 1123 and RFC 2821 are immediately let through.
More information about greylisting as a technique can be found at the greylisting.org web site. The most amazing thing about greylisting, apart from its simplicity, is that it still works. Spammers and malware writers have been very slow to adapt to bypass this technique.
The basic procedure for configuring greylisting is as follows:
Procedure: Configuring Greylisting
Make sure that fdescfs(5) is mounted as described in Step 1 of the previous Procedure.
To run spamd in greylisting mode, add this line to /etc/rc.conf:
spamd_grey="YES" # use spamd greylisting if YES
Refer to the spamd man page for descriptions of additional related parameters.
To complete the greylisting setup:
# service obspamd restart # service obspamlogd start
Behind the scenes, the spamdb database tool and the spamlogd whitelist updater perform essential functions for the greylisting feature. spamdb is the administrator’s main interface to managing the black, grey, and white lists via the contents of the /var/db/spamdb database.
30.3.2.7. 網路保健
This section describes how block-policy
, scrub
, and antispoof
can be used to make the ruleset behave sanely.
The block-policy
is an option which can be set in the options
part of the ruleset, which precedes the redirection and filtering rules. This option determines which feedback, if any, PF sends to hosts that are blocked by a rule. The option has two possible values: drop
drops blocked packets with no feedback, and return
returns a status code such as Connection refused
.
If not set, the default policy is drop
. To change the block-policy
, specify the desired value:
set block-policy return
In PF, scrub
is a keyword which enables network packet normalization. This process reassembles fragmented packets and drops TCP packets that have invalid flag combinations. Enabling scrub
provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments. A number of options are available, but the simplest form is suitable for most configurations:
scrub in all
Some services, such as NFS, require specific fragment handling options. Refer to https://home.nuug.no/~peter/pf/en/scrub.html for more information.
This example reassembles fragments, clears the "do not fragment" bit, and sets the maximum segment size to 1440 bytes:
scrub in all fragment reassemble no-df max-mss 1440
The antispoof
mechanism protects against activity from spoofed or forged IP addresses, mainly by blocking packets appearing on interfaces and in directions which are logically not possible.
These rules weed out spoofed traffic coming in from the rest of the world as well as any spoofed packets which originate in the local network:
antispoof for $ext_if antispoof for $int_if
30.3.2.8. 處理不可路由 (Non-Routable) 的位址
Even with a properly configured gateway to handle network address translation, one may have to compensate for other people’s misconfigurations. A common misconfiguration is to let traffic with non-routable addresses out to the Internet. Since traffic from non-routeable addresses can play a part in several DoS attack techniques, consider explicitly blocking traffic from non-routeable addresses from entering the network through the external interface.
In this example, a macro containing non-routable addresses is defined, then used in blocking rules. Traffic to and from these addresses is quietly dropped on the gateway’s external interface.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \ 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \ 0.0.0.0/8, 240.0.0.0/4 }" block drop in quick on $ext_if from $martians to any block drop out quick on $ext_if from any to $martians
30.3.3. 開啟 ALTQ
On FreeBSD, ALTQ can be used with PF to provide Quality of Service (QOS). Once ALTQ is enabled, queues can be defined in the ruleset which determine the processing priority of outbound packets.
Before enabling ALTQ, refer to altq(4) to determine if the drivers for the network cards installed on the system support it.
ALTQ is not available as a loadable kernel module. If the system’s interfaces support ALTQ, create a custom kernel using the instructions in 設定 FreeBSD 核心. The following kernel options are available. The first is needed to enable ALTQ. At least one of the other options is necessary to specify the queueing scheduler algorithm:
options ALTQ options ALTQ_CBQ # Class Based Queuing (CBQ) options ALTQ_RED # Random Early Detection (RED) options ALTQ_RIO # RED In/Out options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC) options ALTQ_PRIQ # Priority Queuing (PRIQ)
The following scheduler algorithms are available:
- CBQ
Class Based Queuing (CBQ) is used to divide a connection’s bandwidth into different classes or queues to prioritize traffic based on filter rules.
- RED
Random Early Detection (RED) is used to avoid network congestion by measuring the length of the queue and comparing it to the minimum and maximum thresholds for the queue. When the queue is over the maximum, all new packets are randomly dropped.
- RIO
In Random Early Detection In and Out (RIO) mode, RED maintains multiple average queue lengths and multiple threshold values, one for each QOS level.
- HFSC
Hierarchical Fair Service Curve Packet Scheduler (HFSC) is described in http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html.
- PRIQ
Priority Queuing (PRIQ) always passes traffic that is in a higher queue first.
More information about the scheduling algorithms and example rulesets are available at the OpenBSD’s web archive.
30.4. IPFW
IPFW 是一套專為 FreeBSD 所寫的具狀態防火牆 (Stateful firewall),它同時支援 IPv4 與 IPv6,它由數個元件組成:核心防火牆過濾規則處理器與其整合的封包計帳設施、記錄設施、NAT、dummynet(4) 流量限制程式、轉送設施、橋接設施以及 ipstealth 設施。
FreeBSD 提供一個範本規則集於 /etc/rc.firewall,其定義了幾個常見情境會使用的防火牆類型來協助初學的使用者撰寫合適的規則集。IPFW 提供了強大的語法讓進階的使用者可以用來自訂符合環境安全性要求的規則集。
本節將介紹如何開啟 IPFW、規則語法的概要以及示範幾種常見情境所使用的規則集。
30.4.1. 開啟 IPFW
IPFW is included in the basic FreeBSD install as a kernel loadable module, meaning that a custom kernel is not needed in order to enable IPFW.
For those users who wish to statically compile IPFW support into a custom kernel, see IPFW 核心選項.
To configure the system to enable IPFW at boot time, add firewall_enable="YES"
to /etc/rc.conf:
# sysrc firewall_enable="YES"
To use one of the default firewall types provided by FreeBSD, add another line which specifies the type:
# sysrc firewall_type="open"
The available types are:
open
: passes all traffic.client
: protects only this machine.simple
: protects the whole network.closed
: entirely disables IP traffic except for the loopback interface.workstation
: protects only this machine using stateful rules.UNKNOWN
: disables the loading of firewall rules.filename: full path of the file containing the firewall ruleset.
If firewall_type
is set to either client
or simple
, modify the default rules found in /etc/rc.firewall to fit the configuration of the system.
Note that the filename
type is used to load a custom ruleset.
An alternate way to load a custom ruleset is to set the firewall_script
variable to the absolute path of an executable script that includes IPFW commands. The examples used in this section assume that the firewall_script
is set to /etc/ipfw.rules:
# sysrc firewall_script="/etc/ipfw.rules"
To enable logging through syslogd(8), include this line:
# sysrc firewall_logging="YES"
Only firewall rules with the |
There is no /etc/rc.conf variable to set logging limits. To limit the number of times a rule is logged per connection attempt, specify the number using this line in /etc/sysctl.conf:
# echo "net.inet.ip.fw.verbose_limit=5" >> /etc/sysctl.conf
To enable logging through a dedicated interface named ipfw0
, add this line to /etc/rc.conf instead:
# sysrc firewall_logif="YES"
Then use tcpdump to see what is being logged:
# tcpdump -t -n -i ipfw0
There is no overhead due to logging unless tcpdump is attached. |
After saving the needed edits, start the firewall. To enable logging limits now, also set the sysctl
value specified above:
# service ipfw start
# sysctl net.inet.ip.fw.verbose_limit=5
30.4.2. IPFW 規則語法
When a packet enters the IPFW firewall, it is compared against the first rule in the ruleset and progresses one rule at a time, moving from top to bottom in sequence. When the packet matches the selection parameters of a rule, the rule’s action is executed and the search of the ruleset terminates for that packet. This is referred to as "first match wins". If the packet does not match any of the rules, it gets caught by the mandatory IPFW default rule number 65535, which denies all packets and silently discards them. However, if the packet matches a rule that contains the count
, skipto
, or tee
keywords, the search continues. Refer to ipfw(8) for details on how these keywords affect rule processing.
When creating an IPFW rule, keywords must be written in the following order. Some keywords are mandatory while other keywords are optional. The words shown in uppercase represent a variable and the words shown in lowercase must precede the variable that follows it. The #
symbol is used to mark the start of a comment and may appear at the end of a rule or on its own line. Blank lines are ignored.
CMD RULE_NUMBER set SET_NUMBER ACTION log LOG_AMOUNT PROTO from SRC SRC_PORT to DST DST_PORT OPTIONS
This section provides an overview of these keywords and their options. It is not an exhaustive list of every possible option. Refer to ipfw(8) for a complete description of the rule syntax that can be used when creating IPFW rules.
- CMD
Every rule must start with ipfw add.
- RULE_NUMBER
Each rule is associated with a number from
1
to65534
. The number is used to indicate the order of rule processing. Multiple rules can have the same number, in which case they are applied according to the order in which they have been added.- SET_NUMBER
Each rule is associated with a set number from
0
to31
. Sets can be individually disabled or enabled, making it possible to quickly add or delete a set of rules. If a SET_NUMBER is not specified, the rule will be added to set0
.- ACTION
A rule can be associated with one of the following actions. The specified action will be executed when the packet matches the selection criterion of the rule.
allow | accept | pass | permit: these keywords are equivalent and allow packets that match the rule.
check-state: checks the packet against the dynamic state table. If a match is found, execute the action associated with the rule which generated this dynamic rule, otherwise move to the next rule. A
check-state
rule does not have selection criterion. If nocheck-state
rule is present in the ruleset, the dynamic rules table is checked at the firstkeep-state
orlimit
rule.count: updates counters for all packets that match the rule. The search continues with the next rule.
deny | drop: either word silently discards packets that match this rule.
Additional actions are available. Refer to ipfw(8) for details.
- LOG_AMOUNT
When a packet matches a rule with the
log
keyword, a message will be logged to syslogd(8) with a facility name ofSECURITY
. Logging only occurs if the number of packets logged for that particular rule does not exceed a specified LOG_AMOUNT. If no LOG_AMOUNT is specified, the limit is taken from the value ofnet.inet.ip.fw.verbose_limit
. A value of zero removes the logging limit. Once the limit is reached, logging can be re-enabled by clearing the logging counter or the packet counter for that rule, usingipfw resetlog
.Logging is done after all other packet matching conditions have been met, and before performing the final action on the packet. The administrator decides which rules to enable logging on.
- PROTO
This optional value can be used to specify any protocol name or number found in /etc/protocols.
- SRC
The
from
keyword must be followed by the source address or a keyword that represents the source address. An address can be represented byany
,me
(any address configured on an interface on this system),me6
, (any IPv6 address configured on an interface on this system), ortable
followed by the number of a lookup table which contains a list of addresses. When specifying an IP address, it can be optionally followed by its CIDR mask or subnet mask. For example,1.2.3.4/25
or1.2.3.4:255.255.255.128
.- SRC_PORT
An optional source port can be specified using the port number or name from /etc/services.
- DST
The
to
keyword must be followed by the destination address or a keyword that represents the destination address. The same keywords and addresses described in the SRC section can be used to describe the destination.- DST_PORT
An optional destination port can be specified using the port number or name from /etc/services.
- OPTIONS
Several keywords can follow the source and destination. As the name suggests, OPTIONS are optional. Commonly used options include
in
orout
, which specify the direction of packet flow,icmptypes
followed by the type of ICMP message, andkeep-state
.When a keep-state rule is matched, the firewall will create a dynamic rule which matches bidirectional traffic between the source and destination addresses and ports using the same protocol.
The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack which would open a huge number of dynamic rules. To counter this type of attack with IPFW, use
limit
. This option limits the number of simultaneous sessions by checking the open dynamic rules, counting the number of times this rule and IP address combination occurred. If this count is greater than the value specified bylimit
, the packet is discarded.Dozens of OPTIONS are available. Refer to ipfw(8) for a description of each available option.
30.4.3. 範例規則集
This section demonstrates how to create an example stateful firewall ruleset script named /etc/ipfw.rules. In this example, all connection rules use in
or out
to clarify the direction. They also use via
interface-name to specify the interface the packet is traveling over.
When first creating or testing a firewall ruleset, consider temporarily setting this tunable: net.inet.ip.fw.default_to_accept="1" This sets the default policy of ipfw(8) to be more permissive than the default |
The firewall script begins by indicating that it is a Bourne shell script and flushes any existing rules. It then creates the cmd
variable so that ipfw add
does not have to be typed at the beginning of every rule. It also defines the pif
variable which represents the name of the interface that is attached to the Internet.
#!/bin/sh # Flush out the list before we begin. ipfw -q -f flush # Set rules command prefix cmd="ipfw -q add" pif="dc0" # interface name of NIC attached to Internet
The first two rules allow all traffic on the trusted internal interface and on the loopback interface:
# Change xl0 to LAN NIC interface name $cmd 00005 allow all from any to any via xl0 # No restrictions on Loopback Interface $cmd 00010 allow all from any to any via lo0
The next rule allows the packet through if it matches an existing entry in the dynamic rules table:
$cmd 00101 check-state
The next set of rules defines which stateful connections internal systems can create to hosts on the Internet:
# Allow access to public DNS # Replace x.x.x.x with the IP address of a public DNS server # and repeat for each DNS server in /etc/resolv.conf $cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state $cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state # Allow access to ISP's DHCP server for cable/DSL configurations. # Use the first rule and check log for IP address. # Then, uncomment the second rule, input the IP address, and delete the first rule $cmd 00120 allow log udp from any to any 67 out via $pif keep-state #$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state # Allow outbound HTTP and HTTPS connections $cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state $cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state # Allow outbound email connections $cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state $cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state # Allow outbound ping $cmd 00250 allow icmp from any to any out via $pif keep-state # Allow outbound NTP $cmd 00260 allow udp from any to any 123 out via $pif keep-state # Allow outbound SSH $cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state # deny and log all other outbound connections $cmd 00299 deny log all from any to any out via $pif
The next set of rules controls connections from Internet hosts to the internal network. It starts by denying packets typically associated with attacks and then explicitly allows specific types of connections. All the authorized services that originate from the Internet use limit
to prevent flooding.
# Deny all inbound traffic from non-routable reserved address spaces $cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP $cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP $cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP $cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback $cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback $cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config $cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs $cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect $cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast # Deny public pings $cmd 00310 deny icmp from any to any in via $pif # Deny ident $cmd 00315 deny tcp from any to any 113 in via $pif # Deny all Netbios services. $cmd 00320 deny tcp from any to any 137 in via $pif $cmd 00321 deny tcp from any to any 138 in via $pif $cmd 00322 deny tcp from any to any 139 in via $pif $cmd 00323 deny tcp from any to any 81 in via $pif # Deny fragments $cmd 00330 deny all from any to any frag in via $pif # Deny ACK packets that did not match the dynamic rule table $cmd 00332 deny tcp from any to any established in via $pif # Allow traffic from ISP's DHCP server. # Replace x.x.x.x with the same IP address used in rule 00120. #$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state # Allow HTTP connections to internal web server $cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2 # Allow inbound SSH connections $cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2 # Reject and log all other incoming connections $cmd 00499 deny log all from any to any in via $pif
The last rule logs all packets that do not match any of the rules in the ruleset:
# Everything else is denied and logged $cmd 00999 deny log all from any to any
30.4.4. 核心內 NAT
FreeBSD’s IPFW firewall has two implementations of NAT: one being the userland natd(8) daemon, and the more recent IPFW’s built-in NAT facility also known as in-kernel NAT. Both work in conjunction with IPFW to provide network address translation. This can be used to provide an Internet Connection Sharing solution so that several internal computers can connect to the Internet using a single public IP address.
To do this, the FreeBSD machine connected to the Internet must act as a gateway. This system must have two NICs, where one is connected to the Internet and the other is connected to the internal LAN. Each machine connected to the LAN should be assigned an IP address in the private network space, as defined by RFC 1918.
Some additional configuration is needed in order to enable the in-kernel NAT function of IPFW. To enable in-kernel NAT support at boot time, the following must be set in /etc/rc.conf:
gateway_enable="YES" firewall_enable="YES" firewall_nat_enable="YES"
When |
When the ruleset contains stateful rules, the positioning of the NAT rule is critical and the skipto
action is used. The skipto
action requires a rule number so that it knows which rule to jump to. Furthermore, because of the architecture of libalias(3), a library implemented as a kernel module used for the in-kernel NAT facility of IPFW, it is necessary to disable TCP segmentation offloading, or in short TSO. TSO can be disabled on a per network interface basis by using ifconfig(8) or on a system wide basis using sysctl(8). To disable TSO system wide, the following must be set in /etc/sysctl.conf:
net.inet.tcp.tso="0"
The example below builds upon the firewall ruleset shown in the previous section. It adds some additional entries and modifies some existing rules in order to configure the firewall for in-kernel NAT. It starts by adding some additional variables which represent the rule number to skip to, the keep-state
option, and a list of TCP ports which will be used to reduce the number of rules.
#!/bin/sh ipfw -q -f flush cmd="ipfw -q add" skip="skipto 1000" pif=dc0 ks="keep-state" good_tcpo="22,25,37,53,80,443,110"
A NAT instance will also be configured. With in-kernel NAT it is possible to have multiple NAT instances each with their own configuration. Although, for this example only one NAT instance is needed; NAT instance number 1. The configuration takes a few arguments and flags such as: if
which indicates the public interface, same_ports
which takes care that alliased ports and local port numbers are mapped the same, unreg_only
will result in only unregistered (private) address spaces to be processed by the NAT instance, and reset
which will help to keep a functioning NAT instance even when the public IP address of the IPFW machine changes. For all possible options that can be passed to a single NAT instance configuration consult ipfw(8). Furthermore, because of the nature of a stateful NATing firewall, it is neseccary to allow translated packets to be reinjected in the firewall for further processing, this can be achieved by disabling one_pass
behavior at the start of the firewall script.
ipfw disable one_pass ipfw -q nat 1 config if $pif same_ports unreg_only reset
The inbound NAT rule is inserted after the two rules which allow all traffic on the trusted and loopback interfaces and after the reassamble rule but before the check-state
rule. It is important that the rule number selected for this NAT rule, in this example 100
, is higher than the first three rules and lower than the check-state
rule. Furthermore, because of the behavior of in-kernel NAT it is advised to place a reassamble rule just before the first NAT rule and after the rules that allow traffic on trusted interface. Normally, IP fragmentation should not happen, but when dealing with IPSEC/ESP/GRE tunneling traffic it might and the reassmabling of fragments is necessary before handing the complete packet over to the in-kernel NAT engine.
The reassemble rule was not needed with userland natd(8) because the internal workings of the IPFW The current NAT instance number and NAT rule number does not match with the default NAT instance number and rule number created by rc.firewall which is a script to set up the baked-in default firewall rulesets present in FreeBSD. |
$cmd 005 allow all from any to any via xl0 # exclude LAN traffic $cmd 010 allow all from any to any via lo0 # exclude loopback traffic $cmd 099 reass all from any to any in # reassamble inbound packets $cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets # Allow the packet through if it has an existing entry in the dynamic rules table $cmd 101 check-state
The outbound rules are modified to replace the allow
action with the $skip
variable, indicating that rule processing will continue at rule 1000
. The seven tcp
rules have been replaced by rule 125
as the $good_tcpo
variable contains the seven allowed outbound ports.
Remember that IPFW’s firewall performance is largely determined by the number of rules present in the ruleset. |
# Authorized outbound packets $cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks $cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks $cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks $cmd 130 $skip icmp from any to any out via $pif $ks
The inbound rules remain the same, except for the very last rule which removes the via $pif
in order to catch both inbound and outbound rules. The NAT rule must follow this last outbound rule, must have a higher number than that last rule, and the rule number must be referenced by the skipto
action. In this ruleset, rule number 1000
handles passing all packets to our configured instance for NAT processing. The next rule allows any packet which has undergone NAT processing to pass.
$cmd 999 deny log all from any to any $cmd 1000 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules $cmd 1001 allow ip from any to any
In this example, rules 100
, 101
, 125
, 1000
, and 1001
control the address translation of the outbound and inbound packets so that the entries in the dynamic state table always register the private LANIP address.
Consider an internal web browser which initializes a new outbound HTTP session over port 80. When the first outbound packet enters the firewall, it does not match rule 100
because it is headed out rather than in. It passes rule 101
because this is the first packet and it has not been posted to the dynamic state table yet. The packet finally matches rule 125
as it is outbound on an allowed port and has a source IP address from the internal LAN. On matching this rule, two actions take place. First, the keep-state
action adds an entry to the dynamic state table and the specified action, skipto rule 1000
, is executed. Next, the packet undergoes NAT and is sent out to the Internet. This packet makes its way to the destination web server, where a response packet is generated and sent back. This new packet enters the top of the ruleset. It matches rule 100
and has its destination IP address mapped back to the original internal address. It then is processed by the check-state
rule, is found in the table as an existing session, and is released to the LAN.
On the inbound side, the ruleset has to deny bad packets and allow only authorized services. A packet which matches an inbound rule is posted to the dynamic state table and the packet is released to the LAN. The packet generated as a response is recognized by the check-state
rule as belonging to an existing session. It is then sent to rule 1000
to undergo NAT before being released to the outbound interface.
Transition from userland natd(8) to in-kernel NAT might seem seamless at first but there is small catch. When using the GENERIC kernel, IPFW will load the libalias.ko kernel module, when |
30.4.4.1. Port 重新導向
The drawback with NAT in general is that the LAN clients are not accessible from the Internet. Clients on the LAN can make outgoing connections to the world but cannot receive incoming ones. This presents a problem if trying to run Internet services on one of the LAN client machines. A simple way around this is to redirect selected Internet ports on the NAT providing machine to a LAN client.
For example, an IRC server runs on client A
and a web server runs on client B
. For this to work properly, connections received on ports 6667 (IRC) and 80 (HTTP) must be redirected to the respective machines.
With in-kernel NAT all configuration is done in the NAT instance configuration. For a full list of options that an in-kernel NAT instance can use, consult ipfw(8). The IPFW syntax follows the syntax of natd. The syntax for redirect_port
is as follows:
redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT] [remoteIP[:remotePORT[-remotePORT]]]
To configure the above example setup, the arguments should be:
redirect_port tcp 192.168.0.2:6667 6667 redirect_port tcp 192.168.0.3:80 80
After adding these arguments to the configuration of NAT instance 1 in the above ruleset, the TCP ports will be port forwarded to the LAN client machines running the IRC and HTTP services.
ipfw -q nat 1 config if $pif same_ports unreg_only reset \ redirect_port tcp 192.168.0.2:6667 6667 \ redirect_port tcp 192.1683.0.3:80 80
Port ranges over individual ports can be indicated with redirect_port
. For example, tcp 192.168.0.2:2000-3000 2000-3000 would redirect all connections received on ports 2000 to 3000 to ports 2000 to 3000 on client A
.
30.4.4.2. 位址重新導向
Address redirection is useful if more than one IP address is available. Each LAN client can be assigned its own external IP address by ipfw(8), which will then rewrite outgoing packets from the LAN clients with the proper external IP address and redirects all traffic incoming on that particular IP address back to the specific LAN client. This is also known as static NAT. For example, if IP addresses 128.1.1.1
, 128.1.1.2
, and 128.1.1.3
are available, 128.1.1.1
can be used as the ipfw(8) machine’s external IP address, while 128.1.1.2
and 128.1.1.3
are forwarded back to LAN clients A
and B
.
The redirect_address
syntax is as below, where localIP
is the internal IP address of the LAN client, and publicIP
the external IP address corresponding to the LAN client.
redirect_address localIP publicIP
In the example, the arguments would read:
redirect_address 192.168.0.2 128.1.1.2 redirect_address 192.168.0.3 128.1.1.3
Like redirect_port
, these arguments are placed in a NAT instance configuration. With address redirection, there is no need for port redirection, as all data received on a particular IP address is redirected.
The external IP addresses on the ipfw(8) machine must be active and aliased to the external interface. Refer to rc.conf(5) for details.
30.4.4.3. Userspace NAT
Let us start with a statement: the userspace NAT implementation: natd(8), has more overhead than in-kernel NAT. For natd(8) to translate packets, the packets have to be copied from the kernel to userspace and back which brings in extra overhead that is not present with in-kernel NAT.
要在開機時啟動 Userspace 的 NAT daemon natd(8) 需在 /etc/rc.conf 中做以下最小設定,其中 natd_interface
要設成連接到網際網路的 NIC 名稱,rc(8) script of natd(8) 會自動檢查是否有使用動態 IP 位址,並且自行設定並處理。
gateway_enable="YES" natd_enable="YES" natd_interface="rl0"
In general, the above ruleset as explained for in-kernel NAT can also be used together with natd(8). The only exceptions are the configuration of the in-kernel NAT instance (ipfw -q nat 1 config …)
not being applicable any more, rule number 100 and 1000 will have to change sligthly as below, and reassemble rule 99 is not needed anymore as the divert
action is used which covers fragmentation.
$cmd 100 divert natd ip from any to any in via $pif $cmd 1000 divert natd ip from any to any out via $pif
To configure port or address redirection, a similar syntax as with in-kernel NAT is used. Although, now, instead of specifying the configuration in our ruleset script like with in-kernel NAT, configuration of natd(8) is best done in a configuration file. To do this, an extra flag must be passed via /etc/rc.conf which specifies the path of the configuration file.
natd_flags="-f /etc/natd.conf"
The specified file must contain a list of configuration options, one per line. For more information about the configuration file and possible variables, consult natd(8). Below are two example entries, one per line: redirect_port tcp 192.168.0.2:6667 6667 redirect_address 192.168.0.3 128.1.1.3 |
30.4.5. IPFW 指令
ipfw
can be used to make manual, single rule additions or deletions to the active firewall while it is running. The problem with using this method is that all the changes are lost when the system reboots. It is recommended to instead write all the rules in a file and to use that file to load the rules at boot time and to replace the currently running firewall rules whenever that file changes.
ipfw
is a useful way to display the running firewall rules to the console screen. The IPFW accounting facility dynamically creates a counter for each rule that counts each packet that matches the rule. During the process of testing a rule, listing the rule with its counter is one way to determine if the rule is functioning as expected.
To list all the running rules in sequence:
# ipfw list
To list all the running rules with a time stamp of when the last time the rule was matched:
# ipfw -t list
The next example lists accounting information and the packet count for matched rules along with the rules themselves. The first column is the rule number, followed by the number of matched packets and bytes, followed by the rule itself.
# ipfw -a list
To list dynamic rules in addition to static rules:
# ipfw -d list
To also show the expired dynamic rules:
# ipfw -d -e list
To zero the counters:
# ipfw zero
To zero the counters for just the rule with number NUM:
# ipfw zero NUM
30.4.5.1. 記錄防火牆訊息
Even with the logging facility enabled, IPFW will not generate any rule logging on its own. The firewall administrator decides which rules in the ruleset will be logged, and adds the log
keyword to those rules. Normally only deny rules are logged. It is customary to duplicate the "ipfw default deny everything" rule with the log
keyword included as the last rule in the ruleset. This way, it is possible to see all the packets that did not match any of the rules in the ruleset.
Logging is a two edged sword. If one is not careful, an over abundance of log data or a DoS attack can fill the disk with log files. Log messages are not only written to syslogd, but also are displayed on the root console screen and soon become annoying.
The IPFIREWALL_VERBOSE_LIMIT=5
kernel option limits the number of consecutive messages sent to syslogd(8), concerning the packet matching of a given rule. When this option is enabled in the kernel, the number of consecutive messages concerning a particular rule is capped at the number specified. There is nothing to be gained from 200 identical log messages. With this option set to five, five consecutive messages concerning a particular rule would be logged to syslogd and the remainder identical consecutive messages would be counted and posted to syslogd with a phrase like the following:
last message repeated 45 times
All logged packets messages are written by default to /var/log/security, which is defined in /etc/syslog.conf.
30.4.5.2. 建立規則 Script
Most experienced IPFW users create a file containing the rules and code them in a manner compatible with running them as a script. The major benefit of doing this is the firewall rules can be refreshed in mass without the need of rebooting the system to activate them. This method is convenient in testing new rules as the procedure can be executed as many times as needed. Being a script, symbolic substitution can be used for frequently used values to be substituted into multiple rules.
This example script is compatible with the syntax used by the sh(1), csh(1), and tcsh(1) shells. Symbolic substitution fields are prefixed with a dollar sign ($). Symbolic fields do not have the $ prefix. The value to populate the symbolic field must be enclosed in double quotes ("").
Start the rules file like this:
############### start of example ipfw rules script ############# # ipfw -q -f flush # Delete all rules # Set defaults oif="tun0" # out interface odns="192.0.2.11" # ISP's DNS server IP address cmd="ipfw -q add " # build rule prefix ks="keep-state" # just too lazy to key this each time $cmd 00500 check-state $cmd 00502 deny all from any to any frag $cmd 00501 deny tcp from any to any established $cmd 00600 allow tcp from any to any 80 out via $oif setup $ks $cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks $cmd 00611 allow udp from any to $odns 53 out via $oif $ks ################### End of example ipfw rules script ############
The rules are not important as the focus of this example is how the symbolic substitution fields are populated.
If the above example was in /etc/ipfw.rules, the rules could be reloaded by the following command:
# sh /etc/ipfw.rules
/etc/ipfw.rules can be located anywhere and the file can have any name.
The same thing could be accomplished by running these commands by hand:
# ipfw -q -f flush
# ipfw -q add check-state
# ipfw -q add deny all from any to any frag
# ipfw -q add deny tcp from any to any established
# ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state
# ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state
# ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state
30.4.6. IPFW 核心選項
In order to statically compile IPFW support into a custom kernel, refer to the instructions in 設定 FreeBSD 核心. The following options are available for the custom kernel configuration file:
options IPFIREWALL # enables IPFW options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8) options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied options IPFIREWALL_NAT # enables in-kernel NAT support options IPFIREWALL_NAT64 # enables in-kernel NAT64 support options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support options IPFIREWALL_PMOD # enables protocols modification module support options IPDIVERT # enables NAT through natd(8)
IPFW can be loaded as a kernel module: options above are built by default as modules or can be set at runtime using tunables. |
30.5. IPFILTER (IPF)
IPFILTER 即為 IPF,是一套跨平台、開放源碼的防火牆,已被移植到各種作業系統,包含 FreeBSD, NetBSD, OpenBSD 與 Solaris™。
IPFILTER 是核心端 (Kernel-side) 的防火牆且 NAT 機制可由 Userland 的程式控制與監控,防火牆規則可以使用 ipf 設定或刪除,NAT 規則可以使用 ipnat 設定或刪除,可使用 ipfstat 來列出 IPFILTER 在核心部份的執行期統計資訊,可使用 ipmon 來記錄 IPFILTER 動作到系統記錄檔。
IPF 原來是以 "最後一個符合的條件優先" 的規則處理邏輯所撰寫並只能使用無狀態 (Stateless) 的規則,之後 IPF 才被加強支援快速 (quick
) 與保留狀態 (keep state
) 的選項。
IPF FAQ 位於 http://www.phildev.net/ipf/index.html,可搜尋的 IPFilter 郵遞論壇封存資料可至 http://marc.info/?l=ipfilter 取得。
由於 FreeBSD 也支援 IPF 因此操作手冊特別在此章節對此介紹,本節提供幾個有使用快速 (quick
) 與保留狀態 (keep state
) 選項的規則範例。
30.5.1. 開啟 IPF
IPF is included in the basic FreeBSD install as a kernel loadable module, meaning that a custom kernel is not needed in order to enable IPF.
For users who prefer to statically compile IPF support into a custom kernel, refer to the instructions in 設定 FreeBSD 核心. The following kernel options are available:
options IPFILTER options IPFILTER_LOG options IPFILTER_LOOKUP options IPFILTER_DEFAULT_BLOCK
where options IPFILTER
enables support for IPFILTER, options IPFILTER_LOG
enables IPF logging using the ipl packet logging pseudo-device for every rule that has the log
keyword, IPFILTER_LOOKUP
enables IP pools in order to speed up IP lookups, and options IPFILTER_DEFAULT_BLOCK
changes the default behavior so that any packet not matching a firewall pass
rule gets blocked.
To configure the system to enable IPF at boot time, add the following entries to /etc/rc.conf. These entries will also enable logging and default pass all
. To change the default policy to block all
without compiling a custom kernel, remember to add a block all
rule at the end of the ruleset.
ipfilter_enable="YES" # Start ipf firewall ipfilter_rules="/etc/ipf.rules" # loads rules definition text file ipmon_enable="YES" # Start IP monitor log ipmon_flags="-Ds" # D = start as daemon # s = log to syslog # v = log tcp window, ack, seq # n = map IP & port to names
If NAT functionality is needed, also add these lines:
gateway_enable="YES" # Enable as LAN gateway ipnat_enable="YES" # Start ipnat function ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
Then, to start IPF now:
# service ipfilter start
To load the firewall rules, specify the name of the ruleset file using ipf
. The following command can be used to replace the currently running firewall rules:
# ipf -Fa -f /etc/ipf.rules
where -Fa
flushes all the internal rules tables and -f
specifies the file containing the rules to load.
This provides the ability to make changes to a custom ruleset and update the running firewall with a fresh copy of the rules without having to reboot the system. This method is convenient for testing new rules as the procedure can be executed as many times as needed.
Refer to ipf(8) for details on the other flags available with this command.
30.5.2. IPF 規則語法
This section describes the IPF rule syntax used to create stateful rules. When creating rules, keep in mind that unless the quick
keyword appears in a rule, every rule is read in order, with the last matching rule being the one that is applied. This means that even if the first rule to match a packet is a pass
, if there is a later matching rule that is a block
, the packet will be dropped. Sample rulesets can be found in /usr/shared/examples/ipfilter.
When creating rules, a #
character is used to mark the start of a comment and may appear at the end of a rule, to explain that rule’s function, or on its own line. Any blank lines are ignored.
The keywords which are used in rules must be written in a specific order, from left to right. Some keywords are mandatory while others are optional. Some keywords have sub-options which may be keywords themselves and also include more sub-options. The keyword order is as follows, where the words shown in uppercase represent a variable and the words shown in lowercase must precede the variable that follows it:
ACTION DIRECTION OPTIONS proto PROTO_TYPE from SRC_ADDR SRC_PORT to DST_ADDR DST_PORT TCP_FLAG|ICMP_TYPE keep state STATE
This section describes each of these keywords and their options. It is not an exhaustive list of every possible option. Refer to ipf(5) for a complete description of the rule syntax that can be used when creating IPF rules and examples for using each keyword.
- ACTION
The action keyword indicates what to do with the packet if it matches that rule. Every rule must have an action. The following actions are recognized:
block
: drops the packet.pass
: allows the packet.log
: generates a log record.count
: counts the number of packets and bytes which can provide an indication of how often a rule is used.auth
: queues the packet for further processing by another program.call
: provides access to functions built into IPF that allow more complex actions.decapsulate
: removes any headers in order to process the contents of the packet.- DIRECTION
Next, each rule must explicitly state the direction of traffic using one of these keywords:
in
: the rule is applied against an inbound packet.out
: the rule is applied against an outbound packet.all
: the rule applies to either direction.If the system has multiple interfaces, the interface can be specified along with the direction. An example would be
in on fxp0
.- OPTIONS
Options are optional. However, if multiple options are specified, they must be used in the order shown here.
log
: when performing the specified ACTION, the contents of the packet’s headers will be written to the ipl(4) packet log pseudo-device.quick
: if a packet matches this rule, the ACTION specified by the rule occurs and no further processing of any following rules will occur for this packet.on
: must be followed by the interface name as displayed by ifconfig(8). The rule will only match if the packet is going through the specified interface in the specified direction.When using the
log
keyword, the following qualifiers may be used in this order:body
: indicates that the first 128 bytes of the packet contents will be logged after the headers.first
: if thelog
keyword is being used in conjunction with akeep state
option, this option is recommended so that only the triggering packet is logged and not every packet which matches the stateful connection.Additional options are available to specify error return messages. Refer to ipf(5) for more details.
- PROTO_TYPE
The protocol type is optional. However, it is mandatory if the rule needs to specify a SRC_PORT or a DST_PORT as it defines the type of protocol. When specifying the type of protocol, use the
proto
keyword followed by either a protocol number or name from /etc/protocols. Example protocol names includetcp
,udp
, oricmp
. If PROTO_TYPE is specified but no SRC_PORT or DST_PORT is specified, all port numbers for that protocol will match that rule.- SRC_ADDR
The
from
keyword is mandatory and is followed by a keyword which represents the source of the packet. The source can be a hostname, an IP address followed by the CIDR mask, an address pool, or the keywordall
. Refer to ipf(5) for examples.There is no way to match ranges of IP addresses which do not express themselves easily using the dotted numeric form / mask-length notation. The net-mgmt/ipcalc package or port may be used to ease the calculation of the CIDR mask. Additional information is available at the utility’s web page: http://jodies.de/ipcalc.
- SRC_PORT
The port number of the source is optional. However, if it is used, it requires PROTO_TYPE to be first defined in the rule. The port number must also be preceded by the
proto
keyword.A number of different comparison operators are supported:
=
(equal to),!=
(not equal to),<
(less than),>
(greater than),⇐
(less than or equal to), and>=
(greater than or equal to).To specify port ranges, place the two port numbers between
<>
(less than and greater than ),><
(greater than and less than ), or:
(greater than or equal to and less than or equal to).- DST_ADDR
The
to
keyword is mandatory and is followed by a keyword which represents the destination of the packet. Similar to SRC_ADDR, it can be a hostname, an IP address followed by the CIDR mask, an address pool, or the keywordall
.- DST_PORT
Similar to SRC_PORT, the port number of the destination is optional. However, if it is used, it requires PROTO_TYPE to be first defined in the rule. The port number must also be preceded by the
proto
keyword.- TCP_FLAG|ICMP_TYPE
If
tcp
is specified as the PROTO_TYPE, flags can be specified as letters, where each letter represents one of the possible TCP flags used to determine the state of a connection. Possible values are:S
(SYN),A
(ACK),P
(PSH),F
(FIN),U
(URG),R
(RST),C
(CWN), andE
(ECN).If
icmp
is specified as the PROTO_TYPE, the ICMP type to match can be specified. Refer to ipf(5) for the allowable types.- STATE
If a
pass
rule containskeep state
, IPF will add an entry to its dynamic state table and allow subsequent packets that match the connection. IPF can track state for TCP, UDP, and ICMP sessions. Any packet that IPF can be certain is part of an active session, even if it is a different protocol, will be allowed.In IPF, packets destined to go out through the interface connected to the public Internet are first checked against the dynamic state table. If the packet matches the next expected packet comprising an active session conversation, it exits the firewall and the state of the session conversation flow is updated in the dynamic state table. Packets that do not belong to an already active session are checked against the outbound ruleset. Packets coming in from the interface connected to the public Internet are first checked against the dynamic state table. If the packet matches the next expected packet comprising an active session, it exits the firewall and the state of the session conversation flow is updated in the dynamic state table. Packets that do not belong to an already active session are checked against the inbound ruleset.
Several keywords can be added after
keep state
. If used, these keywords set various options that control stateful filtering, such as setting connection limits or connection age. Refer to ipf(5) for the list of available options and their descriptions.
30.5.3. 範例規則集
This section demonstrates how to create an example ruleset which only allows services matching pass
rules and blocks all others.
FreeBSD uses the loopback interface (lo0) and the IP address 127.0.0.1
for internal communication. The firewall ruleset must contain rules to allow free movement of these internally used packets:
# no restrictions on loopback interface pass in quick on lo0 all pass out quick on lo0 all
The public interface connected to the Internet is used to authorize and control access of all outbound and inbound connections. If one or more interfaces are cabled to private networks, those internal interfaces may require rules to allow packets originating from the LAN to flow between the internal networks or to the interface attached to the Internet. The ruleset should be organized into three major sections: any trusted internal interfaces, outbound connections through the public interface, and inbound connections through the public interface.
These two rules allow all traffic to pass through a trusted LAN interface named xl0:
# no restrictions on inside LAN interface for private network pass out quick on xl0 all pass in quick on xl0 all
The rules for the public interface’s outbound and inbound sections should have the most frequently matched rules placed before less commonly matched rules, with the last rule in the section blocking and logging all packets for that interface and direction.
This set of rules defines the outbound section of the public interface named dc0. These rules keep state and identify the specific services that internal systems are authorized for public Internet access. All the rules use quick
and specify the appropriate port numbers and, where applicable, destination addresses.
# interface facing Internet (outbound) # Matches session start requests originating from or behind the # firewall, destined for the Internet. # Allow outbound access to public DNS servers. # Replace x.x.x. with address listed in /etc/resolv.conf. # Repeat for each DNS server. pass out quick on dc0 proto tcp from any to x.x.x. port = 53 flags S keep state pass out quick on dc0 proto udp from any to xxx port = 53 keep state # Allow access to ISP's specified DHCP server for cable or DSL networks. # Use the first rule, then check log for the IP address of DHCP server. # Then, uncomment the second rule, replace z.z.z.z with the IP address, # and comment out the first rule pass out log quick on dc0 proto udp from any to any port = 67 keep state #pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state # Allow HTTP and HTTPS pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state # Allow email pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state # Allow NTP pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state # Allow FTP pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state # Allow SSH pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state # Allow ping pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state # Block and log everything else block out log first quick on dc0 all
This example of the rules in the inbound section of the public interface blocks all undesirable packets first. This reduces the number of packets that are logged by the last rule.
# interface facing Internet (inbound) # Block all inbound traffic from non-routable or reserved address spaces block in quick on dc0 from 192.168.0.0/16 to any #RFC 1918 private IP block in quick on dc0 from 172.16.0.0/12 to any #RFC 1918 private IP block in quick on dc0 from 10.0.0.0/8 to any #RFC 1918 private IP block in quick on dc0 from 127.0.0.0/8 to any #loopback block in quick on dc0 from 0.0.0.0/8 to any #loopback block in quick on dc0 from 169.254.0.0/16 to any #DHCP auto-config block in quick on dc0 from 192.0.2.0/24 to any #reserved for docs block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast # Block fragments and too short tcp packets block in quick on dc0 all with frags block in quick on dc0 proto tcp all with short # block source routed packets block in quick on dc0 all with opt lsrr block in quick on dc0 all with opt ssrr # Block OS fingerprint attempts and log first occurrence block in log first quick on dc0 proto tcp from any to any flags FUP # Block anything with special options block in quick on dc0 all with ipopts # Block public pings and ident block in quick on dc0 proto icmp all icmp-type 8 block in quick on dc0 proto tcp from any to any port = 113 # Block incoming Netbios services block in log first quick on dc0 proto tcp/udp from any to any port = 137 block in log first quick on dc0 proto tcp/udp from any to any port = 138 block in log first quick on dc0 proto tcp/udp from any to any port = 139 block in log first quick on dc0 proto tcp/udp from any to any port = 81
Any time there are logged messages on a rule with the log first
option, run ipfstat -hio
to evaluate how many times the rule has been matched. A large number of matches may indicate that the system is under attack.
The rest of the rules in the inbound section define which connections are allowed to be initiated from the Internet. The last rule denies all connections which were not explicitly allowed by previous rules in this section.
# Allow traffic in from ISP's DHCP server. Replace z.z.z.z with # the same IP address used in the outbound section. pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state # Allow public connections to specified internal web server pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state # Block and log only first occurrence of all remaining traffic. block in log first quick on dc0 all
30.5.4. 設定 NAT
To enable NAT, add these statements to /etc/rc.conf and specify the name of the file containing the NAT rules:
gateway_enable="YES" ipnat_enable="YES" ipnat_rules="/etc/ipnat.rules"
NAT rules are flexible and can accomplish many different things to fit the needs of both commercial and home users. The rule syntax presented here has been simplified to demonstrate common usage. For a complete rule syntax description, refer to ipnat(5).
The basic syntax for a NAT rule is as follows, where map
starts the rule and IF should be replaced with the name of the external interface:
map IF LAN_IP_RANGE -> PUBLIC_ADDRESS
The LAN_IP_RANGE is the range of IP addresses used by internal clients. Usually, it is a private address range such as 192.168.1.0/24
. The PUBLIC_ADDRESS can either be the static external IP address or the keyword 0/32
which represents the IP address assigned to IF.
In IPF, when a packet arrives at the firewall from the LAN with a public destination, it first passes through the outbound rules of the firewall ruleset. Then, the packet is passed to the NAT ruleset which is read from the top down, where the first matching rule wins. IPF tests each NAT rule against the packet’s interface name and source IP address. When a packet’s interface name matches a NAT rule, the packet’s source IP address in the private LAN is checked to see if it falls within the IP address range specified in LAN_IP_RANGE. On a match, the packet has its source IP address rewritten with the public IP address specified by PUBLIC_ADDRESS. IPF posts an entry in its internal NAT table so that when the packet returns from the Internet, it can be mapped back to its original private IP address before being passed to the firewall rules for further processing.
For networks that have large numbers of internal systems or multiple subnets, the process of funneling every private IP address into a single public IP address becomes a resource problem. Two methods are available to relieve this issue.
The first method is to assign a range of ports to use as source ports. By adding the portmap
keyword, NAT can be directed to only use source ports in the specified range:
map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000
Alternately, use the auto
keyword which tells NAT to determine the ports that are available for use:
map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
The second method is to use a pool of public addresses. This is useful when there are too many LAN addresses to fit into a single public address and a block of public IP addresses is available. These public addresses can be used as a pool from which NAT selects an IP address as a packet’s address is mapped on its way out.
The range of public IP addresses can be specified using a netmask or CIDR notation. These two rules are equivalent:
map dc0 192.168.1.0/24 -> 204.134.75.0/255.255.255.0 map dc0 192.168.1.0/24 -> 204.134.75.0/24
A common practice is to have a publically accessible web server or mail server segregated to an internal network segment. The traffic from these servers still has to undergo NAT, but port redirection is needed to direct inbound traffic to the correct server. For example, to map a web server using the internal address 10.0.10.25
to its public IP address of 20.20.20.5
, use this rule:
rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80
If it is the only web server, this rule would also work as it redirects all external HTTP requests to 10.0.10.25
:
rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80
IPF has a built in FTP proxy which can be used with NAT. It monitors all outbound traffic for active or passive FTP connection requests and dynamically creates temporary filter rules containing the port number used by the FTP data channel. This eliminates the need to open large ranges of high order ports for FTP connections.
In this example, the first rule calls the proxy for outbound FTP traffic from the internal LAN. The second rule passes the FTP traffic from the firewall to the Internet, and the third rule handles all non-FTP traffic from the internal LAN:
map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp map dc0 10.0.10.0/29 -> 0/32
The FTP map
rules go before the NAT rule so that when a packet matches an FTP rule, the FTP proxy creates temporary filter rules to let the FTP session packets pass and undergo NAT. All LAN packets that are not FTP will not match the FTP rules but will undergo NAT if they match the third rule.
Without the FTP proxy, the following firewall rules would instead be needed. Note that without the proxy, all ports above 1024
need to be allowed:
# Allow out LAN PC client FTP to public Internet # Active and passive modes pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state # Allow out passive mode data channel high order port numbers pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state # Active mode let data channel in from FTP server pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state
Whenever the file containing the NAT rules is edited, run ipnat
with -CF
to delete the current NAT rules and flush the contents of the dynamic translation table. Include -f
and specify the name of the NAT ruleset to load:
# ipnat -CF -f /etc/ipnat.rules
To display the NAT statistics:
# ipnat -s
To list the NAT table’s current mappings:
# ipnat -l
To turn verbose mode on and display information relating to rule processing and active rules and table entries:
# ipnat -v
30.5.5. 檢視 IPF 統計資訊
IPF includes ipfstat(8) which can be used to retrieve and display statistics which are gathered as packets match rules as they go through the firewall. Statistics are accumulated since the firewall was last started or since the last time they were reset to zero using ipf -Z
.
The default ipfstat
output looks like this:
input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0
output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0
input packets logged: blocked 99286 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 3898 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 169364 lost 0
packet state(out): kept 431395 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Result cache hits(in): 1215208 (out): 1098963
IN Pullups succeeded: 2 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
Several options are available. When supplied with either -i
for inbound or -o
for outbound, the command will retrieve and display the appropriate list of filter rules currently installed and in use by the kernel. To also see the rule numbers, include -n
. For example, ipfstat -on
displays the outbound rules table with rule numbers:
@1 pass out on xl0 from any to any
@2 block out on dc0 from any to any
@3 pass out quick on dc0 proto tcp/udp from any to any keep state
Include -h
to prefix each rule with a count of how many times the rule was matched. For example, ipfstat -oh
displays the outbound internal rules table, prefixing each rule with its usage count:
2451423 pass out on xl0 from any to any
354727 block out on dc0 from any to any
430918 pass out quick on dc0 proto tcp/udp from any to any keep state
To display the state table in a format similar to top(1), use ipfstat -t
. When the firewall is under attack, this option provides the ability to identify and see the attacking packets. The optional sub-flags give the ability to select the destination or source IP, port, or protocol to be monitored in real time. Refer to ipfstat(8) for details.
30.5.6. IPF 日誌
IPF provides ipmon
, which can be used to write the firewall’s logging information in a human readable format. It requires that options IPFILTER_LOG
be first added to a custom kernel using the instructions in 設定 FreeBSD 核心.
This command is typically run in daemon mode in order to provide a continuous system log file so that logging of past events may be reviewed. Since FreeBSD has a built in syslogd(8) facility to automatically rotate system logs, the default rc.confipmon_flags
statement uses -Ds
:
ipmon_flags="-Ds" # D = start as daemon # s = log to syslog # v = log tcp window, ack, seq # n = map IP & port to names
Logging provides the ability to review, after the fact, information such as which packets were dropped, what addresses they came from, and where they were going. This information is useful in tracking down attackers.
Once the logging facility is enabled in rc.conf and started with service ipmon start
, IPF will only log the rules which contain the log
keyword. The firewall administrator decides which rules in the ruleset should be logged and normally only deny rules are logged. It is customary to include the log
keyword in the last rule in the ruleset. This makes it possible to see all the packets that did not match any of the rules in the ruleset.
By default, ipmon -Ds
mode uses local0
as the logging facility. The following logging levels can be used to further segregate the logged data:
LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered short due to an incomplete header
In order to setup IPF to log all data to /var/log/ipfilter.log, first create the empty file:
# touch /var/log/ipfilter.log
Then, to write all logged messages to the specified file, add the following statement to /etc/syslog.conf:
local0.* /var/log/ipfilter.log
To activate the changes and instruct syslogd(8) to read the modified /etc/syslog.conf, run service syslogd reload
.
Do not forget to edit /etc/newsyslog.conf to rotate the new log file.
Messages generated by ipmon
consist of data fields separated by white space. Fields common to all messages are:
The date of packet receipt.
The time of packet receipt. This is in the form HH:MM:SS.F, for hours, minutes, seconds, and fractions of a second.
The name of the interface that processed the packet.
The group and rule number of the rule in the format
@0:17
.The action:
p
for passed,b
for blocked,S
for a short packet,n
did not match any rules, andL
for a log rule.The addresses written as three fields: the source address and port separated by a comma, the → symbol, and the destination address and port. For example:
209.53.17.22,80 → 198.73.220.17,1722
.PR
followed by the protocol name or number: for example,PR tcp
.len
followed by the header length and total length of the packet: for example,len 20 40
.
If the packet is a TCP packet, there will be an additional field starting with a hyphen followed by letters corresponding to any flags that were set. Refer to ipf(5) for a list of letters and their flags.
If the packet is an ICMP packet, there will be two fields at the end: the first always being "icmp" and the next being the ICMP message and sub-message type, separated by a slash. For example: icmp 3/3
for a port unreachable message.
30.6. Blacklistd
Blacklistd is a daemon listening to sockets to receive notifications from other daemons about connection attempts that failed or were successful. It is most widely used in blocking too many connection attempts on open ports. A prime example is SSH running on the internet getting a lot of requests from bots or scripts trying to guess passwords and gain access. Using blacklistd, the daemon can notify the firewall to create a filter rule to block excessive connection attempts from a single source after a number of tries. Blacklistd was first developed on NetBSD and appeared there in version 7. FreeBSD 11 imported blacklistd from NetBSD.
This chapter describes how to set up blacklistd, configure it, and provides examples on how to use it. Readers should be familiar with basic firewall concepts like rules. For details, refer to the firewall chapter. PF is used in the examples, but other firewalls available on FreeBSD should be able to work with blacklistd, too.
30.6.1. 開啟 Blacklistd
The main configuration for blacklistd is stored in blacklistd.conf(5). Various command line options are also available to change blacklistd’s run-time behavior. Persistent configuration across reboots should be stored in /etc/blacklistd.conf. To enable the daemon during system boot, add a blacklistd_enable
line to /etc/rc.conf like this:
# sysrc blacklistd_enable=yes
To start the service manually, run this command:
# service blacklistd start
30.6.2. 建立 Blacklistd 規則集
Rules for blacklistd are configured in blacklistd.conf(5) with one entry per line. Each rule contains a tuple separated by spaces or tabs. Rules either belong to a local
or a remote
, which applies to the machine where blacklistd is running or an outside source, respectively.
30.6.2.1. 本地規則
An example blacklistd.conf entry for a local rule looks like this:
[local] ssh stream * * * 3 24h
All rules that follow the [local]
section are treated as local rules (which is the default), applying to the local machine. When a [remote]
section is encountered, all rules that follow it are handled as remote machine rules.
Seven fields define a rule separated by either tabs or spaces. The first four fields identify the traffic that should be blacklisted. The three fields that follow define backlistd’s behavior. Wildcards are denoted as asterisks (*
), matching anything in this field. The first field defines the location. In local rules, these are the network ports. The syntax for the location field is as follows:
[address|interface][/mask][:port]
Adressses can be specified as IPv4 in numeric format or IPv6 in square brackets. An interface name like em0
can also be used.
The socket type is defined by the second field. TCP sockets are of type stream
, whereas UDP is denoted as dgram
. The example above uses TCP, since SSH is using that protocol.
A protocol can be used in the third field of a blacklistd rule. The following protocols can be used: tcp
, udp
, tcp6
, udp6
, or numeric. A wildcard, like in the example, is typically used to match all protocols unless there is a reason to distinguish traffic by a certain protocol.
In the fourth field, the effective user or owner of the daemon process that is reporting the event is defined. The username or UID can be used here, as well as a wildcard (see example rule above).
The packet filter rule name is declared by the fifth field, which starts the behavior part of the rule. By default, blacklistd puts all blocks under a pf anchor called blacklistd
in pf.conf like this:
anchor "blacklistd/*" in on $ext_if block in pass out
For separate blacklists, an anchor name can be used in this field. In other cases, the wildcard will suffice. When a name starts with a hyphen (-
) it means that an anchor with the default rule name prepended should be used. A modified example from the above using the hyphen would look like this:
ssh stream * * -ssh 3 24h
With such a rule, any new blacklist rules are added to an anchor called blacklistd-ssh
.
To block whole subnets for a single rule violation, a /
in the rule name can be used. This causes the remaining portion of the name to be interpreted as the mask to be applied to the address specified in the rule. For example, this rule would block every address adjoining /24
.
22 stream tcp * */24 3 24h
It is important to specify the proper protocol here. IPv4 and IPv6 treat /24 differently, that is the reason why |
This rule defines that if any one host in that network is misbehaving, everything else on that network will be blocked, too.
The sixth field, called nfail
, sets the number of login failures required to blacklist the remote IP in question. When a wildcard is used at this position, it means that blocks will never happen. In the example rule above, a limit of three is defined meaning that after three attempts to log into SSH on one connection, the IP is blocked.
The last field in a blacklistd rule definition specifies how long a host is blacklisted. The default unit is seconds, but suffixes like m
, h
, and d
can also be specified for minutes, hours, and days, respectively.
The example rule in its entirety means that after three times authenticating to SSH will result in a new PF block rule for that host. Rule matches are performed by first checking local rules one after another, from most specific to least specific. When a match occurs, the remote
rules are applied and the name, nfail
, and disable fields are changed by the remote
rule that matched.
30.6.2.2. 遠端規則
Remote rules are used to specify how blacklistd changes its behavior depending on the remote host currently being evaluated. Each field in a remote rule is the same as in a local rule. The only difference is in the way blacklistd is using them. To explain it, this example rule is used:
[remote] 203.0.113.128/25 * * * =/25 = 48h
The address field can be an IP address (either v4 or v6), a port or both. This allows setting special rules for a specific remote address range like in this example. The fields for type, protocol and owner are identically interpreted as in the local rule.
The name fields is different though: the equal sign (=
) in a remote rule tells blacklistd to use the value from the matching local rule. It means that the firewall rule entry is taken and the /25
prefix (a netmask of 255.255.255.128
) is added. When a connection from that address range is blacklisted, the entire subnet is affected. A PF anchor name can also be used here, in which case blacklistd will add rules for this address block to the anchor of that name. The default table is used when a wildcard is specified.
A custom number of failures in the nfail
column can be defined for an address. This is useful for exceptions to a specific rule, to maybe allow someone a less strict application of rules or a bit more leniency in login tries. Blocking is disabled when an asterisk is used in this sixth field.
Remote rules allow a stricter enforcement of limits on attempts to log in compared to attempts coming from a local network like an office.
30.6.3. Blacklistd 客戶端設定
There are a few software packages in FreeBSD that can utilize blacklistd’s functionality. The two most prominent ones are ftpd(8) and sshd(8) to block excessive connection attempts. To activate blacklistd in the SSH daemon, add the following line to /etc/ssh/sshd_config:
UseBlacklist yes
接著重新啟動 sshd 來使變更生效。
Blacklisting for ftpd(8) is enabled using -B
, either in /etc/inetd.conf or as a flag in /etc/rc.conf like this:
ftpd_flags="-B"
That is all that is needed to make these programs talk to blacklistd.
30.6.4. Blacklistd 管理
Blacklistd provides the user with a management utility called blacklistctl(8). It displays blocked addresses and networks that are blacklisted by the rules defined in blacklistd.conf(5). To see the list of currently blocked hosts, use dump
combined with -b
like this.
# blacklistctl dump -b
address/ma:port id nfail last access
213.0.123.128/25:22 OK 6/3 2019/06/08 14:30:19
This example shows that there were 6 out of three permitted attempts on port 22 coming from the address range 213.0.123.128/25
. There are more attempts listed than are allowed because SSH allows a client to try multiple logins on a single TCP connection. A connection that is currently going on is not stopped by blacklistd. The last connection attempt is listed in the last access
column of the output.
To see the remaining time that this host will be on the blacklist, add -r
to the previous command.
# blacklistctl dump -br
address/ma:port id nfail remaining time
213.0.123.128/25:22 OK 6/3 36s
In this example, there are 36s seconds left until this host will not be blocked any more.
30.6.5. 從封鎖清單移除主機
Sometimes it is necessary to remove a host from the block list before the remaining time expires. Unfortunately, there is no functionality in blacklistd to do that. However, it is possible to remove the address from the PF table using pfctl. For each blocked port, there is a child anchor inside the blacklistd anchor defined in /etc/pf.conf. For example, if there is a child anchor for blocking port 22 it is called blacklistd/22
. There is a table inside that child anchor that contains the blocked addresses. This table is called port followed by the port number. In this example, it would be called port22
. With that information at hand, it is now possible to use pfctl(8) to display all addresses listed like this:
# pfctl -a blacklistd/22 -t port22 -T show
...
213.0.123.128/25
...
After identifying the address to be unblocked from the list, the following command removes it from the list:
# pfctl -a blacklistd/22 -T delete 213.0.123.128/25
The address is now removed from PF, but will still show up in the blacklistctl list, since it does not know about any changes made in PF. The entry in blacklistd’s database will eventually expire and be removed from its output eventually. The entry will be added again if the host is matching one of the block rules in blacklistd again.
最後修改於: March 9, 2024 由 Danilo G. Baio