ipf - network filtering, etc

Barnaby W. Füi

Elite Member
Aug 14, 2001
I've been playing with ipf, and I am actually having a lot of fun. I've been reading this: http://www.obfuscation.org/ipf/ipf-howto.html and I've pretty much read all of it, and certain parts a few times. I'm doing this on NetBSD, in preparation to move my firewall/NAT machine from Debian to NetBSD. Any of you guys used ipf much? (Or just general routing/firewalling advice?) Any wisdom you can share?
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
Alright, here is my ipf.conf *so far*. rtk0 will be the internet-facing interface. Since there is only one "bad" way out of the machine (rtk0), I can't think of anything that would need to be filtered on the LAN interface. Any thoughts on that? Anyways, here it is:

### rtk0 in ###
block in on rtk0 from any to any head 1

# if tcp, tell them there's no service running, instead of playing dead
block return-rst in proto tcp from any to any group 1

# IP ranges we don't want
block in quick from 0.0.0.0/8 to any group 1
block in quick from 10.0.0.0/8 to any group 1
block in quick from 224.0.0.0/3 to any group 1
block in quick from 127.0.0.0/8 to any group 1
block in quick from 172.16.0.0/12 to any group 1
block in quick from 20.20.20.0/24 to any group 1
block in quick from 169.254.0.0/16 to any group 1
block in quick from 204.152.64.0/23 to any group 1
# haxxorz!
block in log level auth.info quick from 192.168.0.0/24 to any group 1
block in log level auth.alert quick from any to 192.168.0.0/16 group 1

# let people ping us, and traceroute us
pass in quick proto icmp from any to any icmp-type 8 group 1
pass in quick proto icmp from any to any icmp-type 11 group 1

# services
pass in quick proto tcp from any to any port = 80 flags S keep state keep frags group 1
pass in log level auth.info quick proto udp from any to any port = 53 keep state keep frags group 1
pass in log level auth.info quick proto tcp from any to any port = 53 flags S keep state keep frags group 1
pass in log level auth.info quick proto tcp from any to any port = 25 flags S keep state keep frags group 1
pass in log level auth.info quick proto tcp from any to any port = 22 flags S keep state keep frags group 1
### end rtk0 in ###

### rtk0 out ###

# let it all hang out!
pass out on rtk0 from any to any head 2

# we can't talk to these people, let's not even try..
block out quick from any to 0.0.0.0/8 group 2
block out quick from any to 10.0.0.0/8 group 2
block out quick from any to 224.0.0.0/3 group 2
block out quick from any to 127.0.0.0/8 group 2
block out quick from any to 172.16.0.0/12 group 2
block out quick from any to 20.20.20.0/24 group 2
block out quick from any to 192.168.0.0/16 group 2
block out quick from any to 169.254.0.0/16 group 2
block out quick from any to 204.152.64.0/23 group 2

# since we only let icmp 8/11 in on its own,
# then let any icmp in, IF we initiate it.
pass out quick proto icmp from any to any keep state group 2
### end rtk0 out ###
 

n0cmonkey

Elite Member
Jun 10, 2001
I stopped using IPF when PF came out. I preferred filtering everything coming in, and less going out.
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
I actually have made a few changes: I added UDP to where ICMP is at the bottom, so outbound UDP and ICMP will work. The only problem I'm having is that traceroute won't work, even though I have all of the ICMP types needed for it allowed, and UDP is allowed out.
 

FUBAR

Senior member
Oct 11, 1999
I'll see if we can dig up our config from work; we used to use it at all our sites for firewalling... come to think of it, there's still one site with it in... We use it on Sun boxes, not that it matters much. We do the block-everything-in, nothing-out route.

We switched off of it to use FreeS/Wan on RH; that, and the Sun boxes that we have running around couldn't handle the load of doing IPsec on Solaris pushing a T1 out the tunnel.
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
Bleh, still not working.

I now have:

pass out quick proto udp from any to any port 33434 >< 33525 keep state keep frags group 2
pass out quick proto icmp from any to any keep state keep frags group 2

And in, I have ICMP types 0, 3, 8, 11 and 30 allowed; at one point I allowed all ICMP, and it didn't make a difference. It seems that for traceroute I only need 3 and 11.
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
OK, turns out I needed to allow UDP in on ports 33434-33525.

In case anyone ever does a search for ipf on these forums, here's my full, working ipf.conf :)

### rtk0 in ###

block in log level auth.info on rtk0 from any to any head 1


# IP ranges we don't want
block in quick from 0.0.0.0/8 to any group 1
block in quick from 10.0.0.0/8 to any group 1
block in quick from 224.0.0.0/3 to any group 1
block in quick from 127.0.0.0/8 to any group 1
block in quick from 172.16.0.0/12 to any group 1
block in quick from 20.20.20.0/24 to any group 1
block in quick from 169.254.0.0/16 to any group 1
block in quick from 204.152.64.0/23 to any group 1


# oddness, alert!
block in log level auth.alert quick from 192.168.0.0/24 to any group 1
block in log level auth.alert quick from any to 192.168.0.0/16 group 1

# if tcp, tell them there's no service running, instead of playing dead
block return-rst in log level auth.info proto tcp from any to any group 1

# let people ping us, and traceroute us
pass in log level auth.info quick proto icmp from any to any icmp-type 3 group 1
pass in log level auth.info quick proto icmp from any to any icmp-type 8 group 1
pass in log level auth.info quick proto icmp from any to any icmp-type 11 group 1
pass in log level auth.info quick proto udp from any to any port 33434 >< 33525 keep state keep frags group 1

## services
# log all, except 80

# www - dont log it, access_log and error_log are good enough for me
# domain/udp, domain/tcp, mail, ssh.
pass in quick proto tcp from any to any port = 80 flags S keep state keep frags group 1
pass in log level auth.info quick proto udp from any to any port = 53 keep state keep frags group 1
pass in log level auth.info quick proto tcp from any to any port = 53 flags S keep state keep frags group 1
pass in log level auth.info quick proto tcp from any to any port = 25 flags S keep state keep frags group 1
pass in log level auth.info quick proto tcp from any to any port = 22 flags S keep state keep frags group 1

### end rtk0 in ###

### rtk0 out ###


# let it all hang out!
pass out on rtk0 from any to any head 2

# except for these - oddness, log it
block out log level auth.alert quick from any to 0.0.0.0/8 group 2
block out log level auth.alert quick from any to 10.0.0.0/8 group 2
block out log level auth.alert quick from any to 224.0.0.0/3 group 2
block out log level auth.alert quick from any to 127.0.0.0/8 group 2
block out log level auth.alert quick from any to 172.16.0.0/12 group 2
block out log level auth.alert quick from any to 20.20.20.0/24 group 2
block out log level auth.alert quick from any to 192.168.0.0/16 group 2
block out log level auth.alert quick from any to 169.254.0.0/16 group 2
block out log level auth.alert quick from any to 204.152.64.0/23 group 2

# anything we initiate, keep state in case it needs to get back in
pass out quick proto tcp from any to any flags S keep state keep frags group 2
pass out quick proto udp from any to any keep state keep frags group 2
pass out quick proto icmp from any to any keep state keep frags group 2

### end rtk0 out ###

edit:

Just did a little test for fun: this ruleset caused a 1.7% decrease in the number of packets transmitted during a few-minute-long ping flood, and increased average latency by 2/1000th of a millisecond (2 nanoseconds? Is a ms/1000 == 1 ns?)

:D
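An added example, not part of the thread and not IPFilter's own code: the two inbound rulesets posted above (the first draft and the working one) decide a packet through ipf(5) ordering rules that are easy to get backwards, namely that the last matching rule wins, that `quick` ends the scan where it matches, that a matching `head N` rule hands the packet to group N before the scan continues, and that a packet matching no rule at all is passed. The Python below models exactly those four rules and nothing else (no state table, no NAT, no fragment handling; `keep state` and `keep frags` are parsed and ignored), parses an abridged copy of the posted rules, and reports which rule decides a constructed packet, for instance an inbound UDP traceroute probe to port 33440, which the first draft drops on the head rule and the working ruleset passes. The `A >< B` port range is modelled as strictly between its bounds, as ipf(5) describes the operator. The packets and the addresses in them (RFC 5737 documentation ranges) are constructed for the example; `parse_rule`, `evaluate` and `pkt` are names chosen here, not ipf commands.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    text: str
    action: str = "block"                 # pass / block
    direction: str = "in"
    ret: Optional[str] = None             # return-rst / return-icmp (block rules only)
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[Tuple[int, int]] = None   # inclusive bounds
    flags: Optional[str] = None           # "S" = SYN set and every other TCP flag clear
    icmp_type: Optional[int] = None
    head: Optional[int] = None
    group: Optional[int] = None

def parse_rule(line: str) -> Rule:       # parses only the ipf(5) subset used in the thread's ipf.conf
    t = line.split()
    r = Rule(text=line, action=t[0])
    r.ret, i = (t[1], 2) if t[1].startswith("return-") else (None, 1)
    r.direction, i = t[i], i + 1
    while i < len(t):
        w = t[i]
        if w == "log":                                # "log" or "log level facility.priority"
            i += 3 if t[i + 1:i + 2] == ["level"] else 1
        elif w == "quick":
            r.quick, i = True, i + 1
        elif w in ("on", "proto", "flags"):
            setattr(r, "iface" if w == "on" else w, t[i + 1]); i += 2
        elif w in ("from", "to"):
            net = ANY if t[i + 1] == "any" else ipaddress.ip_network(t[i + 1])
            setattr(r, "src" if w == "from" else "dst", net); i += 2
            if t[i:i + 1] == ["port"]:                # only "to ... port" occurs in the thread
                if t[i + 1] == "=":                   # port = N
                    r.dport, i = (int(t[i + 2]),) * 2, i + 3
                else:                                 # port A >< B: strictly between A and B
                    r.dport, i = (int(t[i + 1]) + 1, int(t[i + 3]) - 1), i + 4
        elif w in ("icmp-type", "head", "group"):
            setattr(r, w.replace("-", "_"), int(t[i + 1])); i += 2
        elif w == "keep":                             # keep state / keep frags: no state table here
            i += 2
        else:
            raise ValueError(f"unsupported token {w!r} in: {line}")
    return r

def matches(r: Rule, p: dict) -> bool:
    return (r.direction == p["dir"]
            and r.iface in (None, p["iface"])
            and r.proto in (None, p["proto"])
            and p["src"] in r.src and p["dst"] in r.dst
            and (r.dport is None or r.dport[0] <= p.get("dport", -1) <= r.dport[1])
            and (r.flags is None or sorted(p.get("flags", "")) == sorted(r.flags))
            and (r.icmp_type is None or p.get("icmp_type") == r.icmp_type))

def evaluate(rules, p):
    """(action, return-type, deciding rule): last match wins, quick ends the scan, head N runs group N."""
    groups = {g: [r for r in rules if r.group == g] for g in {r.group for r in rules}}
    last = None
    def scan(rs) -> bool:                             # True once a quick rule has ended the scan
        nonlocal last
        for r in rs:
            if matches(r, p):
                last = r
                if r.quick or (r.head is not None and scan(groups.get(r.head, []))):
                    return True
        return False
    scan(groups.get(None, []))                        # top level = the rules that belong to no group
    if last is None:                                  # nothing matched: ipf's built-in default is pass
        return ("pass", None, "<no rule matched: ipf default is pass>")
    return (last.action, last.ret, last.text)

def pkt(direction, proto, src, dst, **extra):         # constructed packet; RFC 5737 test addresses
    return dict(dir=direction, iface="rtk0", proto=proto, src=ipaddress.ip_address(src),
                dst=ipaddress.ip_address(dst), **extra)

FIRST_DRAFT = [parse_rule(l) for l in """
block in on rtk0 from any to any head 1
block return-rst in proto tcp from any to any group 1
block in quick from 10.0.0.0/8 to any group 1
block in log level auth.info quick from 192.168.0.0/24 to any group 1
pass in quick proto icmp from any to any icmp-type 8 group 1
pass in quick proto tcp from any to any port = 80 flags S keep state keep frags group 1
""".strip().splitlines()]                             # abridged from the first ruleset posted above
WORKING = FIRST_DRAFT[:4] + [parse_rule(l) for l in (  # the two rules the working ruleset added
    "pass in quick proto icmp from any to any icmp-type 3 group 1",
    "pass in quick proto udp from any to any port 33434 >< 33525 keep state keep frags group 1",
)] + FIRST_DRAFT[4:]

if __name__ == "__main__":
    probe = pkt("in", "udp", "203.0.113.9", "198.51.100.2", dport=33440)   # traceroute probe aimed at us
    for name, rs in (("first draft", FIRST_DRAFT), ("working", WORKING)):
        print(name, "->", evaluate(rs, probe))
```

Two results are worth trying beyond the probe: a SYN to port 23 is decided by the non-quick `block return-rst` rule because nothing later in the group matches it, while a SYN to port 80 from 10/8 is decided by the bogon block even though a `pass ... port = 80` rule follows, since `quick` stops the scan first. Evaluating an outbound packet against these inbound-only rules returns ipf's default pass, which is the fail-open behaviour a ruleset should always cover with an explicit head rule per direction, as the posted `head 2` does.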