[luau] Quick and dirty ipfilter question

Dustin Cross dusty at sandust.com
Thu Dec 5 17:12:01 PST 2002


Aloha,

I assume you are running either BSD or Solaris and have IPfilter and not
Netfilter that comes with Linux.  Do you have any IPfilter rules yet?

Here is a simple IPfilter ruleset that will allow ssh in from those
specific IPs, and block ALL other traffic in, it will allow ALL traffic out
and keep state on that traffic so it can get back in:

#############################
# Begin Ruleset
#############################

# Allow ssh traffic in
# Flags S/SA only allows packets with SYN set and ACK clear (the first packet of a new connection)
# This prevents many forms of portscanning such as FIN scanning
pass in log quick on eth0 proto tcp from 63.13.13.2/32 to eth0/32 port = 22 flags S/SA keep state
pass in log quick on eth0 proto tcp from 192.168.0.0/24 to eth0/32 port = 22 flags S/SA keep state

# Deny all inbound traffic by protocol and catch anything that falls through other rules
# RETURN-RST returns reset to give the appearance of no packet filter running and no services running
# RETURN-ICMP-AS-DEST(port-unr) returns port-unreachable to give the appearance of no packet filter
block return-rst in log quick on eth0 proto tcp from any to any
block in log quick on eth0 proto icmp from any to any
block return-icmp-as-dest(port-unr) in log quick on eth0 proto udp from any to any
block in log quick on eth0 from any to any

# Pass out all traffic and keep state to allow it to return
# Flags S ensures state tracking only on the first outbound tcp packet
pass out quick on eth0 proto tcp from any to any flags S keep state
pass out quick on eth0 proto udp from any to any keep state
pass out quick on eth0 proto icmp from any to any keep state

#############################
# End Ruleset
#############################


In case line wraps mess anything up, every line should start with #,
block, or pass.


Dusty


> I recently upgraded a 7.1 RH machine and now I need a really quick
> crash course in ipfilter.  How can I convert the below to an ipfilter
> format?  I found some automated tools to go from ipfwadm to ipchains
> but that is obviously not what I need.  I am reading the RTFM's and I
> will eventually get a grip on ipfilter but I don't want to leave
> myself open in the mean time.  Below is what I was using.  It allows
> SSH in from 2 places, localnet and my work firewall.  I do not need a
> full blown firewall because this machine is already behind one but
> port 22 is forwarded here so I am limiting it locally.
>
> /sbin/ipchains -I input 1 -j ACCEPT -p tcp -s 63.13.13.2 -d 0/0 22
> /sbin/ipchains -I input 1 -j ACCEPT -p tcp -s 192.168.0.0/24 -d 0/0 2
> /sbin/ipchains -A input -j DENY -p tcp -s 0/0 -d 0/0 22
>
> The only interface is eth0 and ip is 192.168.0.1 if ipfilter needs
> that extra info.  Maybe I'll have it working soon on my own but
> thanks ahead for any tips.
>
>
>
>
> _______________________________________________
> LUAU mailing list
> LUAU at videl.ics.hawaii.edu
> http://videl.ics.hawaii.edu/mailman/listinfo/luau
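The following is an added example, not code from the post above: a small Python evaluator for just the subset of ipf syntax that Dusty's ruleset uses. It loads the ruleset, rejects any mail-wrapped fragment (the "every line should start with #, block, or pass" check), and then runs constructed packets through ipf's first-match-on-quick evaluation to show why a SYN from 63.13.13.2 to port 22 passes while a SYN-ACK or FIN probe from the same address hits the return-rst rule. It assumes the host address 192.168.0.1 on eth0 from the original question, that ipf compares every TCP flag when a rule gives no /mask, and that packets matching no rule pass (ipf's default).

```python
"""Minimal evaluator for the subset of IPFilter (ipf) rule syntax used in the
ruleset above: pass/block, return-rst / return-icmp-as-dest, in/out, log,
quick, on <iface>, proto, from/to, port =, flags X/Y and keep state.
Added example, not code from the original post."""
import ipaddress
import re

# Constructed for this example: the host address from the original question
# (192.168.0.1 on eth0), so that the "eth0/32" shorthand can be resolved.
IFACE_ADDRS = {"eth0": ipaddress.ip_network("192.168.0.1/32")}

# The ruleset from the post, one rule per line (comment lines are skipped).
RULESET = """
# ssh in from the two trusted sources only
pass in log quick on eth0 proto tcp from 63.13.13.2/32 to eth0/32 port = 22 flags S/SA keep state
pass in log quick on eth0 proto tcp from 192.168.0.0/24 to eth0/32 port = 22 flags S/SA keep state
block return-rst in log quick on eth0 proto tcp from any to any
block in log quick on eth0 proto icmp from any to any
block return-icmp-as-dest(port-unr) in log quick on eth0 proto udp from any to any
block in log quick on eth0 from any to any
pass out quick on eth0 proto tcp from any to any flags S keep state
pass out quick on eth0 proto udp from any to any keep state
pass out quick on eth0 proto icmp from any to any keep state
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)"
    r"(?:\s+(?P<ret>return-rst|return-icmp(?:-as-dest)?(?:\([a-z-]+\))?))?"
    r"\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?"
    r"(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?"
    r"(?:\s+flags\s+(?P<flags>[A-Z]+)(?:/(?P<mask>[A-Z]+))?)?"
    r"(?P<state>\s+keep\s+state)?\s*$"
)

ALL_FLAGS = set("FSRPAU")  # assumption: ipf compares every flag when no /mask is given


def parse_ruleset(text):
    """Parse the ruleset; a line that is not a comment and not a complete rule
    is almost always a mail-wrapped fragment, so refuse to load it."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"not a complete rule (wrapped line?): {line!r}")
        rule = m.groupdict()
        rule["quick"] = rule["quick"] is not None
        rule["port"] = int(rule["port"]) if rule["port"] else None
        rule["text"] = line
        rules.append(rule)
    return rules


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if "/" in spec and not spec[0].isdigit():   # "eth0/32" -> the interface address
        net = IFACE_ADDRS[spec.split("/")[0]]
    else:
        net = ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(addr) in net


def flags_match(rule, pkt):
    """flags S/SA: of the flags in the mask (S and A), exactly S must be set."""
    if rule["flags"] is None:
        return True
    if pkt["proto"] != "tcp":
        return False
    want = set(rule["flags"])
    mask = set(rule["mask"]) if rule["mask"] else ALL_FLAGS
    return (set(pkt.get("flags", "")) & mask) == want


def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] == pkt["iface"]
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and (rule["port"] is None or rule["port"] == pkt.get("dport"))
            and flags_match(rule, pkt))


def verdict(rule):
    return rule["action"] + (" " + rule["ret"] if rule["ret"] else "")


def evaluate(rules, pkt):
    """ipf semantics: the last matching rule wins, unless a matching rule is
    marked quick, which ends evaluation there. Packets matching no rule pass."""
    decision = ("pass", None)
    for rule in rules:
        if matches(rule, pkt):
            decision = (verdict(rule), rule["text"])
            if rule["quick"]:
                break
    return decision


def tcp_in(src, flags, dport=22):
    """Constructed inbound TCP packet to the host's eth0 address."""
    return {"dir": "in", "iface": "eth0", "proto": "tcp", "src": src,
            "dst": "192.168.0.1", "dport": dport, "flags": flags}


RULES = parse_ruleset(RULESET)

if __name__ == "__main__":
    samples = [
        ("SYN 63.13.13.2 -> :22", tcp_in("63.13.13.2", "S")),
        ("SYN 10.0.0.5 -> :22", tcp_in("10.0.0.5", "S")),
        ("SYN-ACK 63.13.13.2 -> :22", tcp_in("63.13.13.2", "SA")),
        ("FIN probe 63.13.13.2 -> :22", tcp_in("63.13.13.2", "F")),
    ]
    for label, pkt in samples:
        print(f"{label:30} -> {evaluate(RULES, pkt)[0]}")
```

The parse step is the practical check Dusty mentions at the end of the message: feeding it the first pass rule split across two lines (as a mail client would wrap it) raises ValueError on the dangling "flags S/SA keep state" fragment instead of loading a silently truncated rule.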
