6.4.6. Building a packet filtering firewall

Note: The following suggestions are just that: suggestions. The requirements of each firewall are different and I cannot tell you how to build a firewall to meet your particular requirements.

When initially setting up your firewall, unless you have a test bench setup where you can configure your firewall host in a controlled environment, I strongly recommend you use the logging version of the commands and enable logging in the kernel. This will allow you to quickly identify problem areas and cure them without too much disruption. Even after the initial setup phase is complete, I recommend using the logging for of `deny' as it allows tracing of possible attacks and also modification of the firewall rules if your requirements alter.

Note: If you use the logging versions of the accept command, it can generate large ammounts of log data as one log line will be generated for every packet that passes through the firewall, so large ftp/http transfers, etc, will really slow the system down. It also increases the latencies on those packets as it requires more work to be done by the kernel before the packet can be passed on. syslogd with also start using up a lot more processor time as it logs all the extra data to disk, and it could quite easily fill the partition /var/log is located on.

As currently supplied, FreeBSD does not have the ability to load firewall rules at boot time. My suggestion is to put a call to a shell script in the /etc/netstart script. Put the call early enough in the netstart file so that the firewall is configured before any of the IP interfaces are configured. This means that there is no window during which time your network is open.

The actual script used to load the rules is entirely up to you. There is currently no support in the ipfw utility for loading multiple rules in the one command. The system I use is to use the command:

# ipfw list

to write a list of the current rules out to a file, and then use a text editor to prepend ``ipfw '' before all the lines. This will allow the script to be fed into /bin/sh and reload the rules into the kernel. Perhaps not the most efficient way, but it works.

The next problem is what your firewall should actually DO! This is largely dependant on what access to your network you want to allow from the outside, and how much access to the outside world you want to allow from the inside. Some general rules are:

• Block all incoming access to ports below 1000 for TCP. This is where most of the security sensitive services are, like finger, smtp (mail) and telnet.

• Block incoming SYN connections to ports between 1001 and 1024 (this will allow internal users to rsh/rlogin to the outside). If you do not want to allow rsh/rlogin connections from the inside to the outside, then extend the above suggestion to cover ports 1-1024.

• Block all incoming UDP traffic. There are very few useful services that travel over UDP, and what useful traffic there is is normally a security threat (e.g. Suns RPC and NFS protocols). This has its disadvantages also, since UDP is a connectionless protocol, denying incoming UDP traffic also blocks the replies to outoing UDP traffic. This can cause a problem for people (on the inside) using external archie (prospero) servers. If you want to allow access to archie, you'll have to allow packets coming from ports 191 and 1525 to any internal UDP port through the firewall. ntp is another service you may consider allowing through, which comes from port 123.

• Block traffic to port 6000 from the outside. Port 6000 is the port used for access to X11 servers, and can be a security threat (especially if people are in the habbit of doing xhost + on their workstations). X11 can actually use a range of ports starting at 6000, the upper limit being how many X displays you can run on the machine. The upper limit as defined by RFC 1700 (Assigned Numbers) is 6063.

• Check what ports any internal servers use (e.g. SQL servers, etc). It's probably a good idea to block those as well, as they normally fall outside the 1-1024 range specified above.

Of course, if you want to make sure that no un-authorised traffic gets through the firewall, change the default policy to ``deny''. This will mean that any traffic which is allowed through has to be specified explicitly in an ``accept'' or ``allow'' filter rule. Which ports you allow through is again something that you will have to decide for yourself. If you do set the default policy to be deny, you will probably want to install proxy servers, as no traffic will be able to get OUT either unless you allow TCP SYN connections going form the inside out.

As I said above, these are only guidelines. You will have to decide what filter rules you want to use on your firewall yourself. I cannot accept ANY responsibility if someone breaks into your network, even if you follow the advice given above.