Home arrow Security arrow Firewalls
FreeBSD Firewall PDF
Sunday, 14 January 2007

This tutorial will cover firewall principles and implementation of a firewall in FreeBSD with IPFW.


"Firewall (networking), a logical barrier designed to prevent unauthorized or unwanted communications between sections of a computer network"
                                                     Wikipedia.org


Well this is a general description. In order to make a successfull firewall a good understanding of firewalling principles and security measures to prevent different kinds of attacks is needed.

1. Type of attacks

a. Unauthorized access
People who succeed to access your servers/network from inside or outside  (for example by finding weak passwords with bruteforce programs). Preventing unauthorized access can be done by automaticaly force users from time to time to change their passwords, by enforcing them to choose strong passwords (not word from dictionary, letters and numbers, 8-10 characters minimum), by deleting accounts of people that do not work anymore for respective organization/company. A good policy of preventing unauthorized access does not refer only to server accounts but also to implement a security policy for network resources (file servers and print servers).  

b. Exploits of bugs in programs
Some of the applications within operating system or userland applications installed on the server might have bugs/vulnerabilities. Those vulnerabilities might be exploited to gain access. To prevent that kind of security problems a good advice is to disable all services you do not need. Run only minimum/necessary services. Also be informed about security vulnerabilities of your installed applications (there are a lot of internet resources regarding security vulnerabilities) and when a version of your installed application is vulnerable, patch it. Also from time to time audit your server security.

c. Spoofing
This techinique is used to fake a host, in order to comunicate to victim host, creating the idea that victim communicate to a real/known host. To protect against this type of attacks it is recommended to setup the firewall to  verify datagrams's authenticity, block datagram routing with invalid source address. Also can be introduced into firewall a system for connection control mechanism to introduce unpredictibility (generating random ports for every connection, TCP sequence numbers and allocation of dynamic port address.

d. DoS and DDoS attacks
DoS attacs (Denial of Service) are done at network layer or applicaton layer by causing a service (or application) to cease functioning, or blocking others from making use of the service. On application layer due to a DoS attack that application wil cease functioning. DoS attacs could consume a lot of resources from the server (cpu, bandwidth for example). To protect against those kind of attacs is good to configure firewall to drop suspicious network traffic that reach your host. Some configurations of applications, firewall and different sysctl variables will help to prevent a DoS attack, or at least to add a certain degree of protection. DDoS attacks are harder to stop since are distributed, for some is almost impossible to protect, a help from ISP will help add filters to your IP.

e. Eavesdropping
This type of attack is about configuring a host to capture data that does not belong to it. Ethernet networks are vulnerable to this kind of attack because are based on broadcasts. Some measures to protect against eavesdropping are  avoiding use of broadcast networks and enforce the usage of data encryption.


2. Firewalls
Firewall is an important part of network/server security. Firewalls are located between local network and internet network. Firewall consist in a set of rules that determines which packets should pass and which shoud be dropped.

There are two types of policy involved in designing a firewall: Deny all and accept some, or accept all and deny some. First is a better, more secure aproach.

Firewalls will filter:
- TCP, UDP, ICMP protocols
- socket numbers (TCP/UDP)
- datagrams: data, SYN/ACK, ICMP Echo Request and more
- datagram source address
- datagram destination address

Firewall is implemented under FreeBSD in 3 variants: IPFILTER, IPFW and PF (OpenBSD Packet Filter, ported under FreeBSD). We will detail here IPFW firewall. The other firewalls will be described in a future tutorial.

3. Firewall design
There are different implementations of firewalls. The most simple setup is presented in Diagram 1.

Typical Firewall Setup
Diagram 1

Starting from typical firewall a version with 2 LANS can be implemented. Distinct two LANs will be on different subnets, and will not see each other. This setup can also be implemented with a managed switch and virtual LANs. Typical firewall with 2 lans is presented in Diagram 2.

Typical Firewall with two LANs
Diagram 2


If we have a Web Server, Mail server, Database Server and we want to separete is from internal LAN, we can use DMZ setup (DMZ = Demilitarized Zone). Servers located on DMZ will not be seen from LAN and viceversa. (will be on different subnets).

Firewall with DMZ
Diagram 3

Another interesting firewall setup is to achieve High Availability. That means we will use two Internet lines, with two firewalls. If one firewall or Internet connection fail, Internet conectivity will not be lost, the traffic will go trough firewall which is up. High Availability is implemented in Diagram 4.

High Availability Firewall
Diagram 4


4. How firewall filter works
IP datagram processing steps:
a) The IP datagram is received by firewall.
 The IP datagram is analysed to determine if its destination is this machine.
b) If the datagram is for this machine, then it is processed localy
c) If the datagram is not for this machine, a search is made into routing table, then according to routing table the datagram is forwarded to the appropriate interface or dropped if no route is found
d) Datagrams from local processes are sent do the routing software for forwarding to the appropriate interface.
The outgoing IP datagram is analysed to determine if is a valid route for it to follow, and if isn't, the datagram is dropped.
e) The IP datagram is transmitted.


5. IP Packet Filtering
There are three different types of packet that we need to filter: TCP, UDP and ICMP

TCP (Transmission Control Protocol)

UDP (User Datagram Protocol)

ICMP (Internet Control Message Protocol)


6. IPFW Firewall
In order to activate ipfw firewall, ipfw must be supported in Kernel or a module must be loaded. To load ipfw:
#kldload ipfw

If you do not have configured ipfw mode default to accept, then after loading ipfw module the only rule in firewall will be deny ip from any to any, that means all traffic will be blocked. So you will have to add some rules in order to access internet.

6.1 Kernel configuration for IPFW
The best way is to recompile kernel with support for ipfw. Adding support in kernel is preffered because of performance and security. It works well as module too but if you want to build a dedicated router/firewall is better to modify kernel configuration file, remove all drivers you do not need and add support in kernel for ipfw.

Following options need to be present in Kernel:

options IPFIREWALL
This option enable ipfw in Kernel.

options IPFIREWALL_VERBOSE
Enable logging with ipfw. If this option is set in kernel,  net.inet.ip.fw.verbose sysctl variable is set to 1, allowing to log ipfw (log keyword in ipfw).

options IPFIREWALL_VERBOSE_LIMIT=value
This option controls how many matching packets will be logged per rule, before logging is disabled. This option acts as a hard limit for firewalls that have not set logamount variable. This variable can be changed with sysctl variable: net.inet.ip.fw.verbose_limit.

 

options IPFIREWALL_DEFAULT_TO_ACCEPT
By default if ipfw is enabled in kernel (or loaded as module) it will add a rule to block everything. This option will reverse this, allowing all traffic through the firewall. This option is not recommended for production firewalls, and is sometimes used for testing purposes.

options IPFIREWALL_FORWARD
This option allows you to use fwd keyword in your ipfw rule, to direct traffic to hosts or ports you want. For example you want to redirect all traffic that has destination port 80 (www) to a server from your LAN.

options IPSTEALTH
This option is used for by firewall not to decrement time to live (TTL) value. This is used to hide presence of your firewall for outside world (your firewall will not be seen with traceroute command).

6.2 IPFW Rules
6.2.1 Overview of IPFW Rules


IPFW use a set of rules control firewall functionality. Rules can be numbered and order in which packets will be compared to firewall rules is from first rule, to last. Each rules has an associated action (allow or deny) and when a rule is matched, processing is stoped (the action for the first matching rule determine how the packet is processed.

Creating a simple firewall:

#ipfw add allow ip from me to any                                            # (a)
#ipfw add allow ip from any to me established                     # (b)
#ipfw add allow tcp from any to me port 25 setup                # (c)
#ipfw add allow tcp from any to me port 80 setup                # (d)
#ipfw add deny ip from any to any                                            # (e)

Rules explained:
a.  Allow traffic from me to any other host (on local network or Internet)
b. Allow incoming traffic for all host as long as is a part of already established connection (no rules have been specified to permit connections to be established)
c. Allow tcp connections from outside world to connect to this host

6.2.1 Examples of IPFW Rules

Block computer with a specific MAC
--------------------------------------------
# ipfw add 10 deny MAC any 00:0a:e4:a1:b0:9b

(in order this rule to work you shoud change the following sysctl variable to 1:
sysctl -w net.link.ether.ipfw=1)


Block PING to the server
------------------------------
# ipfw add deny icmp from any to me icmptypes 8 in recv fxp0


Last Updated ( Wednesday, 21 March 2007 )
 

Other BSD Systems

OpenBSD

Misc

Solaris

Polls

Best BSD firewall?