IPFW need help converting rules over!

TidalWave

Explorer
Joined
Mar 6, 2019
Messages
51
Hi guys,

I have a bunch of firewall rules from a Linux CentOS server that I'm replacing with a FreeBSD (FreeNAS) server. It's for an OpenVPN server so I want to lock it down tight! I need some help to translate these iptables commands into ipfw commands. Please! Any help will be appreciated.

Guidelines, written by some guy who no longer works here, but I want to copy them into FreeNAS.

Drop all packets by default that have no rules for them.

-P INPUT DROP

Allow localhost

-A INPUT -i lo -j ACCEPT

Drop traffic to localhost not originating from localhost

-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

Accept established connections inbound

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

SSH is allowed.

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

To harden SSH, allow only 5 attempts per IP every 3 mins and drop the rest

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 5 --name DEFAULT --rsource -j DROP

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

Allow ICMP only from OpenVPN subnet source address

-A INPUT -s 10.8.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT

Allowing TCP services

-A INPUT -p tcp -m tcp --dport [port_no] -m state --state NEW -j ACCEPT

Allowing multiple related services

-A INPUT -p tcp -m tcp -m multiport --dports [port_no],[port_no] -m state --state NEW -j ACCEPT

Allowed UDP services

-A INPUT -p udp -m udp --dport [port_no] -m state --state NEW -j ACCEPT

In case of policy resets

-A INPUT -j REJECT --reject-with icmp-port-unreachable

Make FORWARD filtering more efficient

-I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Sample Rules

*nat

:PREROUTING ACCEPT [167925:9905808]

:POSTROUTING ACCEPT [5926:389524]

:OUTPUT ACCEPT [403:30503]

COMMIT

*filter

:INPUT DROP [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [7019:1831655]

:BKH - [0:0]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable

-A INPUT -s 10.8.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

-A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

-A INPUT -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT

-A INPUT -p tcp -m tcp -m multiport --dports 5666,5667 -m state --state NEW -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-port-unreachable

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

COMMIT

Sample Ruleset

Chain INPUT (policy DROP 0 packets, 0 bytes)

num pkts bytes target prot opt in out source destination

1 13M 4311M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

2 9 512 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

3 0 0 REJECT all -- !lo * 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable

4 574 55104 ACCEPT icmp -- * * 10.8.0.0/21 0.0.0.0/0 icmp type 8

5 15857 949K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW

6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 80,443 state NEW

7 2 151 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:161 state NEW

8 3606 216K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 5666,5667 state NEW

9 203 15046 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Best,
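An ipfw rendering of the ruleset in the post above, as an added example (it is not from the thread, not from FreeNAS, and not the departed colleague's script). It emits a rule file in the format FreeBSD's rc.firewall loads when rc.conf has firewall_enable="YES" and firewall_type set to that file's path. The ports and the 127.0.0.0/8 handling come from the "Sample Rules"; the VPN subnet is the /24 from the guidelines (the live "Sample Ruleset" shows 10.8.0.0/21, so one of the two is stale). Assumptions not in the post: the OpenVPN interface is tun0, and the *nat table is ignored because the posted one contains only chain policies and no rules. Two translation points a practitioner should know: ipfw has a single rule list, so the FORWARD chain's "policy ACCEPT" has to become an explicit allow for forwarded VPN traffic, and ipfw has no equivalent of the `recent` module, so "5 attempts per IP every 3 minutes" is approximated with `limit src-addr 5` (a cap on concurrent sessions per source), with sshguard or blacklistd as the tool for the time-window part.

```shell
#!/bin/sh
# Added example: ipfw rule file equivalent to the posted iptables ruleset.
# Output is in the format rc.firewall loads via firewall_type="/etc/ipfw.rules".
set -eu

VPN_NET="10.8.0.0/24"          # guidelines say /24; the live ruleset shows /21, pick one deliberately
VPN_IF="tun0"                  # ASSUMPTION: OpenVPN tun interface (not named in the post)
TCP_GROUPS="80,443 5666,5667"  # each group mirrors one iptables multiport rule
UDP_PORTS="161"

# Print the ruleset. Rule numbers leave room to insert rules later.
ipfw_rules() {
    cat <<EOF
# loopback: allow lo0, reject 127/8 arriving on any other interface (iptables REJECT -> unreach port)
add 100 allow ip from any to any via lo0
add 200 unreach port ip from any to 127.0.0.0/8 in not via lo0
# stateful core: replaces "--state ESTABLISHED,RELATED -j ACCEPT" on both INPUT and FORWARD
add 300 check-state
# OUTPUT policy was ACCEPT: let the host talk out and keep state so replies pass at rule 300
add 400 allow ip from me to any out keep-state
# ICMP echo request only from the VPN subnet
add 500 allow icmp from $VPN_NET to me in icmptypes 8
# SSH: no "recent" module in ipfw; limit src-addr caps concurrent sessions per source address,
# not attempts per 3 minutes. Use sshguard or blacklistd for the time-window behaviour.
add 600 allow tcp from any to me 22 in setup limit src-addr 5
EOF
    n=700
    for group in $TCP_GROUPS; do
        echo "add $n allow tcp from any to me $group in setup keep-state"
        n=$((n + 100))
    done
    for port in $UDP_PORTS; do
        echo "add $n allow udp from any to me $port in keep-state"
        n=$((n + 100))
    done
    cat <<EOF
# forwarded VPN client traffic: iptables FORWARD policy was ACCEPT, ipfw needs it spelled out
add 2000 allow ip from $VPN_NET to any in recv $VPN_IF keep-state
# everything else inbound: "-j REJECT --reject-with icmp-port-unreachable"
add 3000 unreach port ip from any to any in
# explicit final deny, in case the kernel was built with a default-accept last rule
add 65000 deny ip from any to any
EOF
}

# Number of rules emitted; handy as a sanity check before loading the file.
rule_count() {
    ipfw_rules | grep -c '^add '
}

ipfw_rules
```

Usage: `sh gen-ipfw.sh > /etc/ipfw.rules`, then set `firewall_enable="YES"` and `firewall_type="/etc/ipfw.rules"` in rc.conf and run `service ipfw start`. Review the output with `ipfw list` and, before trusting the SSH rule, confirm with `ipfw -d list` that the dynamic entries behave as expected from a second address, because the limit rule protects against session floods, not against slow password guessing.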
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Do yourself a favor and fire up a pfsense box and call it a day.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey TidalWave,

FreeNAS is not meant at all to act as a firewall. It is a storage appliance and should be used for that. As Jailer said, pfSense is the FreeBSD-based appliance meant for firewalling and OpenVPN.

Should you insist on doing it, have a look at Firewall Builder. It is an open source firewall console designed to manage many different firewalls, including iptables and ipfw. You create your configuration, including declaring your gateways, interfaces and IP addresses, and then you create your rules. Once ready, you deploy them and FWBuilder will compile your rule base to the proper format for the packet filter installed on your gateway, be it iptables, ipfw or many others.
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
Do yourself a favor and fire up a pfsense box and call it a day.

Isn't that right? I was about to say the same :)
 

TidalWave

Explorer
Joined
Mar 6, 2019
Messages
51
I agree, I can move it over to a pfSense box and work on the firewall rules more easily from it, but I'll still want to harden the pfSense as much as I can.
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
I agree, I can move it over to a pfSense box and work on the firewall rules more easily from it, but I'll still want to harden the pfSense as much as I can.

Agree. You can start by visiting pfSense. They have lots of information on their software.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
I agree, I can move it over to a pfSense box and work on the firewall rules more easily from it, but I'll still want to harden the pfSense as much as I can.

It is by default deny all inbound on a fresh install, so I don't know how much more hardened you can be from that.
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,556
There's a bit more to it, making sure there are no known exploits exposed.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
There's a bit more to it, making sure there are no known exploits exposed.

How so? Isn't it up to the developers to patch known exploits, which they do a fairly good job of?
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,556
Sorry for the ambiguity in my reply. I meant that contrary to FreeNAS, pfSense is a hardened product all firewall rules being equal.
 