Host firewall: Ipfw

Ipfw (packet-filtering firewall with state retention - stateful inspection)

Ipfw is a tool for configuring the rules of the firewalls found on various architectures (some BSDs among others).


Some reminders:


Scripts presented:

The two scripts presented have the following characteristics:


They could, for example, be used on Mac OS X.

Example log lines:

Nov 7 21:42:18 HOST mach_kernel: ipfw: 65002 Deny UDP 10.1.1.43:137 10.1.1.2:137 in via en0
Nov 7 21:42:27 HOST mach_kernel: ipfw: 65004 Deny TCP 10.1.1.42:3249 10.1.1.2:22 in via en0
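The two log lines above are what the final "deny log" rules (65002 and 65004) of Ipfw_rules_up.sh write to syslog. The following is an added example, not part of the original page or its scripts: a small sh/awk summariser that reads such syslog text on stdin, keeps only the "Deny" entries and counts them per rule number, protocol, destination port and direction, most frequent first, so that a repeatedly blocked port stands out in the daily review. The sample log embedded in it is constructed for this example (the two lines from the page plus invented variants with made-up addresses); the ICMP line assumes ipfw's convention of logging the protocol as ICMP:type.code and no port.

```sh
#!/bin/sh
# Added example (not from the original page): summarise ipfw "Deny" syslog lines.
# Expected line shape after the "ipfw:" token:
#   <rule> <action> <proto> <src[:sport]> <dst[:dport]> <in|out> via <iface>

# Constructed sample log for the example; addresses and timestamps are made up.
SAMPLE_LOG='Nov 7 21:42:18 HOST mach_kernel: ipfw: 65002 Deny UDP 10.1.1.43:137 10.1.1.2:137 in via en0
Nov 7 21:42:27 HOST mach_kernel: ipfw: 65004 Deny TCP 10.1.1.42:3249 10.1.1.2:22 in via en0
Nov 7 21:42:29 HOST mach_kernel: ipfw: 65004 Deny TCP 10.1.1.42:3250 10.1.1.2:22 in via en0
Nov 7 21:42:31 HOST mach_kernel: ipfw: 3000 Accept TCP 10.1.1.77:4011 10.1.1.2:22 in via en0
Nov 7 21:43:02 HOST mach_kernel: ipfw: 65002 Deny UDP 10.1.1.43:138 10.1.1.2:138 in via en0
Nov 7 21:43:10 HOST mach_kernel: ipfw: 65000 Deny ICMP:8.0 10.1.1.50 10.1.1.2 in via en0'

# ipfw_deny_summary: read syslog lines on stdin, print
#   "<rule> <proto> <dport> <dir> <count>"  sorted by count (desc), then rule, then port.
# Lines whose action is not "Deny" (e.g. the logged "Accept" of the admin SSH rule) are ignored.
ipfw_deny_summary() {
  awk '
    {
      # Locate the "ipfw:" token; everything before it is the syslog prefix,
      # whose field count can vary, so do not rely on absolute positions.
      idx = 0
      for (i = 1; i <= NF; i++) if ($i == "ipfw:") { idx = i; break }
      if (idx == 0 || $(idx + 2) != "Deny") next
      rule  = $(idx + 1)            # matching rule number (65002, 65004, ...)
      proto = $(idx + 3)            # TCP, UDP, or ICMP:type.code
      dst   = $(idx + 5)            # "addr:port" for TCP/UDP, bare "addr" for ICMP
      dir   = $(idx + 6)            # in / out
      n = split(dst, part, ":")
      dport = (n == 2) ? part[2] : "-"   # "-" when there is no port (ICMP)
      count[rule " " proto " " dport " " dir]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort -k5,5nr -k1,1n -k3,3n
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ipfw_deny_summary
```

On a real host the same function would be fed with the kernel messages from syslog (for instance `grep 'ipfw:' /var/log/system.log | ipfw_deny_summary`); the rule number column maps straight back to the numbered rules in Ipfw_rules_up.sh, which is why giving each catch-all deny its own number per protocol and direction, as the script does, pays off when reading logs.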

Ipfw_rules_down.sh:

#!/bin/sh

### VARIABLES

IPFW="/sbin/ipfw -q"

### BEGIN

${IPFW} -f flush

echo "$0 done"

Ipfw_rules_up.sh:

#!/bin/sh

### VARIABLES

IPFW="/sbin/ipfw -q"

# Source system functions
. /etc/rc.common

# Turn on logging (POSIX test uses a single "=")
if [ "$(/usr/sbin/sysctl -n net.inet.ip.fw.verbose)" = 0 ] ; then
  /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
fi

# Addresses
ADM_IP="10.1.1.77" # IP address of the remote station allowed to administer this host

DNS_IP1="10.1.1.10"
DNS_IP2="10.1.1.11"
PROXY_IP1="10.1.1.20"
PROXY_IP2="10.1.1.21"
MAIL_IP1="10.1.1.30"
MAIL_IP2="10.1.1.31"

### BEGIN

# Flush rules
${IPFW} -f flush

### LOOPBACK, STATEFUL AND REMOTE MANAGEMENT

# Allow whatever on loopback
${IPFW} add 01000 allow ip from any to any via lo0

# Allow fragments
${IPFW} add 02000 allow ip from any to any frag

# Allow established connections
${IPFW} add 02001 allow tcp from any to any established

# Allow SSH remote management (TCP Syn) and log connections
${IPFW} add 03000 allow log tcp from ${ADM_IP} 1024- to any 22 setup in

### ALLOW THESE TCP CONNECTIONS

# Allow Syn TCP to SSH servers anywhere
${IPFW} add 07000 allow tcp from any 1024- to any 22 setup out

# Allow Syn TCP to HTTP Proxy servers
${IPFW} add 07010 allow tcp from any 1024- to ${PROXY_IP1} 8080 setup out
${IPFW} add 07011 allow tcp from any 1024- to ${PROXY_IP2} 8080 setup out

# Allow Syn TCP to SMTP/POP Servers
${IPFW} add 07020 allow tcp from any 1024- to ${MAIL_IP1} 25 setup out
${IPFW} add 07021 allow tcp from any 1024- to ${MAIL_IP1} 110 setup out
${IPFW} add 07022 allow tcp from any 1024- to ${MAIL_IP2} 25 setup out
${IPFW} add 07023 allow tcp from any 1024- to ${MAIL_IP2} 110 setup out

### ALLOW THESE UDP CONNECTIONS

# Allow DNS Protocol to DNS Servers
${IPFW} add 08000 allow udp from any to ${DNS_IP1} 53 out
${IPFW} add 08001 allow udp from ${DNS_IP1} 53 to any in
${IPFW} add 08002 allow udp from any to ${DNS_IP2} 53 out
${IPFW} add 08003 allow udp from ${DNS_IP2} 53 to any in

### ALLOW THESE ICMP CONNECTIONS

# Allow only these ICMP types: echo requests out, replies and errors back in
# Note: ECHO REPLY 0 / DEST UNREACH 3 / ECHO REQ 8 / TIME EXCEEDED 11
${IPFW} add 09000 allow icmp from any to any icmptype 8 out
${IPFW} add 09001 allow icmp from any to any icmptype 0,3,11 in

### AND LAST : LOG AND DENY

${IPFW} add 65000 deny log icmp from any to any in
${IPFW} add 65001 deny log icmp from any to any out
${IPFW} add 65002 deny log udp from any to any in
${IPFW} add 65003 deny log udp from any to any out
${IPFW} add 65004 deny log tcp from any to any in
${IPFW} add 65005 deny log tcp from any to any out
${IPFW} add 65006 deny log ip from any to any in
${IPFW} add 65007 deny log ip from any to any out

# Rule 65535 is installed by default on Mac OS X ipfw and is the default policy
# Reset its counters if you want
#${IPFW} zero 65535

echo "$0 done"

Simon Castro
Updated 27 November 2002