40 lines
1.5 KiB
Plaintext
40 lines
1.5 KiB
Plaintext
|
Configuring IP Filter for firewall usage.
|
||
|
=========================================
|
||
|
|
||
|
Step 1 - Block out "bad" IP packets.
|
||
|
------------------------------------
|
||
|
|
||
|
Run the perl script "mkfilters". This will generate a list of blocking
|
||
|
rules which:
|
||
|
a) blocks all packets which might belong to an IP Spoofing attack;
|
||
|
b) blocks all packets with IP options;
|
||
|
c) blocks all packets which have a length which is too short for
|
||
|
any legal packet;
|
||
|
|
||
|
Step 2 - Convert Network Security Policy to filter rules.
|
||
|
---------------------------------------------------------
|
||
|
|
||
|
Draw up a list of which services you want to allow users to use on the
|
||
|
Internet (e.g. WWW, ftp, etc). Draw up a separate list for what you
|
||
|
want each host that is part of your firewall to be allowed to do, including
|
||
|
communication with internal hosts.
|
||
|
|
||
|
Step 3 - Create TCP "keep state" rules.
|
||
|
---------------------------------------
|
||
|
|
||
|
For each service that uses TCP, create a rule as follows:
|
||
|
|
||
|
pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state
|
||
|
|
||
|
where
|
||
|
* "int-a" is the internal interface of the firewall. That is, it is the
|
||
|
closest to your internal network in terms of network hops.
|
||
|
|
||
|
* "int-net" is the internal network IP# subnet address range. This might
|
||
|
be something like 10.1.0.0/16, or 128.33.1.0/24
|
||
|
|
||
|
* "ext-service" is the service to which you wish to connect or if it doesn't
|
||
|
have a proper name, a number can be used. The translation of "ext-service"
|
||
|
as a name to a number is controlled with the /etc/services file.
|
||
|
|