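#!/bin/sh
# Simple firewalling for Linux boxen, version 1.0.
# See http://www.isaac.cs.berkeley.edu/simple-firewall.html for more info.
# Copyright 1998 David Wagner, ISAAC research group, and UC Berkeley.
#
# Purpose: load a host-level ipfwadm *input* filter for a single-homed
# endpoint.  All outgoing traffic is allowed; incoming traffic is limited
# to replies on connections we opened, a few listed services, and traffic
# from the trusted server lists below.  Everything else is denied (and,
# for packets addressed to us, logged).
#
# Usage: run as root once the network interface is up.  Requires the
# ipfwadm binary at $FW.  Trust in this script is by *source address*
# only: every entry in the *SERVERS lists is taken at face value.
#
# Note on style: the *SERVERS / KERBDAEMONS variables are deliberately
# space-separated strings that the "for" loops word-split, so they are
# expanded unquoted on purpose in those loops.

# My IP address.
ME=128.32.37.122

# The full path to the ipfwadm program.
FW=/opt/sbin/ipfwadm

# A list of trusted DNS servers.
# This should probably include everything in /etc/resolv.conf
# (but be careful not to include any servers in this list
# which you don't trust).
# A simple default.
DNSSERVERS='128.32.37.121 128.32.37.25'
# {abraham,barad-dur}.cs.berkeley.edu
# Uncomment the next line to get a more inclusive list.
### DNSSERVERS='128.32.37.121 128.32.37.25 128.32.33.5 128.32.35.5 128.32.38.34 128.32.44.34 128.32.206.9 128.32.136.9 128.32.136.12 128.32.206.12'
# {abraham,barad-dur,vangogh,huginn,orodruin}.cs.berkeley.edu,
# {ns1,ns2}.berkeley.edu

# A list of trusted NFS servers.
# This should probably match what's in /etc/fstab as well
# as the results of `mount | grep nfs`.
# But be careful not to include any servers in this list
# which you don't trust!
# A simple, short default.  You'll probably need to add what
# servers you use to the following list.
NFSSERVERS='128.32.37.24 128.32.37.25 208.1.75.96 208.1.75.97'
# {orodruin,barad-dur,asterope,calaeno}.cs.berkeley.edu
# A simple, pretty-insecure list that trusts just about
# every host in Berkeley (and probably some not in Berkeley
# as well).  This is dangerous because there always seems to
# be a handful of compromised hosts somewhere in UCB...
# Uncomment the next line to get this simple inclusive list.
### NFSSERVERS='128.32.0.0/16 208.1.75.0/24'
# Uncomment the following 12 lines to get a hack that generates
# an awfully-inclusive list
# (but beware; performance really suffers with the huge number of rules
# that results).
#
# Here's a hack to generate an awfully-inclusive list, which
# should probably work as a default (at the expense of conservative security).
# But it's ugly.
### NFSSERVERS=''
### for server in orodruin.cs barad-dur.cs asterope.cs calaeno.cs tomorrow.cs \
###   nexus-134.eecs asterope-a.cs alcyone-a.cs calaeno-a.cs cochise.cs \
###   danube.eecs dwight.cs franklin.cs mailspool.cs parker.eecs pasteur.eecs \
###   saidar.eecs torus.cs
### do
###   addrs=`host -t a $server.berkeley.edu. | grep 'has addr' | cut -d' ' -f4`
###   for ipaddr in $addrs
###   do
###     NFSSERVERS="$NFSSERVERS $ipaddr"
###   done
### done

# A list of trusted time servers.
TIMESERVERS='128.32.37.33'
# kerberos1.cs.berkeley.edu

# A list of trusted Kerberos servers.
KERBSERVERS='128.32.37.33'
# kerberos1.cs.berkeley.edu

# Whether or not to allow incoming Kerberos logins.
# By default, incoming Kerberos logins are allowed, if you
# are running the necessary Kerberos servers.
KERBDAEMONS='2105 2106 543 544'
# eklogin, ekshell, klogin, kshell
# Uncomment the next line to turn off Kerberos,
# so folks can't log into your machine with Kerberos.
### KERBDAEMONS=''

# Assumptions:
# -- This machine is an endpoint, not a router.
# -- The IP interface to the world is $ME.
# -- There are no other IP addresses for this machine (other than loopback).
# -- There's no IP forwarding, routing, or masquerading going on here.

# ----
# You shouldn't need to change anything below this line unless you
# enjoy hacking ipfwadm stuff.
# ----

# printf rather than "echo -n": the -n flag is not portable across /bin/sh
# implementations, and this script runs under #!/bin/sh.
printf '%s' "Starting IP firewalling... "

# Handle packets destined for this machine.
# Our policy:
# + Allow all outgoing packets.
# + Be very careful about incoming packets.  In more detail:
#   + Make sure to prevent IP spoofing.
#   + Everything coming over loopback interface is ok, since it didn't
#     come from outside hosts.
#   + TCP: Allow packets to come back in on all connections that were
#     initiated from this host; but be more careful about connections
#     initiated from the outside.
#     Allow new incoming connections to ssh, finger, $KERBDAEMONS
#     from anywhere in the world.
#   + UDP: Allow DNS packets from $DNSSERVERS (see below).
#     Open a giant gaping hole for NFS from $NFSSERVERS (see below) (blech).
#     Allow time data from $TIMESERVERS, and Kerberos data from $KERBSERVERS.
#   + Allow just enough ICMP for ping and traceroute in both directions.
#   + Deny (and log) the rest.
# Note: be careful with '-a reject' or '-o' when eth0 is in PROMISC mode
# (because someone on the machine might run tcpdump, and you don't want
# to shoot down other people's connections).

# Rules for the input filter.
# Flush the input chain, then make its default policy deny so that
# anything not explicitly accepted below is dropped.
"$FW" -I -f
"$FW" -I -p deny

# Prevent IP spoofing from the world (and log any occurrences).
# Packets arriving on the outside interface that claim to come from our
# own address or from the loopback network cannot be legitimate.
"$FW" -I -a deny -S "$ME" -D 0.0.0.0/0 -V "$ME" -o
"$FW" -I -a deny -S 127.0.0.0/8 -D 0.0.0.0/0 -V "$ME" -o

# Accept everything from loopback.
"$FW" -I -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 -V 127.0.0.1

# Allow incoming TCP packets on already-established connections
# (i.e. connections initiated by us, not by outsiders).
# NOTE(review): -k matches on the TCP ACK bit only; ipfwadm keeps no
# connection state, so this admits any ACK-flagged segment to any local
# port -- a heuristic for "established", not real connection tracking.
"$FW" -I -k -P tcp -a accept -S 0.0.0.0/0 -D "$ME" -V "$ME"

# Allow outsiders unrestricted access to ssh.
# (-y: match only connection-opening SYN packets.)
"$FW" -I -y -P tcp -a accept -S 0.0.0.0/0 -D "$ME" 22 -V "$ME"

# Allow finger queries from anywhere.
"$FW" -I -y -P tcp -a accept -S 0.0.0.0/0 -D "$ME" finger -V "$ME"

# Allow access to time data from $TIMESERVERS.
# This is useful, since a lot of folks set their clocks from there.
# Replies are accepted to any unprivileged local port (1025:65534).
for server in $TIMESERVERS
do
  "$FW" -I -P udp -a accept -S "$server" time -D "$ME" 1025:65534 -V "$ME"
done

# Allow UDP Kerberos packets from $KERBSERVERS, so Kerberos works.
for server in $KERBSERVERS
do
  "$FW" -I -P udp -a accept -S "$server" kerberos -D "$ME" 1025:65534 -V "$ME"
done

# Allow incoming TCP connections to Kerberos services
# running on this machine ($KERBDAEMONS).
for port in $KERBDAEMONS
do
  "$FW" -I -y -P tcp -a accept -S 0.0.0.0/0 -D "$ME" "$port" -V "$ME"
done

# Allow incoming DNS responses.
# This is a bit of an ugly hack, but there's no better way to do it
# without a lot more complicated gunk.
for server in $DNSSERVERS
do
  "$FW" -I -P udp -a accept -S "$server" domain -D "$ME" 1025:65534 -V "$ME"
done

# Allow NFS.
# God, this is such an ugly hack it hurts, but I don't know of
# any better solution.  (I know, I know, ``don't use NFS''.)
for server in $NFSSERVERS
do
  # NFS itself
  "$FW" -I -P udp -a accept -S "$server" 2049 -D "$ME" 540:1023 -V "$ME"
  # Hack.  I don't really understand this stuff, or why this is necessary
  # for 208.1.75.96 but not for anyone else.  Yuck.  XXX.
  # The match is on the first three dotted fields of the entry (the same
  # test the original echo|cut comparison made), so it also fires for a
  # 208.1.75.0/24 style entry.
  case $server in
    208.1.75|208.1.75.*)
      # portmapper goo (ick!)
      "$FW" -I -P udp -a accept -S "$server" 111 -D "$ME" 540:1023 -V "$ME"
      ;;
  esac
done

# Allow ICMP for ping in both directions, and outgoing traceroute.
# Note that incoming traceroute will break at the last hop; so be it.
# Types accepted: 0 echo-reply, 8 echo-request, 3 dest-unreachable,
# 11 time-exceeded; type 12 (parameter problem) is accepted but logged.
"$FW" -I -P icmp -a accept -S 0.0.0.0/0 0 8 3 11 -D "$ME" -V "$ME"
"$FW" -I -P icmp -a accept -S 0.0.0.0/0 12 -D "$ME" -V "$ME" -o

# It would be nice to '-a reject' identd crud, but unfortunately
# it's not entirely reliable -- it occasionally breaks mail service
# to some annoying mailservers (e.g. netcom.com).
#
# If you feel like it, you can uncomment the following line.
# The right solution to prevent mail service disruption is to add a smart
# relay host in your /etc/sendmail.cf by adding a line like
# 'DSabraham.cs.berkeley.edu'.
# (Unlike the other rules this one carries no -V $ME; add it if you
# enable the rule, so it stays scoped to the outside interface.)
### $FW -I -y -P tcp -a reject -S 0.0.0.0/0 -D $ME 113

# Ignore (and deny) some stuff from eagle.eecs.berkeley.edu and
# ack.berkeley.edu that isn't dangerous and that we would otherwise drop.
# Those hosts do periodic network mapping stuff: this isn't a
# security threat, but it does clog our logs.
# These are deny rules *without* -o, placed before the logging catch-all
# below, so the packets are dropped silently.
"$FW" -I -P tcp -a deny -S 169.229.35.225 -D "$ME" 80 280 -V "$ME"
"$FW" -I -P udp -a deny -S 169.229.35.225 -D "$ME" 161 -V "$ME"
"$FW" -I -P udp -a deny -S 128.32.206.66 -D "$ME" 161 -V "$ME"

# Log all incoming packets that weren't accepted above.
"$FW" -I -a deny -S 0.0.0.0/0 -D "$ME" -o

# But if we run tcpdump (or otherwise put our interface into promiscuous mode),
# we don't want to spam our logs with the resulting packets.
# Ignore stuff not destined for us without logging it.
# Since default policy is deny ('-p deny'), this will just do the right thing.

echo "Done."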