How to Build a FreeBSD-STABLE Firewall with IPFILTER
Applicable to: FreeBSD 4.2-STABLE
Updated: March 8, 2001
Author: Marty Schlacter
This procedure was written before the release of FreeBSD-4.3. While there probably aren't too many differences between FreeBSD-4.2 and 4.3 (at least from the perspective of installing & configuring), it has not been verified to work correctly with versions of FreeBSD later than 4.2. If you encounter problems, please e-mail me with suggested corrections.
This howto walks you through the process of building one of the most stable and secure firewalls available - a FreeBSD-STABLE firewall with IPFILTER. As part of the installation process, all services will be disabled except OpenSSH, which will have its access controlled via TCP-Wrappers. The firewall will be configured to log through the syslog facility, but will have its own firewall log files (rather than filling up /var/log/messages). We'll add VESA support into the kernel so that we can use 132x43 screen resolutions, as well as compile support into the kernel for a second ISA Ethernet card if you have one. After we add a warning banner to the system, we'll make BASH the default shell for root, perform a rudimentary setup for root's BASH environment, and redirect root's email to your "normal" account so that the root account on the firewall itself doesn't fill up. Lastly, we'll download, compile, install, and configure Tripwire, as well as install cvsup so that your ports collection stays up to date.
This is an all-encompassing how-to, and should take half of a Saturday to complete, but when you're finished, you'll not only have a great firewall, but will be better able to compare and contrast FreeBSD/IPFILTER to Linux 2.4/IPTABLES so that you can consider the pros and cons of each on their merits...and that learning process is what all of this is about anyway. So, grab a cup of coffee, sit down with that old Pentium, and get ready to broaden your horizons.
Before we start, I'd like to thank Dan O'Connor for the work he put in on his great site, FreeBSD Cheat Sheets, since it was his great site that gave me the motivation to start this howto. You will undoubtedly see some of his tips and tricks sprinkled throughout this document. For those of you that are new to FreeBSD, I highly recommend his site.
And, as always, before performing this procedure, I highly recommend that you review the Installing FreeBSD chapter of the FreeBSD Handbook.
Installing FreeBSD-STABLE
To build the most stable and security-patched system you can, you'll want to make sure you're running the latest version of FreeBSD-STABLE. When I built my last system, the March 2, 2001 version of FreeBSD-4.2 was the latest snapshot in the 4.2-STABLE branch. For those of you new to FreeBSD, the STABLE branch is the version of the operating system that has all of the latest patches, bugfixes, and enhancements made after the previous release. If you've installed FreeBSD-4.2 from CD-ROM, you probably installed 4.2-RELEASE, which is (simplistically) nothing more than a version of the 4.2-STABLE branch that was exhaustively tested, burned to CD-ROM and made available for sale. After the release date of 4.2-RELEASE (in late November, 2000), the 4.2 tree continued to evolve and be patched. Since there's no way the folks at FreeBSD.org can burn and sell CD-ROMs for each day's version of the 4.2 tree, 4.2-RELEASE is the only one made available for sale on CD, and subsequent snapshots of the 4.2-STABLE tree are only available on-line.
So, what are the benefits of loading 4.2-STABLE rather than 4.2-RELEASE? Well, the biggest answer (if you're building a firewall, like we are here) is that all of the security patches have been applied to the O/S and the associated applications. For example, FreeBSD-4.2-RELEASE (which was released in November 2000) uses OpenSSH-2.2.0, which is a great product but also has a remote buffer overflow that wasn't discovered until early February, 2001. If a hacker exploits this vulnerability on your 4.2-RELEASE box, they can gain remote root access and ruin your day. The relevant info can be found at http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=2347. When you load FreeBSD-4.2-STABLE, by comparison, you're getting FreeBSD-4.2-RELEASE with all of the patches applied after the November 2000 release, so your system will have OpenSSH-2.3.0 (not OpenSSH-2.2.0), which is not vulnerable to the remote buffer overflow. So loading the latest snapshot from the STABLE branch saves you a lot of time loading patches after your OS load is finished.
[root@yoursys /tmp]# dd if=/tmp/kern.flp of=/dev/fd0
2880+1 records in
2880+0 records out
1474560 bytes transferred in 49.931306 secs (30135 bytes/sec)
C:\WINDOWS\TEMP>rawrite
RaWrite 1.3 - Write disk file to raw floppy diskette
Enter source file name: mfsroot.flp
Enter destination drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :
Number of sectors per track for this disk is 18
Writing image to drive A:. Press ^C to abort.
Track: 79 Head: 1 Sector: 16
Done.
Storage:
    ATA/ATAPI compatible disk controller               ata0    14   0x1f0
    ATA/ATAPI compatible disk controller               ata1    15   0x170
    Floppy disk controller                             fdc0    6    0x3f0
Networks:
    NE1000,NE2000,3C503,WD/SMC80xx Ethernet adapters   ed0     10   0x280
Communications:
    Parallel Port chipset                              ppc0    7
    8250/16450/16550 Serial port                       sio0    4    0x3f8
    8250/16450/16550 Serial port                       sio1    3    0x2f8
Input:
    Keyboard                                           atkbd0  1
    Syscons console driver                             sc0
Multimedia:
Miscellaneous:
    Math coprocessor                                   npx0    13   0xf0
Note: If you have PCI-based Ethernet cards, you can delete all of the network cards in the list - yours will be found and configured automatically. If you're on the other end of the scale (like me) and you have two old NE2000-compliant ISA network cards, you'll only be able to configure one of them at this time (ed0). After your installation is complete, you'll have to build a custom kernel & add in a "placeholder" for the 2nd generic ISA card, and then run through the kernel configuration utility again after you reboot. We'll do this at the end of this document.
Hit 'Q' then 'Y' to save your changes and exit.
256MB swap partition
256MB (or more, if you can) file system mounted as /var
128MB file system mounted as /
Remainder of your hard drive mounted as /usr
(System installs...with a cable modem, the download & install took 22 minutes.)
Type: Auto
Port: COM1
Flags: -3
WWW - lynx-2.8.3.1
Editors - vim-lite-5.7.24
FTP - ncftp3-3.0.2
Mail - pine-4.33
- mutt-1.2.5
- elm+ME-2.4.88_1,1
Net - cvsup-bin-16.1
Shells - bash-2.0.4
Then tab over and select "Install", select "OK" to confirm your choices
(Packages are installed...takes about 60 seconds)
Networking:
- Enable "ntpdate - Select a clock-synchronization server"
- Enable "sshd - This machine wants to run the ssh daemon"
Then select Exit and return to the previous menu, and then tab over and select "Exit Install"
(System reboots...)
Compiling IPFILTER into the Kernel, & Configuring the System
Now that you have FreeBSD-STABLE installed on the system, we need to spend about 2-3 hours adding in IPFILTER support as well as finishing the rest of the configuration. Here's what we're going to do in this section (in no particular order):
In order to save time, I'm going to do some steps in what will appear to be an "out of order" sequence. This is being done on purpose so that we will minimize the number of re-boots you'll have to do. In fact, the goal is to configure the system, then recompile the kernel, and when the system reboots, you're done. That's it.
umask 077
PS1="[\u@\h \W]\\$ "
alias ls='ls -alFG'
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin:$HOME/bin; export PATH
umask 077
PS1="[\u@\h \W]\\$ "
alias ls='ls -alFG'
192.168.1.1 firewall firewall.yourdomain.net
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE
ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE
PUNISHABLE UNDER THE COMPUTER FRAUD AND ABUSE ACT OF 1986 OR
OTHER APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM,
DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES
AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY
NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT TO
MONITORING AND AUDITING.
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
[root@numa /root]# cp /usr/share/examples/cvsup/ports-supfile /etc
[root@numa /root]# vi /etc/ports-supfile
- Change line 51 of the file so that it reads '*default host=cvsup2.FreeBSD.org'
[root@numa /root]# cvsup /etc/ports-supfile
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
telnet stream tcp nowait root /usr/libexec/telnetd telnetd
comsat dgram udp wait tty:tty /usr/libexec/comsat comsat
ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd
ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l
telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
# This is ssh server systemwide configuration file.
#
# Listen on port 22, the standard
Port 22
# Support SSH Protocol 1 only (SSH 1.X baseline), which means RSA
# keys are used
Protocol 1
# Listen on your internal network's address only so that hackers
# from the internet can't access the SSH daemon on your box and
# try to log on. Note that you'll have to change 192.168.1.1 to
# whatever IP address your internal NIC has.
ListenAddress 192.168.1.1
# Standard settings for a bunch of stuff...HostKey, ServerKeyBits,
# LoginGraceTime, etc.
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 768
LoginGraceTime 120
KeyRegenerationInterval 3600
StrictModes yes
PrintMotd yes
KeepAlive yes
CheckMail no
# Permit 'root' login...that's the only account we have on this
# box anyway
PermitRootLogin yes
# After 10 unauthenticated connections, refuse 30% of the new
# ones, and refuse any more than 60 total.
MaxStartups 10:30:60
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
IgnoreUserKnownHosts yes
# Disable X11 forwarding...we're not even running X on our firewall
X11Forwarding no
# Implement severe logging...potentially invasive, but we're the
# only authorized users & we do have a legal warning banner,
# so everyone's been warned....
SyslogFacility AUTH
LogLevel DEBUG
# Set up SSHD so that you must have a RSA key in root's
# authorized_keys file to successfully log in. No Rhosts, no
# PasswordAuthentication, etc.
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
UseLogin no
#
# hosts.allow access control file for "tcp wrapped" applications.
#
ALL : localhost 127.0.0.1 : allow
sshd : 192.168.1.0/255.255.255.0 : allow
ALL : ALL : deny
[root@numa /root]# cd /usr/ports/devel/gmake
[root@numa gmake]# make && make install
[root@numa gmake]# cd /root
[root@numa /root]# lynx http://download.sourceforge.net/tripwire
- Use the down-arrow to move through the hyperlinks until the file, tripwire-2.3.1-2.tar.gz, is highlighted, then press [Enter]
- When asked if you want to D)ownload the file, or C)ancel, hit 'd'
- ...file downloads...
- After the file downloads, you'll be presented with lynx's Download Options screen. The 'Save to disk' hyperlink is automatically highlighted in red, so just hit [Enter].
- Either accept the original filename by pressing [Enter], or modify the filename then hit [Enter] to save it.
- After the file is saved, press 'q' to quit lynx.
[root@numa /root]# gunzip tripwire-2.3.1-2.tar.gz
[root@numa /root]# tar xvf tripwire-2.3.1-2.tar
[root@numa /root]# cd tripwire-2.3.1-2/src
[root@numa src]# vim Makefile
- Add a comment at the beginning of line 82 (SYSPRE = i686-pc-linux)
- Remove the '#' comment delimiter at the beginning of line 84 (SYSPRE = i386-unknown-freebsd)
- Save and exit.
[root@numa src]# gmake release
[root@numa src]# cd ../install/
[root@numa install]# vim install.cfg
- Change line 27 so that it reads 'TWBIN="/usr/local/sbin"'
- Change line 30 so that it reads 'TWPOLICY="/usr/local/etc/tripwire"'
- Change line 33 so that it reads 'TWMAN="/usr/share/man"'
- Change line 36 so that it reads 'TWDB="/usr/local/lib/tripwire"'
- Change line 39 so that it reads 'TWDOCS="/usr/share/doc/tripwire"'
- Change line 51 so that it reads 'TWEDITOR="/usr/local/bin/vim"'
- Change line 88 so that it reads 'TWMAILPROGRAM="/usr/sbin/sendmail -oi -t"'
- Save and exit.
[root@numa install]# vim install.sh
- Change line 319 so that it reads 'EULA_PATH="../$TWLICENSEFILE"'
- Change line 491 so that it reads 'BIN_DIR="../bin/i386-unknown-freebsd_r"'
- Change lines 621-638 so that they read as follows:
f1=' ff=$README ; d="/.." ; dd=$TWDOCS ; rr=0444 '
f2=' ff=$REL_NOTES ; d="/.." ; dd=$TWDOCS ; rr=0444 '
f3=' ff=$TWLICENSEFILE ; d="/.." ; dd=$TWDOCS ; rr=0444 '
f4=' ff=tripwire ; d="/../bin/i386-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 '
f5=' ff=twadmin ; d="/../bin/i386-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 '
f6=' ff=twprint ; d="/../bin/i386-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 '
f7=' ff=siggen ; d="/../bin/i386-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 '
f8=' ff=TRADEMARK ; d="/.." ; dd=$TWDOCS ; rr=0444 '
f9=' ff=policyguide.txt ; d="/../policy" ; dd=$TWDOCS ; rr=0444 '
f10=' ff=twpol.txt ; d="/../policy" ; dd=$TWPOLICY ; rr=0640 '
f11=' ff=twpolicy.4 ; d="/../man/man4" ; dd=$TWMAN/man4 ; rr=0444 '
f12=' ff=twconfig.4 ; d="/../man/man4" ; dd=$TWMAN/man4 ; rr=0444 '
f13=' ff=twfiles.5 ; d="/../man/man5" ; dd=$TWMAN/man5 ; rr=0444 '
f14=' ff=siggen.8 ; d="/../man/man8" ; dd=$TWMAN/man8 ; rr=0444 '
f15=' ff=tripwire.8 ; d="/../man/man8" ; dd=$TWMAN/man8 ; rr=0444 '
f16=' ff=twadmin.8 ; d="/../man/man8" ; dd=$TWMAN/man8 ; rr=0444 '
f17=' ff=twintro.8 ; d="/../man/man8" ; dd=$TWMAN/man8 ; rr=0444 '
f18=' ff=twprint.8 ; d="/../man/man8" ; dd=$TWMAN/man8 ; rr=0444 '
- Save and exit.
[root@numa install]# ./install.sh
- Answer 'y' to continue with the installation
- Press [Enter] to view the license agreement...when complete, type 'accept' and [Enter]
- The install script will verify that sendmail and vim are installed, then verify that the tripwire binaries are available, and then echo back all of the configuration parameters for the installation script (e.g. TWBIN, TWMAN, etc.). If everything looks good, answer 'y' to continue with the installation.
- The install script copies all of the files, then asks you to enter a new site keyfile passphrase. Enter it, and then enter it again when asked to verify it.
- The install script then asks you to enter a new local keyfile passphrase. Enter it, and then enter it again when asked to verify it.
- The install script will then create a signed configuration file, but will need you to enter the site passphrase you just set, above. Enter it.
- The install script will then create a signed policy file, but will need you to enter the site passphrase you just set, above. Enter it.
- ...installation is complete.
@@section GLOBAL
TWROOT="/usr/local";
TWBIN="/usr/local/sbin";
TWPOL="/usr/local/etc/tripwire";
TWDB="/usr/local/lib";
TWSKEY="/usr/local/etc/tripwire";
TWLKEY="/usr/local/etc/tripwire";
TWREPORT="/usr/local/lib/tripwire/report";
HOSTNAME=hostname.domain.net;
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa; # Critical files - we can't afford to miss any changes.
SEC_SUID = $(IgnoreNone)-SHa; # Binaries with the SUID or SGID flags set.
SEC_TCB = $(ReadOnly); # Members of the Trusted Computing Base.
SEC_BIN = $(ReadOnly); # Binaries that shouldn't change
SEC_CONFIG = $(Dynamic); # Config files that are changed infrequently but accessed often.
SEC_LOG = $(Growing); # Files that grow, but that should never change ownership.
SEC_INVARIANT = +pug; # Directories that should never change permission or ownership.
SIG_LOW = 33; # Non-critical files that are of minimal security impact
SIG_MED = 66; # Non-critical files that are of significant security impact
SIG_HI = 100; # Critical files that are significant points of vulnerability
# Tripwire Binaries
(rulename = "Tripwire Binaries", severity = $(SIG_HI))
{
$(TWBIN)/siggen -> $(SEC_TCB);
$(TWBIN)/tripwire -> $(SEC_TCB);
$(TWBIN)/twadmin -> $(SEC_TCB);
$(TWBIN)/twprint -> $(SEC_TCB);
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(rulename = "Tripwire Data Files", severity = $(SIG_HI))
{
# NOTE: Removing the inode attribute because when Tripwire creates a backup
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Leaving inode turned on for keys, which shouldn't
# ever change.
# NOTE: this rule will trigger on the first integrity check after database
# initialization, and each integrity check afterward until a database update
# is run, since the database file will not exist before that point.
$(TWDB) -> $(SEC_CONFIG) -i;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN);
$(TWSKEY)/site.key -> $(SEC_BIN);
#don't scan the individual reports
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0);
}
# These files are critical to a correct system boot.
(rulename = "Critical system boot files", severity = 100)
{
/boot -> $(SEC_CRIT);
/kernel -> $(SEC_CRIT);
}
# These files change the behavior of the root account
(rulename = "Root config files", severity = 100)
{
/root -> $(SEC_CRIT);
/root/.bash_history -> $(SEC_LOG);
/root/.bash_profile -> $(SEC_CRIT);
/root/.bashrc -> $(SEC_CRIT);
/root/.ssh/authorized_keys -> $(SEC_CRIT);
}
# Commonly accessed directories that should remain static with regards to owner and group
(rulename = "Invariant Directories", severity = $(SIG_MED))
{
/ -> $(SEC_INVARIANT) (recurse = 0);
/etc -> $(SEC_INVARIANT) (recurse = 0);
/usr/local/etc -> $(SEC_INVARIANT) (recurse = 0);
}
(rulename = "Shell Binaries", severity = $(SIG_HI))
{
/usr/local/bin/bash -> $(SEC_BIN);
/bin/csh -> $(SEC_BIN);
/bin/sh -> $(SEC_BIN);
/bin/tcsh -> $(SEC_BIN);
}
# Rest of critical system binaries
(rulename = "OS executables and libraries", severity = $(SIG_HI))
{
/bin -> $(SEC_BIN) (recurse = 1);
/usr/bin -> $(SEC_BIN) (recurse = 1);
/usr/lib -> $(SEC_BIN) (recurse = 1);
/sbin -> $(SEC_BIN) (recurse = 1);
/usr/sbin -> $(SEC_BIN) (recurse = 1);
}
# Local files
(rulename = "User executables and libraries", severity = $(SIG_MED))
{
/usr/local/bin -> $(SEC_BIN) (recurse = 1);
/usr/local/sbin -> $(SEC_BIN) (recurse = 1);
}
# Temporary directories
(rulename = "Temporary directories", recurse = false, severity = $(SIG_LOW))
{
/usr/tmp -> $(SEC_INVARIANT);
/var/tmp -> $(SEC_INVARIANT);
/tmp -> $(SEC_INVARIANT);
}
# Include
(rulename = "OS Development Files", severity = $(SIG_MED))
{
/usr/include -> $(SEC_BIN);
/usr/local/include -> $(SEC_BIN);
}
# Shared
(rulename = "OS Shared Files", severity = $(SIG_MED))
{
/usr/share -> $(SEC_BIN);
!/usr/share/man;
/usr/local/share -> $(SEC_BIN);
}
# setuid/setgid root programs
(rulename = "setuid/setgid", severity = $(SIG_HI))
{
/bin/df -> $(SEC_SUID);
/bin/rcp -> $(SEC_SUID);
/sbin/ccdconfig -> $(SEC_SUID);
/sbin/dmesg -> $(SEC_SUID);
/sbin/dump -> $(SEC_SUID);
/sbin/ping -> $(SEC_SUID);
/sbin/ping6 -> $(SEC_SUID);
/sbin/rdump -> $(SEC_SUID);
/sbin/restore -> $(SEC_SUID);
/sbin/route -> $(SEC_SUID);
/sbin/rrestore -> $(SEC_SUID);
/sbin/shutdown -> $(SEC_SUID);
/usr/bin/at -> $(SEC_SUID);
/usr/bin/atq -> $(SEC_SUID);
/usr/bin/atrm -> $(SEC_SUID);
/usr/bin/batch -> $(SEC_SUID);
/usr/bin/chfn -> $(SEC_SUID);
/usr/bin/chpass -> $(SEC_SUID);
/usr/bin/chsh -> $(SEC_SUID);
/usr/bin/crontab -> $(SEC_SUID);
/usr/bin/cu -> $(SEC_SUID);
/usr/bin/fstat -> $(SEC_SUID);
/usr/bin/ipcs -> $(SEC_SUID);
/usr/bin/keyinfo -> $(SEC_SUID);
/usr/bin/keyinit -> $(SEC_SUID);
/usr/bin/lock -> $(SEC_SUID);
/usr/bin/login -> $(SEC_SUID);
/usr/bin/lpq -> $(SEC_SUID);
/usr/bin/lpr -> $(SEC_SUID);
/usr/bin/lprm -> $(SEC_SUID);
/usr/bin/man -> $(SEC_SUID);
/usr/bin/netstat -> $(SEC_SUID);
/usr/bin/nfsstat -> $(SEC_SUID);
/usr/bin/passwd -> $(SEC_SUID);
/usr/bin/quota -> $(SEC_SUID);
/usr/bin/rlogin -> $(SEC_SUID);
/usr/bin/rsh -> $(SEC_SUID);
/usr/bin/su -> $(SEC_SUID);
/usr/bin/systat -> $(SEC_SUID);
/usr/bin/top -> $(SEC_SUID);
/usr/bin/uucp -> $(SEC_SUID);
/usr/bin/uuname -> $(SEC_SUID);
/usr/bin/uustat -> $(SEC_SUID);
/usr/bin/uux -> $(SEC_SUID);
/usr/bin/vmstat -> $(SEC_SUID);
/usr/bin/wall -> $(SEC_SUID);
/usr/bin/write -> $(SEC_SUID);
/usr/bin/ypchfn -> $(SEC_SUID);
/usr/bin/ypchpass -> $(SEC_SUID);
/usr/bin/ypchsh -> $(SEC_SUID);
/usr/bin/yppasswd -> $(SEC_SUID);
/usr/libexec/sendmail/sendmail -> $(SEC_SUID);
/usr/libexec/uucp/uucico -> $(SEC_SUID);
/usr/libexec/uucp/uuxqt -> $(SEC_SUID);
/usr/local/bin/elm -> $(SEC_SUID);
/usr/local/bin/mutt_dotlock -> $(SEC_SUID);
/usr/sbin/ifmcstat -> $(SEC_SUID);
/usr/sbin/iostat -> $(SEC_SUID);
/usr/sbin/lpc -> $(SEC_SUID);
/usr/sbin/mrinfo -> $(SEC_SUID);
/usr/sbin/mtrace -> $(SEC_SUID);
/usr/sbin/ppp -> $(SEC_SUID);
/usr/sbin/pppd -> $(SEC_SUID);
/usr/sbin/pstat -> $(SEC_SUID);
/usr/sbin/sliplogin -> $(SEC_SUID);
/usr/sbin/swapinfo -> $(SEC_SUID);
/usr/sbin/timedc -> $(SEC_SUID);
/usr/sbin/traceroute -> $(SEC_SUID);
/usr/sbin/traceroute6 -> $(SEC_SUID);
/usr/sbin/trpt -> $(SEC_SUID);
}
(rulename = "Configuration Files", severity = $(SIG_MED))
{
/etc/hosts -> $(SEC_CONFIG);
/etc/inetd.conf -> $(SEC_CONFIG);
/etc/resolv.conf -> $(SEC_CONFIG);
/etc/syslog.conf -> $(SEC_CONFIG);
/etc/newsyslog.conf -> $(SEC_CONFIG);
}
(rulename = "Security Control", severity = $(SIG_HI))
{
/etc/group -> $(SEC_CRIT);
/etc/security/ -> $(SEC_CRIT);
}
(rulename = "Login Scripts", severity = $(SIG_HI))
{
/etc/csh.login -> $(SEC_CONFIG);
/etc/csh.logout -> $(SEC_CONFIG);
/etc/csh.cshrc -> $(SEC_CONFIG);
/etc/profile -> $(SEC_CONFIG);
}
# These files change every time the system boots
(rulename = "System boot changes", severity = $(SIG_HI))
{
/dev/log -> $(Dynamic);
/dev/cuaa0 -> $(Dynamic);
/dev/console -> $(Dynamic);
/dev/ttyv0 -> $(Dynamic);
/dev/ttyv1 -> $(Dynamic);
/dev/ttyv2 -> $(Dynamic);
/dev/ttyv3 -> $(Dynamic);
/dev/ttyv4 -> $(Dynamic);
/dev/ttyv5 -> $(Dynamic);
/dev/ttyv6 -> $(Dynamic);
/dev/ttyp0 -> $(Dynamic);
/dev/ttyp1 -> $(Dynamic);
/dev/ttyp2 -> $(Dynamic);
/dev/ttyp3 -> $(Dynamic);
/dev/ttyp4 -> $(Dynamic);
/dev/ttyp5 -> $(Dynamic);
/dev/ttyp6 -> $(Dynamic);
/dev/urandom -> $(Dynamic);
/var/run -> $(Dynamic);
/var/log -> $(Dynamic);
}
# Critical configuration files
(rulename = "Critical configuration files", severity = $(SIG_HI))
{
/etc/crontab -> $(ReadOnly);
/etc/periodic/daily -> $(ReadOnly);
/etc/periodic/weekly -> $(ReadOnly);
/etc/periodic/monthly -> $(ReadOnly);
/etc/defaults -> $(ReadOnly);
/etc/fstab -> $(ReadOnly);
/etc/hosts.allow -> $(ReadOnly);
/etc/ttys -> $(ReadOnly);
/etc/gettytab -> $(ReadOnly);
/etc/protocols -> $(ReadOnly);
/etc/services -> $(ReadOnly);
/etc/rc -> $(ReadOnly);
/etc/rc.conf -> $(ReadOnly);
/etc/rc.atm -> $(ReadOnly);
/etc/rc.devfs -> $(ReadOnly);
/etc/rc.diskless1 -> $(ReadOnly);
/etc/rc.diskless2 -> $(ReadOnly);
/etc/rc.firewall -> $(ReadOnly);
/etc/rc.firewall6 -> $(ReadOnly);
/etc/rc.i386 -> $(ReadOnly);
/etc/rc.isdn -> $(ReadOnly);
/etc/rc.network -> $(ReadOnly);
/etc/rc.network6 -> $(ReadOnly);
/etc/rc.pccard -> $(ReadOnly);
/etc/rc.resume -> $(ReadOnly);
/etc/rc.serial -> $(ReadOnly);
/etc/rc.shutdown -> $(ReadOnly);
/etc/rc.suspend -> $(ReadOnly);
/etc/rc.syscons -> $(ReadOnly);
/etc/rc.sysctl -> $(ReadOnly);
/etc/motd -> $(ReadOnly);
/etc/passwd -> $(ReadOnly);
/etc/master.passwd -> $(ReadOnly);
/etc/pwd.db -> $(ReadOnly);
/etc/spwd.db -> $(ReadOnly);
/etc/rpc -> $(ReadOnly);
/etc/shells -> $(ReadOnly);
/etc/ipf.rules -> $(ReadOnly);
/etc/ipnat.rules -> $(ReadOnly);
/etc/ssh/sshd_config -> $(ReadOnly);
}
# Critical devices
(rulename = "Critical devices", severity = $(SIG_HI), recurse = false)
{
/dev/kmem -> $(Device);
/dev/mem -> $(Device);
/dev/null -> $(Device);
/dev/zero -> $(Device);
}
[root@numa /root]# twadmin --create-polfile /usr/local/etc/tripwire/twpol.txt
[root@numa /root]# tripwire --init
[root@numa /root]# cd /etc
[root@numa /etc]# vi crontab
- Add the following line to the file:
0 4 * * * root /usr/local/sbin/tripwire --check
[root@numa /root]# tripwire --check --interactive
font8x8="/usr/share/syscons/fonts/iso02-8x8.fnt"
allscreens_flags="132x43"
syslogd_flags="-ss"
sshd_flags="-4"
ipfilter_enable="YES"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
network_interfaces="ed0 ed1 lo0"
ifconfig_ed1="inet 192.168.1.1 netmask 255.255.255.0"
[root@numa /root]# touch /var/log/firewall_logs
[root@numa /root]# chmod 600 /var/log/firewall_logs
local0.* /var/log/firewall_logs
/var/log/firewall_logs 600 5 100 * Z
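Once ipmon's entries reach /var/log/firewall_logs through the local0 facility, a short parser shows what the block rules are catching. This is an added example, not part of the howto: the log lines are constructed, and the field layout (time, interface, @group:rule, action letter, src,port -> dst,port, PR proto) is assumed from ipmon's usual one-line output.

```python
# Summarise blocked traffic from ipmon entries as syslog writes them (added example).
import re
from collections import Counter

# Assumed ipmon layout after the syslog prefix; ports are absent for ICMP.
LOG_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<act>[pbSnL]) (?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? PR (?P<proto>\w+)")

# Constructed sample of /var/log/firewall_logs (documentation addresses only).
SAMPLE = """\
Mar  8 04:12:01 numa ipmon[87]: 04:12:01.409322 ed0 @0:6 b 192.0.2.5,4321 -> 203.0.113.10,23 PR tcp len 20 48 -S IN
Mar  8 04:12:03 numa ipmon[87]: 04:12:03.110021 ed0 @0:6 b 192.0.2.5,4322 -> 203.0.113.10,22 PR tcp len 20 48 -S IN
Mar  8 04:12:09 numa ipmon[87]: 04:12:09.551900 ed0 @0:7 b 198.51.100.77,1029 -> 203.0.113.10,137 PR udp len 20 78 IN
Mar  8 04:12:15 numa ipmon[87]: 04:12:15.002341 ed0 @0:8 b 192.0.2.99 -> 203.0.113.10 PR icmp len 20 84 icmp 8/0 IN
Mar  8 04:13:00 numa ipmon[87]: 04:13:00.778812 ed0 @0:5 p 198.51.100.1,67 -> 255.255.255.255,68 PR udp len 20 328 IN
"""

def parse(lines):
    """Return one dict per recognisable ipmon line; other syslog lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(lines, top=3):
    """Count blocked ('b') entries by source, by protocol/destination port and by rule."""
    blocked = [e for e in parse(lines) if e["act"] == "b"]
    return {
        "blocked": len(blocked),
        "by_source": Counter(e["src"] for e in blocked).most_common(top),
        "by_dport": Counter((e["proto"], e["dport"])
                            for e in blocked if e["dport"]).most_common(top),
        "by_rule": Counter((e["group"], e["rule"]) for e in blocked).most_common(top),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Point it at the real file with `summarize(open("/var/log/firewall_logs").read())`; the rule numbers map to the order of the rules in /etc/ipf.rules, so a spike on one rule tells you which block line is doing the work.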
#################################################################
# Outside Interface
#################################################################
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#----------------------------------------------------------------
pass out quick on ed0 proto tcp from any to any keep state
pass out quick on ed0 proto udp from any to any keep state
pass out quick on ed0 proto icmp from any to any keep state
block out quick on ed0 all
#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
# Replace X.X.X.X/32 with your ISP's DHCP server address.
#----------------------------------------------------------------
pass in quick on ed0 proto udp from X.X.X.X/32 to any port = 68 keep state
#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
# as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on ed0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on ed0 proto udp from any to any
block in log quick on ed0 all
#################################################################
# Inside Interface
#################################################################
#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on ed1 proto tcp from any to any keep state
pass out quick on ed1 proto udp from any to any keep state
pass out quick on ed1 proto icmp from any to any keep state
#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on ed1 proto tcp from any to any keep state
pass in quick on ed1 proto udp from any to any keep state
pass in quick on ed1 proto icmp from any to any keep state
map ed0 192.168.1.0/24 -> 0/32
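To check what the outside-interface rules above actually do to a packet, here is an added example (not from the howto) that evaluates packets against that ruleset with first-match 'quick' semantics, a minimal keep-state table and the block default that IPFILTER_DEFAULT_BLOCK supplies. The ISP DHCP server placeholder X.X.X.X/32 is replaced by the constructed address 198.51.100.1, and the ipnat map line is not modelled.

```python
# Mini evaluator for the ipf(5) subset used in the howto's ipf.rules (added example).
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "iface direction proto src sport dst dport")
Rule = namedtuple("Rule", "action reply direction log iface proto src dst port keep")

# Only the constructs the ruleset above uses are parsed; this is not a full ipf parser.
RULE_RE = re.compile(
    r"^(pass|block)(?:\s+(return-rst|return-icmp-as-dest\(port-unr\)))?"
    r"\s+(in|out)(?:\s+(log))?\s+quick\s+on\s+(\w+)(?:\s+proto\s+(\w+))?"
    r"(?:\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+port\s*=\s*(\d+))?|\s+(all))"
    r"(?:\s+(keep\s+state))?\s*$")

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        act, reply, dirn, log, iface, proto, src, dst, port, _all, keep = m.groups()
        rules.append(Rule(act, reply, dirn, bool(log), iface, proto, src or "any",
                          dst or "any", int(port) if port else None, bool(keep)))
    return rules

def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _rule_match(r, p):
    return (r.iface == p.iface and r.direction == p.direction
            and (r.proto is None or r.proto == p.proto)
            and _addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
            and (r.port is None or r.port == p.dport))

class Firewall:
    """First-match ('quick') evaluation plus a minimal keep-state table."""
    def __init__(self, rules_text, default="block"):
        self.rules = parse_rules(rules_text)
        self.default = default  # IPFILTER_DEFAULT_BLOCK: no matching rule means block
        self.state = set()

    def evaluate(self, p):
        """Return (verdict, logged). A state-table hit bypasses the rule list."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state or rev in self.state:
            return "pass (state)", False
        for r in self.rules:
            if _rule_match(r, p):
                if r.keep and r.action == "pass":
                    self.state.add(key)
                return (r.action if r.reply is None else r.action + " " + r.reply), r.log
        return self.default, False

# The howto's outside-interface rules, with the ISP DHCP server placeholder
# X.X.X.X/32 replaced by a constructed documentation address.
RULES = """
pass out quick on ed0 proto tcp from any to any keep state
pass out quick on ed0 proto udp from any to any keep state
pass out quick on ed0 proto icmp from any to any keep state
block out quick on ed0 all
pass in quick on ed0 proto udp from 198.51.100.1/32 to any port = 68 keep state
block return-rst in log quick on ed0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on ed0 proto udp from any to any
block in log quick on ed0 all
"""

def demo():
    """Walk constructed packets through the ruleset; returns the six verdicts in order."""
    fw = Firewall(RULES)
    me, web, probe = "203.0.113.10", "198.51.100.20", "192.0.2.5"
    return (
        fw.evaluate(Packet("ed0", "out", "tcp", me, 40000, web, 80)),     # outbound, keeps state
        fw.evaluate(Packet("ed0", "in", "tcp", web, 80, me, 40000)),      # reply: state-table hit
        fw.evaluate(Packet("ed0", "in", "tcp", probe, 5555, me, 22)),     # unsolicited TCP
        fw.evaluate(Packet("ed0", "in", "udp", probe, 5555, me, 53)),     # unsolicited UDP
        fw.evaluate(Packet("ed0", "in", "icmp", probe, None, me, None)),  # unsolicited ICMP
        fw.evaluate(Packet("ed0", "in", "udp", "198.51.100.1", 67, "255.255.255.255", 68)),
    )
```

The second packet is passed only because the first one created a state entry; remove `keep state` from the outbound rules and the same reply falls through to the `block return-rst` line instead.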
cd /usr/src/sys/i386/conf
cp GENERIC FIREWALL
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options VESA
device ed1 at isa? port 0x280 irq 10 iomem 0xd8000
[root@numa conf]# /usr/sbin/config -g FIREWALL
[root@numa conf]# cd ../../compile/FIREWALL
[root@numa FIREWALL]# make depend
[root@numa FIREWALL]# make
[root@numa FIREWALL]# make install
[root@numa FIREWALL]# shutdown -r now
Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [kernel] in 9 seconds...
http://www.schlacter.dyndns.org/public/FreeBSD-STABLE_and_IPFILTER.html
Questions or Comments? E-mail: Marty Schlacter