# # firewall - http://fwup.org/ # # Copyright (C) 1999-2004 raf # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # or visit http://www.gnu.org/copyleft/gpl.html # # name: /etc/firewall.policy # # This file tells fwup who and what to trust or not. # # Read it carefully. # # 20041231 raf ############################################################################## # About the policy file # # The policy file is composed of sections in which you need to specify much # information: this host's trusted and untrusted network interfaces; this # host's role and function within the network topology; and the incoming and # outgoing services to allow and the internal and external hosts that may # take part in them. It has been designed so as to make this as painless and # flexible as possible. # # Each section contains detailed explanations and advice on things such as # when to start the firewall and the security implications of various well # known internet services and advice on how to allow them safely. It is # intended to introduce administrators to some subtleties of packet # filtering quickly so that they can make better informed security decisions # and achieve and maintain effective network security (at least the packet # filtering part) in a very short time. Of course, it will not prevent you # from achieving bad network security, but you will have been warned :) # # Each section also contains commented out variables that can be uncommented # and possibly edited to supply policy information to fwup. Some of them # show the default values used by fwup. Others are choices. Others still are # just examples. Hopefully it's clear which is which. Let me know if it # isn't. Each policy variable is explained when encountered. # # After setting up a firewall, don't forget to run port scanners (e.g. nmap) # on your untrusted interfaces (as root from the inside and the outside) to # make sure that you got what you wanted. If there are any surprises, # investigate. The tools directory contains a portscan script that uses nmap # to perform many different port scans, looking for common filtering errors. # ############################################################################## # Network Interfaces # # Note: If the firewall is started when an interface is down, the rules # created for that interface will use 0/0 as it's address. If it is started # when the interface is up, it's real, current address(es) will be used. # However, starting the firewall after an untrusted interface is up creates # a window of opportunity in which an attacker might crash the system (I # doubt that there'd be enough time for anything sophisticated but I could # easily be wrong). The easiest way to eliminate the possibility is to start # the firewall at boot time both before and after the network interfaces are # brought up. If this host receives dynamic IP addresses (e.g. via PPP or # DHCP), reload the firewall after receiving each new address as well (e.g. # in /etc/ppp/ip-up.local or /etc/dhcp/*). If all of the network interfaces # have static addresses (and port forwarding is not required), the firewall # can safely be started just once, at boot time, by specifying all of the # required addresses in the policy file (see INTERNAL_NETWORKS and # UNTRUSTED_ADDRESSES below). If port forwarding is required, the firewall # must be started after the interfaces are brought up. This firewall's # installation procedure ensures that the firewall will be reloaded at all # the right times. # # Note: All addresses/aliases on an interface are treated equally. This is # justified by the fact that it is the interface that is trusted or # untrusted, not one of it's addresses. The real reason, however, is that # differentiating between aliases isn't well supported and it's only needed # for M:N NAPT. # Packets on trusted interfaces will be accepted (e.g. eth0 lo) TRUSTED_INTERFACES="lo" # Packets on untrusted interfaces will be filtered (e.g. ppp0) UNTRUSTED_INTERFACES="" # Identify the internal networks for use in spoof protection and masquerading. # Note: By default, fwup will use the addresses and network masks of the # trusted interfaces (except lo), including those of any aliases. This only # works if the trusted interfaces are up. If the firewall is to be started # before the trusted interfaces are up, identify the internal networks # explicitly. You also need to identify internal networks explicitly if # masquerading and there are multiple untrusted interfaces or there are # internal networks that are not directly connected, otherwise, fwup will # masquerade packets forwarded across internal, untrusted interfaces. # INTERNAL_NETWORKS="" # Identify the addresses of the untrusted interfaces iff the addresses of all # untrusted interfaces are statically known. Otherwise, fwup will determine # all of the addresses at runtime. If all of the untrusted addresses can be # specified here, it is safe to start the firewall just once, at boot time. # The format of UNTRUSTED_ADDRESSES is one word per untrusted interface. # Each word contains the address of the corresponding interface in # $UNTRUSTED_INTERFACES. If an interface has multiple addresses/aliases, # the word contains all of the addresses separated by commas. # UNTRUSTED_ADDRESSES="" # State which untrusted interfaces are connected to internal networks. This # prevents spoof protection from occurring on those interfaces. Otherwise, # private IP addresses would be blocked on internal interfaces. # INTERNAL_UNTRUSTED_INTERFACES="" # Identify the private networks that are illegal on the internet. You only # need to change this (removing certain items from the default, below) when # partitioning private netorks in which these addresses are used. # ILLEGAL_NETWORKS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" ############################################################################## # Network Topology # # Various network topologies are supported: standalone host, forwarding # host, simple masquerading host, simple port forwarding/masquerading host, # alias port porwarding host and static NAT host. The following sections # specify and configure this host's role in the network topology. # # Topology Required Variables # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Single Host # Forwarding FORWARDING="yes" # Masquerading MASQUERADING="yes" # Port Forwarding PORT_FORWARDING="yes" (implies MASQUERADING) # Alias Port Forwarding ALIAS_PORT_FORWARDING="yes" (implies PORT_FORWARDING) # Static NAT STATIC_NAT="yes" # ############################################################################## # Perimeter Network # # If there is a perimeter network, there will be two firewalls. The first # (on the router between the external network and the perimeter network) # should be a forwarding firewall. The second (on the router between the # perimeter network and the internal networks) should either be a forwarding # or a masquerading firewall. Consider using meta-firewall to manage the # two firewalls from the location of your choice. # ############################################################################## # Demilitarized Zone (DMZ) # # If there is a DMZ, the interface to it must be listed in the # UNTRUSTED_INTERFACES variable and rules to allow specific services across # that interface must be defined as described below (see Service Policy). # # It is assumed that traffic for the DMZ is not masqueraded. If traffic for # the private nmetworks is also not masqueraded, then the firewall can be # configured with FORWARDING="yes". # # If traffic for the private networks requires masquerading (consider # generic proxies instead), then the firewall must be configured with # MASQUERADING="yes" and the MASQUERADED_NETWORKS variable must contain the # private network addresses but not the DMZ network address. Otherwise, # leave the MASQUERADED_NETWORKS variable blank. # # Since traffic for the DMZ arrives at the external interface, that # interface will need rules pertaining to server hosts within the DMZ so # TARGET variables will need to be defined for the DMZ hosts (see Service # Policy). # # Also, the interface to the DMZ will need rules to specify the allowed DMZ # traffic. Note that the direction of services is the reverse of the normal # direction for external interfaces. To allow a DMZ host to receive a # request, the external interface requires an incoming service rule (for the # DMZ host's address) and the DMZ interface requires an outgoing service # rule. # # Also note that the concept of a DMZ used here is very different to # that used by some cable modem routers which seem to think that a DMZ # is a host on the local network that is completely unprotected from # the Internet. The DMZ is a public internal network that should be # protected from the Internet (as much as possible) and a network that # the rest of your network(s) must be protected from. # ############################################################################## # Single Host (no forwarding, no address/port translation) # # This is for a single host that connects to an external network. # ############################################################################## # Forwarding (no address/port translation) # # This is for a host that performs normal routing between internal and # external networks. # # Note: This is a good place to define TARGET variables (see Service Policy). # # FORWARDING="no" ############################################################################## # Masquerading (outgoing M:1 NAPT) # # This is for a host that needs to masquerade internal networks behind the # single IP address by which it is known to an external network. # # Note: Masquerading is only supported across one untrusted interface. If # there are multiple untrusted interfaces, the masquerading interface is the # one that appears first in $UNTRUSTED_INTERFACES. # # Note: Allowing outgoing services (with some exceptions) applies not only # to this host but also to all masqueraded hosts. If you need to restrict # certain internal, masqueraded hosts from using a particular incoming or # outgoing service, allow the service across the external interface, make # the internal network interface(s) untrusted, then disallow the service # to or from specific hosts across the internal interface. # MASQUERADING="no" # Unless all internal networks are to be masqueraded, specify those networks # that will be masqueraded. Any other internal networks (such as a DMZ) will # be forwarded normally. # Blank means all internal networks will be masqueraded. # MASQUERADED_NETWORKS="" # Timeouts used for masquerading (zero means leave timeout as it is) # Timeout in seconds for masqueraded tcp addresses # MASQ_TCP_TIMEOUT="0" # Timeout in seconds for masqueraded tcp addresses after receiving FIN # MASQ_TCPFIN_TIMEOUT="0" # Timeout in seconds for masqueraded udp addresses # MASQ_UDP_TIMEOUT="0" # Masquerading modules that need to be loaded. They will only be loaded once. # # Note: fwup doesn't contain rules for cuseeme, quake or vdolive so loading # the corresponding modules would be pointless. If you need them, add the # rules to fwup and please send me the patch. # MASQ_MODULES="" # e.g. # MASQ_MODULES="$MASQ_MODULES portfw" # MASQ_MODULES="$MASQ_MODULES mfw" # MASQ_MODULES="$MASQ_MODULES h323" # MASQ_MODULES="$MASQ_MODULES cuseeme" # MASQ_MODULES="$MASQ_MODULES ftp" # MASQ_MODULES="$MASQ_MODULES irc" # MASQ_MODULES="$MASQ_MODULES icq" # MASQ_MODULES="$MASQ_MODULES quake" # MASQ_MODULES_quake="26000,27000,27910,27960" # MASQ_MODULES="$MASQ_MODULES raudio" # MASQ_MODULES="$MASQ_MODULES user" # MASQ_MODULES="$MASQ_MODULES vdolive" # Extra modules support. # IPV4_MASQ_UDP_DEST_LOOSE="no" ############################################################################## # Port Forwarding (Masquerading + incoming 1:M NAPT) # # This is for a host that needs to masquerade internal networks behind the # single IP address by which it is known to an external network and to # forward incoming connections to certain ports at that address to internal # hosts. # # Note: Requires ipmasqadm. Implies MASQUERADING="yes". # # PORT_FORWARDING="no" # Specify (protocol, dstport, toaddr, toport, preference) tuples where # protocol and dstport identify the destination of an incoming packet (the # destination address is implicitly that/those of the untrusted/external # interface(s)) and toaddr and toport specify the internal address and port # to which the packet is to be forwarded and preference is the preference # given to each particular internal address. This can be useful for load # sharing. Unfortunately, due to the way in which port forwarding policy is # specifed, the preference is required even when it isn't useful. # PORTFW="" # e.g. PORTFW="$PORTFW tcp 80 10.0.0.1 80 10" # If you need to port forward a range of ports without changing the port # number, specify (protocol, portrange, toaddr) tuples where protocol and # portrange identify the destination of an incoming packet (the destination # address in implicitly that of the untrusted/external interface) and toaddr # specifies the internal address to which the packet is to be forwarded. # The portrange must be of the form #:# where each # represents the lowest # and highest ports in the range, respectively. There is no preference since # this behaviour can only be useful when port forwarding to a single internal # host. # PORTRANGEFW="" # e.g. PORTRANGEFW="$PORTRANGEFW tcp 4000:4400 10.0.0.1" ############################################################################## # Alias Port Forwarding (Masquerading + incoming N:M NAPT) # # This is for a host that needs to translate between real IP addresses by # which it is known to an external network (aliased to a single network # interface) and private IP addresses used by internal networks. # # Note: Requires iproute2. Implies PORT_FORWARDING="yes". # # ALIAS_PORT_FORWARDING="no" # Specify (protocol, dstaddr, dstport, toaddr, toport, preference) tuples # where protocol, dstaddr and dstport identify the destination of an # incoming packet (dstaddr must be one of the addresses/aliases of an # untrusted/interface interface) and toaddr and toport specify the internal # address and port to which the packet is to be forwarded. and preference is # the preference given to each particular internal address. This can be # useful for load sharing. Unfortunately, due to the way in which port # forwarding policy is specifed, the preference is required even when it # isn't useful. # ALIAS_PORTFW="" # e.g. ALIAS_PORTFW="$ALIAS_PORTFW tcp 222.222.222.222 80 10.0.0.1 80 10" ############################################################################## # Static NAT (incoming and outgoing 1:1 NAT) # # This is for a host that needs to perform static network address translation. # # Note: Requires iproute2. # # STATIC_NAT="no" # Specify (fromaddr, toaddr) tuples where fromaddr is the address to be # translated and toaddr is the address into which fromaddr is to be # translated. # NAT="" # e.g. NAT="$NAT 222.222.222.222 10.0.0.1" ############################################################################## # Redirecting # # This is for host's that perform transparent proxying. # # Note: Requires CONFIG_IP_TRANSPARENT_PROXY in kernel configuration. # # REDIRECTING="no" # Redirection occurs to packets as they arrive. Specify which network # interfaces packets will arrive on that need to be redirected. Usually, # this will be the same as the internal interfaces. # REDIRECT_INTERFACES="$TRUSTED_INTERFACES" # Specify (protocol, dstaddr, dstport, redirport) tuples where protocol is # either tcp or udp, dstaddr/dstport is the original destination of the # incoming packets to be redirected, and redirport is the port on the # localhost to which the packets are to be redirected. # REDIRECT="" # e.g. REDIRECT="$REDIRECT tcp $any 80 3128" ############################################################################## # Configure other kernel supplied protection # # Note: These should all be left alone unless your kernel doesn't support # something and you're sick of seeing the corresponding failure messages. A # better alternative, though, is to upgrade or reconfigure your kernel. # # IPV4_SPOOF_PROTECT="yes" # IPV4_SOURCE_ROUTE_PROTECT="yes" # IPV4_ICMP_REDIRECT_PROTECT="yes" # IPV4_TCP_SYN_COOKIE_PROTECT="yes" # IPV4_FRAGMENT_PROTECT="yes" # IPV4_ICMP_BROADCAST_ECHO_PROTECT="yes" # IPV4_BOGUS_ERROR_RESPONSE_PROTECT="yes" # IPV4_LOG_MARTIANS="yes" # Turn this on if you receive dynamic IP addresses from PPP or DHCP but only # if this is not a multi-homed host or router. It tells the kernel to fix # the source address of your packets if some software got it wrong by using # a previous address, say. This sort of behaviour can break a router. # IPV4_DYNADDR="no" ############################################################################## # Paranoia # # Disallow all packets between this network and untrusted networks # Note: This is not particularly useful. If it's really hostile, they can # spoof some other network's addresses anyway. In fact, they may have been # doing so all along. # UNTRUSTED_NETWORKS="" # Range of X Window server ports to avoid like the plague # XWIN_PORTS="6000:6063" # List of hosts that are allowed to connect to this host's X server. # Note: Don't use this. # Blank means no hosts. # XWIN_CLIENTS="" # List of X servers that this netowrk may connect to. # Note: Don't use this. # Blank means no hosts. # XWIN_SERVERS="" # List of other tcp ports to avoid like the plague (NFS, SOCKS, OpenWindows) # These will be blocked before anything else is accepted. # Note: You'll have to remove 2000:2010 from here for incoming ICQ but don't # do that. # EVIL_TCP_PORTS="2049 1080 2000:2010" # # e.g. The trojan cavalry (Note: Some of these will interfere with masquerading) # EVIL_TCP_PORTS="$EVIL_TCP_PORTS 2 24 30:31 41 48 50 59 99 121 133 142 146 170 334 420 421 456 510 531 555 605 666:667 669 692 777 808 911 999:1001 1010:1012 1015:1016 1019:1020 1024 1027 1029 1035 1042 1045 1049:1050 1054 1080:1083 1090 1095 1097:1099 1150:1151 1170 1207 1212 1234 1243 1245 1255:1256 1269 1313 1338 1492 1509 1524 1600 1777 1807 1966 1969 1981 1999 2023 2080 2115 2140 2155 2222 2255 2283 2300 2339 2345 2565 2583 2589 2600 2716 2773 2801 2989 3000 3024 3129 3148 3150 3456 3459 3700 3777 3791 3801 4000 4092 4242 4321 4444 4567 4590 4950 5000:5002 5010:5011 5025 5031:5032 5321 5333 5343 5400:5402 5512 5534 5550 5555:5557 5569 5636:5638 5742 5760 5880 5882 5888:5889 6006 6272 6400 6661 6666 6669:6671 6711:6713 6723 6771 6776 6883 6912 6939 6969:6970 7000:7001 7215 7300:7301 7306:7308 7424 7597 7626 7777 7789 7891 7983 8787 8988:8989 9000 9400 9872:9876 9878 9989 9998:10000 10005 10008 10067 10085 10086 10100:10101 10167 10520 10528 10607 10752 11000 11050:11051 11223 12076 12223 12345 12346 12349 12361:12363 12624 12631 12701 12754 12973 12975 13000 13010 13013:13014 13223 13473 14500:14503 15000 15092 15104 15382 15858 16484 16660 16772 16969 17166 17300 17449 17499:17500 17569 17593 17777 18959 19864 20000:20002 20005 20023:20034 20139 20331 20432 21544 21554 22222 23005:23006 23023 23032 23432 23456 23476 23477 23777 24000 25685 25686 25982 26681 27374 27573 27665 28678 29104 29369 29891 30000:30001 30003 30029 30100:30103 30133 30303 30464 30947 30999 31335:31339 31557 31666 31785 31787:31788 31789:31790 31791:31792 32001 32100 32418 32768 33270 33333 33567 33577 33777 33911 34324 34444 37237 37651 40412 40421:40423 40425:40426 41337 41666 44444 44575 46626 46882 49301 50130 50505 50766 51966 52317 53001 54283 54320 54321 55165:55166 57341 58339 60000:60001 60008 60068 60411 61348 61466 61603 63485 64101 65000 65390 65421 65432 65534 65535" # Note: You might also want to add 6667 here (SubSeven, NetBus, IRC used by # DDos Zombies but not if you use IRC), and 8080 (RingZero, Brown Orifice, but # not if need to use websites/proxies with this port). # List of particularly nasty udp ports to avoid like the plague. # These will be blocked before anything else is accepted. # EVIL_UDP_PORTS="" # # e.g. The trojan cavalry (Note: Some of these will interfere with masquerading) # EVIL_UDP_PORTS="$EVIL_UDP_PORTS 1 2 31 41 146 456 531 555 666 911 1001 1019 1170 1200 1201 1234 1245 1349 1492 1600 1807 1981 1999 2001 2023 2115 2140 2339 2565 2583 2801 2989 3024 3150 3700 3801 4092 4567 4950 5000:5001 5321 5400:5402 5555 5569 5742 5882 5888 6400 6670 6711 6838 6939 6969 7000 7301:7308 7424 7789 9325 9872 10067 10167 10520 10607 10666 11223 12223 12345 12361:12362 12623 12631 13000 16969 18753 20000:20001 20034 20433 21544 22222 23476 26274 27374 27444 28431 28432 29891 30103 31335 31337:31339 31666 31789 31791 33333 34324 34555 35555 40412 40421:40423 40426 47262 50505 50766 50776 53001 54321 61446 65000 65432 65532 65535" # Log all denied/rejected packets # Note: See below for blocking selected packets without logging them. # LOG="yes" # Set the blocking policies # Note: Some people prefer DENY for the input blocking policy because it makes # port scans take much longer (like a steering lock on a car). Others prefer # REJECT because it makes your network look dumb and hence less attractive to # attackers (ports look closed rather than filtered but only if you also allow # 3 (not just fragmentation-needed) in OTHER_OUTGOING_ICMP). # BLOCKIN="DENY" # BLOCKOUT="REJECT" # BLOCKFWD="REJECT" ############################################################################## # Service Policy # # Note: Services added to the "SERVICES" variable (below) will be permitted # on all interfaces listed in "UNTRUSTED_INTERFACES". This allows multiple, # untrusted interfaces to share the same policy. If you need each untrusted # interface to maintain unique policies, add services to the "SERVICES_#" # variables, where "#" is the number corresponding the relevant interface's # position within "UNTRUSTED_INTERFACES" (from 0 to 9). The same naming # scheme and semantics apply to the "*_SERVERS" and "*_CLIENTS" variables. # You can use any combination of numbered variables and their corresponding # un-numbered variables. The un-numbered variables will be used for all # untrusted interfaces. The numbered variables will only be used for their # corresponding interface. # # For example, the following would allow outgoing HTTP across all untrusted # interfaces, outgoing SMTP across untrusted interface 0 and incoming POP # across untrusted interface 1. # # SERVICES="$SERVICES ohttp" # SERVICES_0="$SERVICES_0 osmtp" # SERVICES_1="$SERVICES_1 ipop" # # Note: The SERVICES variables contain words of the form: service[.target] # (e.g. ihttp.www) where service is the name of a supported service and target # refers to the value of a target variable (e.g. TARGET_www) which contains # a set of IP addresses for which the service is to be allowed. If the target # is omitted from a SERVICES variable, the service will be allowed for all the # IP addresses of the corresponding untrusted interface. # # So if an interface has multiple addresses (a.k.a. IP Aliasing) and you # only want to allow a service for some of those addresses, you must # supply a target. For example, eth0 is 10.0.0.1, 10.0.0.2 and 10.0.0.3 # and you want to allow incoming HTTPS to 10.0.0.1 and 10.0.0.2 only: # # TARGET_wwwssl="10.0.0.1 10.0.0.2" # SERVICES="$SERVICES ihttps.wwwssl" # ############################################################################## # Incoming Client DNS # # Note: This is needed when this host runs a registered DNS server that can # be accessed by external hosts (resolvers or BIND 8 servers without # "query-source port 53"). For a bastion DNS slave server host, give access # to all hosts. For an internal DNS master server host, give access to the # bastion DNS server host for zone transfers if it runs BIND 8 without # "query-source port 53". However, it would be better for the bastion DNS # slave server to "query-source port 53" so that only incoming Server DNS # from the bastion host is required for this host. # # Open: tcp/53, udp/53 # SERVICES="$SERVICES icdns" # List of hosts which may connect to this host's DNS server. # Blank means all hosts. # ICDNS_CLIENTS="" ############################################################################## # Outgoing Client DNS # # Note: Don't use this. It leaves too many udp ports open. # Note: This is needed when this host's resolver queries external DNS # servers. This is also needed even when the resolver queries the local DNS # server if that server is BIND 8 without "query-source port 53". If the # resolver only queries the local DNS server which has been configured with # "query-source port 53", only outgoing Server DNS is required for this # host. # # Open: tcp(ack)/1024-4999,61000-65096 udp/1024-4999,61000-65096 # SERVICES="$SERVICES ocdns" # List of DNS servers to which this network may connect. # Blank means no hosts. # if [ -x "$awk_cmd" ] # then # OCDNS_SERVERS="`$awk_cmd '/^nameserver/ { if ($2 != "127.0.0.1") { printf "%s/32\n", $2 } }' /etc/resolv.conf`" # else # without awk # OCDNS_SERVERS="`grep '^nameserver' /etc/resolv.conf | sed -e 's/^nameserver //' -e 's/$/\/32/' | grep -v 127.0.0.1`" # fi ############################################################################## # Incoming Server DNS # # Note: This is only needed when this host runs a registered DNS server that # can be accessed by external DNS servers (BIND 4 servers and BIND 8 servers # with "query-source port 53"). For a bastion DNS slave server host, give # access to all hosts. For an internal DNS master server host, give access # to the bastion DNS slave server host for zone transfers if it runs BIND 4 # or BIND 8 with "query-source port 53". # # Open: tcp/53 udp/53 # SERVICES="$SERVICES isdns" # List of DNS server hosts which may connect to this host's DNS server. # Blank means all hosts. # ISDNS_CLIENTS="" ############################################################################## # Outgoing Server DNS # # Note: This is needed when this host runs a DNS server (BIND 4 or BIND 8 # with "query-source port 53") that queries external DNS servers. For an # internal host, forward all queries to a bastion (or your ISP's) DNS server # and give access to only those servers. For a bastion DNS server host, give # access to all hosts. # # Note: Unless $ALLOW_MASQUERADED_OSDNS is "yes", masquerading is ignored # for this service. It is assumed that the internal DNS server will reside # on this firewall host rather than on an internal, masqueraded host. # This allows us to avoid accepting packets to the masquerading ports # (i.e. 61000:65096) from hostile hosts that impersonate your external # DNS servers. # # Open (no $MASQUERADING): tcp(ack)/53 udp/53 # Open ($MASQUERADING and no $ALLOW_MASQUERADED_OSDNS): tcp(ack)/53 udp/53 # Open ($MASQUERADING and $ALLOW_MASQUERADED_OSDNS): tcp(ack)/53,61000-65096 udp/53,61000-65096 # SERVICES="$SERVICES osdns" # List of DNS server hosts to which this networks DNS servers may connect. # Blank means no hosts. # OSDNS_SERVERS="" ############################################################################## # Incoming SMTP # # Note: If this is a bastion host, run smap and permit all hosts to connect. # Otherwise, run smap and only permit connections from the bastion host. # # Open: tcp/25 # SERVICES="$SERVICES ismtp" # List of hosts which may connect to this host's SMTP server. # Blank means all hosts. # SMTP_CLIENTS="" ############################################################################## # Outgoing SMTP # # Note: If this host is a bastion, permit connections to all hosts, # otherwise only permit connections to the bastion host. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES osmtp" # List of SMTP servers to which this network may connect. # Blank means all hosts. # SMTP_SERVERS="" ############################################################################## # Incoming POP # # Note: This is an extremely bad idea since real user names and passwords # and private mail will be transmitted over the net in plaintext. Use # SSL-POP instead. # # Open: tcp/109-110 # SERVICES="$SERVICES ipop" # List of hosts which may connect to this host's POP server. # Blank means all hosts. # POP_CLIENTS="" ############################################################################## # Outgoing POP # # Note: This is an extremely bad idea when the user name and password or # people's private mail are too sensitive to be transmitted over the net in # plaintext. Use $EVIL_POP_SERVERS to deny such uses while allowing less # sensitive POP access. Use SSL-POP instead. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES opop" # List of POP servers to which this network may not connect (to prevent # plaintext password transmission). # Blank means no hosts. # EVIL_POP_SERVERS="" # List of POP servers to which this network may connect. # Blank means all hosts. # POP_SERVERS="" ############################################################################## # Incoming IMAP # # Note: This is an extremely bad idea if any external IMAP clients or # internal IMAP servers don't support and use the "AUTHENTICATE" command # instead of the "LOGIN" command since user names, passwords and people's # private mail will be transmitted over the net in plaintext. Use SSL-IMAP # instead. # # Open: tcp/143 # SERVICES="$SERVICES iimap" # List of hosts which may connect to this host's IMAP server. # Blank means all hosts. # IMAP_CLIENTS="" ############################################################################## # Outgoing IMAP # # Note: This is an extremely bad idea if any internal IMAP clients or # external IMAP servers don't support and use the "AUTHENTICATE" command # instead of the "LOGIN" command since user names, passwords and people's # private mail will be transmitted over the net in plaintext. Use # $EVIL_IMAP_SERVERS to deny such uses while allowing less sensitive IMAP # access. Use SSL-IMAP instead. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES oimap" # List of IMAP servers to which this network may not connect (to prevent # plaintext password transmission). # Blank means no hosts. # EVIL_IMAP_SERVERS="" # List of IMAP servers to which this network may connect. # Blank means all hosts. # IMAP_SERVERS="" ############################################################################## # Incoming LDAP # # Note: Don't allow this across a firewall if your ldap server contains # information that the world at large does not need to see. This should # probably only be used for public key servers. Otherwise, use SSL-LDAP. # # Open: tcp/389 # SERVICES="$SERVICES ildap" # List of hosts which may connect to this host's LDAP server. # Blank means all hosts. # LDAP_CLIENTS="" ############################################################################## # Outgoing LDAP # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES oldap" # List of LDAP servers to which this network may connect. # Blank means all hosts. # LDAP_SERVERS="" ############################################################################## # Incoming SSL-POP # # Open: tcp/995 # SERVICES="$SERVICES ispop" # List of hosts which may connect to this host's SSL-POP server. # Blank means all hosts. # SPOP_CLIENTS="" ############################################################################## # Outgoing SSL-POP # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES ospop" # List of SSL-POP servers to which this network may connect. # Blank means all hosts. # SPOP_SERVERS="" ############################################################################## # Incoming SSL-IMAP # # Open: tcp/993 # SERVICES="$SERVICES isimap" # List of hosts which may connect to this host's SSL-IMAP server. # Blank means all hosts. # SIMAP_CLIENTS="" ############################################################################## # Outgoing SSL-IMAP # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES osimap" # List of SSL-IMAP servers to which this network may connect. # Blank means all hosts. # SIMAP_SERVERS="" ############################################################################## # Incoming SSL-LDAP # # Open: tcp/636 # SERVICES="$SERVICES isldap" # List of hosts which may connect to this host's SSL-LDAP server. # Blank means all hosts. # SLDAP_CLIENTS="" ############################################################################## # Outgoing SSL-LDAP # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES osldap" # List of SSL-LDAP servers to which this network may connect. # Blank means all hosts. # SLDAP_SERVERS="" ############################################################################## # Incoming SSH1 # # Note: Permit this rather than telnet or ftp. You can restrict this to # specific, trusted hosts. # # Open: tcp/22 # SERVICES="$SERVICES issh1" # List of hosts which may connect to this host's SSH1 server. # Blank means all hosts. # SSH1_CLIENTS="" ############################################################################## # Outgoing SSH1 # # Note: Permit this rather than telnet or ftp. You can restrict this to # specific, trusted hosts. # # Open: tcp(ack)/513-1023,61000-65096 # SERVICES="$SERVICES ossh1" # List of SSH1 servers to which this network may connect. # Blank means all hosts. # SSH1_SERVERS="" ############################################################################## # Incoming SSH2/LSH # # Note: Permit this rather than telnet or ftp. You can restrict this to # specific, trusted hosts. # # Open: tcp/22 # SERVICES="$SERVICES issh2" # List of hosts which may connect to this host's SSH2 server. # Blank means all hosts. # SSH2_CLIENTS="" ############################################################################## # Outgoing SSH2/LSH # # Note: Permit this rather than telnet or ftp. You can restrict this to # specific, trusted hosts. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES ossh2" # List of SSH2 servers to which this network may connect. # Blank means all hosts. # SSH2_SERVERS="" ############################################################################## # Incoming Normal/Passive FTP # # Note: This is an extremely bad idea if this host is running a # non-anonymous FTP server since real user names, passwords and private # files will be transmitted over the net in plaintext. Use rsync over ssh # instead. This should only be used on a bastion host running an anonymous # FTP server. # # Also, incoming passive mode ftp is an extremely bad idea since it may # allow any host to connect to any tcp port above 1023. # # Open (normal): tcp/21 tcp(ack)/1024-4999,61000-65096 # Open (passive): tcp/21,1024-4999 # SERVICES="$SERVICES inftp" # SERVICES="$SERVICES ipftp" # List of hosts which may connect to this host's FTP server. # Blank means all hosts. # FTP_CLIENTS="" ############################################################################## # Outgoing Normal/Passive FTP # # Note: This is an extremely bad idea if used for non-anonymous FTP access # since real user names, passwords and private files will be transmitted # over the net in plaintext. Use $EVIL_FTP_SERVERS to deny such uses and # require that users use rsync over ssh instead. # # Also, outgoing normal mode ftp is an extremely bad idea since it allows # any host to connect to any tcp port above 1023. Instead, restrict # connections to a bastion host running an FTP proxy. # # Also, outgoing passive mode ftp is bad because it allows client hosts # to connect to any external host on any tcp port above 1023. This defeats # egress filtering and allows trojans to function unhindered. Instead, # restrict connections to a bastion host running an FTP proxy. Or at least # turn on tcp trojan blocking above (EVIL_TCP_PORTS). # # Open (normal): tcp/1024-4999 tcp(ack)/1024-4999,61000-65096 # Open (passive): tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES onftp" # SERVICES="$SERVICES opftp" # List of non-anonymous FTP servers to which this network may not connect # (to prevent plaintext password transmission). # Blank means no hosts. # EVIL_FTP_SERVERS="" # List of FTP servers to which this network may connect. # Blank means all hosts. # FTP_SERVERS="" ############################################################################## # Incoming TELNET # # Note: This is an extremely bad idea since real user names, passwords and # login sessions will be transmitted over the net in plaintext. Require that # users use ssh instead. # # Open: tcp/23 # SERVICES="$SERVICES iteln" # List of hosts which may connect to this host's TELNET server. # Blank means no hosts. # TELNET_CLIENTS="" ############################################################################## # Outgoing TELNET # # Note: This is an extremely bad idea since real user names, passwords and # login sessions will be transmitted over the net in plaintext. Require that # users use ssh instead. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES oteln" # List of TELNET servers to which this network may not connect (to prevent # plaintext password transmission). # Blank means no hosts. # EVIL_TELNET_SERVERS="" # List of TELNET servers to which this network may connect. # Blank means all hosts. # TELNET_SERVERS="" ############################################################################## # Incoming HTTP # # Note: Only run public HTTP servers on bastion hosts. # # Open: tcp/80 # SERVICES="$SERVICES ihttp" # Allowable HTTP server port numbers for this host. # Blank means no ports. # INTERNAL_HTTP_PORTS="80" ############################################################################## # Outgoing HTTP # # Note: You can limit HTTP connections to certain ports on external hosts # with $EXTERNAL_HTTP_PORTS. By default, this is "80 81 800 8000 8080 8088". # It is safe to make $EXTERNAL_HTTP_PORTS empty, permitting local clients to # connect to any port (potentially an HTTP server) on any host and receive # the responses but you'd be better off using a caching HTTP proxy on a # bastion host anyway. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES ohttp" # Allowable port numbers for external HTTP servers (this is stupid, use a proxy). # Blank means all ports. # EXTERNAL_HTTP_PORTS="80 81 800 8000 8080 8088" ############################################################################## # Incoming HTTPS # # Note: Only run public HTTPS servers on bastion hosts. # # Open: tcp/443 # SERVICES="$SERVICES ihttps" # Allowable HTTPS port numbers for this host. # Blank means no ports. # INTERNAL_HTTPS_PORTS="443" ############################################################################## # Outgoing HTTPS # # Note: You can limit HTTPS connections to certain ports on external hosts # with $EXTERNAL_HTTPS_PORTS. By default, this is "443". It is safe to make # $EXTERNAL_HTTPS_PORTS empty, permitting local clients to connect to any # port (potentially an HTTPS server) on any host and receive the responses # but you'd be better off using a caching HTTPS proxy on a bastion host # anyway. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES ohttps" # Allowable port numbers for external HTTPS servers (this is stupid, use a proxy) # Blank means all ports. # EXTERNAL_HTTPS_PORTS="443" ############################################################################## # Incoming HTTP PROXY # # Note: You need this if your web proxy is internal and it has external # clients (don't do that), or if this host is a bastion and the interface # being filtered connects to the internal network. # # Open: tcp/8080 # SERVICES="$SERVICES iproxy" # List of hosts which may connect to this host's web proxy server. # Blank means no hosts. # INTERNAL_HTTP_PROXY_CLIENTS="" # Allowable port numbers for this host's web proxy server. # Blank means no ports. # INTERNAL_HTTP_PROXY_PORTS="8080" ############################################################################## # Outgoing HTTP PROXY # # Note: You need this if your HTTP PROXY is running on a bastion host. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES oproxy" # List of HTTP PROXY servers to which this network may connect. # Blank means no hosts. # EXTERNAL_HTTP_PROXY_SERVERS="" # Allowable port numbers for external HTTP PROXY servers. # Blank means all no ports. # EXTERNAL_HTTP_PROXY_PORTS="8080" ############################################################################## # Incoming SQUID # # Open: tcp/3128,3130,4287 # # SERVICES="$SERVICES isquid" # List of hosts which may connect to this host's squid server. # Blank means all hosts. # SQUID_CLIENTS="" # List of squid children that connect to this host's ICP port. # Blank means no hosts. # ICP_CLIENTS="" # List of squid children that connect to this host's HTCP port. # Blank means no hosts. # HTCP_CLIENTS="" ############################################################################## # Outgoing SQUID # # Open: tcp(ack)/1024-4999,61000-65096 udp/1024-4999,61000-65096 # # SERVICES="$SERVICES osquid" # List of SQUID servers to which this network may connect. # Blank means no hosts. # SQUID_SERVERS="" # List of SQUID parents using ICP to which this network may connect. # Blank means no hosts. # ICP_SERVERS="" # List of SQUID parents using HTCP to which this network may connect. # Blank means no hosts. # HTCP_SERVERS="" # The NLANR registrar host (sd.cache.nlanr.net). # Blank means no hosts. # NLANR_REGISTRAR="" ############################################################################## # Incoming NNTP # # Note: Don't run an NNTP server on a bastion host. Run it on an internal # host and only permit connections from trusted external NNTP servers. # # Open: tcp/119 # SERVICES="$SERVICES inntp" # List of hosts which may connect to this host's NNTP server. # Blank means no hosts. # NNTP_CLIENTS="" ############################################################################## # Outgoing NNTP # # Note: Only permit NNTP connections to trusted external NNTP servers. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES onntp" # List of NNTP servers to which this network may connect. # Blank means no hosts. # NNTP_SERVERS="" ############################################################################## # Incoming RSYNC # # Note: Don't allow this over a firewall. Use rsync over ssh instead. # # Open: tcp/873 # SERVICES="$SERVICES irsync" # List of hosts which may connect to this host's RSYNC server. # Blank means no hosts. # RSYNC_CLIENTS="" ############################################################################## # Outgoing RSYNC # # Note: Don't allow this over a firewall. Use rsync over ssh instead. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES orsync" # List of RSYNC servers to which this network may connect. # Blank means no hosts. # RSYNC_SERVERS="" ############################################################################## # Incoming CVS # # Note: Don't allow this over a firewall. Use rsync over ssh instead. # # Open: tcp/2401 # SERVICES="$SERVICES icvs" # List of hosts which may connect to this host's CVS server. # Blank means no hosts. # CVS_CLIENTS="" ############################################################################## # Outgoing CVS # # Note: Don't allow this over a firewall. Use rsync over ssh instead. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES ocvs" # List of CVS servers to which this network may connect. # Blank means no hosts. # CVS_SERVERS="" ############################################################################## # Incoming GNATS # # Open: tcp/1529 # SERVICES="$SERVICES ignats" # List of hosts which may connect to this host's GNATS server. # Blank means no hosts. # GNATS_CLIENTS="" ############################################################################## # Outgoing GNATS # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES ognats" # List of GNATS servers to which this network may connect. # Blank means no hosts. # GNATS_SERVERS="" ############################################################################## # Incoming MYSQL # # Open: tcp/3306 # SERVICES="$SERVICES imysql" # List of hosts which may connect to this host's MYSQL server. # Blank means no hosts. # MYSQL_CLIENTS="" ############################################################################## # Outgoing MYSQL # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES omysql" # List of MYSQL servers to which this network may connect. # Blank means no hosts. # MYSQL_SERVERS="" ############################################################################## # Incoming SMB # # Note: This is probably a bad idea over a firewall. # # Open: tcp/139 udp/137-138 # SERVICES="$SERVICES ismb" # List of hosts which may connect to this host's SMB server. # Blank means no hosts. # SMB_CLIENTS="" ############################################################################## # Outgoing SMB # # Note: This is probably a bad idea over a firewall. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES osmb" # List of SMB servers to which this network may connect. # Blank means no hosts. # SMB_SERVERS="" ############################################################################## # Incoming IRC # # Note: If this host runs an internal IRC server, make sure it can't # communicate with external IRC servers or it will attach itself to the IRC # spanning tree through which this host can be attacked. Also, DCC # connections between IRC clients isn't supported because it's a very bad # idea across a firewall. # # Open: tcp/6667 # SERVICES="$SERVICES iirc" # List of hosts which may connect to this host's IRC server. # Blank means all hosts. # IRC_CLIENTS="" ############################################################################## # Outgoing IRC # # Note: IRC clients can be dangerous and you shouldn't allow IRC across a # firewall. It's best to run them on a victim host. Also, DCC connections # between IRC clients isn't supported because it's a very bad idea across a # firewall. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES oirc" # List of IRC servers to which this network may connect. # Blank means all hosts. # IRC_SERVERS="" ############################################################################## # Incoming ICQ # # Note: Don't allow this through a firewall. ICQ is dangerous. Run ICQ # servers on an external victim host. # # Open: tcp/2000-4000 udp/4000 # SERVICES="$SERVICES iicq" # List of hosts which may connect to this host's ICQ server. # Blank means all hosts. # ICQ_CLIENTS="" ############################################################################## # Outgoing ICQ # # Note: Don't allow this through a firewall. ICQ is dangerous. Run ICQ # clients on an external victim host. # # Open: tcp(ack)/1024-4999,61000-65096 udp/1024-4999,61000-65096 # SERVICES="$SERVICES oicq" # List of ICQ servers to which this network may connect. # Blank means all hosts. # ICQ_SERVERS="" ############################################################################## # Incoming RealAudio/QuickTime # # Note: Don't allow this through a firewall. You probably don't need it. It's # a bad idea since it leaves all the udp ports open. # # Open: tcp/554,7070-7071 udp/1024-4999 # SERVICES="$SERVICES ireal" # List of hosts which may connect to this host's RealAudio server. # Blank means all hosts. # REALAUDIO_CLIENTS="" ############################################################################## # Outgoing RealAudio/QuickTime # # Note: You may need to load the radio masquerading module (see $MASQ_MODULES). # This is a bad idea since it leaves many udp ports open. # # Open: tcp(ack)/1024-4999,61000-65096 udp/6970-6999,61000-65096 # SERVICES="$SERVICES oreal" # List of Realaudio servers that this network may connect to. # Blank means all hosts. # REALAUDIO_SERVERS="" ############################################################################## # Incoming VNC # # Note: VNC provides remote control of other hosts so don't allow it across # a firewall. If you need to run internal VNC servers, restrict access to # known clients. Also, there is a known current vulnerability in the # authorisation mechanism used. # # Open: tcp/5800-5801,5900-5902 # SERVICES="$SERVICES ivnc" # List of hosts which may connect to local VNC servers. # Blank means no hosts. # VNC_CLIENTS="" # Ports used by the local VNC servers (determined by number of displays) # INCOMING_VNC_PORTS="5800:5801 5900:5902" ############################################################################## # Outgoing VNC # # Note: Permit this if you need to remotely control external hosts running # VNC servers. # # Open: tcp/1024-4999,61000-65096 # SERVICES="$SERVICES ovnc" # List of VNC servers to which this network may connect. # Blank means all hosts. # VNC_SERVERS="" # Ports used by external VNC servers (determined by number of displays) # OUTGOING_VNC_PORTS="5800:5801 5900:5902" ############################################################################## # Incoming REACHOUT # # Note: REACHOUT provides remote control of other hosts so don't allow it # across a firewall. If you need to run internal REACHOUT servers, restrict # access to known clients. # # Open: tcp/43188 # SERVICES="$SERVICES ireach" # List of hosts which may connect to local REACHOUT servers. # Blank means no hosts. # REACHOUT_CLIENTS="" ############################################################################## # Outgoing REACHOUT # # Note: Permit this if you need to remotely control external hosts running # REACHOUT servers. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES oreach" # List of REACHOUT servers to which this network may connect. # Blank means all hosts. # REACHOUT_SERVERS="" ############################################################################## # Incoming PCANYWHERE # # Note: This is inherently dangerous so limit it to specific hosts. # # Open: tcp/5631, udp/5632 # SERVICES="$SERVICES ipcany" # List of hosts which may connect to local PC ANYWHERE servers. # Blank means no hosts. # PCANYWHERE_CLIENTS="" ############################################################################## # Outgoing PCANYWHERE # # Note: This uses udp so limit it to specific hosts. # # Open: tcp(ack)/1024-4999,61000-65096, udp/1024-4999,61000-65096 # SERVICES="$SERVICES opcany" # List of PC ANYWHERE servers to which this network may connect. # Blank means no hosts. # PCANYWHERE_SERVERS="" ############################################################################## # Incoming WINDOWS TERMINAL SERVER # # Note: This is inherently dangerous so limit it to specific hosts. # # Open: tcp/3389 # SERVICES="$SERVICES iwterm" # Lists of hosts which may connect to local WINDOWS TERMINAL SERVER servers. # Blank means no hosts. # WINTERM_CLIENTS="" ############################################################################## # Outgoing WINDOWS TERMINAL SERVER # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES owterm" # Lists of WINDOWS TERMINAL SERVER servers to which this network may connect. # Blank means all hosts. # WINTERM_SERVERS="" ############################################################################## # Incoming NTP # # Note: Only permit this if this host is running a public NTP server. If # it's an internal host, only permit connections from a proxy NTP server # running on a bastion host. # # Open: udp/123 # SERVICES="$SERVICES intp" # List of hosts which may connect to this host's NTP server. # Blank means all hosts. # NTP_CLIENTS="" ############################################################################## # Outgoing NTP # # Note: Permit this if you synchronize your network from external NTP # servers. Restrict NTP connections to only those NTP servers. # # Open: udp/123,1024-4999,61000-65096 # SERVICES="$SERVICES ontp" # List of NTP servers to which this network may connect. # Blank means no hosts. # NTP_SERVERS="" ############################################################################## # Incoming DAYTIME (RFC 867) # # Note: Only permit this if this host is running a public DAYTIME server. If # it's an internal host, only permit connections from a proxy DAYTIME server # running on a bastion host. # # Open: tcp/13, udp/13 # SERVICES="$SERVICES idayt" # List of hosts which may connect to this host's DAYTIME server. # Blank means all hosts. # DAYTIME_CLIENTS="" ############################################################################## # Outgoing DAYTIME (RFC 867) # # Note: Permit this if you synchronize your network from external DAYTIME # servers (e.g. time-b.nist.gov). Restrict DAYTIME connections to only those # DAYTIME servers because it leaves many UDP ports open. # # Open: tcp(ack)/1024-4999,61000-65096, udp/1024-4999,61000-65096 # SERVICES="$SERVICES odayt" # List of DAYTIME servers to which this network may connect. # Blank means no hosts. # DAYTIME_SERVERS="" ############################################################################## # Incoming TIME (RFC 868) # # Note: Only permit this if this host is running a public TIME server. If # it's an internal host, only permit connections from a proxy TIME server # running on a bastion host. # # Open: tcp/37, udp/37 # SERVICES="$SERVICES itime" # List of hosts which may connect to this host's TIME server. # Blank means all hosts. # TIME_CLIENTS="" ############################################################################## # Outgoing TIME (RFC 868) # # Note: Permit this if you synchronize your network from external TIME # servers (e.g. time.nist.gov). Restrict TIME connections to only those # TIME servers because it leaves many UDP ports open. # # Open: tcp(ack)/1024-4999,61000-65096, udp/1024-4999,61000-65096 # SERVICES="$SERVICES otime" # List of TIME servers to which this network may connect. # Blank means no hosts. # TIME_SERVERS="" ############################################################################## # Incoming GOPHER # # Note: Don't use this. It's for GOPHER servers. I'm just being silly. If # you must run a public GOPHER server, run it on a bastion host. # # Open: tcp/70 # SERVICES="$SERVICES igoph" # Allowable GOPHER server port numbers for this host. # Blank means no ports. # INTERNAL_GOPHER_PORTS="70" ############################################################################## # Outgoing GOPHER # # Note: Don't use this. Use an HTTP-GOPHER gateway. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES ogoph" # Allowable port numbers for external GOPHER servers (this is stupid, use a proxy). # Blank means all ports. # EXTERNAL_GOPHER_PORTS="70" ############################################################################## # Incoming WAIS # # Note: Don't use this. It's for WAIS servers. I'm just being silly. If you # must run a public WAIS server, run it on a bastion host. # # Open: tcp/210 # SERVICES="$SERVICES iwais" # Allowable WAIS server port numbers for this host. # Blank means no ports. # INTERNAL_WAIS_PORTS="210" ############################################################################## # Outgoing WAIS # # Note: Don't use this. Use an HTTP-WAIS gateway instead. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES owais" # Allowable port numbers for external WAIS servers (this is stupid, use a proxy). # Blank means all ports. # EXTERNAL_WAIS_PORTS="210" ############################################################################## # Outgoing ARCHIE # # Note: Don't use this. Use an HTTP-ARCHIE gateway instead. If you must # permit this, restrict it to the well known ARCHIE servers. # # Open: udp/1024-4999,61000-65096 # SERVICES="$SERVICES oarch" # List of ARCHIE servers to which this network may connect. # Blank means no hosts. # ARCHIE_SERVERS="" # These are the archie servers I found that seem to be operational # ARCHIE_SERVERS="193.63.255.1 195.139.251.51 130.54.23.62 213.188.8.51 140.115.1.72 130.206.1.5 165.230.4.73 195.176.255.9 140.111.1.10 213.188.8.51 203.178.136.180" # These are their names (for dns2ip when the above IP addresses go stale) # ARCHIE_SERVERS="archie.doc.ic.ac.uk archie.funet.fi archie.kuis.kyoto-u.ac.jp archie.luth.se archie.ncu.edu.tw archie.rediris.es archie.rutgers.edu archie.switch.ch archie.twnic.net archie.uninett.no archie.wide.ad.jp" ############################################################################## # Incoming FINGER # # Note: Only run a public (secure) FINGER server on a bastion host. # # Open: tcp/79 # SERVICES="$SERVICES ifing" # List of hosts which may connect to this host's FINGER server. # Blank means all hosts. # FINGER_CLIENTS="" ############################################################################## # Outgoing FINGER # # Note: Make sure this host's finger clients can handle non-printable # characters in FINGER output otherwise programmable terminals may get # themselves reprogrammed. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES ofing" # List of FINGER servers to which this network may connect. # Blank means all hosts. # FINGER_SERVERS="" ############################################################################## # Outgoing WHOIS # # Note: Restrict WHOIS connections to the well known WHOIS servers. # Do not run a WHOIS server. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES owhois" # List of WHOIS servers to which this network may connect. # Blank means all hosts. # WHOIS_SERVERS="" ############################################################################## # Incoming AUTH # # Note: Permitting this speeds up outgoing SMTP and FTP communications since # some SMTP and FTP servers attempt to identify their clients. However, # handing out local user names to anonymous FTP servers is not necessarily a # good idea. See man identd for details. Another way to speed these services # up is to allow incoming AUTH connections here but don't run identd. # # Open: tcp/113 # SERVICES="$SERVICES iauth" # List of hosts which may connect to this host's AUTH server. # Blank means all hosts. # AUTH_CLIENTS="" ############################################################################## # Outgoing AUTH # # Note: It is safe to permit this except that it may be used by local # attackers to gain information about external hosts. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES oauth" # List of AUTH servers to which this network may connect. # Blank means all hosts. # AUTH_SERVERS="" ############################################################################## # Incoming NOTES # # Note: You only need this if external Lotus Notes servers connect to # internal Lotus Notes servers. # # Open: tcp/1352 # SERVICES="$SERVICES inotes" # List of hosts which may connect to this host's NOTES server. # Blank means all hosts. # NOTES_CLIENTS="" ############################################################################## # Outgoing NOTES # # Note: You only need this if internal Lotus Notes servers connect to # external Lotus Notes servers. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES onotes" # List of NOTES servers to which this network may connect. # Blank means all hosts. # NOTES_SERVERS="" ############################################################################## # Client DIALPAD # # Note: You only need this if you use the internet telephony service provided # by www.dialpad.com. Check http://www.dialpad.com/support/helpsys.html#firewall # for updates to the list of dialpad networks used below. # # Note: If your dialpad software runs on an mswin host (almost certainly) # and it's in a masqueraded network, you'll need to port forward # udp/51200:51201 and tcp/51210 to that host (see $PORTFW). # # Open: tcp(ack)/1024-4999,61000-65096, tcp/51210, udp/51200-51201 # SERVICES="$SERVICES cdial" # List of hosts which may connect to this host's DIALPAD client. # Blank means all hosts. # DIALPAD_SERVERS="4.2.40.0/24 4.2.42.0/24 4.2.46.0/24 4.2.47.0/24 4.2.54.0/24 4.2.64.0/24 4.2.68.0/24 4.2.74.0/24 63.74.89.0/24 209.191.173.0/24 216.52.249.0/24" # e.g. # PORTFW="$PORTFW tcp 51210 $target 51210 10" # PORTFW="$PORTFW udp 51200 $target 51200 10" # PORTFW="$PORTFW udp 51201 $target 51201 10" ############################################################################## # Client WEBPHONE # # Note: You only need this if you use the internet telephony service provided # by the webphone software (www.webphone.com). # # Note: If your webphone software runs on an mswin host (almost certainly) and # it's in a masqueraded network, you probably need to port forward tcp/21845 # and udp/21845 to that host (see $PORTFW). # # Open: tcp(ack)/1024-499,61000-65096, tcp/21845, udp/21845 # SERVICES="$SERVICES cwbfn" # List of hosts which may communicate with local WEBPHONE software. # Blank means no hosts. # WEBPHONE_PEERS="" # e.g. # PORTFW="$PORTFW tcp 21845 $target 21845 10" # PORTFW="$PORTFW udp 21845 $target 21845 10" ############################################################################## # Client NET2PHONE # # Note: You only need this if you use the internet telephony service provided # by www.net2phone.com. There may be other sites that provide this service # using the same protocol. # # Note: If your net2phone client runs on an mswin host (almost certainly) and # it's in a masqueraded network, you probably need to port forward the ports # specified in $NET2PHONE_UDP_PORT and $NET2PHONE_TCP_PORT to that host # (see $PORTFW). # # Open: tcp(ack)/1024-4999,61000-65096, tcp/6802, udp/6801-6802 # SERVICES="$SERVICES cnt2fn" # List of hosts which may communicate with the local NET2PHONE client. # Blank means no hosts. # NET2PHONE_PEERS="" # TCP/UDP port pair needed by NET2PHONE. # You must inform your NET2PHONE client software of these ports. # Blank means 6802 for both. # NET2PHONE_TCP_PORT="" # NET2PHONE_UDP_PORT="" # e.g. # PORTFW="$PORTFW tcp $NET2PHONE_TCP_PORT $target $NET2PHONE_TCP_PORT 10" # PORTFW="$PORTFW udp $NET2PHONE_UDP_PORT $target $NET2PHONE_UDP_PORT 10" ############################################################################## # Client HOTTELEPHONE/WEB2CALL # # Note: You only need this if you use the internet telephony service provided # by www.hottelephone.com and www.web2call.com. There may be other sites that # provide this service using the same protocol. # # Note: If your hottelephone/web2call client runs on an mswin host (almost # certainly) and it's in a masqueraded network, you probably need to port # forward tcp/1720, udp/1717-1719 and the udp ports specified in $RTP_PORTS # to that host (see $PORTRANGEFW) and load the h323 masquerading module (see # $MASQ_MODULES). # # Note: Don't use this. It leaves far too many ports open. $RTP_PORTS # contains a port range starting at 4000 that contains either 400, 800, # 1200 or 1600 ports. So there will be at least 400 and up to 1600 ports # open! If you must use this service, only allow in on a victim host. # # Open: tcp(ack)/1024-4999,61000-65096, tcp/1720, udp/1717-1719,4000-5600 # SERVICES="$SERVICES chotel" # List of hosts which may communicate with the local HOTTELEPHONE client. # Blank means no hosts. # HOTTELEPHONE_PEERS="" # List of UDP ports to use for the RTP (Real Time Protocol). # Possible values are shown below. # Blank means 4000:4400. # RTP_PORTS="4000:4400" # For 1 E1 # RTP_PORTS="4000:4800" # For 2 E1 # RTP_PORTS="4000:5200" # For 3 E1 # RTP_PORTS="4000:5600" # For 4 E1 # e.g. # PORTFW="$PORTFW tcp 1720 $TARGET_phone 1720 10" # PORTFW="$PORTFW udp 1717 $TARGET_phone 1717 10" # PORTFW="$PORTFW udp 1718 $TARGET_phone 1718 10" # PORTFW="$PORTFW udp 1719 $TARGET_phone 1719 10" # PORTRANGEFW="$PORTRANGEFW udp $RTP_PORTS $TARGET_phone" ############################################################################## # Incoming NETMEETING # # Note: Don't use this except on a victim host. This application is extremely # dangerous in that it can allow outsiders to exert control over your pc!!! # # Note: If you allow the audio/video conferencing features of netmeeting, it # will also require all unprivileged tcp and udp ports be open to incoming # connections! # # Note: If the host running netmeeting is in a masqueraded network and you # allow audio/video conferencing, you probably need to port forward all # unprivileged tcp and udp ports to the mswin host running netmeeting # (see $PORTRANGEFW) and load the h323 masquerading module (see $MASQ_MODULES). # Otherwise (when masquerading), only tcp/522,1503 need to be port forwarded # to the netmeeting host and the h323 module does not need to be loaded. # # Note: You might also need to allow incoming LDAP. # # Open (no A/V): tcp/522,1503 # Open (with A/V): tcp/1024-65535, udp/1024-65535 # SERVICES="$SERVICES intmt" # Allow audio/video conferences and open all unprivileged tcp and udp ports? # INCOMING_NETMEETING_AUDIO_VISUAL_CONFERENCING="no" # List of hosts which may connect to the local netmeeting software. # Blank means no hosts. # NETMEETING_CLIENTS="" # e.g. (without audio/video conferencing) # PORTFW="$PORTFW tcp 522 $target 522 10" # PORTFW="$PORTFW tcp 1503 $target 1503 10" # # e.g. (with audio/video conferencing) # PORTRANGEFW="$PORTRANGEFW tcp 1024: $target" # PORTRANGEFW="$PORTRANGEFW udp 1024: $target" ############################################################################## # Outgoing NETMEETING # # Note: Don't use this except on a victim host. This application is extremely # dangerous in that it can allow outsiders to exert control over your pc!!! # # Note: If you allow the audio/video conferencing features of netmeeting, it # will also require all unprivileged udp ports be open to incoming packets! # # Note: If the host running netmeeting is in a masqueraded network and you # allow audio/video conferencing, you probably need to port forward all # unprivileged udp ports to the mswin host running netmeeting (see # $PORTRANGEFW) and load the h323 masquerading module (see $MASQ_MODULES). # Otherwise no ports need to be port forwarded and the h323 module does not # need to be loaded. # # Note: You might also need to allow outgoing LDAP. # # Open (no A/V): tcp(ack)/1024-4999,61000-65096 # Open (with A/V): tcp(ack)/1024-4999,61000-65096, udp/1024-4999,61000-65096 # SERVICES="$SERVICES ontmt" # Allow audio/video conferences and open all unprivileged udp ports? # OUTGOING_NETMEETING_AUDIO_VISUAL_CONFERENCING="no" # List of hosts to which the local netmeeting software may connect. # Blank means no hosts. # NETMEETING_SERVERS="" # e.g. (with audio/video conferencing) # PORTRANGEFW="$PORTRANGEFW tcp 1024: $target" # PORTRANGEFW="$PORTRANGEFW udp 1024: $target" ############################################################################## # Incoming SYSLOG # # Note: Only use this to collect syslog messages from a bastion host. # # Open: udp/514 # SERVICES="$SERVICES ilog" # List of hosts which may connect to this host's SYSLOG server. # Blank means no hosts. # SYSLOG_CLIENTS="" ############################################################################## # Outgoing SYSLOG # # Note: Only use this to send syslog messages from the bastion host to an # internal host. # # Open: none # SERVICES="$SERVICES olog" # List of SYSLOG servers to which this network may connect. # Blank means no hosts. # SYSLOG_SERVERS="" ############################################################################## # DHCP Server # # Note: You probably don't need this. # # Open: udp/67 # SERVICES="$SERVICES sdhcp" # List of DHCP servers with which this network may communicate. # Blank means all hosts. # DHCP_CLIENTS="" ############################################################################## # DHCP Client # # Note: Only allow DHCP traffic to/from trusted external DHCP servers. # # Use dhclient rather than pump. # # Open: udp/68 # SERVICES="$SERVICES cdhcp" # List of DHCP servers with which this network may communicate. # Blank means no hosts. # DHCP_SERVERS="" ############################################################################## # Incoming TACACS+ # # Open: tcp/49 # SERVICES="$SERVICES itacacs" # List of TACACS+ clients that may connect to this network. # Blank means all hosts. # TACACS_CLIENTS="" ############################################################################## # Outgoing TACACS+ # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES otacacs" # List of TACACS+ server to which this network mamy connect. # Blank means all hosts. # TACACS_SERVERS="" ############################################################################## # Incoming SNMP # # Note: You probably don't want to permit this across a firewall. # If you do, only allow connections from trusted SNMP management stations. # # Open: udp/161 # SERVICES="$SERVICES isnmp" # List of hosts which may connect to this host's SNMP server. # Blank means no hosts. # SNMP_CLIENTS="" ############################################################################## # Outgoing SNMP # # Note: You probably don't want to permit this across a firewall. # If you do, only allow connections to trusted SNMP network devices. # # Open: udp/1024-4999,61000-65096 # SERVICES="$SERVICES osnmp" # List of SNMP servers to which this network may connect. # Blank means no hosts. # SNMP_SERVERS="" ############################################################################## # Incoming SNMP TRAP # # Note: You probably don't want to permit this across a firewall. # If you do, only allow connections from trusted SNMP management stations. # # Open: 162 # SERVICES="$SERVICES isnmpt" # List of hosts which may connect to this host's SNMP trap server. # Blank means no hosts. # SNMP_TRAP_CLIENTS="" ############################################################################## # Outgoing SNMP TRAP # # Note: You probably don't want to permit this across a firewall. # If you do, only allow connections to trusted SNMP network devices. # # Open: none # SERVICES="$SERVICES osnmpt" # List of SNMP trap servers to which this network may connect. # Blank means no hosts. # SNMP_TRAP_SERVERS="" ############################################################################## # Incoming BGP # # Note: You probably don't want to permit this across a firewall. # If you do, only allow connections from trusted BGP peers. # # Open: tcp/179 # SERVICES="$SERVICES ibgp" # List of routers which may connect to this host's BGP server. # Blank means no routers. # BGP_CLIENTS="" ############################################################################## # Outgoing BGP # # Note: You probably don't want to permit this across a firewall. # If you do, only allow connections to trusted BGP peers. # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES obgp" # List of BGP routers to which this router may connect. # Blank means no routers. # BGP_SERVERS="" ############################################################################## # OSPF # # Note: You must have ospf(89) in /etc/protocols to use this. # # Open: ospf # SERVICES="$SERVICES ospf" # List of routers with which this host's OSPF server communicates. # Blank means no routers. # OSPF_ROUTERS="" ############################################################################## # Incoming RIP # # Note: You probably don't want to permit this across a firewall. # # Open: udp/520 # SERVICES="$SERVICES irip" # List of hosts which may connect to this host's RIP server. # Blank means no hosts. # RIP_CLIENTS="" ############################################################################## # Outgoing RIP # # Note: You probably don't want to permit this across a firewall. # # Open: udp/1024-4999,61000-65096 # SERVICES="$SERVICES orip" # List of RIP servers to which this network may connect. # Blank means no hosts. # RIP_SERVERS="" ############################################################################## # Incoming KERBEROS # # Open: tcp/88,543-544,749 # SERVICES="$SERVICES ikerb" # List of hosts which may connect to this host's KERBEROS server. # Blank means all hosts. # KERBEROS_CLIENTS="" ############################################################################## # Outgoing KERBEROS # # Open: tcp(ack)/1024-4999,61000-65096 # SERVICES="$SERVICES okerb" # List of KERBEROS servers to which this network may connect. # Blank means all hosts. # KERBEROS_SERVERS="" ############################################################################## # Incoming PPTP # # Note: You must have pptp(47) in /etc/protocols to use this. # Warning: If you are using microsoft's PPTPv1, upgrade to PPTPv2 # immediately. It's almost secure. Better yet, upgrade to IPSEC. # # Open: tcp/1723 pptp # SERVICES="$SERVICES ipptp" # List of hosts which may make PPTP connections to this host. # Blank means all hosts. # PPTP_CLIENTS="" # List of networks handed out by the local pptp server. # Blank means none. # PPTP_NETWORKS="" ############################################################################## # Outgoing PPTP # # Note: You must have pptp(47) in /etc/protocols to use this. # Warning: If you are using microsoft's PPTPv1, upgrade to PPTPv2 # immediately. It's almost secure. Better yet, upgrade to IPSEC. # # Open: tcp(ack)/1024-4999,61000-65096 pptp # SERVICES="$SERVICES opptp" # List of PPTP servers to which this network may connect. # Blank means all hosts. # PPTP_SERVERS="" ############################################################################## # Incoming IPSEC # # Note: You must have esp(50) and ah(51) in /etc/protocols to use this. # # Open: udp/500 esp ah # SERVICES="$SERVICES iipsec" # List of hosts which may make IPSEC connections to this host. # Blank means all hosts. # IPSEC_CLIENTS="" ############################################################################## # Outgoing IPSEC # # Note: You must have esp(50) and ah(51) in /etc/protocols to use this. # # Open: udp/500 esp ah # SERVICES="$SERVICES oipsec" # List of IPSEC servers to which this network may connect. # Blank means all hosts. # IPSEC_SERVERS="" ############################################################################## # Incoming PING # # Note: Only permit incoming pings from external hosts that have a reason to # be pinging this host (e.g. your ISP). # # Open: icmp/echo-request # SERVICES="$SERVICES iping" # List of hosts which may ping this network. # Blank means no hosts. # PING_CLIENTS="" ############################################################################## # Outgoing PING # # Note: This can be used by local attackers to flood external hosts but it # is very useful. You can restrict outgoing PING to specific hosts if you # want. # # Note: This can also be used to tunnel Loki commands and hence is extremely # dangerous. If you do allow this, restrict to very few remote addresses. # # Open: icmp/echo-reply # SERVICES="$SERVICES oping" # List of hosts that this network may ping. # Blank means all hosts. # PING_SERVERS="" ############################################################################## # Incoming TRACEROUTE # # Note: Only permit incoming traceroute from external hosts that have a # reason to be tracing this network (e.g. your ISP). You can also limit # which udp ports may be used for incoming traceroute by prior arrangement # with those wishing to trace your network (recommended). # # Open: udp/33434-33523 # SERVICES="$SERVICES itrace" # List of hosts which may trace this network. # This range can be tightened by prior agreement with those clients # that have a need to trace your network. # Blank means no hosts. # TRACEROUTE_CLIENTS="" # Range of udp ports that may be used by an incoming traceroute. # ITRACEROUTE_SRC_PORTS="32769:65535" # ITRACEROUTE_DST_PORTS="33434:33523" ############################################################################## # Outgoing TRACEROUTE # # Note: This can be used by local attackers to gather information about # external hosts but it is very useful. You can restrict outgoing TRACEROUTE # to specific hosts if you want. # # Open: icmp/time-exceeded,destination-unreachable # SERVICES="$SERVICES otrace" # List of hosts that this network may trace. # Blank means all hosts. # TRACEROUTE_SERVERS="" # Range of udp ports that may be used by an outgoing traceroute. # OTRACEROUTE_SRC_PORTS="32769:65535" # OTRACEROUTE_DST_PORTS="33434:33523" ############################################################################## # Other ICMP packets # # Note: The default icmp rules allow incoming destination-unreachable and # outgoing fragmentation-needed, incoming and outgoing source-quench, # incoming and outgoing time-exceeded and incoming and outgoing # parameter-problem. There's probably no reason to change this unless you # have set BLOCKIN to be REJECT (or are using REJECT_TCP_PORTS below) in # which case you need to put destination-unreachable (or 3) into # OTHER_OUTGOING_ICMP (instead of fragmentation-needed). # # Open: destination-unreachable, source-quench, time-exceeded, parameter-problem # List of incoming icmp packet types to accept. # OTHER_INCOMING_ICMP="3 4 11 12" # List of outgoing icmp packet types to accept. # OTHER_OUTGOING_ICMP="fragmentation-needed 4 11 12" ############################################################################## # Packet Fragments # # Note: Fragments are denied/rejected iff $IPV4_FRAGMENT_PROTECT != "no". # ############################################################################## # Other TCP Services # # Note: This only works for applications with a simple, single-connection # application protocol. Also, it can't be restricted to certain external # servers or clients. All external hosts will be allowed to engage in these # services so it should only be used for safe applications. # # Open (incoming): whatever you add # Open (outgoing): tcp(ack)/1024-4999,61000-65096 # List of ports on this host that any external host can connect to. # Blank means no other services. # OTHER_INCOMING_TCP_SERVICES="" # List of ports on any host that this network may connect to. # Blank means no other services. # OTHER_OUTGOING_TCP_SERVICES="" ############################################################################## # REJECT TCP Ports # # Specify TCP ports to REJECT even though the default policy is DENY. This # is one way to prevent 30 second delays when connecting to FTP and SMTP # servers that attempt to connect to your IDENT/AUTH server and when # connecting to IRC servers that attempt to connect to your SOCKS server. # # Another way to prevent these delays is to leave the ports open and don't # have those servers running. You could also demand that the administrators # of such FTP, SMTP and IRC servers modify their servers' behaviour to # timeout after a few seconds. After all, packets can probably get to Mars # and back in less than 30 seconds. # # Note: You will also need to allow outgoing ICMP 3 (destination # unreachable) for the REJECT to work. # # Note: This has no effect if BLOCKIN="REJECT". It also has no effect if # the ports listed here are for services that are accepted above. # # Note: Don't do this. By allowing outgoing destination unreachable packets, # you are allowing attackers to identify your operating systems and map your # network and obtain valuable strategic information which helps them to # focus future attacks. # # Open: icmp/destination-unreachable (via OTHER_OUTGOING_ICMP) # Specific TCP ports to REJECT. # Blank means no ports. # REJECT_TCP_PORTS="" # e.g. # REJECT_TCP_PORTS="113" # auth/ident ############################################################################## # No Log # # After you've set up your firewall, you may find regular, harmless packets # being blocked and logged (e.g. netbios broadcasts). If you don't want them # to be logged, you can add port numbers and protocol names to these variables # and they will be blocked but not logged. # # Incoming and outgoing udp and tcp destination ports to block without # logging. Blank means no ports are blocked without logging. i.e. all # blocked packets are logged. # INOLOG_UDP_PORTS="" # ONOLOG_UDP_PORTS="" # INOLOG_TCP_PORTS="" # ONOLOG_TCP_PORTS="" # Incoming and outging packets for other protocols to block without # logging. Blank means no other protocols are blocked without logging. # i.e. all blocked packets are logged. # INOLOG_PROTO="" # ONOLOG_PROTO="" ############################################################################## # Multicasting # # Specify which multicast sessions are allowed in or out of your networks. # Note: To make this work well, users need to be able to specify the # multicast sessions that they wish to receive and the policy file should be # modified and the firewall reloaded when appropriate. # # List of multicast sessions allowed in to your networks. # Blank means none. # INCOMING_MULTICAST="" # e.g. INCOMING_MULTICAST="sap.mcast.net 9875" # List of multicast sessions allowed out of your networks. # Blank means none. # OUTGOING_MULTICAST="" # e.g. OUTGOING_MULTICAST="sap.mcast.net 9875" ############################################################################## # Glossary # # Perimeter Network # ~~~~~~~~~~~~~~~~~ # An intermediate network between your internal networks and the external, # untrusted networks. All traffic to or from the external networks passes # through this network. The perimeter network can be seen from the outside, # and is the first point of attack from the outside. Hosts within the # perimeter network must be highly secured yet you cannot trust them. This is # the recommended topology as attackers must break through a highly secured # network before they can break into your internal network (and vice versa). # # Bastion Host # ~~~~~~~~~~~~ # A host on the perimeter network. These hosts are visible to the external, # untrusted networks and generally provide services to the internet or provide # proxy services to the internal networks. They must be highly secure as they # will be the first point of attack. # # Victim Host # ~~~~~~~~~~~ # A host either on the perimeter network or beyond that is needed to provide # an unsafe service. It is expected that, if an unsafe service is required, # the victim host serving it will become compromised sooner rather than later. # ############################################################################## # Kernel Configuration Requirements # # Your kernel will need to be configured with some or all of the following # kernel parameters depending on your network topology [as noted]: # # General Setup # ~~~~~~~~~~~~~ # Networking support (CONFIG_NET) # - networking [all] # # Sysctl support (CONFIG_SYSCTL) # - runtime kernel configuration [all] # # Networking options # ~~~~~~~~~~~~~~~~~~ # Packet socket (CONFIG_PACKET) # - tcpdump [all] # # Kernel/User netlink socket (CONFIG_NETLINK) # - firewall logs [all] # # Routing messages (CONFIG_RTNETLINK) # - /dev/route [probably not needed] # # Network firewalls (CONFIG_FIREWALL) # - firewall [all] # # TCP/IP networking (CONFIG_INET) # - tcp/ip [all] # # IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) # - policy routing [aliasportfw, staticnat] # # IP: policy routing (CONFIG_IP_MULTIPLE_TABLES) # - policy routing [aliasportfw, staticnat] # # IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) # - route (ip spoof) log messages [all] # # IP: fast network address translation (CONFIG_IP_ROUTE_NAT) # - nat [aliasportfw, staticnat] # # IP: firewalling (CONFIG_IP_FIREWALL) # - firewall [all] # # IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK) # - let ipchains pass packets to userspace [iff your IDS needs it] # # IP: use FWMARK value as routing key (CONFIG_IP_ROUTE_FWMARK) # - fwmark policy routing/nat [aliasportfw] # # IP: transparent proxy support (CONFIG_IP_TRANSPARENT_PROXY) # - transparent proxy [iff REDIRECT is used] # # IP: masquerading (CONFIG_IP_MASQUERADE) # - masquerading [masq, portfw, aliasportfw] # # IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) # - icmp masquerading [masq, portfw, aliasportfw] # # IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD) # - port forwarding [portfw, aliasportfw] # # IP: ipportfw masq support (CONFIG_IP_MASQUERADE_IPPORTFW) # - port forwarding [portfw, aliasportfw] # # IP: ip fwmark masq-forwarding support (CONFIG_IP_MASQUERADE_MFW) # - mfw port forwarding [portfw iff PORTRANGEFW used, aliasportfw] # # IP: aliasing support (CONFIG_IP_ALIAS) # - multiple addresses per interface [aliasportfw] # # IP: TCP syncookie support (CONFIG_SYN_COOKIES) # - synflood protection [all] # # If you have a 2.4.x kernel, you will need the ipchains backwards # compatibility module rather than the new netfilter code. # # IP: Netfilter Configuration (CONFIG_IP_NF_COMPAT_IPCHAINS) # # Filesystems: # ~~~~~~~~~~~~ # /proc filesystem support (CONFIG_PROC_FS) # - runtime kernel configuration [all] # ############################################################################## # Kernel module requirements # # If you are masquerading, you may need any of several application helper # modules. I'm not entirely sure when these modules are needed since I don't # use them myself. You'll have to read their respective documentation to see # whether or not you need them. # # ip_masq_portfw - comes with the kernel # ip_masq_mfw - comes with the kernel # ip_masq_h323 - http://www.coritel.it/coritel/ip/sofia/nat/nat2/nat2.htm # ip_masq_ftp - comes with the kernel # ip_masq_irc - comes with the kernel # ip_masq_icq - http://members.tripod.com/~djsf/masq-icq/ # ip_masq_raudio - comes with the kernel # ############################################################################## # Software Requirements # # Your firewall/masquerading host will need some or all of the following # software installed depending on your network topology [as noted]: # # ipchains-1.3.10 - http://netfilter.kernelnotes.org/ipchains/ [all] # ipmasqadm-0.4.2 - http://juanjox.kernelnotes.org/ [portfw, aliasportfw] # iproute2-000305 - ftp://ftp.inr.ac.ru/ [aliasportfw, staticnat] # # vim:set filetype=sh: