Configuring and Installing IP Filter (IPF)
Author: Ph33r (ph33r@fatelabs.com)
Fri July 3 12:13:42 GMT 2001


What is IPFilter (IPF)?
IPFilter (IPF) is a software package that can be used to provide network address translation (NAT) or some sort of firewall services. IPF can be used either as a loadable kernel module or incorporated into your Unix kernel. Using a loadable kernel module is recommended where possible. Scripts are provided to install and patch system files as required.

IP Filters
Installing IPF is pretty easy and straightforward if you follow the documentation on the website, except for the config files, which they seem to hide in a rather odd directory, /etc/opt/ipf. I like to link these files to the ones in /etc:

cd /etc
ln -s /etc/opt/ipf/ipf.conf
ln -s /etc/opt/ipf/ipnat.conf

NOTE:
Remember that the ipf.conf in /usr/kernel/drv is the configuration data for the module loader and not the ipfilter set of rules. Also, place all NAT rules into ipnat.conf and not ipf.conf.

If you wish to enable IPF logging (and I would recommend that you do, since it's very handy to have logs to track down errors and other problems), edit /etc/rc2.d/S65ipfboot and remove the "#" from the line:

# ipmon -n &

This starts the IPF logging daemon (ipmon), which reports everything to syslog. If you also want syslog to record the log messages, edit /etc/syslog.conf on the relevant syslog host and add the following line (on Solaris the selector and the file name must be separated by a tab, not spaces):

local0.debug /var/adm/messages

This logs every packet that passes through the firewall. You may need to tune this if you get a lot of traffic through your firewall; otherwise your log files will become huge.
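To show what can be done with the ipmon records once they reach syslog, here is an added example (written for this page, not part of the original paper or of IPFilter) that parses a few constructed log lines in the shape ipmon writes and summarises the blocked traffic: per-source counts, sources that probed several distinct ports, and inbound packets claiming one of the reserved source networks that the ipf.conf rules further down block. The syslog host name fw, the process id, the addresses and the use of numeric (unresolved) hosts are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed syslog lines in the shape ipmon writes to local0: its own timestamp,
# interface, @group:rule, b=blocked / p=passed, src,sport -> dst,dport, protocol,
# header and packet length, TCP flags, direction. Hosts and addresses are invented.
SAMPLE_LOG = [
    "Jul  3 12:13:42 fw ipmon[214]: 12:13:42.101012 dp0 @0:3 b 203.0.113.10,40001 -> 198.51.100.5,22 PR tcp len 20 60 -S IN",
    "Jul  3 12:13:43 fw ipmon[214]: 12:13:43.224563 dp0 @0:3 b 203.0.113.10,40002 -> 198.51.100.5,23 PR tcp len 20 60 -S IN",
    "Jul  3 12:13:43 fw ipmon[214]: 12:13:43.512744 dp0 @0:3 b 203.0.113.10,40003 -> 198.51.100.5,80 PR tcp len 20 60 -S IN",
    "Jul  3 12:13:44 fw ipmon[214]: 12:13:44.003311 dp0 @0:3 b 10.1.2.3,1024 -> 198.51.100.5,53 PR udp len 20 48 IN",
    "Jul  3 12:13:45 fw ipmon[214]: 12:13:45.870045 dp0 @0:8 p 198.51.100.5,41000 -> 203.0.113.25,80 PR tcp len 20 60 -S OUT",
    "Jul  3 12:13:46 fw ipmon[214]: 12:13:46.110200 le0 @0:1 p 10.5.3.7,5353 -> 10.5.3.1,53 PR udp len 20 60 IN",
]

# The reserved source networks that the ipf.conf example blocks on dp0.
RESERVED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)"
)


def parse_line(line):
    """Return a dict for a TCP/UDP ipmon record, or None for anything else
    (ICMP records print type/code instead of ports and are not handled here)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines, sweep_threshold=3):
    """Aggregate the blocked records: count per source, list sources that hit at
    least sweep_threshold distinct destination ports, and list inbound sources
    that claim an address from one of the reserved networks."""
    blocked = [r for r in map(parse_line, lines) if r and r["action"] == "b"]
    by_src = Counter(r["src"] for r in blocked)
    ports = defaultdict(set)
    for r in blocked:
        ports[r["src"]].add(r["dport"])
    sweeps = sorted(s for s, p in ports.items() if len(p) >= sweep_threshold)
    spoofed = sorted({r["src"] for r in blocked if r["dir"] == "IN"
                      and any(ipaddress.ip_address(r["src"]) in n for n in RESERVED)})
    return {"blocked": len(blocked), "by_src": dict(by_src), "sweeps": sweeps, "spoofed": spoofed}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Point the script at the real /var/adm/messages (or the copy on the remote logging server mentioned in the note below) instead of SAMPLE_LOG, and the "spoofed" list is a quick way to see whether the reserved-address block rules are actually catching anything.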

NOTE:
Eric "Loki" Hines has recently written a very nice paper on setting up a secure remote logging server, which would be perfect. I personally love to do this since it always gives you another "untouched" source of your logs. Also, if you think your system has been compromised, you can check your logs against the logging server to see whether the one who compromised your system and/or network has edited anything that they didn't want you to know about.

Configuring /etc/opt/ipf/ipf.conf
Unix/Linux systems offer a lot of different services to the world around them. Sometimes hackers or script-kiddies can compromise these services and gain root on that system or network. This also brings to mind the word 'security', which is one of the most important aspects of computing nowadays. For a reference for newbies on securing a Linux box, check out my last paper on Locking Down Linux Mandrake. Even if you don't run Linux, it's still a good read because it will give you a basic idea of what to look out for security-wise.

Now, most ISPs already provide packet filtering that will stop all incoming connections to their dialup systems, so if this is the case, all you have to do is leave the file ipf.conf empty. If you have to set up your own packet filtering, I would think that you would want to allow all outgoing connections and block any incoming connections. All you have to do is set up a set of IP Filter rules for just that. Here is an example of ipf.conf:

#
#
# --------------------------------------------------------------
# Nasty Packets:
# Block any packets which are too short to be real.
block in log quick all with short
# Block any packets with source routing set
block in log quick all with opt lsrr
block in log quick all with opt ssrr
#
# --------------------------------------------------------------
# Private Network:
# Allow traffic on le0 and lo0 to pass unimpeded
pass in on le0 all
pass out on le0 all
pass in on lo0 all
pass out on lo0 all
#
# --------------------------------------------------------------
# Public Network (dp0):
# That which is not explicitly allowed is forbidden
block in log on dp0 all
block out log on dp0 all
#
# Invalid Internet packets
# Deny reserved addresses
block in log quick on dp0 from 10.0.0.0/8 to any
block in log quick on dp0 from 192.168.0.0/16 to any
block in log quick on dp0 from 172.16.0.0/12 to any
#
# ICMP Protocols
# Allow pings out
pass out log on dp0 proto icmp all keep state
#
# TCP/UDP Protocols
# Allow TCP/UDP requests to go out and keep the results
# flowing back in.
pass out log on dp0 proto tcp/udp from any to any keep state
# Allow FTP data channel back in
pass in quick on dp0 proto tcp from any to any port = ftp-data keep state
pass in quick on dp0 proto tcp from any port = ftp-data to any port > 1023 keep state
#
# Reset/Error for TCP/UDP services, send back TCP-Reset or
# Network unreachable to attempts to initiate connections.
block return-rst in log on dp0 proto tcp from any to any flags S/SA
block return-icmp(net-unr) in log on dp0 proto udp from any to any
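The order of these rules matters more than it looks: IPFilter examines every rule in the file and the last match decides, unless a matching rule carries quick, which stops evaluation on the spot. That is why "block in log on dp0 all" can sit above the pass rules and still let the FTP data channel back in. The following added example (written for this page, not code from IPFilter or from the original author) implements that evaluation for a subset of the ruleset above and runs a few constructed packets through it. The interface names are the page's; the addresses, port numbers and packets are invented, and TCP flags and state tracking are not modelled.

```python
import ipaddress

# Constructed subset of the ipf.conf above, in the page's order (the icmp rule and
# two of the reserved-address rules are omitted for brevity). The interface names
# come from the page; the sample packets further down are invented.
RULES = """
pass in on le0 all
pass out on le0 all
block in log on dp0 all
block out log on dp0 all
block in log quick on dp0 from 10.0.0.0/8 to any
pass out log on dp0 proto tcp/udp from any to any keep state
pass in quick on dp0 proto tcp from any to any port = ftp-data keep state
pass in quick on dp0 proto tcp from any port = ftp-data to any port > 1023 keep state
block return-rst in log on dp0 proto tcp from any to any flags S/SA
block return-icmp(net-unr) in log on dp0 proto udp from any to any
"""
SERVICES = {"ftp-data": 20, "ftp": 21}   # stand-in for the /etc/services lookup


def _port(tok):
    return int(tok) if tok.isdigit() else SERVICES[tok]


def parse_rule(line):
    """Parse the ipf.conf subset above; log, flags, keep state and with are skipped."""
    toks = line.split()
    rule = {"text": line, "action": toks[0], "quick": False, "iface": None,
            "proto": None, "src": None, "dst": None, "sport": None, "dport": None}
    i = 1
    if toks[i].startswith("return-"):        # return-rst / return-icmp(...)
        i += 1
    rule["dir"], i = toks[i], i + 1
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule["quick"], i = True, i + 1
        elif t == "on":
            rule["iface"], i = toks[i + 1], i + 2
        elif t == "proto":                     # "tcp/udp" -> {"tcp", "udp"}
            rule["proto"], i = set(toks[i + 1].split("/")), i + 2
        elif t in ("from", "to"):
            side, net = ("src" if t == "from" else "dst"), toks[i + 1]
            rule[side] = None if net == "any" else ipaddress.ip_network(net)
            i += 2
            if i < len(toks) and toks[i] == "port":      # "port = N" / "port > N"
                rule["sport" if t == "from" else "dport"] = (toks[i + 1], _port(toks[i + 2]))
                i += 3
        elif t in ("flags", "keep", "with"):
            i += 2
        else:                                  # log, all, ...
            i += 1
    return rule


RULESET = [parse_rule(l) for l in RULES.strip().splitlines()]


def _port_ok(spec, value):
    if spec is None:
        return True
    op, n = spec
    return value is not None and {"=": value == n, ">": value > n, "<": value < n}[op]


def matches(rule, pkt):
    """True when the packet satisfies every field the rule constrains."""
    if rule["dir"] != pkt["dir"] or (rule["iface"] and rule["iface"] != pkt["iface"]):
        return False
    if rule["proto"] and pkt["proto"] not in rule["proto"]:
        return False
    for side in ("src", "dst"):
        if rule[side] and ipaddress.ip_address(pkt[side]) not in rule[side]:
            return False
    return _port_ok(rule["sport"], pkt["sport"]) and _port_ok(rule["dport"], pkt["dport"])


def evaluate(pkt, rules=RULESET):
    """IPFilter semantics: every rule is examined and the LAST match wins, except
    that a matching 'quick' rule ends evaluation immediately. Returns
    (action, rule index, rule text); when nothing matches, IPF passes the packet."""
    verdict = ("pass", None, "<no rule matched>")
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict = (rule["action"], idx, rule["text"])
            if rule["quick"]:
                break
    return verdict


def make_pkt(direction, iface, proto, src, dst, sport, dport):
    return {"dir": direction, "iface": iface, "proto": proto, "src": src,
            "dst": dst, "sport": sport, "dport": dport}


# Constructed packets: new connection attempts with no state-table entry.
SAMPLES = {
    "ssh from internet": make_pkt("in", "dp0", "tcp", "203.0.113.10", "198.51.100.5", 40000, 22),
    "spoofed rfc1918": make_pkt("in", "dp0", "tcp", "10.1.2.3", "198.51.100.5", 40000, 22),
    "ftp-data back in": make_pkt("in", "dp0", "tcp", "203.0.113.10", "198.51.100.5", 20, 50000),
    "web out": make_pkt("out", "dp0", "tcp", "198.51.100.5", "203.0.113.10", 40000, 80),
    "lan in": make_pkt("in", "le0", "udp", "10.5.3.7", "10.5.3.1", 5353, 53),
}
```

Running evaluate() over SAMPLES shows the two mechanisms side by side: the outbound web packet matches "block out log on dp0 all" first but is passed because the later "pass out ... keep state" rule is the last match, while the spoofed 10.1.2.3 packet never gets that far because the reserved-address rule is quick. Reordering the rules in RULES and re-running is a cheap way to check a change before loading it into the live kernel module.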

Configuring /etc/opt/ipf/ipnat.conf
To begin using NAT, you will need to create a NAT configuration file. Run the command touch /etc/opt/ipf/ipnat.conf, which creates an empty file called ipnat.conf in that location. Now all you have to do is edit the file and add your set of rules. Here is an example ipnat.conf file:

#
# Use the internal FTP proxy for outgoing FTP
#
map dp0 10.5.3.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
#
# Map anything going through dp0 onto
# the dp0 address
#
map dp0 10.5.3.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map dp0 10.5.3.0/24 -> 0.0.0.0/32

This file would map all TCP and UDP connections coming from the 10.5.3 network onto a new port with the IP address of the dp0 interface. The IP address of the dp0 interface is assigned dynamically when the connection is made.
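To make the portmap rule concrete, here is an added model (written for this page, not IPFilter's own code) of the translation table such a rule maintains: an outbound connection from 10.5.3.0/24 is given a port from 40000:60000 on the dp0 address, replies to that port are mapped back to the internal host, and an inbound packet with no mapping has nowhere to go. The external address 198.51.100.5 and the packets in the usage are assumptions, and port allocation is sequential only for readability.

```python
import ipaddress

# Values taken from the map rule above: the internal network and the portmap range.
INTERNAL_NET = ipaddress.ip_network("10.5.3.0/24")
PORT_RANGE = range(40000, 60001)          # portmap tcp/udp 40000:60000


class PortMapNat:
    """Toy model of 'map dp0 10.5.3.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000'.
    0.0.0.0/32 stands for 'whatever address dp0 currently has', so the external
    address is supplied at construction, as it would be learned from the interface."""

    def __init__(self, external_ip, internal_net=INTERNAL_NET, ports=PORT_RANGE):
        self.external_ip = external_ip
        self.internal_net = internal_net
        self._free = iter(ports)          # sequential for clarity; not how a real NAT picks ports
        self.forward = {}                 # (proto, src, sport, dst, dport) -> mapped port
        self.reverse = {}                 # (proto, mapped port, dst, dport) -> (src, sport)

    def outbound(self, proto, src, sport, dst, dport):
        """Translate a packet leaving via dp0. Sources outside the rule's network
        are not covered by the map rule and are returned unchanged."""
        if ipaddress.ip_address(src) not in self.internal_net:
            return (proto, src, sport, dst, dport)
        key = (proto, src, sport, dst, dport)
        if key not in self.forward:       # first packet of this connection: allocate a port
            try:
                mapped = next(self._free)
            except StopIteration:
                raise RuntimeError("portmap range 40000:60000 exhausted") from None
            self.forward[key] = mapped
            self.reverse[(proto, mapped, dst, dport)] = (src, sport)
        return (proto, self.external_ip, self.forward[key], dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """Reverse-translate a packet arriving on dp0. Anything addressed to a port
        with no mapping (unsolicited traffic) returns None: NAT has no internal host
        to hand it to, which is not a substitute for the block rules in ipf.conf."""
        if dst != self.external_ip:
            return None
        entry = self.reverse.get((proto, dport, src, sport))
        if entry is None:
            return None
        internal_src, internal_sport = entry
        return (proto, src, sport, internal_src, internal_sport)


if __name__ == "__main__":
    nat = PortMapNat("198.51.100.5")                      # assumed dp0 address
    out = nat.outbound("tcp", "10.5.3.7", 1025, "203.0.113.25", 80)
    print("outbound rewritten to:", out)
    print("reply mapped back to:", nat.inbound("tcp", "203.0.113.25", 80, "198.51.100.5", out[2]))
    print("unsolicited inbound:", nat.inbound("tcp", "203.0.113.25", 80, "198.51.100.5", 45000))
```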

Ph33r
ph33r@fatelabs.com
www.fatelabs.com