Simple IPFW Rules to Defend Sensors
I'm considering deploying the following rule set on a new batch of network security monitoring sensors running the FreeBSD IPFW firewall. I'm using the IPSec tunnel scenario I outlined earlier to carry packets between the sensor and a VPN concentrator / firewall / gateway (VPN CFG) that also runs FreeBSD.
My goal is to limit who the sensor can talk to, and to limit who the sensor accepts connections from. In this case, I'm telling the sensor to speak only with the VPN CFG and a specified DNS server. I leave the option of adding additional permitted systems, such as a trusted host that is allowed to SSH directly to the sensor for maintenance purposes.
Here is the rule set I plan to run on the sensors. 192.168.2.10 is the sensor management IP. 192.168.2.7 is the VPN CFG management IP. 192.168.2.1 is the nameserver.
#!/bin/sh
int="fxp0"
cmd="ipfw -q add "
mgt_ip="192.168.2.10"
vpncfg_ip="192.168.2.7"
nameserver="192.168.2.1"
ipfw -q -f flush
$cmd 00500 check-state
# Allow connections initiated by remote systems
# SSH from specified hosts
$cmd 01000 allow tcp from $vpncfg_ip any to $mgt_ip 22 in via $int keep-state
# ISAKMP
$cmd 01100 allow udp from $vpncfg_ip any to $mgt_ip 500 in via $int keep-state
# IPSec ESP
$cmd 01200 allow esp from $vpncfg_ip to $mgt_ip in via $int keep-state
# ICMP
$cmd 01300 allow icmp from $vpncfg_ip to $mgt_ip in via $int keep-state
# Allow connections initiated by local system
# SSH to VPNCFG
$cmd 02000 allow tcp from $mgt_ip any to $vpncfg_ip 22 out via $int keep-state
# ISAKMP
$cmd 02100 allow udp from $mgt_ip any to $vpncfg_ip 500 out via $int keep-state
# IPSec ESP
# ESP and ICMP carry no ports, so no port specification on these rules
$cmd 02200 allow esp from $mgt_ip to $vpncfg_ip out via $int keep-state
# ICMP
$cmd 02300 allow icmp from $mgt_ip to $vpncfg_ip out via $int keep-state
# DNS resolution
$cmd 02400 allow udp from $mgt_ip any to $nameserver 53 out via $int keep-state
# Default deny all
$cmd 03000 deny log all from any to any
Does anyone have any comments?
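As an added example (not part of the original post or its script), here is a helper for the "trusted maintenance host" option mentioned above: it validates each address and emits stateful inbound SSH rules in the spare numbers between 01000 (SSH from the VPN CFG) and 01100 (ISAKMP), so the rule set stays ordered and a typo never widens a rule beyond one host. The IPFW variable and the function names are my own choices; by default the rules are only printed, and setting IPFW="ipfw -q add" on the sensor loads them.

```shell
#!/bin/sh
# Added example, not the original post's script. Names IPFW, is_ipv4,
# ssh_rules and apply_ssh_rules are chosen here; nothing is loaded unless
# IPFW is set to "ipfw -q add" on the sensor.
IPFW="${IPFW:-echo ipfw -q add}"
int="fxp0"                 # management interface (from the post)
mgt_ip="192.168.2.10"      # sensor management IP (from the post)

# is_ipv4 ADDR: accept only a dotted quad with octets 0-255, so a typo
# such as "any" or a hostname can never widen a rule beyond one host.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# ssh_rules HOST...: print one stateful inbound SSH rule per host, numbered
# 01010, 01020, ...; fails on a bad address or when the free slots run out
# (rule 01100 is already taken by ISAKMP in the post's rule set).
ssh_rules() {
  n=1010
  for h in "$@"; do
    is_ipv4 "$h" || { echo "ssh_rules: bad address: $h" >&2; return 1; }
    [ "$n" -lt 1100 ] || { echo "ssh_rules: no free rule number" >&2; return 1; }
    printf '%05d allow tcp from %s any to %s 22 in via %s keep-state\n' \
      "$n" "$h" "$mgt_ip" "$int"
    n=$((n + 10))
  done
}

# apply_ssh_rules HOST...: validate the whole list first, then hand each
# rule to ipfw (or echo it), so a bad entry never leaves a partial load.
apply_ssh_rules() {
  rules=$(ssh_rules "$@") || return 1
  [ -n "$rules" ] || return 0
  printf '%s\n' "$rules" | while read -r rule; do
    $IPFW $rule
  done
}
```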