| blob | 681a81da20b6b47875f4584f73ff6f006efda556 |
1 Configuring IP Filter for firewall usage.
2 =========================================
4 Step 1 - Block out "bad" IP packets.
5 ------------------------------------
7 Run the perl script "mkfilters". This will generate a list of blocking
8 rules which:
9 a) blocks all packets which might belong to an IP Spoofing attack;
10 b) blocks all packets with IP options;
11 c) blocks all packets which have a length which is too short for
12 any legal packet;
14 Step 2 - Convert Network Security Policy to filter rules.
15 ---------------------------------------------------------
17 Draw up a list of which services you want to allow users to use on the
18 Internet (e.g. WWW, ftp, etc). Draw up a separate list for what you
19 want each host that is part of your firewall to be allowed to do, including
20 communication with internal hosts.
22 Step 3 - Create TCP "keep state" rules.
23 ---------------------------------------
25 For each service that uses TCP, create a rule as follows:
27 pass in on <int-a> proto tcp from <int-net> to any port <ext-service> flags S/SA keep state
29 where
30 * "int-a" is the internal interface of the firewall. That is, it is the
31 closest to your internal network in terms of network hops.
33 * "int-net" is the internal network IP# subnet address range. This might
34 be something like 10.1.0.0/16, or 128.33.1.0/24
36 * "ext-service" is the service to which you wish to connect or if it doesn't
37 have a proper name, a number can be used. The translation of "ext-service"
38 as a name to a number is controlled with the /etc/services file.