Customizing Firewall Rules - System Wide Rules

Discussion in 'other firewalls' started by CrazyM, Oct 25, 2002.

    Something I have not seen covered here yet and that may be helpful for new users of rule based firewalls is how to customize default/automatic rules. The following are presented as suggestions and food for thought only for those who may now want to get under the hood and tweak their rule sets.

    A couple of things to note first.

    How Firewall Rules Are Processed
    Rule based firewalls process rules in a set order, usually top to bottom. Once a rule is matched (permit or block) all remaining rules are ignored. So rule placement is important. Some firewalls, such as ConSeal, will prioritize rules by numeric value, but the principle is the same. Make sure you know how your firewall processes rules before attempting any customization of rule sets.

    Ephemeral Ports - Temp Range
    When initiating outbound requests for common remote services (i.e. HTTP for web browsing), your system will use ports some refer to as "ephemeral ports" or the "temp range" for the local portion of these connections. The ephemeral ports or temp range is 1024-5000. These would be the standard ports used locally for most connections to remote services. Thus your custom rule would allow local service/port 1024-5000. Most firewalls default your rules to any local service/port. Restricting the rule to the ephemeral ports or temp range (the standard used by most services) for local service/port is just a means of tightening up your rule(s). It also would alert you to something using non-standard services/ports.

    This would apply for all rules using common remote services such as HTTP, POP3, SMTP, NNTP, etc.

    Example:
    Your Rule
    Direction: Outbound
    Remote service/port: 80 (HTTP)
    Local service/port: 1024-5000

    Restricting Local service/port to the ephemeral ports or "temp range" is also applicable to some non application specific rules that use common services. An example would be your DNS rules in System Wide Settings/Rules.

    Basic System Wide Rules that will be required by most users.

    The following are some examples of System Wide Rules that would be required and applicable to most rule based firewalls and how they can be customized/tightened up. These rules would normally be placed at the top of the rule set.

    Rule examples here were made with NIS v.4 which permits multiple remote addresses in a rule. Those using firewalls without this ability may have to make individual rules for each remote address where applicable.

    ------------------------------------------------------

    Rule: Permit Inbound ICMP - type 8
    Rule in use: YES
    Logging: NO
    Protocol: ICMP
    Action: Permit
    Direction: Inbound
    Application: -
    Local Service:
    ..........Type: 8
    Local Address: Any Address
    Remote service: Any Service
    Remote Address:
    ............IP: xxx.xxx.xxx.xxx
    ............IP: xxx.xxx.xxx.xxx

    ***Note: type 8 (echo request)
    To permit specified remote addresses to ping your system.

    ------------------------------------------------------

    Rule: Permit Inbound ICMP - type 0, 3, 11
    Rule in use: YES
    Logging: NO
    Protocol: ICMP
    Action: Permit
    Direction: Inbound
    Application: -
    Local Service:
    ..........Type: 0
    ..........Type: 3
    ..........Type: 11
    Local Address: Any Address
    Remote service: Any Service
    Remote Address: Any Address

    ***Note: type 0 (echo reply), type 3 (destination unreachable), type 11 (time exceeded)

    ------------------------------------------------------

    Rule: Permit Outbound ICMP - type 0, 3, 8
    Rule in use: YES
    Logging: NO
    Protocol: ICMP
    Action: Permit
    Direction: Outbound
    Application: -
    Local service: Any Service
    Local Address: Any Address
    Remote Service:
    ..........Type: 0
    ..........Type: 3
    ..........Type: 8
    Remote Address: Any Address

    ***Note: type 0 (echo reply), type 3 (destination unreachable), type 8 (echo request)
    The type 0 (echo reply) in this rule will only respond to the permitted inbound type 8 (echo request) in the rule above. If you do not need to be pingable by certain remote systems and do not use the rule above, the type 0 can be removed from this rule. The rule order is important here for these ICMP rules.

    ------------------------------------------------------

    Rule: Block All Other ICMP
    Rule in use: YES
    Logging: YES
    Protocol: ICMP
    Action: Block
    Direction: Either
    Application: -
    Local service: Any Service
    Local Address: Any Address
    Remote service: Any Service
    Remote Address: Any Address

    ***Note: This could also be separate block rules for inbound and outbound traffic if desired. These ICMP rules will allow you to ping and traceroute others, but systems not permitted by the first rule will get no response when pinging your system.

    ------------------------------------------------------

    Rule: Permit DNS Servers
    Rule in use: YES
    Logging: NO
    Protocol: UDP
    Action: Permit
    Direction: Either
    Application: Any Application
    Local Service: (1024 - 5000)
    ...Range Begin: 1024
    .....Range End: 5000
    Local Address: Any Address
    Remote Service:
    ..........Port: 53
    Remote Address:
    ............IP: xxx.xxx.xxx.xxx
    ............IP: xxx.xxx.xxx.xxx

    ***Note: Restrict this rule to your ISP's DNS servers.

    ------------------------------------------------------

    Rule: Permit Inbound Bootp
    Rule in use: YES
    Logging: NO
    Protocol: UDP
    Action: Permit
    Direction: Inbound
    Application: Any Application
    Local Service:
    ..........Port: 68
    Local Address: Any Address
    Remote Service:
    ..........Port: 67
    Remote Address:
    ............IP: xxx.xxx.xxx.xxx
    ............IP: xxx.xxx.xxx.xxx

    ***Note: Although this rule would generally apply to one remote address (ISP's DHCP server), it is possible more than one of your ISP's servers/gateways could be acting as a DHCP server. It is best to allow this rule to any remote address first, enable logging and determine the remote addresses required for a specific rule.

    ------------------------------------------------------

    Rule: Permit Outbound Bootp
    Rule in use: YES
    Logging: NO
    Protocol: UDP
    Action: Permit
    Direction: Outbound
    Application: Any Application
    Local Service:
    ..........Port: 68
    Local Address: Any Address
    Remote Service:
    ..........Port: 67
    Remote Address: Any Address

    ***Note: As this outbound request is a broadcast, no remote address should be used.

    ------------------------------------------------------

    Rule: Permit Inbound Loopback
    Rule in use: YES
    Logging: NO
    Protocol: TCP or UDP
    Action: Permit
    Direction: Inbound
    Application: Any Application
    Local service: Any Service
    Local Address: (127.0.0.1)
    ............IP: 127.0.0.1
    Remote service: Any Service
    Remote Address: Any Address

    ------------------------------------------------------

    Rule: Permit Outbound Loopback
    Rule in use: YES
    Logging: NO
    Protocol: TCP or UDP
    Action: Permit
    Direction: Outbound
    Application: Any Application
    Local service: Any Service
    Local Address: Any Address
    Remote service: Any Service
    Remote Address: (127.0.0.1)
    ............IP: 127.0.0.1

    ***Note: For persons using NIS/NPF, you should leave the default loopback rules in place. Newer versions with the Transparent Proxy Server (and if you also use NAV) make extensive use of the loopback rules. Experienced users of other firewalls may find these rules a little broad, particularly if you are using something like Proxomitron and want to restrict access to it. Those users may want to restrict loopback rules to applications requiring it to suit their set up. The loopback rules also accommodate applications that need to listen on localhost (your system) - or what ZA users refer to as "act as local server".

    ------------------------------------------------------

    Although not required by all users, the following are a couple of common rules which also apply to this section of the rule set.

    ------------------------------------------------------

    Rule: Permit Inbound Auth/Ident
    Rule in use: YES
    Logging: NO
    Protocol: TCP
    Action: Permit
    Direction: Inbound
    Application: Any Application
    Local Service:
    ..........Port: 113
    Local Address: Any Address
    Remote service: Any Service
    Remote Address:
    ............IP: xxx.xxx.xxx.xxx
    ............IP: xxx.xxx.xxx.xxx

    ***Note: Some FTP sites and Email services will use Authentication/Ident when connecting to their service. Not allowing (blocking) this will usually slow down the connection to the service. Allow this service to those specific sites (addresses) that require it.

    ------------------------------------------------------

    Rule: Permit SNMP Trap
    Rule in use: YES
    Logging: NO
    Protocol: UDP
    Action: Permit
    Direction: Inbound
    Application: Any Application
    Local Service:
    ..........Port: 162
    Local Address: Any Address
    Remote service: Any Service
    Remote Address:
    ............IP: 192.168.1.1

    ***Note: If you log traffic from a router/gateway such as the Linksys you will require a rule for whatever service the router/gateway sends its information on (this example is for Snmptrap UDP port 162; some router/gateways may use Syslog UDP port 514). Restrict the remote address to that of the router/gateway (this example is the Linksys default).

    ------------------------------------------------------

    One final note if you decide to venture into your rule set: Pay close attention to your logs to make sure everything is working as expected. They will provide the information required to make any corrections.

    Stay tuned for the next installment...

    CrazyM
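The following is an added example, not part of CrazyM's post or of any firewall product: a small first-match rule engine that encodes the System Wide Rules above (ICMP types, the DNS rule restricted to the 1024-5000 temp range and to specific DNS servers, Bootp and loopback) so you can see which rule a given packet hits and why rule order matters. The addresses are constructed placeholders standing in for the post's xxx.xxx.xxx.xxx entries.

```python
from dataclasses import dataclass
from typing import Optional

ISP_DNS = {"203.0.113.53"}       # constructed stand-in for the ISP's DNS servers
PING_ALLOWED = {"198.51.100.7"}  # constructed stand-in for hosts allowed to ping us
EPHEMERAL = range(1024, 5001)    # the post's "temp range" 1024-5000

@dataclass
class Packet:
    proto: str                    # "icmp", "tcp" or "udp"
    direction: str                # "in" or "out"
    remote_ip: str
    local_ip: str = "192.0.2.10"  # constructed address of this host
    icmp_type: Optional[int] = None
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

# (name, direction, action, log, constraints): a constraint names a Packet field
# and the set/range it must fall in; fields not listed match anything.
RULES = [
    ("Permit Inbound ICMP - type 8", "in", "permit", False,
     {"proto": {"icmp"}, "icmp_type": {8}, "remote_ip": PING_ALLOWED}),
    ("Permit Inbound ICMP - type 0, 3, 11", "in", "permit", False,
     {"proto": {"icmp"}, "icmp_type": {0, 3, 11}}),
    ("Permit Outbound ICMP - type 0, 3, 8", "out", "permit", False,
     {"proto": {"icmp"}, "icmp_type": {0, 3, 8}}),
    ("Block All Other ICMP", "either", "block", True, {"proto": {"icmp"}}),
    ("Permit DNS Servers", "either", "permit", False, {"proto": {"udp"},
     "local_port": EPHEMERAL, "remote_port": {53}, "remote_ip": ISP_DNS}),
    ("Permit Inbound Bootp", "in", "permit", False,
     {"proto": {"udp"}, "local_port": {68}, "remote_port": {67}}),
    ("Permit Outbound Bootp", "out", "permit", False,
     {"proto": {"udp"}, "local_port": {68}, "remote_port": {67}}),
    ("Permit Inbound Loopback", "in", "permit", False,
     {"proto": {"tcp", "udp"}, "local_ip": {"127.0.0.1"}}),
    ("Permit Outbound Loopback", "out", "permit", False,
     {"proto": {"tcp", "udp"}, "remote_ip": {"127.0.0.1"}}),
]

def matches(rule, pkt: Packet) -> bool:
    _, direction, _, _, constraints = rule
    if direction not in ("either", pkt.direction):
        return False
    return all(getattr(pkt, f) in allowed for f, allowed in constraints.items())

def evaluate(pkt: Packet, rules=RULES):
    """First match wins: walk top to bottom and stop at the first matching rule.
    Returns (action, rule name, logged); 'no match' = fell through these rules."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[2], rule[0], rule[3]
    return "no match", None, False
```

A packet that falls through returns "no match" because, in a real rule set, the application rules and the default block that follow these System Wide Rules would decide it; moving "Block All Other ICMP" above the permit rules makes every ICMP packet hit the block, which is the ordering point the post makes.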