O'Reilly - How To Build A FreeBSD-STABLE Firewall With IPFILTER - From The O'Reilly Anthology.pdf

How to Build a FreeBSD-STABLE Firewall with IPFILTER
Applicable to: FreeBSD 4.6
Updated: Sep 3, 2002
Author: Marty Schlacter
Source URL: http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html
This howto walks you through the process of building one of the most stable and
secure firewalls available - a FreeBSD-STABLE firewall with IPFILTER. As a part of
the installation process, all services will be disabled except OpenSSH, which will
have its access controlled via TCP-Wrappers. The firewall will be configured to log
through the syslog facility, but will have its own firewall log files (rather than filling
up /var/log/messages). We'll add VESA support into the kernel so that we can use
132x43 screen resolutions, as well as compile support into the kernel for a second
ISA Ethernet card if you have one. After we add a warning banner to the system,
we'll make BASH the default shell for root, perform a rudimentary setup for root's
BASH environment, and redirect root's email to your "normal" account so that the
root account on the firewall itself doesn't fill up. Next, we'll download, compile,
install, and configure Tripwire, as well as install cvsup so that your ports collection
stays up to date. And, lastly, we'll modify the /etc/fstab entries so that some of
your partitions are mounted 'nosuid', 'noexec', or 'ro' so that your installation is as
secure as possible.
This is an all-encompassing how-to, and should take most of a complete day to
complete, but when you're finished, you'll not only have a great firewall, but will
be better able to compare and contrast FreeBSD/IPFILTER to Linux/IPTABLES or
OpenBSD/PF so that you can consider the pros/cons of each on their merits...and
that learning process is what all of this is about anyway. So, grab a cup of coffee,
sit down with that old Pentium, and get ready to broaden your horizons.
Before we start, I'd like to thank Dan O'Connor for the work he put in on his great
site, FreeBSD Cheat Sheets, since it was his site that gave me the motivation to
start this howto. You will undoubtedly see some of his tips and tricks sprinkled
throughout this document. For those of you that are new to FreeBSD, I highly
recommend his site. It is a little out of date, due to changing priorities in his
life, but the info on it is still very applicable to any version of FreeBSD 4.X.
In addition, there have been several other people on the Internet who have given
me great suggestions and feedback on this HOWTO. The majority (if not all) of
their comments have been incorporated into this document in some form or
another. There are too many to list here by name, but (rest assured) the Open
Source community has helped to make this the best document it can be.
And, as always, before performing this procedure, I highly recommend that you
review the Installing FreeBSD chapter of the FreeBSD Handbook.
Network Schematic & System Configuration
The intent of this document is to show you how to build a firewall for your home
network. Just to make sure that we're "working off the same sheet of music",
here's a quick ASCII-schematic of what our notional home network will look like,
including the device names for the Ethernet interfaces. In addition, I'm including
a quick synopsis of the configuration of my own hardware so that you can use it
as a reference point throughout this procedure.
Notional Network Schematic
--------------------------

        ISP / Internet
         (UNTRUSTED)
              |
              |
          ---------
          | Cable |
          | Modem |
          ---------
              |
              |
      ed0     |
       ---------------
       | xx.xx.xx.xx |
       |             |
       |   FreeBSD   |
       |  Firewall   |
       |             |
       | 192.168.1.1 |
       ---------------
      ed1     |
              |
              |
         -----------
         | 10BaseT |
         |   Hub   |
         -----------
          | | | | |
          | | | | |
       Internal Network
          (TRUSTED)

Machine Configuration
---------------------
- 200MHz Pentium-MMX (overclocked)
- 96MB EDO RAM
- 4GB UDMA/33 hard drive
- 2-button serial mouse
- S3 Virge/DX (4MB)
- NE2000-compatible ISA Ethernet
- no CD-ROM drive
Installing FreeBSD
To build the most stable and security-patched system you can, you'll want to
make sure you're running the latest version of FreeBSD-STABLE. For those of you
new to FreeBSD, the STABLE branch is the version of the operating system that
has all of the latest patches, bugfixes, and enhancements after the previous
release was made. In fact, there's actually two different versions of the STABLE
branch...one that has all of the patches, bugfixes, and enhancements, and a
second that only has the bugfixes and patches (no enhancements). The second
version is usually more stable than the first, but not always so. For a production
firewall, you'll probably want to install the 2nd version of STABLE (without the
enhancements), but it's ultimately your call.
If you've installed FreeBSD-4.6 from CD-ROM (either one that you purchased or
'burned' from a downloaded ISO image), you probably installed 4.6-RELEASE,
which is (simplistically) nothing more than a version of the 4.X branch that was
exhaustively tested, burned to CD-ROM and made available for sale. After the
release date of 4.6-RELEASE, the 4.6 tree continued to evolve and be patched
(for security reasons). Since there's no way the folks at FreeBSD.org can burn
and sell CD-ROMs for each day's version of the 4.6 tree, 4.6-RELEASE is the
only one made available for sale on CD, and subsequent snapshots of the 4.6
tree are only available on-line and are labelled '4.6-STABLE'. Once 4.6-STABLE is
sufficiently enhanced/patched (perhaps 4-6 months later), the code enters a
freeze and officially becomes the 'RELEASE' version of the next FreeBSD
release (say, 4.7-RELEASE...or 5.0-RELEASE). If you're installing FreeBSD 4.6 well
after the release date, you will definitely want to install 4.6-RELEASE, and then
immediately update your kernel and binaries to 4.6-STABLE.
So, what are the benefits of upgrading to 4.6-STABLE rather than staying with
4.6-RELEASE? Well, the biggest answer (if you're building a firewall, like we are
here) is that all of the security patches have been applied to the O/S and the
associated applications. To use a prior baseline of FreeBSD (4.2) as an example,
FreeBSD-4.2-RELEASE (which was released in November 2000) uses
OpenSSH-2.2.0, which is a great product but also has a remote buffer overflow
(the SSH1 CRC-32 compensation attack detector overflow, CVE-2001-0144) that
wasn't disclosed until early February 2001. If an attacker exploited this
vulnerability on your 4.2-RELEASE box, they would gain remote root access and
ruin your day. The relevant info on this vulnerability can be found on
SecurityFocus' website. If you had upgraded to FreeBSD-4.2-STABLE instead (if
you were following this HOWTO in mid-March of 2001), you would have gotten
FreeBSD-4.2-RELEASE with all of the patches applied after the November 2000
release...so your system would have OpenSSH-2.3.0 (not OpenSSH-2.2.0), which
is not vulnerable to the remote buffer overflow. So upgrading to the latest
snapshot from the STABLE branch saves you a lot of time associated with loading
individual security-related patches after your OS load is finished. For a complete
listing of security-related patches, see the FreeBSD Security Information page.
OK, now that we've talked about the benefits of FreeBSD-STABLE, let's get to
work...the installation...
1. Inventory your computer hardware and ensure that it is compatible with
FreeBSD. The latest compatibility list (for the 4.6 baseline) can be found in
the FreeBSD 4.6 Hardware Notes.
2. Verify that you have at least 1.1G available on your hard drive. After the
initial install of FreeBSD (the first section of this document), you will have
taken up about 350M. After downloading the latest kernel sources, and
updating your ports tree, you will have taken up about 650M (depending on
the number of ports sections you wish to keep up to date). And, finally, after
you finish installing & compiling tripwire and recompiling the kernel, you will
have taken up about 1.1G. Which directories are the biggest disk space
hogs? /usr/obj (& sub-directories) takes up about 377MB. /usr/src (&
sub-directories) takes up about 350MB. /usr/ports (& sub-directories) takes
up about 160MB. All other directories take up less than 90MB apiece.
3. Download the boot floppy images:
   A. FTP to ftp://ftp.freebsd.org/
   B. Change directory into /pub/FreeBSD/releases/i386/4.6-RELEASE/floppies
   C. Download the kern.flp and mfsroot.flp images & store them in your
      /tmp directory (on Linux or FreeBSD) or c:\windows\temp directory
      (for Windows), depending on what system you're downloading from.
4. Download the floppy creation tools if you're a DOS/Windows user.
   A. FTP to ftp://ftp.freebsd.org/
   B. Change directory into /pub/FreeBSD/tools
   C. Download the program, fdimage.exe, and store it in the same directory
      that you used, above.
5. Create Boot Floppies
   A. If you're using Linux or FreeBSD, use the dd command as follows, and
      create one floppy from the kern.flp image, and another disk from the
      mfsroot.flp image.

      [root@yoursys /tmp]# dd if=/tmp/kern.flp of=/dev/fd0
      2880+1 records in
      2880+0 records out
      1474560 bytes transferred in 49.931306 secs (30135 bytes/sec)

   B. If you're using DOS/Windows, use the fdimage program that you
      downloaded. Just like with Linux, make one floppy from the kern.flp
      image, and another one from the mfsroot.flp image.

      C:\WINDOWS\TEMP>fdimage kern.flp A:
      C:\WINDOWS\TEMP>fdimage mfsroot.flp A:
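As an added example (not part of the original HOWTO), here is a small POSIX shell script that checks the two images against a CHECKSUM.MD5 file before anything goes to the floppy. It assumes you fetched CHECKSUM.MD5 from the same release directory as the images, that the file uses the BSD md5(1) line format `MD5 (kern.flp) = <hex>`, and that either GNU md5sum or BSD md5 is installed; the sample images and checksum file it builds for its demo are constructed stand-ins, not real release files.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: check kern.flp and
# mfsroot.flp against CHECKSUM.MD5 before writing them with dd.
# Assumptions: CHECKSUM.MD5 came from the same directory as the images and
# uses the BSD md5(1) line format  "MD5 (kern.flp) = <32 hex digits>";
# either GNU md5sum or BSD md5 is on the PATH.

# Print the MD5 of file $1 as lowercase hex with whichever tool exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Print the digest listed for basename $2 in checksum file $1
# (prints nothing if the file is not listed).
expected_md5() {
    awk -v f="$2" '$1 == "MD5" && $2 == ("(" f ")") { print tolower($4); exit }' "$1"
}

# Return 0 if image $2 matches its entry in checksum file $1, 1 otherwise.
verify_image() {
    name=$(basename "$2")
    want=$(expected_md5 "$1" "$name")
    if [ -z "$want" ]; then
        echo "$name: not listed in $1" >&2
        return 1
    fi
    have=$(md5_of "$2")
    if [ "$have" != "$want" ]; then
        echo "$name: MISMATCH (have $have, want $want)" >&2
        return 1
    fi
    echo "$name: OK"
}

# Write image $2 to floppy device $3 (default /dev/fd0) only if it verifies.
# This is the dd from step 5, gated on the check.
write_floppy() {
    verify_image "$1" "$2" || return 1
    dd if="$2" of="${3:-/dev/fd0}"
}

# Demo on constructed files (no floppy is written): build two fake images
# and a matching CHECKSUM.MD5, then corrupt one image and watch it fail.
tmpdir=$(mktemp -d)
printf 'constructed kern.flp stand-in\n'    > "$tmpdir/kern.flp"
printf 'constructed mfsroot.flp stand-in\n' > "$tmpdir/mfsroot.flp"
{
    echo "MD5 (kern.flp) = $(md5_of "$tmpdir/kern.flp")"
    echo "MD5 (mfsroot.flp) = $(md5_of "$tmpdir/mfsroot.flp")"
} > "$tmpdir/CHECKSUM.MD5"
verify_image "$tmpdir/CHECKSUM.MD5" "$tmpdir/kern.flp"
verify_image "$tmpdir/CHECKSUM.MD5" "$tmpdir/mfsroot.flp"
printf 'one bad sector\n' >> "$tmpdir/kern.flp"   # simulate a corrupted download
verify_image "$tmpdir/CHECKSUM.MD5" "$tmpdir/kern.flp" || echo "(refusing to write kern.flp)"
rm -rf "$tmpdir"
```

Because the checksum file comes from the same server as the images, a match tells you the download was not truncated or corrupted in transit; it does not protect you against a compromised mirror. On a real download, run `write_floppy CHECKSUM.MD5 kern.flp` (and again for mfsroot.flp) instead of the bare dd.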
6. On the FreeBSD machine, insert the kernel floppy (kern.flp) in your floppy
drive and boot from it. When prompted, insert the 'MFS root' floppy
(mfsroot.flp).
7. Run the kernel configuration utility in full-screen visual mode to clear any
conflicts and ensure the kernel matches your hardware. For example,
remove SCSI controllers if you don't have any, etc. On my system (where I
don't have any SCSI controllers or a PS/2 mouse), here are the only active
drivers I left enabled (I deleted the rest):

   Driver                                             Device  IRQ  Port
   Storage:
     ATA/ATAPI compatible disk controller             ata0    14   0x1f0
     ATA/ATAPI compatible disk controller             ata1    15   0x170
     Floppy disk controller                           fdc0     6   0x3f0
   Networks:
     NE1000,NE2000,3C503,WD/SMC80xx Ethernet adapters ed0     10   0x280
   Communications:
     Parallel Port chipset                            ppc0     7
     8250/16450/16550 Serial port                     sio0     4   0x3f8
     8250/16450/16550 Serial port                     sio1     3   0x2f8
   Input:
     Keyboard                                         atkbd0   1
     Syscons console driver                           sc0
   Multimedia:
     (none)
   Miscellaneous:
     Math coprocessor                                 npx0    13   0xf0

Note: If you have PCI-based Ethernet cards, you can delete all of the
network cards in the list - yours will be found and configured automatically.
If you're on the other end of the scale (like me) and you have two old
NE2000-compliant ISA network cards, you'll only be able to configure one of
them at this time (ed0). After your installation is complete, you'll have to
build a custom kernel & add in a "placeholder" for the 2nd generic ISA card,
and then run through the kernel configuration utility again after you reboot.
We'll do this at the end of this document.
Hit 'Q' then 'Y' to save your changes and exit.
8. From the main menu, choose a 'Standard' installation.
9. In the FDISK Partition Editor, first 'D' delete any disk slices that already
exist, then choose 'A' to use the entire disk. This will let FreeBSD take the
entire disk and eliminate the need for a boot manager. Press 'Q' to continue.
10. Now you will be presented with the Install Boot Manager for drive...
screen. Select 'Standard' to install a standard MBR (no boot manager).
After all, you won't be dual-booting this machine...it's your firewall.
Therefore, you won't need a boot manager.
11. In the Disklabel Editor, create the following partitions, then choose 'Q' to
continue. Note that I'm using a 4GB hard drive. You can decrease the sizes
of the partitions if you don't have a 4GB hard drive for your system. The
/usr/local and /usr/home partitions can go as low as 64MB since this won't
be a common-user system and there won't be a lot of user-specific files or
binaries...but the /usr partition should never go below 650MB since that's
where all of your kernel source code and ports tree is located. Here's a
partition scheme if you have a 4GB drive:

   256MB    swap partition (or at least 2x your RAM)
   128MB    file system mounted as /
   512MB    file system mounted as /tmp
   512MB    file system mounted as /var
   1,500MB  file system mounted as /usr
   640MB    file system mounted as /usr/local
   500MB    file system mounted as /usr/home (...the remainder of the hard drive)
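The separate /tmp, /var and /usr/home partitions above only pay off once they are mounted with restrictive options, which is what the introduction promises for the end of this HOWTO. As an added example (not the HOWTO's own fstab, which comes later in the document), here is a POSIX shell audit of an fstab against such a policy. The policy in POLICY (/tmp and /usr/home nosuid,noexec; /var nosuid) and the device names in the two constructed sample fstabs are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: audit an fstab for the
# restrictive mount options that the separate /tmp, /var and /usr/home
# partitions make possible.
#
# POLICY is an assumption for illustration ("mountpoint:required,options");
# extend it (for example with "/usr:ro") to match the policy you settle on.
POLICY="/tmp:nosuid,noexec /var:nosuid /usr/home:nosuid,noexec"

# Return 0 if the comma-separated mount option list $1 contains option $2.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Audit fstab file $1 against POLICY. Prints one line per problem
# ("<mountpoint>: missing <option>" or "<mountpoint>: not a separate file
# system") and returns 1 if anything was reported, 0 if clean.
audit_fstab() {
    fstab=$1
    rc=0
    for entry in $POLICY; do
        mnt=${entry%%:*}
        required=${entry#*:}
        # fstab fields: device mountpoint fstype options dump pass
        opts=$(awk -v m="$mnt" '!/^#/ && $2 == m { print $4; exit }' "$fstab")
        if [ -z "$opts" ]; then
            echo "$mnt: not a separate file system in $fstab"
            rc=1
            continue
        fi
        for o in $(printf '%s' "$required" | tr ',' ' '); do
            if ! has_opt "$opts" "$o"; then
                echo "$mnt: missing $o (has: $opts)"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample fstab for the 4GB layout above (device names are
# illustrative, not taken from the page): what sysinstall leaves you with,
# everything mounted rw and nothing else.
sample_fstab_default() {
    cat <<'EOF'
# Device        Mountpoint  FStype  Options            Dump  Pass#
/dev/ad0s1b     none        swap    sw                 0     0
/dev/ad0s1a     /           ufs     rw                 1     1
/dev/ad0s1e     /tmp        ufs     rw                 2     2
/dev/ad0s1f     /var        ufs     rw                 2     2
/dev/ad0s1g     /usr        ufs     rw                 2     2
/dev/ad0s1h     /usr/local  ufs     rw                 2     2
/dev/ad0s1d     /usr/home   ufs     rw                 2     2
EOF
}

# The same layout with the POLICY options applied.
sample_fstab_hardened() {
    cat <<'EOF'
# Device        Mountpoint  FStype  Options            Dump  Pass#
/dev/ad0s1b     none        swap    sw                 0     0
/dev/ad0s1a     /           ufs     rw                 1     1
/dev/ad0s1e     /tmp        ufs     rw,nosuid,noexec   2     2
/dev/ad0s1f     /var        ufs     rw,nosuid          2     2
/dev/ad0s1g     /usr        ufs     rw                 2     2
/dev/ad0s1h     /usr/local  ufs     rw                 2     2
/dev/ad0s1d     /usr/home   ufs     rw,nosuid,noexec   2     2
EOF
}

# Demo on the constructed samples (the real /etc/fstab is not touched).
tmpdir=$(mktemp -d)
sample_fstab_default  > "$tmpdir/fstab.default"
sample_fstab_hardened > "$tmpdir/fstab.hardened"
echo "== sysinstall default =="
audit_fstab "$tmpdir/fstab.default" || echo "(problems found)"
echo "== hardened =="
audit_fstab "$tmpdir/fstab.hardened" && echo "(clean)"
rm -rf "$tmpdir"
```

Run `audit_fstab /etc/fstab` on the finished firewall; a non-zero exit with "missing" lines is the signal to go back and add the options. One caveat before you apply noexec to /tmp: configure scripts that compile and run a test program in TMPDIR will fail on a noexec file system, so point TMPDIR at a writable, executable directory while building ports such as Tripwire.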
Here's a partition scheme if you only have one of those old 1.1 GB drives.
People have reported success when using this partitioning scheme on a drive
this small. But, as always, 'caveat emptor'. You'll probably run out of space if
you're not careful. One recommendation is to not install the ports collection
at all. That'll save about 160MB in the /usr partition. Another
recommendation is to only re-compile the kernel and not all of the system
binaries (i.e. only run the "build kernel" command when you get to the
appropriate section at the end of this howto). Apply security-related patches
 