Posted on January 13th, 2009 At 6:35 am by baldo
IPFW is the packet filter authored and maintained by the FreeBSD project itself; it ships as part of the base system.
Firewall designs
- Exclusive: deny everything that is not specifically allowed. This is the most secure design, because anything you forgot to think about is blocked by default.
- Inclusive: allow everything that is not specifically denied.
Note: I only describe an exclusive (default-deny) design here. Be aware that the FreeBSD Handbook uses the opposite terminology: it calls a firewall that only passes explicitly matched traffic "inclusive" and one that passes everything except matched traffic "exclusive".
IPFW rules
Note: the rule set shown in this post is only an example. Among other things, a real deployment needs anti-spoofing rules (dropping packets that arrive on the outside interface with an inside or loopback source address) placed before the allow rules.
To hold the firewall rules, create a text file so that the rule set is loaded again when the system restarts. My rules are stored in the file /etc/my.ipfw.conf.
Rules syntax
Basically each rule in the file has the following syntax (one rule per line, written without the leading "ipfw" because the whole file is handed to ipfw):
CMD [RULE_NUMBER] ACTION PROTOCOL from SOURCE [PORT] to DESTINATION [PORT] [OPTIONS]
CMD = add
ACTION = allow | accept | pass | permit (all synonyms) | deny | drop (synonyms)
PROTOCOL = all | ip | udp | tcp | icmp …
SOURCE = any | me | hostname | IP address | network/prefix
DESTINATION = any | me | hostname | IP address | network/prefix
Note 1: a RULE_NUMBER and a PORT_NUMBER are not mandatory. Without a number, ipfw numbers the rule automatically (the highest existing number plus the sysctl net.inet.ip.fw.autoinc_step, 100 by default); without a port, the rule matches every port.
add allow tcp from any to 192.168.3.10 80
add allow all from trusted.host.org to any
add 8000 deny all from any to any
Note 2: Rules are evaluated in ascending rule-number order, and the first matching rule with a terminating action (allow, deny) decides what happens to the packet; later rules are never consulted for it. Keep this in mind when building your own rule set: an allow placed after a broader deny never fires. Also note that a host name such as trusted.host.org is resolved once, when the rule is loaded, not per packet.
Enabling the IPFW
Configure the file /etc/rc.conf by adding the following lines (rc.conf is parsed by sh, so use straight double quotes and no spaces around the = sign):
firewall_enable="YES"
firewall_type="/etc/my.ipfw.conf"
Finally reboot your system, or start the firewall right away with /etc/rc.d/ipfw start (the rc script loads the ipfw kernel module if the kernel was not built with IPFIREWALL). Do this from the console, not over SSH: with a default-deny rule set, the moment the rules load every session that is not explicitly allowed is cut off.
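The following is an added example, not code from the original post: a complete default-deny rule set of the kind described above, written as a firewall_script (a shell script that issues the ipfw commands itself) instead of a firewall_type rule file, because a script can carry variables and comments. The rc.conf lines that select it, the interface name em0, the inside network 192.168.3.0/24 and the admin host 192.168.3.5 are assumptions; the web server 192.168.3.10 is the post's. Without the "fw" prefix the same lines are valid content for /etc/my.ipfw.conf.

```sh
#!/bin/sh
# Added example, not part of the original post: a default-deny ("exclusive")
# IPFW rule set as a firewall_script. Select it in /etc/rc.conf with
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules.sh"   # assumed path
# Assumed values: outside interface em0, inside network 192.168.3.0/24, the
# web server 192.168.3.10 from the post and an admin host 192.168.3.5 that is
# the only source allowed to reach SSH.

ext_if="${EXT_IF:-em0}"
lan_net="192.168.3.0/24"
web_host="192.168.3.10"
admin_host="192.168.3.5"

# fw wraps ipfw so the rule set can be reviewed on a machine without ipfw
# (or with DRY_RUN set): then the commands are printed instead of executed.
fw() {
    if [ -n "${DRY_RUN:-}" ] || ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw -q $*"
    else
        ipfw -q "$@"
    fi
}

load_rules() {
    # -q makes flush skip its confirmation prompt.
    fw flush

    # 100-300: loopback traffic is always fine, but nobody on the wire may
    # use a loopback address (one of the classic spoofing checks).
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any

    # 400: a packet arriving on the outside interface with an inside source
    # address is spoofed. This must come before any allow rule below.
    fw add 400 deny ip from $lan_net to any in via $ext_if

    # 500: packets belonging to a connection already accepted by a keep-state
    # rule match here and are allowed without reading further.
    fw add 500 check-state

    # 600-700: the only inbound services. "setup" matches the SYN that opens
    # a TCP connection; keep-state then admits the rest of that connection.
    fw add 600 allow tcp from $admin_host to me 22 in via $ext_if setup keep-state
    fw add 700 allow tcp from any to $web_host 80 setup keep-state

    # 800-1000: outbound connections from this host, DNS lookups, and the
    # ICMP types needed for path MTU discovery and ping.
    fw add 800 allow tcp from me to any out setup keep-state
    fw add 900 allow udp from me to any 53 out keep-state
    fw add 1000 allow icmp from any to any icmptypes 0,3,8,11

    # 65000: everything that reached this point is dropped and logged
    # (logging needs net.inet.ip.fw.verbose=1). Rule 65535 is the built-in
    # default; an explicit deny keeps the policy readable even on a kernel
    # built with IPFIREWALL_DEFAULT_TO_ACCEPT.
    fw add 65000 deny log ip from any to any
}

load_rules
```

Running the script on a box without ipfw (or with DRY_RUN=1) prints the commands in the order they would be installed, which is the cheapest way to review the ordering pitfall from Note 2 before loading the rules on the console.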
For more configuration options refer to the IPFW man page or visit the online FreeBSD handbook.
Posted on November 14th, 2008 At 11:51 pm by baldo
This is a basic configuration for a Secure Shell server under Linux. I assume you have already installed the SSH server; if not, refer to the documentation of your favourite Linux distribution, it is quite easy to install.
I will be using FreeBSD as a client and Linux as SSH Server.
SSH public/private key
A public/private key pair is an effective way to secure access to a server. The public key is placed on the server, whereas the private key stays on the local computer. To log in, a client must prove that it holds the private key (the server sends a challenge that only the private key can sign) instead of presenting a reusable password; the private key itself never travels over the network.
Generating the public/private RSA key pair on the local computer (client). Choose a passphrase: an unencrypted key file is usable by anyone who manages to copy it.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/baldo/.ssh/id_rsa):
Created directory '/home/baldo/.ssh'.
Enter passphrase (empty for no passphrase):
Enter the same passphrase again:
Your identification has been saved in /home/baldo/.ssh/id_rsa.
Your public key has been saved in /home/baldo/.ssh/id_rsa.pub.
The key fingerprint is:
c0:a7:25:c0:4a:aa:32:58:88:16:f9:56:97:f2:05:1f baldo@baldiyo.com
Once the RSA key pair is generated, copy id_rsa.pub (the public key, never id_rsa) to the server.
Note: since the OpenSSH in the FreeBSD base system does not ship ssh-copy-id, copy id_rsa.pub to the server and install it manually (the .ssh directory must already exist on the server for this scp to succeed).
$ scp ~/.ssh/id_rsa.pub baldo@192.168.1.68:/home/baldo/.ssh/id_rsa.pub.tmp
baldo@192.168.1.68's password:
id_rsa.pub 100% 399 0.4KB/s 00:00
I have already created a user called baldo on the server.
$ ssh baldo@192.168.1.68
baldo@192.168.1.68's password:
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
You have mail.
Last login: Tue Nov 11 02:45:51 2008 from 192.168.1.12
baldo@baldiyo:~$ cat .ssh/id_rsa.pub.tmp >> .ssh/authorized_keys
baldo@baldiyo:~$ rm .ssh/id_rsa.pub.tmp
The key must end up in ~/.ssh/authorized_keys, and neither that file nor ~/.ssh may be group- or world-writable, otherwise the StrictModes yes setting used below makes sshd silently ignore it.
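The manual copy above can be done in one step. The following is an added example, not code from the original post: it does what ssh-copy-id does for clients that lack it, with the permission handling StrictModes expects and a check that the file really is a public key. install_authorized_key works on a home directory the caller can write to (the server-side half); copy_key_remote is the usual one-liner that ships the key over an existing password login. The user, host and port (baldo@192.168.1.68, 7000) are the post's values.

```sh
#!/bin/sh
# Added example, not part of the original post: ssh-copy-id by hand.

# install_authorized_key PUBKEY_FILE HOME_DIR
# Returns 0 if the key was added, 1 if it was already present, 2 if the file
# is not an OpenSSH public key (a common mistake is copying id_rsa instead of
# id_rsa.pub, which would publish the private key).
install_authorized_key() {
    keyfile="$1"
    sshdir="$2/.ssh"
    authkeys="$sshdir/authorized_keys"

    case "$(awk 'NR==1 { print $1 }' "$keyfile")" in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-*) ;;
        *) echo "$keyfile is not an OpenSSH public key" >&2; return 2 ;;
    esac

    # sshd's StrictModes (on by default and in the post's sshd_config) ignores
    # the key file if ~/.ssh or authorized_keys is group/world writable, so
    # set the modes explicitly instead of trusting the umask.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys"

    # A key is identified by its type and base64 blob (fields 1 and 2); the
    # comment in field 3 may differ between copies, so compare only those.
    keyid=$(awk 'NR==1 { print $1, $2 }' "$keyfile")
    if awk '{ print $1, $2 }' "$authkeys" | grep -Fxq -- "$keyid"; then
        return 1
    fi
    cat "$keyfile" >> "$authkeys"
    return 0
}

# copy_key_remote PUBKEY_FILE USER@HOST [PORT]
# The key travels on the remote shell's stdin, so no temporary file is left
# on the server and no second command is needed to remove it. This needs
# password authentication still enabled on the server, i.e. run it before
# setting PasswordAuthentication no.
copy_key_remote() {
    keyfile="$1"
    target="$2"
    port="${3:-22}"
    ssh -p "$port" "$target" \
        'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$keyfile"
}

# Example: copy_key_remote ~/.ssh/id_rsa.pub baldo@192.168.1.68 7000
```

Re-running install_authorized_key with the same key is a no-op (it returns 1), so it is safe to use from a provisioning script; the umask 077 in copy_key_remote gives a freshly created .ssh directory and authorized_keys the same modes the function sets explicitly.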
Configuring the ssh server
I strongly recommend not using the default configuration. As root, edit the file /etc/ssh/sshd_config.
This is my configuration. The changes that matter are: a non-default port (7000, which clients must select with -p), SSH protocol 2 only, root login disabled, password and challenge-response authentication disabled so that only public keys are accepted, X11 forwarding off, and AllowUsers restricting logins to a single account.
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 7000
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM no
UseDNS no
AllowUsers baldo
Finally, check the file for syntax errors (sshd -t reports them without restarting anything), restart the SSH server, and test the new configuration from a second terminal while the current session stays open: if the restart fails or the new settings lock you out, you still have a working session in which to fix it.
# /etc/init.d/ssh restart
Restarting OpenBSD Secure Shell server: sshd.
$ ssh -p 7000 baldo@192.168.1.68
Enter passphrase for key '/home/baldo/.ssh/id_rsa':
Last login: Wed Nov 12 01:41:45 from 192.168.1.12
baldo@baldiyo.com:~$
Posted on November 12th, 2008 At 3:46 pm by baldo
Prerequisites
Before booting the FreeBSD virtual machine, make sure the adapter type is set to PCnet-PCI II (Am79C970A). There is a bug with PCnet-FAST III (Am79C973), which is reported here: bug.
Once FreeBSD is up and you are logged in, as root type:
# ifconfig
le0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 08:00:27:a6:8a:b4
        media: Ethernet autoselect
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
Unlike Linux, which names every interface eth0, eth1 and so on, FreeBSD names each interface after the driver that attaches it. Here "le0" is the AMD PCnet card driven by le(4); the flags show it is present but not yet UP, and it has no inet address.
Configuring network settings
# ifconfig le0 192.168.1.12 netmask 255.255.255.0 up
# route add default 192.168.1.254
add net default: gateway 192.168.1.254
(the last line is the output of the route command, not another command to type)
If you want changes to be permanent edit the /etc/rc.conf file.
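The rc.conf lines that make the two commands above survive a reboot, as an added example that is not part of the original post. The interface name, address, netmask and gateway are the post's values; the CIDR spelling and the rc.d commands for applying the change without a reboot are additions.

```sh
# Added example: persistent network settings for /etc/rc.conf.
# rc.conf is sourced by sh(1), so the syntax is plain variable assignments
# with no spaces around "=". The values are the ones used in the post.
ifconfig_le0="inet 192.168.1.12 netmask 255.255.255.0"
defaultrouter="192.168.1.254"

# Equivalent spelling using a prefix length instead of a netmask:
# ifconfig_le0="inet 192.168.1.12/24"

# Apply the new settings without rebooting:
#   /etc/rc.d/netif restart && /etc/rc.d/routing restart
```

The first line is what /etc/rc.d/netif runs through ifconfig for le0 at boot; defaultrouter is what /etc/rc.d/routing turns into the "route add default" command.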
Finally, configure DNS by editing /etc/resolv.conf and test the network settings with a simple ping.
# vi /etc/resolv.conf
search gateway.2wire.net
nameserver 192.168.1.254
# ping google.com
PING google.com (64.233.187.99): 56 data bytes
64 bytes from 64.233.187.99: icmp_seq=0 ttl=245 time=129.131 ms
64 bytes from 64.233.187.99: icmp_seq=1 ttl=245 time=130.949 ms
64 bytes from 64.233.187.99: icmp_seq=2 ttl=245 time=130.437 ms
64 bytes from 64.233.187.99: icmp_seq=3 ttl=245 time=131.801 ms
64 bytes from 64.233.187.99: icmp_seq=4 ttl=245 time=130.174 ms
64 bytes from 64.233.187.99: icmp_seq=5 ttl=245 time=118.693 ms
64 bytes from 64.233.187.99: icmp_seq=6 ttl=245 time=123.617 ms
64 bytes from 64.233.187.99: icmp_seq=7 ttl=245 time=127.784 ms

--- google.com ping statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 118.693/127.823/131.801/4.194 ms
It's done, congratulations!
Category: FreeBSD
Posted on October 28th, 2008 At 3:34 am by baldo

What is FreeBSD?
FreeBSD (the name combines "free" with BSD, the Berkeley Software Distribution) is a freely available, open-source operating system descended from the Berkeley version of UNIX. That puts it in the same family of operating systems as AIX, HP-UX, Solaris and Digital UNIX. In many ways it is similar to Linux, but there are some important differences.
Some of the companies and projects using FreeBSD include Microsoft, Yahoo!, Sony and the Apache project. FreeBSD is used to run email services, DNS and routing services, busy web servers, database servers, file servers, print servers and much more.
FreeBSD VS Linux
For most administration tasks FreeBSD and Linux are quite similar. There are some differences:
- With Linux you have to deal with more than 30 distributions, each of which does things slightly differently. For example, I have been using a very boring distribution called Debian for a long time and I know how to do almost everything with Debian; this can cause problems if I need to migrate to a different distribution.
- FreeBSD is a complete operating system: the kernel, the userland utilities and the documentation are developed together in one source tree, rather than assembled from separately maintained projects.
- FreeBSD has a reputation for stability that makes it well suited to production servers.
- Although less software is packaged for FreeBSD than for Linux, it can run most Linux binaries through its Linux binary compatibility layer.
FreeBSD and Mac
Apple's Mac OS X contains a fully functional BSD UNIX environment whose userland is largely derived from FreeBSD. It will compile and run most BSD software without modification, and it includes the majority of the BSD system utilities.
There are other BSD operating systems: NetBSD, which focuses on portability across a very wide range of hardware platforms, and OpenBSD, which focuses on security; by far the most popular, though, is FreeBSD.
If you want to learn programming, or if you need to learn UNIX, FreeBSD is a great platform to do it on.
Category: FreeBSD