[FUG-BR] firewall com PF
Cleyton Bertolim
cbertolim em gmail.com
Segunda Junho 4 08:21:11 BRT 2007
Pessoal, sempre utilizei o IPFilter no FreeBSD pra montar meus
firewalls, mas agora estou comecando a estudar o PF, pois me parece
ser muito bom. Sempre que montava um firewall em ipfilter, eu rodava o
nessus pra verificar a seguranca, e sempre estava muito bem
configurado, e o nessus na maioria das vezes nao encontrava nenhum
problema de seguranca, e muitas vezes, o nessus ate pensava que o IP
nao existia ou coisa parecida, pois ele dava uma mensagem que nao era
possivel encontrar o host. Pois bem, agora com o PF, nao estou
acertando nas configuracoes de firewall, pois o nessus sempre encontra
furos. Ja li varias vezes o documento oficial do PF no site do
OpenBSD, ja olhei todos os arquivos dentro de /usr/share/examples/pf/
no FreeBSD, e tambem varias dicas na internet, mas ate agora nada
resolveu meu problema.
No firewall de teste que estou montando aqui, tenho rodando pra rede
Externa apenas o SSH, que no meu caso roda na porta 50.000, e pra rede
interna o Apache (porta 80) por causa dos relatorios do Sarg e o Squid
na porta 3128. E dentro dos arquivos squid.conf e httpd.conf, esta
configurado pra rodar no ip da rede local. exemplo:
192.168.0.1:3128(squid) 192.168.0.1:80(apache). quando executo o
comando sockstat ele mostra que esta rodando apenas na interface da
rede local mesmo. Mas pelo nessus, ele diz que a porta 80 esta livre e
com furos.
Tenho redes separadas aqui na empresa onde trabalho, e varios links de
internet separados tambem, entao quando utilizo o nessus pra fazer
esses testes, tenho certesa de que nao estou testando pela rede
interna LAN.
As configuracoes deste firewall sao exatamente iguais as dos firewall
que montava usando IPFilter, a unica coisa que esta diferente agora e
que uso o PF.
Abaixo colocarei algumas informacoes dos arquivos de configuracao que
tenho neste novo firewall, e tambem o relatorio que o nessus me da
quando rodo o teste.
Se alguem puder me apontar onde estou errando, ou como melhorar a
seguranca deste firewall, agradeco desde ja a ajuda!!!
------------------ RELATORIO NESSUS --------------------------
201.24.73.106 1 Open Ports, 11 Notes, 2 Warnings, 1 Holes.
http (80/tcp)
The proxy, allows everyone to perform requests
against arbitrary ports, like
'GET http://cvs.nessus.org:110'.
This problem may allow attackers to go through your
firewall, by connecting to sensitive ports like 25 (sendmail)
using your proxy. In addition to that, your proxy may be used
to perform attacks against other networks.
Solution reconfigure your proxy so that it only accepts
connections against non-dangerous ports (> 1024).
Risk Factor : High
Plugin ID : 10193
Synopsis :
The remote web proxy server accepts requests.
Description :
The remote web proxy accepts unauthenticated HTTP requests from the
Nessus scanner. By routing requests through the affected proxy, a
user may be able to gain some degree of anonymity while browsing web
sites, which will see requests as originating from the remote host
itself rather than the user's host.
Solution
Reconfigure the remote proxy so that it only accepts requests coming
from inside your network.
Risk Factor :
Low / CVSS Base Score : 2.3
(AV:R/AC:L/Au:NR/C:N/I:P/A:N/B:N)
Plugin ID : 10195
The proxy accepts gopher:// requests.
Gopher is an old network protocol which predates HTTP and
is nearly unused today. As a result, gopher-compatible
software is generally less audited and more likely to contain
security bugs than others.
By making gopher requests, an attacker may evade your firewall
settings, by making connections to port 70, or may even exploit
arcane flaws in this protocol to gain more privileges on this
host (see the attached CVE id for such an example).
Solution: reconfigure your proxy so that it refuses gopher requests.
Risk Factor : Medium
CVE : CVE-2002-0371
BID : 4930
Other references : OSVDB:3004
Plugin ID : 11305
Port is open
Plugin ID : 11219
A web server is running on this port
Plugin ID : 10330
An HTTP proxy is running on this port
Plugin ID : 10330
The GET method revealed those proxies on the way to this web server :
HTTP/1.0 hercules-mmc.redesuperauto.com.br:3128 (squid/2.6.STABLE10)
Plugin ID : 11040
Synopsis :
A web server is running on the remote host.
Description :
This plugin attempts to determine the type and the version of
the remote web server.
Risk Factor :
None
Plugin output :
The remote web server type is :
squid/2.6.STABLE10
Plugin ID : 10107
Synopsis :
Some information about the remote HTTP configuration can be
extracted.
Description :
This test gives some information about the remote HTTP protocol - the version
used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem
Solution:
None.
Risk Factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Plugin output :
Protocol version : HTTP/1.0
SSL : no
Pipelining : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
------------- PF.CONF -----------------
external = "xl0"
internal = "xl1"
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, \
172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, \
192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, \
255.255.255.255/32 }"
set loginterface $external
set skip on lo0
scrub in all
nat on $external from 192.168.0.0/24 to any -> $external
block all
antispoof quick for $internal inet
#--- Loopback @ 127.0.0.1/8 ----------------------------####
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
#--- Rede Local @ 192.168.0.1/24 --------------------####
pass out quick on $internal from any to any keep state
pass in quick on $internal from any to any keep state
#--- Link BrT/ADSL @ 201.24.73.106/29 ------------------------####
block out log quick on $external from any to $nonroutable
pass out quick on $external from any to any keep state
pass in log quick on $external inet proto tcp from any to any port
50000 flags S/SA keep state
block in quick on $external proto tcp from any to any port = 113
block in log quick on $external inet proto icmp from any to any icmp-type redir
block in log quick on $external from $nonroutable to any
block return-rst in log quick on $external inet proto tcp from any to
any flags S/SA
block return-icmp in log quick on $external inet proto udp from any to any
block return-icmp(net-unr) in log quick proto udp from any to any
block return
block in log quick on $external all
------- SYSCTL.CONF ------------------
# SISTEMA
security.bsd.see_other_uids=0
kern.coredump=0
kern.fallback_elf_brand=3
kern.ipc.shm_use_phys=1
kern.ipc.maxsockbuf=4000000
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
vfs.vmiodirenable=1
# IP
net.inet.ip.check_interface=1
net.inet.ip.random_id=1
net.inet.ip.forwarding=1
net.inet.ip.process_options=0
# ICMP
net.inet.icmp.maskrepl=0
# TCP
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
net.inet.tcp.rfc1323=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.keepidle=300000
net.inet.tcp.keepintvl=150
net.inet.tcp.recvspace=65536
net.inet.tcp.sendspace=65536
net.inet.tcp.syncookies=1
net.inet.tcp.blackhole=2
net.inet.tcp.log_in_vain=1
net.inet.tcp.sack.enable=1
net.inet.tcp.inflight.enable=0
net.inet.tcp.path_mtu_discovery=0
# UDP
net.inet.udp.blackhole=1
net.inet.udp.log_in_vain=1
net.inet.udp.recvspace=65536
# LOCAL
net.local.stream.recvspace=65536
net.local.stream.sendspace=65536
--------- SOCKSTAT --------------
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
suporte sshd 3637 3 tcp4 201.24.73.106:50000 201.24.210.30:50824
suporte sshd 3637 4 stream -> ??
root sshd 3635 3 tcp4 201.24.73.106:50000 201.24.210.30:50824
root sshd 3635 5 stream -> ??
www httpd 904 3 tcp4 192.168.0.1:80 *:*
www httpd 903 3 tcp4 192.168.0.1:80 *:*
www httpd 902 3 tcp4 192.168.0.1:80 *:*
www httpd 901 3 tcp4 192.168.0.1:80 *:*
www httpd 900 3 tcp4 192.168.0.1:80 *:*
root bandwidthd 891 4 dgram -> /var/run/logpriv
root bandwidthd 890 4 dgram -> /var/run/logpriv
root bandwidthd 889 4 dgram -> /var/run/logpriv
root bandwidthd 887 4 dgram -> /var/run/logpriv
uucp duende 867 4 dgram -> /var/run/log
bind maradns 866 5 udp4 127.0.0.1:53 *:*
bind maradns 866 6 udp4 192.168.0.1:53 *:*
root httpd 787 3 tcp4 192.168.0.1:80 *:*
clamav clamd 778 4 stream /var/run/clamav/clamd
root sshd 773 3 tcp4 201.24.73.106:50000 *:*
root sshd 773 4 tcp4 192.168.0.1:50000 *:*
squid ncsa_auth 770 0 stream -> ??
squid squid 758 5 udp4 *:56839 *:*
squid ncsa_auth 765 1 stream -> ??
squid ncsa_auth 764 0 stream -> ??
squid ncsa_auth 764 1 stream -> ??
squid ncsa_auth 763 0 stream -> ??
squid ncsa_auth 763 1 stream -> ??
Se precisarem de mais informacoes e so falar!
Obrigado!
Cleyton Bertolim.
Mais detalhes sobre a lista de discussão freebsd