Configuring and Installing IP Filter (IPF)
Author: Ph33r (ph33r@isiclabs.org)
www.isiclabs.org


What is IPFilter (IPF)?
IPFilter (IPF) is a software package that can be used to provide network address translation (NAT) or some sort of firewall services. IPF can be used either as a loadable kernel module or incorporated into your Unix kernel; using a loadable kernel module is recommended where possible. Scripts are provided to install and patch system files as required.

IP Filters
Installing IPF is pretty easy and straightforward if you follow the documentation on the website, except for the config files, which they seem to hide in a rather odd directory, /etc/opt/ipf. I like to link these files to the ones in /etc:

cd /etc
ln -s /etc/opt/ipf/ipf.conf
ln -s /etc/opt/ipf/ipnat.conf

NOTE:
Remember that the ipf.conf in /usr/kernel/drv holds the configuration data for the module loader, not the IPFilter rule set. Also, place all NAT rules in ipnat.conf, not in ipf.conf.

If you wish to enable IPF logging (and I would recommend that you do, since logs are very handy for tracking down errors and other problems), edit /etc/rc2.d/S65ipfboot and remove the "#" from the line:

# ipmon -n &

This starts the IPF logger, ipmon, which reports everything to syslog. To have syslog record the log messages, you also need to edit /etc/syslog.conf on the relevant syslog host and add the line below (the selector and the file name must be separated by a tab, not spaces):

local0.debug	/var/adm/messages

This records every packet the firewall reports (in the rules below, every rule carrying the log keyword). You may need to tune this if you get a lot of traffic through your firewall; otherwise your log files will become huge.

NOTE:
Eric "Loki" Hines has recently written a very nice paper on setting up a secure remote logging server, which would be perfect here. I personally love to do this, since it always gives you another "untouched" copy of your logs. Also, if you think your system has been compromised, you can check your logs against the logging server to see whether whoever compromised your system and/or network has edited anything they didn't want you to know about.

Configuring /etc/opt/ipf/ipf.conf
Unix/Linux systems offer a lot of different services to the world around them. Sometimes hackers or script-kiddies can compromise these services and gain root on that system or network. This also brings to mind the word 'security', which is one of the most important aspects of computing nowadays. For a reference for newbies on securing a Linux box, check out my last paper, Locking Down Linux Mandrake. Even if you don't run Linux, it's still a good read because it will give you a basic idea of what to look out for, security-wise.

Now, most ISPs already provide packet filtering that stops all incoming connections to their dialup systems; if this is the case, all you have to do is leave the file ipf.conf empty. If you have to set up your own packet filtering, you will most likely want to allow all outgoing connections and block any incoming ones. All you have to do is set up a set of IP Filter rules for just that. Here is an example of ipf.conf:

#
#
# --------------------------------------------------------------
# Nasty Packets:
# Block any packets which are too short to be real.
block in log quick all with short
# Block any packets with source routing set
block in log quick all with opt lsrr
block in log quick all with opt ssrr
#
# --------------------------------------------------------------
# Private Network:
# Allow traffic on le0 and lo0 to pass unimpeded
pass in on le0 all
pass out on le0 all
pass in on lo0 all
pass out on lo0 all
#
# --------------------------------------------------------------
# Public Network (dp0):
# That which is not explicitly allowed is forbidden
block in log on dp0 all
block out log on dp0 all
#
# Invalid Internet packets
# Deny reserved addresses
block in log quick on dp0 from 10.0.0.0/8 to any
block in log quick on dp0 from 192.168.0.0/16 to any
block in log quick on dp0 from 172.16.0.0/12 to any
#
# ICMP Protocols
# Allow pings out
pass out log on dp0 proto icmp all keep state
#
# TCP/UDP Protocols
# Allow TCP/UDP requests to go out and keep the results
# flowing back in.
pass out log on dp0 proto tcp/udp from any to any keep state
# Allow FTP data channel back in
pass in quick on dp0 proto tcp from any to any port = ftp-data keep state
pass in quick on dp0 proto tcp from any port = ftp-data to any port > 1023 keep state
#
# Reset/Error for TCP/UDP services, send back TCP-Reset or
# Network unreachable to attempts to initiate connections.
block return-rst in log on dp0 proto tcp from any to any flags S/SA
block return-icmp(net-unr) in log on dp0 proto udp from any to any
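The ruleset above depends on how IPF evaluates rules: they are read top to bottom, the last matching rule decides the packet's fate, and a matching rule marked quick ends the scan immediately (which is why "block in log on dp0 all" can sit above the pass rules). The Python script below is an added example, not code from the original paper or from the IPFilter project: a toy evaluator for a subset of the ipf.conf syntax (no with, keep state or NAT handling), loaded with four of the dp0 rules above, that reports which rule decides a given packet.

```python
import ipaddress

def parse_rule(line):
    # Subset of ipf.conf: action [return-*] dir [log] [quick] [on IF] [proto P] (all | from A [port OP V] to B [port OP V]) [flags X/Y] [keep state]
    t = line.split()
    r = {"action": t[0], "quick": False, "iface": None, "proto": None,
         "src": "any", "dst": "any", "sport": None, "dport": None, "flags": None}
    i = 2 if t[1].startswith("return-") else 1    # skip return-rst / return-icmp(...)
    r["dir"] = t[i]; i += 1
    while i < len(t):
        w = t[i]; i += 1
        if w == "quick": r["quick"] = True
        elif w == "on": r["iface"] = t[i]; i += 1
        elif w == "proto": r["proto"] = t[i].split("/"); i += 1      # "tcp/udp" -> both
        elif w in ("from", "to"):
            r["src" if w == "from" else "dst"] = t[i]; i += 1
            if i < len(t) and t[i] == "port":                        # e.g. "port = ftp-data"
                r["sport" if w == "from" else "dport"] = (t[i + 1], t[i + 2]); i += 3
        elif w == "flags": r["flags"] = t[i].split("/"); i += 1     # "S/SA" -> (want, mask)
        elif w == "keep": i += 1                                     # "keep state": ignored here
        elif w not in ("log", "all"): raise ValueError("unsupported word: " + w)
    return r

def port_ok(cond, port):
    if cond is None or port is None: return cond is None             # no port test, or no port
    op, val = cond; val = {"ftp-data": 20, "ftp": 21}.get(val) or int(val)
    return {"=": port == val, ">": port > val, "<": port < val}[op]

def matches(r, p):
    if r["dir"] != p["dir"] or (r["iface"] and r["iface"] != p["iface"]): return False
    if r["proto"] and p["proto"] not in r["proto"]: return False
    for spec, addr in ((r["src"], p["src"]), (r["dst"], p["dst"])):
        if spec != "any" and ipaddress.ip_address(addr) not in ipaddress.ip_network(spec): return False
    if not port_ok(r["sport"], p.get("sport")) or not port_ok(r["dport"], p.get("dport")): return False
    want, mask = r["flags"] or ("", "")   # S/SA: of the bits S and A, exactly S is set (new connection)
    return set(p.get("tcpflags", "")) & set(mask) == set(want)

def decide(rules, p):   # returns (action, index of the deciding rule)
    last = None
    for i, r in enumerate(rules):
        if matches(r, p):
            last = (r["action"], i)            # last match wins ...
            if r["quick"]: break               # ... unless it is quick: stop scanning here
    return last or ("pass", None)              # IPF passes what no rule mentions

RULES = [parse_rule(l) for l in [              # four of the dp0 rules from the paper
    "block in log on dp0 all",
    "block in log quick on dp0 from 10.0.0.0/8 to any",
    "pass in quick on dp0 proto tcp from any to any port = ftp-data keep state",
    "block return-rst in log on dp0 proto tcp from any to any flags S/SA"]]
```

Packets are plain dicts (dir, iface, proto, src, dst, optional sport/dport/tcpflags); a TCP SYN to port 22 on dp0 ends at the return-rst rule, while an RFC 1918 source is stopped by the quick rule before the ftp-data pass rule is ever consulted.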

Configuring /etc/opt/ipf/ipnat.conf
To begin using NAT, you first need to create a NAT configuration file. Run the command touch /etc/opt/ipf/ipnat.conf, which creates an empty file called ipnat.conf in that location. Now, all you have to do is edit the file and add your set of rules. Here is an example of the ipnat.conf file:

#
# Use the internal FTP proxy for outgoing FTP
#
map dp0 10.5.3.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
#
# Map anything going through dp0 onto
# the dp0 address
#
map dp0 10.5.3.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map dp0 10.5.3.0/24 -> 0.0.0.0/32

This file would map all TCP and UDP connections coming from the 10.5.3 network onto a new port with the IP address of the dp0 interface. The 0.0.0.0/32 target means the current address of the dp0 interface is used, so this works even when that address is assigned dynamically when the connection is made.

NOTE:
If you wish to put everything through NAT, just change 10.5.3.0/24 to 0.0.0.0/0.

Ph33r claims to be nothing more than simply a computer geek. He has only been interested in computers over the last 2 years, during which he was introduced to the cyber world known only as 'The Internet'. While trying to keep a grasp on what is happening in the security world, he struggles to meet the standards in school and hold up his personal life. He enjoys experimenting with computers in his room late at night and loves having conversations with anyone halfway across the world ;). He can be contacted at ph33r@fatelabs.com for any questions or suggestions you may have on this paper.

Ph33r
ph33r@isiclabs.org
www.isiclabs.org