[FUG-BR] firewall with PF

Cleyton Bertolim cbertolim at gmail.com
Mon Jun 4 08:21:11 BRT 2007


Folks, I have always used IPFilter on FreeBSD to build my firewalls,
but now I am starting to study PF, since it looks very good to me.
Whenever I built a firewall with ipfilter, I ran Nessus to check its
security, and it was always very well configured; most of the time
Nessus found no security problem at all, and often Nessus even thought
the IP did not exist or something like that, because it gave a message
saying it could not find the host. Well, now with PF I am not getting
the firewall configuration right, because Nessus always finds holes. I
have read the official PF document on the OpenBSD site several times,
I have looked at all the files in /usr/share/examples/pf/ on FreeBSD,
and also at various tips on the internet, but so far nothing has
solved my problem.

On the test firewall I am building here, the only thing running for
the external network is SSH, which in my case runs on port 50000, and
for the internal network Apache (port 80), because of the Sarg
reports, and Squid on port 3128. In squid.conf and httpd.conf they are
configured to run on the LAN IP, for example 192.168.0.1:3128 (squid)
and 192.168.0.1:80 (apache). When I run the sockstat command it shows
they are running only on the LAN interface. But according to Nessus,
port 80 is open and has holes.

I have separate networks here at the company where I work, and several
separate internet links as well, so when I use Nessus to run these
tests I am sure I am not testing from the internal LAN.

The configuration of this firewall is exactly the same as that of the
firewalls I used to build with IPFilter; the only thing that is
different now is that I use PF.

Below I will put some information from the configuration files I have
on this new firewall, and also the report Nessus gives me when I run
the test.

If anyone can point out where I am going wrong, or how to improve the
security of this firewall, thanks in advance for the help!!!

------------------ NESSUS REPORT --------------------------
201.24.73.106 1 Open Ports, 11 Notes, 2 Warnings, 1 Holes.

http (80/tcp)

 The proxy allows everyone to perform requests against arbitrary
ports, like 'GET http://cvs.nessus.org:110'.

This problem may allow attackers to go through your
firewall, by connecting to sensitive ports like 25 (sendmail)
using your proxy. In addition to that, your proxy may be used
to perform attacks against other networks.

Solution: reconfigure your proxy so that it only accepts
connections against non-dangerous ports (> 1024).

Risk Factor : High
Plugin ID : 10193

 Synopsis :

The remote web proxy server accepts requests.

Description :

The remote web proxy accepts unauthenticated HTTP requests from the
Nessus scanner. By routing requests through the affected proxy, a
user may be able to gain some degree of anonymity while browsing web
sites, which will see requests as originating from the remote host
itself rather than the user's host.

Solution:
Reconfigure the remote proxy so that it only accepts requests coming
from inside your network.

Risk Factor :

Low / CVSS Base Score : 2.3
(AV:R/AC:L/Au:NR/C:N/I:P/A:N/B:N)
Plugin ID : 10195

 The proxy accepts gopher:// requests.

Gopher is an old network protocol which predates HTTP and
is nearly unused today. As a result, gopher-compatible
software is generally less audited and more likely to contain
security bugs than others.

By making gopher requests, an attacker may evade your firewall
settings, by making connections to port 70, or may even exploit
arcane flaws in this protocol to gain more privileges on this
host (see the attached CVE id for such an example).

Solution: reconfigure your proxy so that it refuses gopher requests.

Risk Factor : Medium
CVE : CVE-2002-0371
BID : 4930
Other references : OSVDB:3004
Plugin ID : 11305

 Port is open
Plugin ID : 11219

 A web server is running on this port
Plugin ID : 10330

 An HTTP proxy is running on this port
Plugin ID : 10330

 The GET method revealed those proxies on the way to this web server :
HTTP/1.0 hercules-mmc.redesuperauto.com.br:3128 (squid/2.6.STABLE10)

Plugin ID : 11040

 Synopsis :

A web server is running on the remote host.

Description :

This plugin attempts to determine the type and the version of
the remote web server.

Risk Factor :

None

Plugin output :

The remote web server type is :

squid/2.6.STABLE10

Plugin ID : 10107

 Synopsis :

Some information about the remote HTTP configuration can be
extracted.

Description :

This test gives some information about the remote HTTP protocol - the version
used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem

Solution:

None.

Risk Factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

Protocol version : HTTP/1.0
SSL : no
Pipelining : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

------------- PF.CONF -----------------
external = "xl0"
internal = "xl1"

nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, \
172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, \
192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, \
255.255.255.255/32 }"

set loginterface $external
set skip on lo0
scrub in all

nat on $external from 192.168.0.0/24 to any -> $external

block all
antispoof quick for $internal inet

#--- Loopback @ 127.0.0.1/8 ----------------------------####
pass out quick on lo0 from any to any

pass in quick on lo0 from any to any


#--- Local network @ 192.168.0.1/24 --------------------####
pass out quick on $internal from any to any keep state

pass in quick on $internal from any to any keep state


#--- Link BrT/ADSL @ 201.24.73.106/29 ------------------------####
block out log quick on $external from any to $nonroutable
pass out quick on $external from any to any keep state

pass in log quick on $external inet proto tcp from any to any port 50000 flags S/SA keep state

block in quick on $external proto tcp from any to any port = 113
block in log quick on $external inet proto icmp from any to any icmp-type redir
block in log quick on $external from $nonroutable to any
block return-rst in log quick on $external inet proto tcp from any to any flags S/SA
block return-icmp in log quick on $external inet proto udp from any to any
block return-icmp(net-unr) in log quick proto udp from any to any
block return
block in log quick on $external all

------- SYSCTL.CONF ------------------
# SYSTEM
security.bsd.see_other_uids=0
kern.coredump=0
kern.fallback_elf_brand=3
kern.ipc.shm_use_phys=1
kern.ipc.maxsockbuf=4000000
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
vfs.vmiodirenable=1

# IP
net.inet.ip.check_interface=1
net.inet.ip.random_id=1
net.inet.ip.forwarding=1
net.inet.ip.process_options=0

# ICMP
net.inet.icmp.maskrepl=0

# TCP
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
net.inet.tcp.rfc1323=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.keepidle=300000
net.inet.tcp.keepintvl=150
net.inet.tcp.recvspace=65536
net.inet.tcp.sendspace=65536
net.inet.tcp.syncookies=1
net.inet.tcp.blackhole=2
net.inet.tcp.log_in_vain=1
net.inet.tcp.sack.enable=1
net.inet.tcp.inflight.enable=0
net.inet.tcp.path_mtu_discovery=0

# UDP
net.inet.udp.blackhole=1
net.inet.udp.log_in_vain=1
net.inet.udp.recvspace=65536

# LOCAL
net.local.stream.recvspace=65536
net.local.stream.sendspace=65536

--------- SOCKSTAT --------------
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
suporte  sshd       3637  3  tcp4   201.24.73.106:50000    201.24.210.30:50824
suporte  sshd       3637  4  stream -> ??
root     sshd       3635  3  tcp4   201.24.73.106:50000    201.24.210.30:50824
root     sshd       3635  5  stream -> ??
www      httpd      904   3  tcp4   192.168.0.1:80        *:*
www      httpd      903   3  tcp4   192.168.0.1:80        *:*
www      httpd      902   3  tcp4   192.168.0.1:80        *:*
www      httpd      901   3  tcp4   192.168.0.1:80        *:*
www      httpd      900   3  tcp4   192.168.0.1:80        *:*
root     bandwidthd 891   4  dgram  -> /var/run/logpriv
root     bandwidthd 890   4  dgram  -> /var/run/logpriv
root     bandwidthd 889   4  dgram  -> /var/run/logpriv
root     bandwidthd 887   4  dgram  -> /var/run/logpriv
uucp     duende     867   4  dgram  -> /var/run/log
bind     maradns    866   5  udp4   127.0.0.1:53          *:*
bind     maradns    866   6  udp4   192.168.0.1:53        *:*
root     httpd      787   3  tcp4   192.168.0.1:80        *:*
clamav   clamd      778   4  stream /var/run/clamav/clamd
root     sshd       773   3  tcp4   201.24.73.106:50000    *:*
root     sshd       773   4  tcp4   192.168.0.1:50000     *:*
squid    ncsa_auth  770   0  stream -> ??
squid    squid      758   5  udp4   *:56839               *:*
squid    ncsa_auth  765   1  stream -> ??
squid    ncsa_auth  764   0  stream -> ??
squid    ncsa_auth  764   1  stream -> ??
squid    ncsa_auth  763   0  stream -> ??
squid    ncsa_auth  763   1  stream -> ??


If you need more information, just say so!

Thanks!



Cleyton Bertolim.
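One thing the Nessus report above does not settle is whose reply that was. The ruleset passes nothing but 50000/tcp in on xl0, Apache is bound to 192.168.0.1 only, and yet the scanner reports "squid/2.6.STABLE10" on 80/tcp with a Via header naming a host on port 3128, which is the signature of a forward proxy somewhere on the reply path, not of an Apache origin server. The script below is an added example, not code from the post or from Nessus; it reproduces the two checks behind plugins 10193/10195 (send a proxy-style request for a non-HTTP port and see whether something relays it) and reports the proxy-only headers in the reply, so you can tell "this firewall's port 80 is open" apart from "a proxy between the scanner and the target answered". The three sample replies are constructed (the hostname is the one from the report; the status lines, X-Cache and X-Squid-Error values are assumed), and `probe()` is the only part that touches the network.

```python
import socket
from urllib.parse import urlsplit

# Response headers that only an intermediary (Squid or another cache) adds.
PROXY_HEADERS = ("via", "x-cache", "x-cache-lookup", "x-squid-error",
                 "proxy-authenticate")


def parse_response(raw):
    """Split a raw HTTP response into (status code, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def proxy_indicators(raw):
    """Return the headers in a reply that point at a proxy rather than the
    origin server. A Via header naming host:3128 means something on the
    path handled the request, whatever the scanned port was."""
    _, headers = parse_response(raw)
    found = {k: v for k, v in headers.items() if k in PROXY_HEADERS}
    if "squid" in headers.get("server", "").lower():
        found["server"] = headers["server"]
    return found


def classify_relay(raw):
    """Classify the reply to a proxy-style request for a non-HTTP port
    (what Nessus 10193 does with 'GET http://host:110'):
      'denied'        403: the proxy enforces a Safe_ports-style ACL
      'auth-required' 407: the proxy wants credentials, so it is not open
      'relayed'       2xx/5xx: the proxy attempted the upstream connection
      'other'         anything else (e.g. 400 for a malformed request)"""
    status, _ = parse_response(raw)
    if status == 403:
        return "denied"
    if status == 407:
        return "auth-required"
    if 200 <= status < 300 or 500 <= status < 600:
        return "relayed"
    return "other"


def verdict(raw):
    """'origin' when no proxy header is present (the web server itself
    answered); otherwise the relay classification of the proxy."""
    if not proxy_indicators(raw):
        return "origin"
    return classify_relay(raw)


def build_request(target):
    """Proxy-style request: absolute URI in the request line, the form a
    forward proxy acts on. An origin server just serves its own content."""
    parts = urlsplit(target)
    return ("GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n"
            % (target, parts.netloc)).encode("ascii")


def probe(host, port=80, target="http://127.0.0.1:110/", timeout=5):
    """Live check (network access): send the request to host:port and return
    the raw reply. Run it from outside the LAN while 'tcpdump -n -i xl0
    port 80' runs on the firewall; if the reply has a Via header but no
    packet reaches xl0, the answer came from elsewhere on the path."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_request(target))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample replies (assumed values, not captures from the post).
# 1. A Squid on the path relays the request to port 110; the upstream error
#    it reports still proves that it attempted the connection.
RELAYED = (b"HTTP/1.0 503 Service Unavailable\r\n"
           b"Server: squid/2.6.STABLE10\r\n"
           b"Via: 1.0 hercules-mmc.redesuperauto.com.br:3128 (squid/2.6.STABLE10)\r\n"
           b"X-Cache: MISS from hercules-mmc.redesuperauto.com.br\r\n"
           b"X-Squid-Error: ERR_CONNECT_FAIL 111\r\n\r\n<html>...</html>")
# 2. A Squid with 'http_access deny !Safe_ports' refuses the same request.
DENIED = (b"HTTP/1.0 403 Forbidden\r\n"
          b"Server: squid/2.6.STABLE10\r\n"
          b"X-Squid-Error: ERR_ACCESS_DENIED 0\r\n\r\n<html>...</html>")
# 3. Apache answering for itself: no proxy headers at all.
ORIGIN = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
          b"Content-Type: text/html\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    for name, raw in (("relayed", RELAYED), ("denied", DENIED), ("origin", ORIGIN)):
        print(name, "->", verdict(raw), proxy_indicators(raw))
```

If the Squid that answers turns out to be one you administer, the fix plugin 10193 asks for is Squid's own port ACL, placed before any allow rule: `http_access deny !Safe_ports`, `http_access deny CONNECT !SSL_ports`, then `http_access allow localnet` for 192.168.0.0/24 and `http_access deny all` last, with `http_port 192.168.0.1:3128` so the listener never sits on the external address.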


More information about the freebsd mailing list