Managing firewall filters

The interface for managing the kernel-level filter rules at user-level mainly consists of two parts:

• Firewall rules can be created or deleted via the setsockopt(2) system call. Via the same mechanism the default policy of a filter can be changed. All details of this interface are descibed in the ipfw(4) manual page.
• Filters can be inspected by reading the following pseudo-files in the /proc filesystem:

     /proc/net/ip_input
     /proc/net/ip_output
     /proc/net/ip_forward

  Each of these files lists the default policy, followed by the details of all rules (if any) belonging to that filter, in a compact format.

The ipfwadm command provides a command-level interface for managing the Linux firewall facilities: it can be used to change or inspect all aspects of the kernel filters. Let's start with a simple example:

   ipfwadm -I -a deny -S 192.168.22.0/24 -D 0.0.0.0/0

This command basically means ``refuse all incoming packets originally coming from network 192.168.22.0''. It appends (-a) a new rule to the list of filter rules belonging to the input firewall (-I). The output and forward filters can be changed by using the -O and -F options, respectively. After the append command the rule's policy is specified. Valid keywords are accept, deny, and reject (refuse the packet, but return an ICMP message). The source (-S) and destination (-D) addresses both include a mask: the suffixes /24 and /0 are equivalent to /255.255.255.0 and /0.0.0.0, respectively. Every IP address will match the specified destination, because the mask only contains 0's (we could also have written something like 11.22.33.44/0).

Another example:

   ipfwadm -I -a accept -k -P tcp -S 0.0.0.0/0 telnet \
           -D 192.168.37.1 1024:65535
   ipfwadm -O -a accept -P tcp -S 192.168.37.1 1024:65535 \
           -D 0.0.0.0/0 telnet

The command creates two rules (one for the input firewall, one for the output firewall) that accepts all packets belonging to an outgoing telnet connection (here it is assumed that our local IP address is 192.168.37.1). The protocol is specified via the -P option and after the IP address a service name (telnet, specifying port 23) and a port range (in this case all unpriviliged ports) are specified. The -k option makes the input rule only match with packets having the TCP ACK flag set. This prevents someone from trying to initiate a connection from the outside (using source port 23) to some unpriviliged port on our system.

Unfortunately, enabling a service is not as easy for all services. The ftp protocol, for example, uses a separate, incoming connection to transfer the data. So, using ftp (unless used in ``passive mode'') requires to allow a connection being initiated from outside your own network. Setting up a set of firewall rules for ftp would look like:

   ipfwadm -I -a accept -k -P tcp -S 0.0.0.0/0 ftp \
           -D 192.168.37.1 1024:65535
   ipfwadm -O -a accept -P tcp -S 192.168.37.1 1024:65535 \
           -D 0.0.0.0/0 ftp
   ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 ftp-data \
           -D 192.168.37.1 1024:65535
   ipfwadm -O -a accept -k -P tcp -S 192.168.37.1 1024:65535 \
           -D 0.0.0.0/0 ftp-data

Here it is assumed that ftp-data is a valid service name for TCP port 20.

With the -p (set policy) command a default policy is specified.

   ipfwadm -F -p deny

In this case, all forwarding is disabled, unless packets match with one of the forward rules, explicitly allowing them to pass the filter. Filters can be listed using the -l command, like in:

   ipfwadm -I -l

This command would produce the following result, after issuing the above ipfwadm commands for the input firewall:

   IP firewall input rules, default policy: accept
   typ prot source             destination        ports
   den all  192.168.22.0/24    anywhere           n/a
   acc tcp  anywhere           gw.foo.com         telnet -> 1024:65535
   acc tcp  anywhere           gw.foo.com         ftp -> 1024:65535
   acc tcp  anywhere           gw.foo.com         ftp-data -> 1024:65535

The printed hostname, gw.foo.com, corresponds to the local system, having IP address 192.168.37.1. There are several options to change or extend the given output of ipfwadm. The above example show the most simple format.

Some more hints for managing firewall filters:

• The order of the filter rules is important: only the first matching rule is taken into account, so the ipfwadm commands should be given in the correct order.
• Combine rules (by specifying multiple port numbers or service names) as much as possible, because checking filter rules for every IP packet uses some CPU-time.
• Be sure to define the filters at the appropriate time when starting up the system. The best place to do this is before the network devices are configured (using the ifconfig command).
• Although ipfwadm allows you to specify host or network names when defining filter rules, this will not work in most cases, because the system probably can't resolve names before the network is operational. For the same reason, use the -n option (numeric output) when listing filters on moments the network is not (yet) operational.
• When you need to change a filter on an operational system, issue the necessary commands in the right order:
  1. Set the default policy of the filter to deny.
  2. Remove all rules belonging to this filter (ipfwadm's -f option).
  3. Set up the new set of filter rules.
  4. Set the default policy to the desired value.

  This ensures that you don't have any time intervals, during which network traffic is not controlled by the firewall.

See the ipfwadm(8) manual page for more details and other options.

ÿÿÿ