Annoyances.org

Custom Firewall Rule Sets
Thursday, June 17, 2010 at 4:59 pm
Windows 2000 Annoyances Discussion Forum
Posted by BigMouthBarker (3 messages posted)


Greetings!!! This will be my first time visiting your forum board. The subject that I would like to discuss with the board members today is the current custom rule sets that I have in place on my NAT router to date. Router in question: Westell 327W VersaLink. Platform: Windows XP Home 2000 SP3, IE8, Toshiba Satellite 1135/S155. Laptop (stand alone). 1 GB RAM, 2 GB virtual, 60 GB HDD. Connection: ATT/DSL. Downstream rate: 8124 (Kbits/sec). Upstream rate: 511 (Kbits/sec).

If the moderator of this board will allow me to post the following rule sets, I would like additional insight from the members on how I can harden the current rule sets even further from a security point of view, if anyone is familiar with the router model. To understand the logic behind the TTL and bits logic perspective that has been implemented within the rule sets presented, please visit the following web site: http://www.dslreports.com/forum/remark,16694222

To further complement the rule sets and to strengthen security, I have taken the following step(s):

1) Local DNS servers: I was tired of trusting the security of my local service provider's DNS servers, so I moved upstream to www.OpenDNS.com and began using their servers. This move has made a tremendous difference in performance and security.
2) PCTools Firewall Plus (stand-alone free edition) on the "local machine". To assist in tightening the router firewall down even further, I disengaged the Windows Firewall and installed this firewall behind the NAT router. Custom rules are in place to make up for any shortfalls that the router firewall may be lacking in. I like the flexibility of this firewall, for I am able to direct a lot of my apps and processes, including the browser, to the OpenDNS servers with ease for additional security.
3) To lock down my platform even further I went to the following website: http://www.pctools.com/guides/registry and did an extensive hack on my registry.

Your time is valuable, so please allow me to present my current inbound/outbound rule sets for review. The current rule sets in use were taken from: http://www.dslreports.com/forum/remark,16694222

Inbound Rules

title [ Security Level 1 IN rules ]
begin
pass from port >= 135, from port <= 139 >> done
drop icmp-type request, to addr %WANADDR%:32 >> done
RulesDropFrom192
drop from addr %LANADDR%:%LANMASK% >> done, alert 0 [WAN Traffic from LAN IP]
RulesPass
pass all
RulesDropAddress
drop from addr 0.0.0.0 >> done, alert 4 [ 0.0.0.0 Source IP Address]
RulesPassUDP
pass protocol udp, to port 53 >> done
pass protocol udp, from port 53 >> done
RulesDropICMP
drop protocol icmp >> alert 4 [ICMP Message To WAN IP]
RulesDropWANUDP
drop protocol udp, to addr %WANADDR%:32 >> done, alert 4 [UDP WAN Traffic to WAN IP]
RulesDropWANTCP
drop protocol tcp, to addr %WANADDR%:32 >> done, alert 4 [TCP WAN Traffic to WAN IP]
RulesPassGoodICMP
pass protocol icmp, to addr %WANADDR%:32 >> done, alert 0 [Responding to WAN Ping]
RulesPassGoodICMP
pass protocol icmp, to addr %LANADDR%:%LANMASK% >> done, alert 0 [Nat'ed LOCAL PING]
End

Inbound Firewall Rules - Low
Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.

title [ Security Level Custom (Low) IN rules ]
begin
# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]
# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]
# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)
# Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.
Permitted
pass all
end

Inbound Firewall Rules - Medium
Deny All Inbound Packets That Are Not Explicitly Permitted or Do Not Have a Matching Session State Table Entry (Unsolicited)

title [ Security Level Custom (Medium) IN rules ]
begin
# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]
# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]
# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)
# Deny All Inbound Packets That Do Not Have a Matching Session State Table Entry (Unsolicited)
Unsolicited
drop all >> alert 3 [Unsolicited Inbound - Drop]
end

Outbound Rules 

NOTE: I have disengaged the FTP box with the custom settings in the router and have Strict UDP Control engaged. For FTP control I am using Passive FTP (for firewall and DSL compatibility) and have "Enable FTP folder view (outside of Internet Explorer)" engaged within Internet Properties.

title [ Security Level Custom (Medium) OUT rules ]

begin

# Protocol Match conditions
RulesPass
#pass to port 80 >> state, done # HTTP
#pass from port 80 >> state, done # HTTP
#pass protocol udp, to port 53 >> state, done # DNS
#pass to port 20 >> state, done # FTP
#pass from port 20 >> state, done # FTP
#pass to port 21 >> state, done # FTP
#pass to port 23 >> state, done # Telnet
#pass to port 110 >> state, done # POP
#pass to port 119 >> state, done # NNTP
##pass to port 143 >> state, done ## USENET News Service
##pass to port 220 >> state, done ## IMAP v.3
#pass to port 25 >> state, done # SMTP
#pass to port 443 >> state, done # HTTPS
##pass to port 500 >> state, done ## IPSEC ALG
##pass protocol 50 >> state, done ## IPSEC ESP

#pass to port >= 1024, to port <= 5000 >> state, done # WE/IE Passive FTP P # Uncheck "Use Passive FTP" in IE Advanced Options and enable the FTP firewall service, or enable the above statement

# Failed to match
RulesDropNETBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]

# Pass and Log ICMP Echo Request
RulesPassICMP
pass icmp-type request >> done, state, alert 0 [ICMP - Echo Request - Pass] # Type: 8 (allow ping requests)

# Drop and Log all ICMP Except Echo Request
RulesDropICMP
drop icmp-type reply >> done, alert 3 [ICMP - Echo Reply - Drop] # Type: 0 (block ping reply)
drop icmp-type exceeded >> done, alert 3 [ICMP - TTL Exceeded - Drop] # Type: 11 (block tracert reply)
drop icmp-type unreachable >> done, alert 3 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
#drop icmp-type request >> done, alert 0 [ICMP - Echo Request - Drop] # Type: 8 (block ping requests)
drop protocol icmp >> done, alert 3 [ICMP - Unknown Reply - Drop] # Type: (block all other replies)

# Save Session State for Enabled Services
RulesSaveState
pass all >> state

# Drop All Unless Service is Enabled
RulesDrop
drop all >> alert 1 [Packet to be dropped unless Service enabled]

end

Final Output Of Outbound Rules

title  [ Security Level 1 OUT rules ]
begin
pass protocol udp, to port 53 >> done
pass to port 194 >> done
pass to port 6667 >> done
RulesDropNETBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]
RulesPass
pass all
end

Outbound Firewall Rules - Low
Permit All Outbound Packets That Are Not Explicitly Denied

title [ Security Level Custom (Low) OUT rules ]

begin

# Protocol Match conditions

# Internet Control Message Protocol
# Pass Specific ICMP Types, Drop and Log all other ICMP Types
ICMP
pass protocol icmp, icmp-type request >> state, done # Type: 8 (allow echo (ping) requests)
drop protocol icmp, icmp-type reply >> done, alert 2 [ICMP - Echo Reply - Drop] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 2 [ICMP - TTL Exceeded - Drop] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 2 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 1 [ICMP - Echo Request - Drop] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 2 [ICMP - Prohibited Type - Drop] # Type: (block all others)

# Failed Protocol Match Conditions

# Network Basic Input/Output System (NetBIOS)
# Drop NetBIOS Packets
NetBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic] # NetBIOS

# Permit All Outbound Packets That Are Not Explicitly Denied, and Add to Session State Table for Medium Inbound Firewall Rules
Permitted
#pass all # For Use With Inbound Low Firewall Rules Only
pass all >> state # For Use With Inbound Low or Medium Firewall Rules

end

Outbound Firewall Rules - Medium
Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled

title [ Security Level Custom (Medium) OUT rules ]

begin

# Protocol Match conditions

# World Wide Web
WWW
pass protocol tcp, to port 80 >> state, done # HTTP
pass protocol tcp, from port 80 >> state, done # HTTP
pass protocol tcp, to port 443 >> state, done # HTTPS - Secure Socket Layer (SSL)

# Domain Name System - Name/Address Resolution
DNS
pass protocol udp, to port 53 >> state, done # DNS

# Telecommunication Network (Telnet)
Telnet
pass protocol tcp, to port 23 >> state, done # Telnet

# Internet Protocol Security (IPsec)
Ipsec
#pass protocol udp, to port 500 >> state, done # IPSEC IKE
#pass protocol 50 >> state, done # IPSEC ESP

# eMail & News Groups
# Post Office Protocol (POP) / Simple Mail Transfer Protocol (SMTP) / Network News Transfer Protocol (NNTP)
eMail
pass protocol tcp, to port 110 >> state, done # POP
pass protocol tcp, to port 25 >> state, done # SMTP
pass protocol tcp, to port 119 >> state, done # NNTP

# Secure Socket Layer POP / SMTP / NNTP
eMailSSL
pass protocol tcp, to port 995 >> state, done # POP SSL
pass protocol tcp, to port 465 >> state, done # SMTP SSL
pass protocol tcp, to port 563 >> state, done # NNTP SSL

# File Transfer Protocol (FTP) - "Active" and "Passive" Modes
FTP
pass protocol tcp, to port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, from port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, to port 21 >> state, done # Active & Passive Mode FTP Control Channel Port
pass protocol tcp, from port >= 1024, from port <= 5000 >> state, done # WE/IE Passive Mode FTP Data Channel Ports - Check 'Use Passive FTP' in IE Advanced Properties

# Skype - Assigned Port of Each Skype Installation - Tools -> Options... -> Connection
Skype
#pass protocol udp, from port XXXXX >> state, done # Skype

# Network Time Protocol (NTP) (Windows Time Sync)
NTP
pass protocol udp, to port 123 >> state, done # NTP (Windows Time Sync)

# Internet Control Message Protocol
# Pass Specific ICMP Types, Drop and Log all other ICMP Types
ICMP
pass protocol icmp, icmp-type request >> state, done # Type: 8 (allow echo (ping) requests)
drop protocol icmp, icmp-type reply >> done, alert 2 [ICMP - Echo Reply - Drop] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 2 [ICMP - TTL Exceeded - Drop] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 2 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 1 [ICMP - Echo Request - Drop] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 2 [ICMP - Prohibited Type - Drop] # Type: (block all others)

# Failed Protocol Match Conditions

# Network Basic Input/Output System (NetBIOS)
# Drop NetBIOS Packets
NetBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic] # NetBIOS

# Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled
NotPermitted
drop all >> alert 1 [Packet to be dropped unless Service enabled]

end

Thank you for your insight and suggestions on the subject matter. Respectfully………BigMouthBarker
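The inbound Medium rule set from the post, run through a small rule simulator added for this review; it is not code from the post or from the Westell firmware. Since the page does not document the syntax, the simulator assumes that "match 3 8 { V:M }" masks the byte at IPv4 header offset 8 (the TTL), that rules are evaluated top to bottom with the last matching action winning unless ">> done" stops evaluation, and that "alert" only logs; port conditions are not modelled.

```python
import re
# Assumed semantics (not documented on the page): "match 3 8 { V:M }" tests the
# byte at IPv4-header offset 8 (the TTL) & M == V; rules run top to bottom, the
# last matching action wins, ">> done" stops evaluation and "alert N [..]" only logs.
MATCH_RE = re.compile(r"match \d+ (\d+) \{ ([0-9a-fA-F]{2}):([0-9a-fA-F]{2}) \}")
FIELDS = {"protocol": "proto", "icmp-type": "icmp_type", "from addr": "src", "to addr": "dst"}

def parse_rule(line):                  # -> (action, predicates, done, alert_text) or None
    body = line.split("#", 1)[0].strip()                   # strip trailing comments
    m = re.match(r"(pass|drop)\s*(.*?)\s*(?:>>(.*))?$", body)
    if not m:
        return None                                         # labels, begin/end, blanks
    action, cond_text, effects = m.group(1), m.group(2), m.group(3) or ""
    preds = []
    for cond in [c.strip() for c in cond_text.split(",") if c.strip() not in ("", "all")]:
        mm = MATCH_RE.fullmatch(cond)
        if mm:
            off, val, mask = int(mm.group(1)), int(mm.group(2), 16), int(mm.group(3), 16)
            preds.append(lambda p, o=off, v=val, k=mask: (p["hdr"][o] & k) == v)
        else:                                               # port conditions not modelled
            name, val = cond.rsplit(" ", 1)
            preds.append(lambda p, k=FIELDS[name], v=val.split(":")[0]: p.get(k) == v)
    alert = re.search(r"\[(.*?)\]", effects)
    return action, preds, "done" in effects, alert.group(1).strip() if alert else ""

def evaluate(rules, pkt):                                    # -> (verdict, alert texts)
    verdict, alerts = "pass", []
    for action, preds, done, alert in rules:
        if all(pred(pkt) for pred in preds):
            verdict = action
            if alert:
                alerts.append(alert)
            if done:
                break
    return verdict, alerts

# Constructed: the post's Medium inbound set with labels and comments removed.
MEDIUM_IN = [r for r in map(parse_rule, """
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]
pass protocol icmp, icmp-type exceeded >> done
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Echo Reply - Dropped]
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped]
drop all >> alert 3 [Unsolicited Inbound - Drop]
""".splitlines()) if r]

def packet(proto, ttl, src="203.0.113.9", icmp_type=None):  # constructed test packet
    hdr = bytes(8) + bytes([ttl]) + bytes(11)                # 20-byte IPv4 header stub
    return {"hdr": hdr, "proto": proto, "icmp_type": icmp_type, "src": src, "dst": "%WANADDR%"}
```

A traceroute TTL-exceeded reply passes because its rule sits above the generic ICMP drop, while an echo reply, a TTL-1 packet and an unsolicited TCP segment are all dropped and logged; the same evaluator shows how the Level 1 set's undone "drop protocol icmp" is overridden by the later "pass ... %WANADDR%" rule.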



