One trend that has become very apparent as I do more audits is that people don't put firewalls up on their servers. This is a bad habit to get into. To take away some of the excuses, I will post some basic firewall scripts for iptables (Linux) and pf (OpenBSD). The following rulesets block all inbound ports except ssh on port 22, standard web (80) and SSL web (443).

Linux

# Save as /etc/iptables.rules (iptables-save format). Rules are matched top to
# bottom; the final REJECT catches everything not explicitly allowed above it.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow loopback, but reject anything addressed to 127/8 that did not arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 ! -i lo -j REJECT --reject-with icmp-port-unreachable
# Allow replies to connections this host initiated or already accepted
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Standard web, SSL web and ssh
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Log what is about to be rejected, rate limited so the log cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Everything else inbound is rejected; this host does not forward traffic
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
Copy this script to /etc/iptables.rules and load the ruleset.

% sudo iptables-restore < /etc/iptables.rules
You can make sure your ruleset loaded properly by running:

% sudo iptables -L
If all is well then save your ruleset out like so.

% sudo iptables-save > /etc/iptables.rules
If you want the firewall to load when the interface comes up you need to add the following to your network configuration (Debian/Ubuntu based systems) in /etc/network/interfaces right before you define your interface.

pre-up iptables-restore < /etc/iptables.rules

OpenBSD

# Save as /etc/pf.conf. rl0 is the example interface; substitute your own.
if="rl0"
set loginterface $if
tcp_services = "{ ssh, www, https }"

# Answer blocked traffic with RST/ICMP unreachable instead of dropping silently
set block-policy return
# Normalise fragments and drop packets with spoofed source addresses on $if
scrub in all
antispoof for $if
# Default deny inbound; outbound is allowed and tracked by state
block in all
pass out keep state
# The only inbound exceptions: ssh, www and https, logged
pass log proto tcp to any port $tcp_services
You can turn pf on by adding the following to /etc/rc.conf.local

pf="YES"
You can turn pf on from the command line by typing in the following

% pfctl -e
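As an added example (my code, not from the post), here is a small Python audit that checks both rulesets above against the policy the post states: inbound TCP only on 22, 80 and 443, with a catch-all deny. It embeds constructed copies of the two rulesets, assumes a tiny service-name table for pf (the real pf resolves names through /etc/services), and goes slightly beyond the page by also handling --dport ranges and multiport --dports lists. The function names (_expand_ports, audit_iptables, audit_pf, matches_policy) are my own.

```python
import re

# Policy the post states: inbound TCP only for ssh (22), standard web (80), SSL web (443).
EXPECTED_TCP_PORTS = {22, 80, 443}

# Assumption: pf reads service names from /etc/services; this covers just the post's names.
PF_SERVICE_PORTS = {"ssh": 22, "www": 80, "http": 80, "https": 443}

# Constructed copy of the post's iptables ruleset (iptables-save format).
IPTABLES_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
"""

# Constructed copy of the post's pf ruleset (pf.conf syntax).
PF_RULES = """\
if="rl0"
set loginterface $if
tcp_services = "{ ssh, www, https }"
set block-policy return
scrub in all
antispoof for $if
block in all
pass out keep state
pass log proto tcp to any port $tcp_services
"""


def _expand_ports(spec):
    """Turn '80', '8000:8002', '80,443' or '{ ssh, www }' into a set of port numbers."""
    ports = set()
    for item in re.split(r"[,\s]+", spec.strip("{} ")):
        if not item:
            continue
        if ":" in item:  # lo:hi range, same syntax in iptables and pf
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif item.isdigit():
            ports.add(int(item))
        elif item in PF_SERVICE_PORTS:
            ports.add(PF_SERVICE_PORTS[item])
        else:
            raise ValueError("unknown service name: %s" % item)
    return ports


def audit_iptables(rules):
    """Report the TCP ports ACCEPTed on INPUT and whether a catch-all deny exists."""
    tcp_ports, default_deny = set(), False
    for line in rules.splitlines():
        tokens = line.split()
        if len(tokens) > 1 and tokens[0] == ":INPUT" and tokens[1] in ("DROP", "REJECT"):
            default_deny = True  # chain policy line, e.g. ':INPUT DROP [0:0]'
        if tokens[:2] != ["-A", "INPUT"] or "-j" not in tokens:
            continue
        target = tokens[tokens.index("-j") + 1]
        # No match options between the chain and the target means a catch-all rule.
        if tokens[2] == "-j" and target in ("DROP", "REJECT"):
            default_deny = True
        if target != "ACCEPT" or "-p" not in tokens or tokens[tokens.index("-p") + 1] != "tcp":
            continue
        for flag in ("--dport", "--dports"):  # plain tcp match or multiport list
            if flag in tokens:
                tcp_ports |= _expand_ports(tokens[tokens.index(flag) + 1])
    return {"tcp_ports": tcp_ports, "default_deny": default_deny}


def audit_pf(rules):
    """Same report for pf.conf: expands macros, reads 'block ... all' and 'pass' rules."""
    macros, tcp_ports, default_deny = {}, set(), False
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        macro = re.match(r'^(\w+)\s*=\s*"?(.*?)"?$', line)
        if macro:  # macro definition such as tcp_services = "{ ssh, www, https }"
            macros[macro.group(1)] = macro.group(2)
            continue
        if re.fullmatch(r"block(\s+(drop|return))?(\s+in)?(\s+log)?(\s+all)?", line):
            default_deny = True
            continue
        if not line.startswith("pass"):
            continue
        line = re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)
        tokens = line.split()
        if len(tokens) > 1 and tokens[1] == "out":  # outbound rules are not inbound exposure
            continue
        proto = re.search(r"\bproto\s+(\S+)", line)
        if proto and proto.group(1) != "tcp":
            continue
        port = re.search(r"\bport\s+(\{[^}]*\}|\S+)", line)
        if port:
            tcp_ports |= _expand_ports(port.group(1))
    return {"tcp_ports": tcp_ports, "default_deny": default_deny}


def matches_policy(report):
    """True when exactly the intended ports are open and everything else is denied."""
    return report["tcp_ports"] == EXPECTED_TCP_PORTS and report["default_deny"]
```

Feed it the output of `iptables-save` or the contents of /etc/pf.conf instead of the embedded copies to check a live host. It only counts port-restricted ACCEPT or pass rules; an ACCEPT or pass rule with no port match is not reported, so review any such rule by hand rather than trusting an empty port set.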
