Credits ----------
VERSION 1.0 CHAOTIC
Marcin Mleczko
mailto:mleczny@student.uci.agh.edu.pl or grafzero@poczta.onet.pl
UIN: 21494189
/* forgive me my language mistakes */
/* NOT an ambitious text, but still useful */ /* I think, I hope :) */
IMPORTANT: if I'm mistaken on any possible aspect, please do not hesitate to inform me: "I want to understand..."
How Come -----------
I was wondering if there is any chance to make my firewall more secure. I mean the FIREWALL itself.
And of course (as many times before) I've found that someone has already done it (my frustration is growing enormously... :)
I want to invent something original, but it seems to be impossible LOL). Lately I've found that no one from the defcon1 community
has described this problem. To be honest, I don't find the FreeBSD handbook to be a good support either. So I decided to describe this problem, so that it might be useful for new admins....blah....blah....let's go ;)
Background (boring, skip if you want the FAST SOLUTION) -------------
What does "transparent" mean? Simply: invisible to the layer that is using it (the layer above).
Ha, you say, layers? ;) No problem. There is a model called the ISO/OSI Layer Model that makes talking about and describing telecommunication services easier. So here it is:
TOP -> USER
7. Application
6. Presentation
5. Session
4. Transport - for example TCP & UDP
3. Network - for example IP
2. Data Link - for example ARP, but also X.25 or ATM or even SDH (I think so, but interactions between protocols within this layer are weird; SDH is transparent for most of them, ISDN is not...
   I still cannot catch the point :)
1. Physical - all of the electronic and electric equipment
BOTTOM -> E-M wave ;)
Ok, but I'm changing the subject. As you can see, TCP is over IP, which is over ARP (ethernet). It works like this:
suppose you've got a cable modem with an ethernet and an X.25 interface. When packets from your firewall hit the modem,
layer 2 is "translated" from ARP to X.25 but the information remains untouched (TCP/IP). When packets pour in, there is a translation from X.25 to ARP, of course.
Enough of this; everyone interested in this matter should read something like [1]. ARP (layer 2) is transparent, invisible to IP (layer 3 and the higher layers).
Now that we know what transparent means, I will explain what bridging does. A bridge makes two separate LANs act like
one network. All hubs and switches are bridges and they operate on layer 2 (ARP). The identifier in ARP communication is the MAC address (6*2 hex digits, see ifconfig). All requests are sent through the net by use of MACs.
Useful: a network can be hardened by making exact, "static" bindings of switch ports to a specific list of MACs. That will stop anyone else (with a different MAC) from using a given port.
A very important thing is to update /etc/arp with the actual MAC, IP pairs of the segment. It will make sniffing much more difficult. /* I see now that it is difficult for me to stick close to the subject ;) */
And now, hit the road Jack...
Concept ----------
There is a concept of making a firewall that operates on layer 2 (only ARP requests) but is able to filter IP traffic.
It will be extremely useful because the interfaces will have no IPs, so the firewall will be practically invisible. Of course
one can monitor ARP traffic and notice firewall activity, but still he will not be able to perform a direct attack on it.
Making Music ---------------
Kernel: a must, compile in
options BRIDGE        # enables bridging on your system
Also you should ask yourself whether you want to use ipf as a module or compile it into the kernel.
It is still a gigantic kernel, so I prefer the module, but if you want:
options IPFILTER
options IPFILTER_LOG
You have to set two sysctl variables to get this working:
sysctl net.link.ether.bridge=1
sysctl net.link.ether.bridge_ipf=1   (....ipfw=1 for ipfw ;)
You can also add them to /etc/sysctl.conf to make startup fully operational.
See [2]. See [3], a great piece of work, which includes this issue ;) but I think mine might be useful too.
Situation:
(INET (untrusted))<~~~~~~~~~~>[MODEM/ROUTER]<----/not filtered/----[FIREWALL, invisible]----/filtered/---->(LAN)
Legend: --- ethernet, ~~~ whatever
What you have to do now is to leave the interfaces without IPs and apply any ruleset you want. See [3], again this great HOWTO.
A good idea will be walking to the console ;) but if you are too lazy, or you cannot, you may insert another NIC and make a separate network
between your firewall and your desktop. It should be secure, but you must realize that if your desktop is connected to the inet
in any other way, there is an alternative way to your firewall through the workstation. A good idea will be a separate console.
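The whole recipe above put together, as an added example that is not from the original text, the FreeBSD handbook or the ipf HOWTO: kernel options, sysctl.conf, rc.conf and an ipf ruleset for the bridge. It assumes a FreeBSD 4.x box with fxp0 towards the modem/router and fxp1 towards a LAN of 192.168.1.0/24 (constructed interface names and addresses); net.link.ether.bridge_cfg comes from bridge(4), not from this text, and the way the bridge hands frames to ipf is stated as an assumption in the comments.

```conf
# --- kernel config additions (e.g. /usr/src/sys/i386/conf/BRIDGEFW) ---
options BRIDGE            # layer 2 bridging
options IPFILTER          # ipf in the kernel (or load it as a module instead)
options IPFILTER_LOG      # needed for the "log" keyword in the rules below

# --- /etc/sysctl.conf ---
# bridge_cfg is from bridge(4), not from the text above: without it *every*
# ethernet interface in the box is bridged together.
net.link.ether.bridge_cfg=fxp0,fxp1
net.link.ether.bridge=1
net.link.ether.bridge_ipf=1

# --- /etc/rc.conf ---
# bring both NICs up with no IP address at all; the box is reachable only from its console
ifconfig_fxp0="up"
ifconfig_fxp1="up"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"

# --- /etc/ipf.rules ---
# fxp0 faces the modem/router (untrusted), fxp1 faces the LAN (constructed: 192.168.1.0/24).
# Assumption: the bridge hands each frame to ipf as inbound on the interface it arrived on,
# so every decision is made with "in" rules. ipf consults the state table before any rule,
# so replies to LAN-initiated traffic pass on fxp0 although everything else there is blocked.
# Only IP is filtered; ARP and other non-IP frames are bridged untouched.
#
# anti-spoofing: LAN addresses never legitimately arrive from the outside
block in log quick on fxp0 from 192.168.1.0/24 to any
# what the LAN may start, with state kept for the return traffic
pass in quick on fxp1 proto tcp from 192.168.1.0/24 to any flags S keep state
pass in quick on fxp1 proto udp from 192.168.1.0/24 to any keep state
pass in quick on fxp1 proto icmp from 192.168.1.0/24 to any icmp-type echo keep state
# everything else that reaches either interface is dropped and logged
block in log quick on fxp0 all
block in log quick on fxp1 all
# out rules only keep ipf from dropping frames already accepted on the way in
pass out quick all
```

Load the rules with ipf -Fa -f /etc/ipf.rules and watch ipmon -o I for the logged blocks while testing from both sides of the bridge.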
End ------
All of mankind still has a lot to learn. Me too... ;)
Resources -------------
[1] - http://floppsie.comp.glam.ac.uk/Glamorgan/gaius/cnn/slides/1osi.html
[2] - http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/bridging.html
[3] - http://www.obfuscation.org/ipf/ipf-howto.txt
[4] - http://people.freebsd.org/~cjc/
----------------------------------------------
In case something will not work, go to [4], read it and apply the patch on your BSD box.
Still doesn't work? Use ipfw as described in [2]. Oh, Gods, did I say this? ipf rocks!
----------------------------------------------