This document contains a collection of sample profiles and filters that allow specific types of network traffic to pass through the GTSecure firewall. It includes the following sections:
Considering Classes of Traffic
Creating Profiles
Creating Sample Filters
Displaying All Examples
Considering Classes of Traffic
There are several types of traffic to consider when planning
a firewall. There are clients and servers inside the firewall, and there are public
clients and clients who authenticate outside the firewall. There are the basic
services of the Internet that you must allow, such as Domain Name Service (DNS)
and electronic mail transfer. Table 1 describes
these classes of traffic.
| Class of traffic . . . | May require filters that allow the following types of traffic . . . |
|---|---|
| Clients inside the firewall | Telnet, FTP, HTTP, DNS, Ping, Gopher, Finger, Archie, Talk, Traceroute, RealAudio, PointCast, Whois |
| Servers inside the firewall | DNS (UDP), DNS (TCP) for zone transfer partners, Ping, Traceroute |
| Public clients outside the firewall | Telnet, Anonymous FTP, HTTP, Gopher, Finger, DNS |
| Authenticated clients outside the firewall | Telnet, FTP, HTTP, Ping, Gopher, Finger, NFS (TCP recommended) |
| Internet Connectivity and ISP Management |
RIP, Telnet, SNMP, SMTP, Syslog, Time, Antispoofing You may also need to allow your Internet Service Provider (ISP) to access your router. |
Creating Profiles
The examples in this chapter use several profiles. Each profile holds filters for a different class of traffic. If you use these examples, you need to create the following profiles.
IP Filters Config>add profile client
IP Filters Config>add profile server
IP Filters Config>add profile trustee idle=3600
IP Filters Config>add profile internet
| This profile . . . | Holds filters that allow . . . |
|---|---|
| client | Clients inside the firewall to access external services. |
| server | Public clients (unauthenticated) outside the firewall to access internal services. These are services that you publish to anyone outside the firewall. |
| trustee | Authenticated clients outside the firewall to access services on servers inside the firewall. These are services that you do not usually publish to unauthenticated users outside the firewall. This profile has an idle timeout of one hour. You can use any value you find reasonable, but remember to put idle and/or expiration timeouts on dynamic profiles. |
| internet | Connectivity with the Internet and possibly allow your ISP to monitor or maintain the router. |
You should statically attach all but the trustee profile to the WAN interface, which is interface 1. To do so, enter the following command:
Note that the client profile is last. This is because the client profile contains filters that install dynamic openings in the firewall. Because client filters may recognize packets coming from servers, you should set up the profiles so that the client filters are consulted only after the packet is not identified as coming from a server or an Internet routing function.IP Filters Config>set interface 1 profiles=internet,server, client
Creating Sample Filters
Creating Filters for Clients Inside the Firewall
For clients on the inside of a firewall, the following filters allow most applications to function.
These examples assume that you first perform the scope command so that all commands apply to the client profile.
IP Filters Config>scope client
IP Filters Config client>
IP Filters Config client>add filter udp dir=out protocol=udp sport=transient
IP Filters Config client>add filter udp.reply da=sa sa=da dp=sp sp=dp idle=30
Child filters, by default, have a direction opposite that of their immediate parents. When a parent filter recognizes a packet, it installs a separate instance of the child filter for each new combination of addresses and ports it sees in an outbound packet. Copies of child filters that the parent filter installs are called dynamic filters.
When a client sends a UPD packet request, the udp filter recognizes the packet and installs a copy of the udp.reply filter. When the udp filter installs the udp.reply filter, it fills in the source and destination addresses, and source and destination port numbers from the outbound packet.
Note that the child filter has an idle timeout that causes dynamic filters that the child filter installs to be deleted when no longer in use. If a client sends additional packets to the same destination within 30 seconds, the existing dynamic filter's idle timer is reset, rather than installing a new copy. Packets coming in through the dynamic filter also refresh the idle timer.
This filter pair works for services such as HTTP and Telnet. These services use a single well-known port number at the server end, and the client assigns a transient port number at its end. This filter pair also works for FTP clients running sessions in PASV mode. This mode uses only one TCP connection. It is more secure to use Web browsers and FTP client programs that run in PASV mode because they do not require additional openings in the firewall.IP Filters Config client>add filter tcp dir=out prot=tcp sp=transient
Filters Config client>add filter tcp.reply da=sa sa=da dp=sp sp=dp idle=120
Some TCP applications may keep a session open and yet not send traffic for longer than the timeout period. This could result in sessions being interrupted. For example, you could have the following situation:
One or more internal clients that access an external host via Telnet.
On the external host, the client runs a program that takes a long time to run and does not produce any output until the program finishes.
Neither station produces TCP keepalive packets. If the stations did, then the keepalive packets would exercise the tcp filter pair defined above and your profile would not need further refinements.
If you encounter other "slow hosts," simply add their addresses to the slowhost filter. For example, to add two more hosts, do the following:IP Filters Config client>add filter slowhost before=tcp dir=out da=10.50.1.1 dp=telnet sp=transient
IP Filters Config client>add filter slowhost.response sa=da sp=dp da=sa dp=sp idle=600
Alternatively, if a user at address 10.1.1.2 inside the firewall always wants 30 minute timeouts when running Telnet to any host, add the following filters:IP Filters Config client>set filter slowhost da += 10.50.1.5, 10.55.70.6
IP Filters Config client>add filter tnfrom2 before=slowhost dir=out sa=10.1.1.2 dp=telnet sp=transient
IP Filters Config client>add filter tnfrom2.response sa=da sp=dp da=sa dp=sp idle=1800
IP Filters Config client>add filter ICMP dir=both protocol=ICMP
This filter allows any type of ICMP packet including Echo Request to pass in either direction.
IP Filters Config client>add filter Don'tPingMe before=ICMP dir=in protocol=ICMP ptype=Echo Request action=block
Handling DNS Clients
You will probably want to access Domain Name Servers (DNS) outside the firewall. The filter client.udp already supports DNS clients. However, that filter leaves a hole open longer than needed for DNS because, as soon as a response comes back, no more DNS messages are expected. To tighten the hole for DNS queries, add the following:
This opens a 15 second hole for the response. As soon as GTSecure receives the response, it closes the hole.IP Filters Config client>add filter DNS before=udp dir=out protocol=UDP dp=DNS
IP Filters Config client>add filter DNS.response da=sa sa=da dp=sp sp=dp idle=15 delete=on
Handling FTP Traffic
The generic TCP filters defined previously work for FTP utilities that run in PASV mode. Before adding this filter group, test your favorite FTP client utilities to see if they function correctly with the generic client filters. If they do, you don't need this example.
Otherwise, you need to support incoming connections from FTP servers whenever an FTP client is active. Add the following filters:
IP Filters Config client>add filter ftp before=* dir=out dp=FTP_CONTROL sp=transient
IP Filters Config client>add filter ftp.response da=sa sa=da dp=sp sp=dp idle=300
IP Filters Config client>add filter ftp.data da=sa sa=da dp=transient sp=FTP_DATA ptype=SYN idle=30 delete=on
IP Filters Config client>add filter ftp.data.narrow dir=both da=da sa=sa dp=dp sp=sp idle=300
If the FTP clients that cannot perform in PASV mode are only on certain hosts, you can limit this filter to just those clients and reduce the number of holes in your firewall. This is always good to do. If you can narrow the set of hosts needing this support down to a reasonable number (like under 20), put the addresses of these hosts into the source address field of the ftp filter. Only the listed hosts open the holes for incoming data channel connections. All others fall through to the simple tcp filter. For example, if the only hosts that cannot do PASV FTP are on 10.1.1.8 and 10.1.1.72, then enter:
As with the Telnet examples, you may encounter hosts which, for one reason or another, are very slow to respond. There are two solutions to this problem:IP Filters Config client>set filter ftp sa=10.1.1.8,10.1.1.72
You can increase the idle times to higher values, but this causes all FTP sessions to leave openings in the firewall for a longer time.
You can install a second copy of the ftp filter group before this group, with specific hosts identified in the destination address field of the first filter and longer timeouts throughout. For example, to access two FTP servers (10.60.2.1 and 10.80.5.5) that are slow to respond, add the following filters:
IP Filters Config client>add filter slowftp before=ftp dir=out da=10.60.2.1,10.80.5.5 dp=FTP_CONTROL sp=transient
IP Filters Config client>add filter slowftp.response da=sa sa=da dp=sp sp=dp idle=600
IP Filters Config client>add filter slowftp.data da=sa sa=da dp=transient sp=FTP_DATA ptype=SYN idle=30 delete=on
IP Filters Config client>add filter slowftp.data.narrow dir=both da=da sa=sa dp=dp sp=sp idle=300
Add these filters to the server profile.
Allowing Access to TCP-based Services Inside the Firewall
You can easily address most TCP-based services, such as Telnet and Web (HTTP), with simple bidirectional filters.
For example, to publish access to a Web server at 10.1.1.1, add the following:
If your Web server is also an FTP and Telnet server to the outside world, enter all the services in the same filter:IP Filters Config>add filter server.public dir=both da=10.1.1.1 dp=http
In the event that you are publishing services from more than one host, there are two ways to organize the information. Suppose you have the following servers:IP Filters Config>add filter server.public dir=both da=10.1.1.1 dp=http,ftp,telnet
Server 10.1.1.1 publishes HTTP
Server 10.1.1.2 publishes HTTP, FTP, and Telnet
Server 10.1.1.3 publishes FTP
Or, you could organize filters by service:IP Filters Config>add filter server.1 dir=both da=10.1.1.1 dp=http
IP Filters Config>add filter server.2 dir=both da=10.1.1.2 dp=http,ftp,telnet
IP Filters Config>add filter server.3 dir=both da=10.1.1.3 dp=ftp
You may want the world to be able to run Ping to your servers to check if they are up. Ping uses a different protocol, so you cannot include it in the filters above that are for TCP packets. Add the following:IP Filters Config>add filter server.web dir=both da=10.1.1.1,10.1.1.2 dp=http
IP Filters Config>add filter server.ftp dir=both da=10.1.1.2,10.1.1.3 dp=ftp
IP Filters Config>add filter server.telnet dir=both da=10.1.1.2 dp=telnet
IP Filters Config>add filter server.pings dir=both da=10.1.1.1-10.1.1.3 protocol=ICMP ptype=Echo Request
DNS transfers data in a few different modes. The client.udp or client.DNS filters described above already let clients inside the firewall access DNS servers outside the firewall.
If you are running your own DNS server inside the firewall, that server may also make requests of other DNS servers outside the firewall. The client filters above also already support these exchanges.
To make your DNS server accessible to the outside world (because you have your own domain), you need to add the following filter (supply your own DNS server address, of course):
If your DNS server must interact with a secondary domain server that is outside the firewall, you need to add another filter to allow zone transfers. If the secondary server is on 10.50.50.50, add the following:IP Filters Config>add filter server.DNS dir=both da=10.1.1.10 protocol=udp dp=dns
IP Filters Config>add filter server.DNSZone dir=both da=10.1.1.10 sa=10.50.50.50 protocol=tcp dp=dns
IP Filters Config>add filter trustee.tcp dir=both sa=authenticator da=10.1.1.17 dp=smtp,ftp,http,telnet
Preventing IP Address Spoofing
To prevent users outside the firewall from spoofing internal client addresses, add a filter that blocks any packets coming from the Internet that claim to have a source address that matches any network on the inside of the firewall.
Assuming the internal network number is 10.1.1.0, add the following filter:
IP Filter Config>add filter internet.nospoof dir=in action=block source=10.1.1.0&255.255.255.0
IP Filters Config>add filter internet.RIP dir=both sp=RIP dp=RIP
If your router sends SNMP traps out to the ISP's SNMP management station, add the following:IP Filters Config>add filter internet.SNMP dir=both da=10.1.1.2 sa=10.50.50.10 dp=SNMP
If your ISP needs to run Telnet to the router, add the following:IP Filters Config>add filter internet.SNMPTrap dir=out da=10.50.50.10 sp=SNMPTrap
IP Filters Config>add filter internet.TelnetToRouter dir=both da=10.1.1.2 sa=10.50.50.10 dp=telnet
IP Filters Config>add filter internet.TelnetToRouter dir=both da=10.1.1.2 dp=telnet
Typically, the default value for the DF bit is zero, allowing fragmentation. Some situations where an application sets the DF bit, can result in unrecoverable errors. The filters in this sections address two situations in which overriding the DF bit would prevent errors.
Firewall That Prohibits ICMP "Unreachable" Packets
If a packet with the DF bit set passes through a firewall and reaches an interface that wants to fragment it, the resulting ICMP "Unreachable" message is blocked at the firewall. The long packet has been dropped and the originating application will not learn why. The application will enter error recovery mode and probably stay there forever, as the too-long packets continue to be dropped without explanation.
To get through a problematic firewall, we can use the firewall's network address to identify the packet and turn off its DF bit:
Since the default action for IP filters is to discard packets not explicitly passed, remember to pass the altered packet in a subsequent rule. The following rule will pass all traffic that reaches it:IP Filters Config>add filter firewall.firewallDF da=192.168.1.00&255.255.255.0 DFbit=off action=ignore
IP Filters Config>add filter firewall.passall action=pass
Some web browsers set the DF bit by default. If you are directing a browser to access a web server on the far side of an IPSec tunnel, packets may be lost due to the DF bit problem at the ingress to the IPSec tunnel.
To create a filter that recognizes web traffic by its destination port number, 80, and forces its DF bit to off, add the following:
To cover traffic returning from the web server to the browser, add the following:IP Filters Config>add filter internet.webOutDFfilter dport=80 DFbit=off action=ignore
IP Filters Config>add filter internet.webInDFfilter sport=80 DFbit=off action=ignore
IP Filters Config>list interface 1
Interface Attached Profiles
--------------------------------
1 internet
server
client
Listing Filters Attached to Interface 1
Name Dir Address Port Protocol Idle
Action
--------------------------------------------------------------------------------
internet.nospoof In sa=10.1.1.0&255.255.255.0 Any Block Off
internet.RIP Both isp=RIP(520) UDP Pass Off
idp=RIP(520)
internet.SNMP Both isa=10.50.50.10 idp=SNMP(161) UDP Pass Off
ida=10.1.1.2
internet.SNMPTrap Out da=10.50.50.10 sp=SNMPTrap(162) Pass Off
UDP
internet.TelnetToRouter Both ida=10.1.1.2 idp=TELNET(23)TCP Pass Off
server.web Both ida=10.1.1.1 idp=HTTP(80) TCP Pass Off
ida=10.1.1.2
server.ftp Both ida=10.1.1.2 idp=FTP(20-21) Pass Off
ida=10.1.1.3 TCP
server.telnet Both ida=10.1.1.2 idp=TELNET(23) Pass Off
TCP
server.pings Both ida=10.1.1.1-10.1.1.3 ICMP Pass Off
Echo Request
server.DNS Both ida=10.1.1.10 idp=DNS(53) UDP Pass Off
server.DNSZone Both isa=10.50.50.50 idp=DNS(53) TCP Pass Off
ida=10.1.1.10
client.slowftp Out da=10.60.2.1 sp=transient TCP Pass Off
da=10.80.5.5 dp=FTP_CONTROL(21)
client.slowftp.response In sa=destination sp=dport TCP Pass 600
da=source dp=sport
client.slowftp.data In sa=destination sp=FTP_DATA(20) Pass 60
da=source dp=transient TCP Delete
SYN
client.slowftp.data.narrow isa=source isp=sport TCP Pass 600
Both ida=destination idp=dport
client.ftp Out sa=10.1.1.8 sp=transient TCP Pass Off
sa=10.1.1.72 dp=FTP_CONTROL(21)
client.ftp.response In sa=destination sp=dport TCP Pass 300
da=source dp=sport
client.ftp.data In sa=destination sp=FTP_DATA(20) Pass 30
da=source dp=transient TCP Delete
SYN
client.ftp.data.narrow Both isa=source isp=sport TCP Pass 300
ida=destination idp=dport
client.DNS Out dp=DNS(53) UDP Pass Off
client.DNS.response In sa=destination sp=dport UDP Pass 15
da=source dp=sport Delete
client.udp Out sp=transient UDP Pass Off
client.udp.reply In sa=destination sp=dport UDP Pass 30
da=source dp=sport
client.tnfrom2 Out sa=10.1.1.2 sp=transient TCP Pass Off
dp=TELNET(23)
client.tnfrom2.response In sa=destination sp=dport TCP Pass 1800
da=source dp=sport
client.slowhost Out da=10.50.1.1 sp=transient TCP Pass Off
da=10.50.1.5 dp=TELNET(23)
da=10.55.70.6
client.slowhost.response In sa=destination sp=dport TCP Pass 600
da=source dp=sport
client.tcp Out sp=transient TCP Pass Off
client.tcp.reply In sa=destination sp=dport TCP Pass 120
da=source dp=sport
client.Don'tPingMe In ICMP Block Off
Echo Request
client.ICMP Both ICMP Pass Off