IPFW Open ports 80/443 to any, but limit port 22 to specific IPs. Help needed.

[GavinW]

I'm new to FreeBSD.

I want to secure my simple web server, opening its HTTP and HTTPS ports to anywhere but limiting SSH access to specific addresses only.

What's the correct way to configure IPFW that way?

Thank you.

 

[SirDice]

Handbook: 31.4. IPFW

 

[amilis]

As SirDice metoion, there is a loot of goodies in the handbook.

Here is a basic setup. But you need more then this.
You have a firewall in front? Or is this a VDC in a cloud? Then change the ssh port in /etc/ssh/sshd_config, you also need to change port below.

ext_if     = ”YOUR_EXT_IF_ON_THE_SERVER”
allow_ip = "YOUR_SSH_ALLOW_IP"

block drop log all
pass  in    quick on $ext_if proto tcp  from $allow_ip  to $ext_if    port 22              flags S/UAPRSF modulate state
pass  in    quick on $ext_if proto tcp  from any           to $ext_if    port {80, 443}    flags S/UAPRSF modulate state

 

[astyle]

GavinW : I'd suggest that you follow some some Best Practices and turn port 80 off altogether. A good approach would be to do that on the server config, as opposed to firewall config. Firewalls are useful, but they cannot replace proper server config. I've seen lots of people get burned by bad firewall configs, and they spend a LOT of time trying to fine-tune firewall rules. A proper server config, done first, makes firewall config MUCH easier.

 

[GavinW]

This is a web server, so ports 80 and 443 are open.

I found the following lines in /etc/rc.conf mostly satisfy my needs:

firewall_enable="YES"
firewall_type="workstation"
firewall_logdeny="YES"
firewall_myservices="ssh"
firewall_allowservices="xx.xxx.xxx.xxx"


The above config limits SSH to specific IP(s). To open 80 to anywhere, I need this following line:

ipfw add 10 allow tcp from any to me 80

Is it a good practice to insert this line to the workstation section in /etc/rc.firewall?

 

[covacat]

do not modify system files
start with firewall_type="workstation"
then
ipfw list|sed 's/ / add /' >/etc/myhost.fw
and in rc.conf
firewall_type="/etc/myhost.fw"
then edit that file to your needs

 

[se@]

Small addition to covacat's reply:

ipfw list will show entries in the range 100 to 1000 that have been created by /etc/rc.firewall even when a custom firewall configuration file is specified:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136

Rules for this range should be deleted from the /etc/myhost.fw file derived from the "ipfw list" output, or else you'll get each of these rules twice, once from /etc/rc.firewall and once from processing your file. Duplicate rules would cause some processing overhead but no other damage.

These rules are minimally required to allow traffic to pass through the loopback interface, but prevent forging packets with a source address in the loopback network range from being accepted via any other interface. (Packets received over any other interface could else reach functions that consider them internally generated and therefore trusted.) And they allow the minimally required IPv6 signaling packages to pass.

 

[im]

I have a lot of hosts that should be allowed for ssh access for my servers,
so I prefer to use "ipfw table" for organize the list of permitted hosts.

/etc/rc.conf

firewall_enable="YES"
firewall_script="/root/scripts/rc.firewall"

/root/scripts/rc.firewall

ipfw='/sbin/ipfw -q'
${ipfw} table 22 flush

for ip in `cat /root/bin/mynetlist.db`; do
${ipfw} table 22 add $ip
done

#ssh
${ipfw} add allow tcp from 192.168.0.0/24,10.0.0.0/24 to me 22
${ipfw} add allow tcp from me 22 to 192.168.0.0/24,10.0.0.0/24
${ipfw} add allow tcp from FAILSAFE_HOST to me 22
${ipfw} add allow tcp from me 22 to FAILSAFE_HOST
${ipfw} add allow tcp from table\(22\) to me dst-port 22
${ipfw} add allow tcp from me 22 to table\(22\)
${ipfw} add deny log logamount 0 tcp from any to me 22

The plaintext file /root/bin/mynetlist.db contains a list of permitted networks one per line, like this

8.8.8.8/32
172.16.1.0/25

Also I have a master-copy of file mynetlist.db on some remote server, and update the local file from master.

Finally, for advanced security, I enable 'AllowUsers' option of /etc/ssh/sshd_config only for the specified low-privilege users