4.4 FreeBSD NAT Firewall

Other pages:

How to build a NAT firewall

First

OK, first you need to install the box. Just choose a default installation, choose kernel-developer (Full sources but no X-windows), answer no when prompted to install the "Ports Collection".

I rely on the fact that you are no newbie, that is - you can install the box and configure networking support, so both network interfaces have proper connectivity.

Optimize kernel configuration file

After installation go to the /usr/src/sys/i386/conf directory and copy the GENERIC kernel configuration file to a file with another name, mostly to avoid changing the default kernel configuration file.

Let's just take it that the name (hostname) of the firewall are "gw", so copy the GENERIC file to GW (cp GENERIC GW).

Now, edit the GW file to remove devices you don't need in the firewall. This is a highly individual process, as some might need support for RAID controllers and others may want to have PCMCIA support.

If you are not sure of this, then just leave the default devices in there, as this process is mainly for optimizing speed and reducing memory usage..

Changes to the default kernel configuration

In order for the kernel to have firewall support, which are not in the default kernel, add this:

options IPFIREWALL
options 
                  IPFIREWALL_VERBOSE
options 
                  IPFIREWALL_VERBOSE_LIMIT=0

RANDOM IP ID causes the ID field in IP packets to be randomized instead of incremented by 1 with each packet generated. This option closes a minor information leak which allows remote observers to determine the rate of packet generation on the machine by watching the counter.

So add:

options 
                  RANDOM_IP_ID

To have NAT support, add this to the kernel configuration:

options IPDIVERT

The IPFireWall software have another feature, that feature are bandwith throttle - or bandwith control. This way, the amount of bandwidth used to/from specific sites or networks can be limited, so the entire internet connection doesn't go to netradio or movie downloads.
Add to the kernel configuration file:

options DUMMYNET

Recompile the kernel

This is no different than the usual compile-dance, go to (or stay in) the /usr/src/sys/i386/conf directory.

Type "/usr/sbin/config GW"

Go to ../../compile/GW

Type "make depend"

After finished making all dependencies, type "make" to make it start compiling.

Now it's time to go for a cup of coffee, as recompilation of the kernel are something that usually takes quite some time, a fast processor and addequate amounts of RAM usually speeds tings up - but even on a very fast machine it still takes some time..

After finished compiling, type "make install" to install the new kernel. If this step fails, please change the kernel_securelevel_enable="YES" in /etc/rc.conf to kernel_securelevel_enable="NO" and reboot the machine and try "make install" again..

Disable services

Disabling services not needed on the firewall will contribute in minimizing the risk of intrusion and remote exploits.

The portmapper should be desabled as per default in FreeBSD 4.4, but...

In 
                  /etc/rc.conf:

inetd_enable="NO"
portmap_enable="NO"
sendmail_enable="NO"
inetd_enable="NO"

Gateway

In order for the machine to act as a network gateway, the gateway option must be enabled - this is pretty important, unless you plan on making it a proxy-firewall, using Squid or Apache.

In 
                  /etc/rc.conf:

gateway_enable="YES"

Enable Firewall and NAT
The firewall must be enabled, this is also done in /etc/rc.conf.

Add this:

firewall_enable="YES"
firewall_type="simple"

To enable the NAT feature, add this to /etc/rc.conf:

natd_enable="YES"
natd_interface="fxp0"
natd_flags=""

The fxp0 in natd_interface must be changed to match the NIC on the outside, so if you have a 3Com 509B network card and it is found as the first 509B card, the line would be natd_interface="ep0".

Kernel securelevel

This part is pretty damn important, so read carefully:

The kernel runs with four different levels of security. Any super-user process can raise the security level, but no process can lower it.

The security levels are:

-1
Permanently insecure mode - always run the system in level 0 mode.
This is the default initial value.
0
Insecure mode - immutable and append-only flags may be turned off.
All devices may be read or written subject to their permissions.
1
Secure mode - the system immutable and system append-only flags may not be turned off; disks for mounted filesystems, /dev/mem, and /dev/kmem may not be opened for writing; kernel modules may not be loaded or unloaded.
2
Highly secure mode - same as secure mode, plus disks may not be opened for writing (except by mount) whether mounted or not.
This level precludes tampering with filesystems by unmounting them, but also inhibits running newfs while the system is multi-user mode.

In addition, kernel time changes are restricted to less than or equal to one second. Attempts to change the time by more than this will log the message "Time adjustment clamped to +1 second".
3
Network secure mode - same as highly secure mode, plus IP packet filter rules (see ipfw and ipfirewall) cannot be changed and dummynet configuration cannot be adjusted.

My recommendation are setting securelevel to 2 or 3, where I myself would set it to securelevel 3 - but be aware that this will mean rebooting the firewall every time you made changes to ipfw filter rules.

Hardening features

The following should be added to /etc/sysctl.conf:

To defending against sequence number attacks based on rfc1948 by randomize initial sequence number, add:

net.inet.tcp.strict_rfc1948=1

To verify that an incoming packet arrives on an interface that has an address matching the packet's destination address, add:

net.inet.ip.check_interface=1

To drop SYN packets destine to non-listening tcp/udp port.
This will create a blackhole and protect somewhat against stealth port scans:

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

And finally, to log all those packets desited for non-listening ports:

net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1

Configuration of the firewall

The firewall configuration are located in the /etc/rc.firewall file.

Since we told the firewall software that we are using it as a "simple" firewall, the active configuration are the one in the "simple" section. Usually the default configuration are enough, especially since we just buld a NAT firewall.

For a comprehensive description on the fetaures of IPFW, please consult the man pages (man ipfw).

Port redirection

Normally, a firewall setup would include a DMZ, a third network interface, where publicly accesible servers should be located. One of these servers could be a mail-relay server, to handle and sort incoming mail before it reaches the central mail system - such as MS Exchange (known for it's non-existing features for relay control).

Many corporate installations would include something for scanning, filtering and validating the inbound and outbound mail, like MailSweeper.

This server would live on the DMZ..

There are two different approaches into solving this, one is port redirection - the other are address redirection.

So, how is this done..?

Peace of cake - really..

Let's just for arguments sake assume that the DMZ network have the address-space of 10.0.0.0 with a C-Class network (netmask 255.255.255.0), the DMZ interface is 10.0.0.1 and the MailSweeper machine are 10.0.0.2.

The easiest are port-redirection, change in /etc/rc.conf:

natd_flags=""

Should 
                  be changed to:

natd_flags="-redirect_port tcp 
                  10.0.0.2:25 25"

This would redirect port 25 from the natd_interface to port 25 on 10.0.0.2.

Similar, for redirecting all traffic to an outside IP address (also known as "static NAT"):

natd_flags=""

Should be changed 
                  to;

natd_flags="-redirect_address 10.0.0.2 80.80.80.80"

Where the 80.80.80.80 address are really the address on the natd_interface or any public address available on the natd_interface (the "outside" interface).

More advanced stuff and facilites are available through the man pages.

Bandwidth limiting

FreeBSD comes with a bandwidth management in dummynet.
dummynet can be extremely useful to slow down a potential fast link DoS another slower link.

Lets assume that a lot of bandwith goes to downloading movies from servers at the 1.1.1.1 network.

Add to your configuration in /etc/rc.firewall:

First construct the 
                  pipe:
add pipe 1 ip from any to 1.1.1.0/24

Then 
                  configure the pipe:
pipe 1 config bw 256Kbit/s

This limits bandwith for the 1.1.1.0/24 network to 256 Kbit/s.

More realisticly, the bandwith used for mail transactions can be limited, so large mails doesn't chew up the entire internet connetion:

First construct 
                  the pipe:
add pipe 1 ip from any to 10.0.0.2

Then 
                  configure the pipe:
pipe 1 config bw 256Kbit/s

This limits mail transactions to 256 Kbit/s.

More information regarding other features, such as packet delay, forced random packetloss etc. can be found in the man pages ("man ipfw" or "man dummynet").

References

FreeBSD homepage: http://www.freebsd.org/

FreeBSD Manual: http://www.freebsd.org/handbook/

Address Allocation for Private Internets: http://www.muine.org/rfc/rfc1918.txt

The IP Network Address Translator (NAT): http://www.muine.org/rfc/rfc1631.txt

Traditional IP Network Address Translator (Traditional NAT): http://www.muine.org/rfc/rfc3022.txt

Bandwidth management: http://www.iet.unipi.it/~luigi/ip_dummynet/

The Twenty Most Critical Internet Security Vulnerabilities (Updated): http://66.129.1.101/top20.htm

Credits

This content are in part inspired from Hoang Q. Tran's "FreeBSD firewall using IP filter".