Tuesday, 11 September 2007

IPFilter Firewall

From a security standpoint, one of the new features of Solaris 10 and OpenSolaris (alongside JASS, TCP_WRAPPER, RBAC and SMF) is the inclusion of IPFilter as a TCP/UDP filtering and NAT tool, with support from Sun Microsystems.

In earlier Solaris versions (from Solaris 8, and still compatible with 9), the SunScreen product was bundled free of charge in its Lite edition, up to version 3.1.

In this article we will set up basic protection for our system with a few simple rules and understand how they work.

We load the kernel modules.

# ipf -E

Now we can enable the software, managing it through SMF.

# svcadm enable ipfilter

# svcs | grep ipfilter
online 11:17:24 svc:/network/ipfilter:default

# tail -f /var/svc/log/network-ipfilter\:default.log
[ abr 25 18:14:26 Disabled. ]
[ abr 25 18:14:26 Rereading configuration. ]
[ abr 25 18:30:41 Disabled. ]
[ sep 11 11:17:11 Enabled. ]
[ sep 11 11:17:14 Executing start method ("/lib/svc/method/ipfilter start") ]
[ sep 11 11:17:24 Method "start" exited with status 0 ]

Then we can check its status like this:

# ipfstat -iol
empty list for ipfilter(out)
empty list for ipfilter(in)

This is because it is not configured yet. We have to create the file /etc/ipf/pfil.ap, in which we specify the interface the filter will act on, and the file /etc/ipf/ipf.conf, in which we implement our filtering or NAT rule policy.

# ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
pcn0: flags=201000843 mtu 1500 index 2
inet 10.73.130.251 netmask ffffff00 broadcast 10.73.130.255
ether 0:c:29:ef:ed:da

# vi /etc/ipf/pfil.ap
# IP Filter pfil autopush setup
#
# See the autopush(1M) manpage for more information.
#
# Format of the entries in this file is:
#
#major minor lastminor modules
#iprb -1 0 pfil
#elxl -1 0 pfil
pcn0 -1 0 pfil
#e1000g -1 0 pfil
#bge -1 0 pfil
#nf -1 0 pfil
#fa -1 0 pfil
#ci -1 0 pfil
#el -1 0 pfil
#ipdptp -1 0 pfil
#lane -1 0 pfil
#dnet -1 0 pfil
#pcelx -1 0 pfil
#spwr -1 0 pfil

# vi /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.

# Block any packets which are too short to be real
block in quick all with short
#
# drop and log any IP packets with options set in them.
block in all with ipopts
#
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
#
# Public Network. Block everything not explicitly allowed.
#block in log on pcn0 all
block in log on pcn0 from any to any port = 22
block out on pcn0 all
#
# Allow pings out.
pass out quick on pcn0 proto icmp all keep state
#
# for testing, allow pings from ben and jerry
pass in quick on pcn0 proto icmp from 10.73.130.122/32 to 10.73.130.251/32
#
# Allow outbound state related packets.
pass out quick on pcn0 proto tcp/udp from any to any keep state
#
# allow ssh from 172.16.0.0/16 only.
# pass in log quick on pcn0 from 172.16.0.0/16 to 172.16.1.100/32 port = 22
# Actually, allow ssh only from ben, jerry, MSU
pass in quick on pcn0 proto tcp from 10.73.130.122/32 to 10.73.130.251/32 port = 22

With this simple configuration we have blocked all traffic and only allow SSH access from IP 10.73.130.122 to IP 10.73.130.251, plus ICMP traffic.
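The rule walk behind that configuration, as a small Python model added here (not code from the original post): it parses the active rules of the ipf.conf above, applies IPFilter's documented semantics (rules are walked top to bottom and the last match decides, unless a matching rule says `quick`; a packet matching no rule is passed; `keep state` on a passed packet lets the reply direction back in) and runs a few constructed packets through the result. It also re-enables the commented-out catch-all `block in log on pcn0 all`, which the author's own comment ("Block everything not explicitly allowed") calls for, to show the difference: with the catch-all left commented, an inbound connection to a port other than 22 matches no rule and is passed by default. The address 10.73.130.1, standing in for a remote web server, is an assumption; the other addresses are the page's own.

```python
"""Toy model of IPFilter's rule walk (ipf(4) semantics: last match wins unless
"quick"; no match means pass; "keep state" admits the reverse direction of a
passed flow).  Only the rule syntax that appears in the ipf.conf above is parsed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    action: str; direction: str                   # "pass"/"block", "in"/"out"
    quick: bool = False; log: bool = False; keep_state: bool = False
    iface: Optional[str] = None; proto: Tuple[str, ...] = ()    # None / (): any
    src: Optional[ipaddress.IPv4Network] = None; dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None; with_opt: Optional[str] = None  # "port = N", "with short|ipopts"

@dataclass
class Packet:
    direction: str; iface: str; proto: str; src: str; dst: str
    sport: int = 0; dport: int = 0
    short: bool = False; ipopts: bool = False     # runt packet / IP options present

def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    tok = line.split()
    rule, i = Rule(action=tok[0], direction=tok[1]), 2
    while i < len(tok):
        t = tok[i]
        if t == "quick": rule.quick = True
        elif t == "log": rule.log = True
        elif t == "all": pass
        elif t == "on": i += 1; rule.iface = tok[i]
        elif t == "proto": i += 1; rule.proto = tuple(tok[i].split("/"))
        elif t == "from": i += 1; rule.src = _net(tok[i])
        elif t == "to": i += 1; rule.dst = _net(tok[i])
        elif t == "port": i += 2; rule.dport = int(tok[i])      # "port = N"
        elif t == "with": i += 1; rule.with_opt = tok[i]
        elif t == "keep": i += 1; rule.keep_state = True        # "keep state"
        else: raise ValueError(f"unsupported token {t!r} in {line!r}")
        i += 1
    return rule

def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (not rule.proto or pkt.proto in rule.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.with_opt != "short" or pkt.short)
            and (rule.with_opt != "ipopts" or pkt.ipopts))

class Firewall:
    def __init__(self, conf):
        self.rules = [parse_rule(l) for l in conf.splitlines() if l.strip() and not l.startswith("#")]
        self.state = set()                        # flows recorded by "keep state"

    def filter(self, pkt):
        """Return (verdict, reason) for one packet and update the state table."""
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "pass", "state table"          # reply to a flow we passed earlier
        winner = None
        for n, rule in enumerate(self.rules, 1):
            if matches(rule, pkt):
                winner = (n, rule)                # last match so far wins...
                if rule.quick: break              # ...unless it says quick
        if winner is None:
            return "pass", "no matching rule: IPFilter's default is pass"
        n, rule = winner
        if rule.action == "pass" and rule.keep_state:
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return rule.action, f"rule {n}" + (" (logged)" if rule.log else "")

# The page's ipf.conf rules in order, catch-all commented out as on the page;
# IPF_CONF_STRICT re-enables that catch-all.
IPF_CONF = """
block in quick all with short
block in all with ipopts
pass in quick on lo0 all
pass out quick on lo0 all
#block in log on pcn0 all
block in log on pcn0 from any to any port = 22
block out on pcn0 all
pass out quick on pcn0 proto icmp all keep state
pass in quick on pcn0 proto icmp from 10.73.130.122/32 to 10.73.130.251/32
pass out quick on pcn0 proto tcp/udp from any to any keep state
pass in quick on pcn0 proto tcp from 10.73.130.122/32 to 10.73.130.251/32 port = 22
"""
IPF_CONF_STRICT = IPF_CONF.replace("#block in log on pcn0 all", "block in log on pcn0 all")

def evaluate(conf):
    """Run constructed probe packets through a rule set; returns name -> (verdict, reason)."""
    fw = Firewall(conf)
    me, admin, other, web = "10.73.130.251", "10.73.130.122", "10.73.130.68", "10.73.130.1"  # web: assumed
    probes = [
        ("ssh from admin host", Packet("in", "pcn0", "tcp", admin, me, 50315, 22)),
        ("ssh from other host", Packet("in", "pcn0", "tcp", other, me, 50315, 22)),
        ("http from other host", Packet("in", "pcn0", "tcp", other, me, 40000, 80)),
        ("outbound https", Packet("out", "pcn0", "tcp", me, web, 33000, 443)),
        ("https reply", Packet("in", "pcn0", "tcp", web, me, 443, 33000)),
    ]
    return {name: fw.filter(p) for name, p in probes}
```

Calling `evaluate(IPF_CONF)` reproduces the page's result (SSH from 10.73.130.122 passes on the last `quick` rule, SSH from 10.73.130.68 is blocked and logged by the non-quick port 22 rule) and also shows the HTTP probe passing on the default; `evaluate(IPF_CONF_STRICT)` blocks it, while the HTTPS reply still passes through the state table in both cases.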

We restart the service and list the rules again.

# svcadm disable ipfilter
# svcadm enable ipfilter
# ipfstat -iol
pass out quick on lo0 all
block out on pcn0 all
pass out quick on pcn0 proto icmp from any to any keep state
pass out quick on pcn0 proto tcp/udp from any to any keep state
block in quick from any to any with short
block in from any to any with ipopts
pass in quick on lo0 all
block in log on pcn0 from any to any port = 22
pass in quick on pcn0 proto icmp from 10.73.130.122/32 to 10.73.130.251/32
pass in quick on pcn0 proto tcp from 10.73.130.122/32 to 10.73.130.251/32 port = ssh

Then, if we open a connection with an SSH client from IP 10.73.130.68 to IP 10.73.130.122, we can easily see how it is rejected:

# tail -f /var/adm/ipfilter.log
11/09/2007 19:11:41.430677 pcn0 @0:4 b 10.73.130.68,50315 -> 10.73.130.251,22 PR tcp len 20 44 -S IN
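To do more with that log than watch it with tail -f, here is an added Python parser (not code from the original post) for the ipmon line format shown above: date and time, interface, @group:rule, action code (b = blocked, p = passed), source and destination with ports, protocol, header and total length, TCP flags and direction. It counts blocked inbound attempts per source and destination port and lists the sources that exceed a threshold. The first sample line is the one from the page; the remaining lines are constructed for the example.

```python
"""Parser for ipmon(1M) lines as written to /var/adm/ipfilter.log, plus a
per-source count of blocked inbound connection attempts."""
import re
from collections import Counter
from datetime import datetime

# date time iface @group:rule action src[,sport] -> dst[,dport] PR proto len hlen total [flags] IN|OUT
_LINE = re.compile(
    r"^(?P<stamp>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<total>\d+)"
    r"(?: (?P<extra>.*?))? (?P<direction>IN|OUT)$")

def parse_ipmon_line(line):
    """Return a dict for one ipmon line, or None if the line does not parse."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # ipmon writes the date as dd/mm/yyyy (11/09/2007 is the post's own date)
    rec["when"] = datetime.strptime(rec.pop("stamp"), "%d/%m/%Y %H:%M:%S.%f")
    for k in ("group", "rule", "hlen", "total", "sport", "dport"):
        rec[k] = int(rec[k]) if rec[k] is not None else None   # ports absent for ICMP
    rec["blocked"] = rec["action"] == "b"       # 'b' = blocked, 'p' = passed
    return rec

def blocked_inbound(lines):
    """Counter of (src, dport) over blocked inbound records; unparsable lines are skipped."""
    counts = Counter()
    for rec in map(parse_ipmon_line, lines):
        if rec and rec["blocked"] and rec["direction"] == "IN":
            counts[(rec["src"], rec["dport"])] += 1
    return counts

def noisy_sources(lines, port=22, threshold=3):
    """Sources with at least `threshold` blocked inbound attempts against `port`."""
    return sorted(src for (src, dport), n in blocked_inbound(lines).items()
                  if dport == port and n >= threshold)

# First line is the one from the page; the rest are constructed for this example.
SAMPLE_LOG = """\
11/09/2007 19:11:41.430677 pcn0 @0:4 b 10.73.130.68,50315 -> 10.73.130.251,22 PR tcp len 20 44 -S IN
11/09/2007 19:11:44.512003 pcn0 @0:4 b 10.73.130.68,50316 -> 10.73.130.251,22 PR tcp len 20 44 -S IN
11/09/2007 19:11:47.908114 pcn0 @0:4 b 10.73.130.68,50317 -> 10.73.130.251,22 PR tcp len 20 44 -S IN
11/09/2007 19:12:02.115220 pcn0 @0:4 b 10.73.130.200,41022 -> 10.73.130.251,22 PR tcp len 20 44 -S IN
this line is not ipmon output and is skipped
""".splitlines()

if __name__ == "__main__":
    for (src, port), n in blocked_inbound(SAMPLE_LOG).most_common():
        print(f"{src:16} port {port:<5} blocked {n} times")
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

The regex keeps the ports optional because ipmon omits them for protocols without ports, and anything after the length fields up to the direction is kept verbatim in `extra` (the `-S` flag column on the page's line), so the same parser covers lines that carry ICMP type/code there instead.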

And also the statistics since the service was started.

# ipfstat -hio
0 pass out quick on lo0 all
3 block out on pcn0 all
0 pass out quick on pcn0 proto icmp from any to any keep state
2 pass out quick on pcn0 proto tcp/udp from any to any keep state
0 block in quick from any to any with short
0 block in from any to any with ipopts
0 pass in quick on lo0 all
7 block in log on pcn0 from any to any port = 22
0 pass in quick on pcn0 proto icmp from 10.73.130.122/32 to 10.73.130.251/32
2 pass in quick on pcn0 proto tcp from 10.73.130.122/32 to 10.73.130.251/32 port = ssh

But if you are not very familiar with this kind of command-line firewall, you can always turn to a GUI. For this purpose FwBuilder is one of the best open-source solutions, and it is 100% compatible with IPFilter and Solaris 10.