IP Filter Based Firewalls HOWTO(3)

Published: 2007-06-23
2.7 Filtering in both directions: the keyword "out"

So far we have only passed or blocked packets coming into the firewall. To be precise, an incoming packet is one that arrives on any interface of the firewall. Conversely, an outgoing packet is one that leaves any interface of the firewall, whether it was generated locally or is merely passing through. This means we can filter packets leaving the firewall just as well as packets entering it.
Now that we know outgoing packets can be filtered just like incoming ones, one use that comes to mind is stopping spoofed packets from leaving our own network. If some external host wants to route a packet destined for 192.168.0.0/16 through ipf, why not just drop it? In the worst case we only waste a little bandwidth:
block out quick on tun0 from any to 192.168.0.0/16
block out quick on tun0 from any to 172.16.0.0/12
block out quick on tun0 from any to 10.0.0.0/8
block out quick on tun0 from any to 0.0.0.0/8
block out quick on tun0 from any to 127.0.0.0/8
block out quick on tun0 from any to 169.254.0.0/16
block out quick on tun0 from any to 192.0.2.0/24
block out quick on tun0 from any to 204.152.64.0/23
block out quick on tun0 from any to 224.0.0.0/3
block out quick on tun0 from !20.20.20.0/24 to any

The weakest argument is that doing this does not improve your own security, but it does improve everyone else's, and that is reason enough. Another argument is that since nobody can send spoofed packets from your site, you become a smaller target for crackers. You will find many other uses for blocking packets as they leave the firewall. One thing to keep in mind: "in" and "out" are always relative to your firewall, not to any other machine.

2.8 Logging: the keyword "log"

So far every packet has been passed or blocked silently. Usually you want to know whether you are being attacked. I don't want to log every packet, but I do want to know about the packets I block that claim to come from 20.20.20.0/24. To get that, I add the keyword log:
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in log quick on tun0 from 20.20.20.0/24 to any
pass in all

Our firewall now does a good job of blocking packets from bogus addresses, but there is more to do. The first thing is to drop packets destined for 20.20.20.0/32 and 20.20.20.255/32, to keep our network from being used in a smurf attack (see the related material on smurf attacks):
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in log quick on tun0 from 20.20.20.0/24 to any
block in log quick on tun0 from any to 20.20.20.0/32
block in log quick on tun0 from any to 20.20.20.255/32
pass in all

2.9 Filtering in both directions, per interface

When you build a firewall ruleset, you should think about every direction on every interface. ipfilter's default is to pass all packets; we should not rely on that default rule but think through every detail, interface by interface, until every case is covered.
We start with lo0. This interface carries traffic between programs on the local system, so let it pass freely:
pass out quick on lo0
pass in quick on lo0

Next is xl0. Later we will restrict it strictly, but for now we assume the local network is trusted and treat it like lo0:
pass out quick on xl0
pass in quick on xl0

Finally tun0, which we have already restricted above. Putting it all together:
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in log quick on tun0 from 20.20.20.0/24 to any
block in log quick on tun0 from any to 20.20.20.0/32
block in log quick on tun0 from any to 20.20.20.255/32
pass in all

This is an effective ruleset that prevents 20.20.20.0/24 from being spoofed. For brevity, the examples that follow consider only one direction; when you create your own firewall rules, consider every direction on every interface.

2.10 Controlling protocols: the keyword "proto"

Denial-of-service attacks are as rampant as buffer overflow attacks. Many DoS attacks exploit flaws in the operating system's TCP/IP stack, and they usually use ICMP packets. So why not block all ICMP?
block in log quick on tun0 proto icmp from any to any
Any ICMP packet arriving on tun0 will now be logged and dropped.

2.11 Filtering ICMP with the keyword "icmp-type"

Of course, dropping all ICMP is not a good idea, because it is still useful in some ways. You may prefer to drop only the ICMP types you have no use for. If you want ping and traceroute to keep working, you should let ICMP types 0 and 11 through. Strictly speaking even this is not ideal, but it is a trade-off between security and convenience, and ipf can express it like this:
pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0
pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11

Remember that rule order matters. Since we use the keyword "quick", we must pass before we block, so the rules have to be arranged in this order:
pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0
pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11
block in log quick on tun0 proto icmp from any to any

Adding these three rules to the anti-spoofing rules above takes some care. If we put the three rules first, there is a problem:
pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0
pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11
block in log quick on tun0 proto icmp from any to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in log quick on tun0 from 20.20.20.0/24 to any
block in log quick on tun0 from any to 20.20.20.0/32
block in log quick on tun0 from any to 20.20.20.255/32
pass in all

The problem is that an ICMP type 0 packet from 192.168.0.0/16 will be passed by the first rule, and the fourth rule will never be reached. Likewise, ICMP will pass straight through to 20.20.20.0/24, which opens a back door for a malicious smurf attack, and the last two rules will not take effect either. To avoid this, we place the ICMP rules after the anti-spoofing rules:
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 204.152.64.0/23 to any
block in quick on tun0 from 224.0.0.0/3 to any
block in log quick on tun0 from 20.20.20.0/24 to any
block in log quick on tun0 from any to 20.20.20.0/32
block in log quick on tun0 from any to 20.20.20.255/32
pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0
pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11
block in log quick on tun0 proto icmp from any to any
pass in all

Because we block spoofed packets before the ICMP rules are reached, a spoofed packet never gets as far as the ICMP rules. Remember that rule order is important.
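As an added example (not code from the HOWTO), the following Python evaluator models the rule syntax used in sections 2.8 to 2.11 with ipf's semantics (last match wins, "quick" ends evaluation, no match means pass), so the two orderings from section 2.11 can be compared on constructed packets. The rule sets are abbreviated from the page and the packets are constructed.

```python
# Added example (not from the HOWTO): a minimal evaluator for the ipf rule syntax used on
# this page, to show why order matters. ipf semantics: the LAST matching rule wins, unless a
# matching rule says "quick", which ends evaluation at once; no match at all means pass.
import ipaddress

KEYS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "icmp-type": "icmp_type"}

def parse_rule(line):
    """Parse e.g. 'block in log quick on tun0 proto icmp from any to 10.0.0.0/8 icmp-type 0'."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "log": "log" in t,
         "iface": None, "proto": None, "src": "any", "dst": "any", "icmp_type": None}
    for i, w in enumerate(t):
        if w in KEYS:                  # keyword followed by its value; quick/log/all take none
            r[KEYS[w]] = int(t[i + 1]) if w == "icmp-type" else t[i + 1]
    return r

def addr_match(spec, addr):
    """'any' matches everything; a leading '!' negates the network, as in '!20.20.20.0/24'."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

def evaluate(rules, pkt):
    """Return (action, logged, index of the deciding rule, or None if the default applied)."""
    result = ("pass", False, None)
    for n, r in enumerate(rules):
        if (r["dir"] == pkt["dir"] and r["iface"] in (None, pkt["iface"])
                and r["proto"] in (None, pkt["proto"])
                and r["icmp_type"] in (None, pkt.get("icmp_type"))
                and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])):
            result = (r["action"], r["log"], n)
            if r["quick"]:
                break
    return result

def packet(src, dst, proto="icmp", icmp_type=None):   # constructed inbound packet on tun0
    return {"dir": "in", "iface": "tun0", "proto": proto, "src": src, "dst": dst, "icmp_type": icmp_type}

ANTI_SPOOF = [parse_rule(l) for l in [   # constructed, abbreviated from the 2.11 rule sets
    "block in quick on tun0 from 192.168.0.0/16 to any",
    "block in log quick on tun0 from 20.20.20.0/24 to any",
    "block in log quick on tun0 from any to 20.20.20.255/32"]]
ICMP = [parse_rule(l) for l in [
    "pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0",
    "pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11",
    "block in log quick on tun0 proto icmp from any to any"]]
WRONG_ORDER = ICMP + ANTI_SPOOF + [parse_rule("pass in all")]   # ICMP rules first
RIGHT_ORDER = ANTI_SPOOF + ICMP + [parse_rule("pass in all")]   # anti-spoofing rules first
```

Running evaluate(WRONG_ORDER, packet("192.168.1.1", "20.20.20.5", icmp_type=0)) shows the spoofed echo reply passing on the first rule, while RIGHT_ORDER blocks it on the anti-spoofing rule before the ICMP rules are ever consulted.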

Original source: http://www.ltesting.net