IP Filter Based Firewalls HOWTO
9.3 Drop-Safe Logging With dup-to and to.
So far we have looked at how to block packets. Now, instead of blocking a packet, we want to forward it to another system, which can process the packet before logging it. Whether our firewall acts as a bridge or as a router it can have many network interfaces, so we can build a drop-safe system; a typical example is setting up an intrusion detection system. The first thing to do is to hide the intrusion detection system so that it cannot be detected.
Before we begin, note a few operational characteristics. If we only handle packets that are being blocked, we can use the keyword to or fastroute (we will explain the difference between them). If we want to pass a packet, we have to make a copy of it.
9.3.1 The dup-to Method
Suppose we want to send a copy of every packet leaving the xl3 interface to the drop-safe network on ed0. We can use this rule:
pass out on xl3 dup-to ed0 from any to any
You can also name a specific address on the drop-safe network to send to, rather than just sending a copy onto that network. Change the rule slightly:
pass out on xl3 dup-to ed0:192.168.254.2 from any to any
Note that this method changes the destination address of the copy, and the log changes with it. For this reason we recommend using an address you know for logging, with a different address for each kind of log (for example, you should not use 192.168.254.2 alone to log both your web server and your mail server), even if that address does not exist on your network. Normally ipfilter will use ARP to look up the new destination address, but we can create static ARP entries on the ipfilter system to avoid this problem.
9.3.2 The to Method
dup-to has an obvious drawback: because it creates a copy of every packet and optionally changes its destination address, it takes some time to do this work before the next packet can be processed. If we do not care about the packets we pass and only want to block packets, we can use the keyword to, which pushes the packet through the routing table and out a different interface.
block in quick on xl0 to ed0 proto tcp from any to any port < 1024
As with fastroute, if block is replaced by pass the system is very likely to become confused.
10. The Final Anti-Spoofing Rules
For various reasons, IANA has reserved some address space that, at the time this document was finalized, had not yet been put into use. Because this address space has not been allocated, it is illegitimate for any of these addresses to appear as a source or destination address.
So, without further ado, here is the complete spoofed-address table:
#
# s/OUTSIDE/outside-interface (eg: fxp0)
# s/MYNET/network-cidr-address (eg: 1.2.3.0/24)
#
block in on OUTSIDE all
block in quick on OUTSIDE from 0.0.0.0/7 to any
block in quick on OUTSIDE from 2.0.0.0/8 to any
block in quick on OUTSIDE from 5.0.0.0/8 to any
block in quick on OUTSIDE from 10.0.0.0/8 to any
block in quick on OUTSIDE from 23.0.0.0/8 to any
block in quick on OUTSIDE from 27.0.0.0/8 to any
block in quick on OUTSIDE from 31.0.0.0/8 to any
block in quick on OUTSIDE from 67.0.0.0/8 to any
block in quick on OUTSIDE from 68.0.0.0/6 to any
block in quick on OUTSIDE from 72.0.0.0/5 to any
block in quick on OUTSIDE from 80.0.0.0/4 to any
block in quick on OUTSIDE from 96.0.0.0/3 to any
block in quick on OUTSIDE from 127.0.0.0/8 to any
block in quick on OUTSIDE from 128.0.0.0/16 to any
block in quick on OUTSIDE from 128.66.0.0/16 to any
block in quick on OUTSIDE from 169.254.0.0/16 to any
block in quick on OUTSIDE from 172.16.0.0/12 to any
block in quick on OUTSIDE from 191.255.0.0/16 to any
block in quick on OUTSIDE from 192.0.0.0/16 to any
block in quick on OUTSIDE from 192.168.0.0/16 to any
block in quick on OUTSIDE from 197.0.0.0/8 to any
block in quick on OUTSIDE from 201.0.0.0/8 to any
block in quick on OUTSIDE from 204.152.64.0/23 to any
block in quick on OUTSIDE from 224.0.0.0/3 to any
block in quick on OUTSIDE from MYNET to any
# Your pass rules come here...
block out on OUTSIDE all
block out quick on OUTSIDE from !MYNET to any
block out quick on OUTSIDE from MYNET to 0.0.0.0/7
block out quick on OUTSIDE from MYNET to 2.0.0.0/8
block out quick on OUTSIDE from MYNET to 5.0.0.0/8
block out quick on OUTSIDE from MYNET to 10.0.0.0/8
block out quick on OUTSIDE from MYNET to 23.0.0.0/8
block out quick on OUTSIDE from MYNET to 27.0.0.0/8
block out quick on OUTSIDE from MYNET to 31.0.0.0/8
block out quick on OUTSIDE from MYNET to 67.0.0.0/8
block out quick on OUTSIDE from MYNET to 68.0.0.0/6
block out quick on OUTSIDE from MYNET to 72.0.0.0/5
block out quick on OUTSIDE from MYNET to 80.0.0.0/4
block out quick on OUTSIDE from MYNET to 96.0.0.0/3
block out quick on OUTSIDE from MYNET to 127.0.0.0/8
block out quick on OUTSIDE from MYNET to 128.0.0.0/16
block out quick on OUTSIDE from MYNET to 128.66.0.0/16
block out quick on OUTSIDE from MYNET to 169.254.0.0/16
block out quick on OUTSIDE from MYNET to 172.16.0.0/12
block out quick on OUTSIDE from MYNET to 191.255.0.0/16
block out quick on OUTSIDE from MYNET to 192.0.0.0/16
block out quick on OUTSIDE from MYNET to 192.168.0.0/16
block out quick on OUTSIDE from MYNET to 197.0.0.0/8
block out quick on OUTSIDE from MYNET to 201.0.0.0/8
block out quick on OUTSIDE from MYNET to 204.152.64.0/23
block out quick on OUTSIDE from MYNET to 224.0.0.0/3
# Your pass rules come here...
If you want to use these rules, we recommend that you first check whois.arin.net, because IANA may have allocated some of these addresses in the meantime.
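To see how ipf walks a list like the one above, where the non-quick "block ... all" rules set the default and each "quick" rule ends evaluation at its first match, here is a small evaluator. It is added here and is not part of the HOWTO or of ipfilter; it runs over a constructed excerpt of the rule set with OUTSIDE and MYNET replaced by fxp0 and 1.2.3.0/24, and also understands the proto keyword used by rules earlier in the document.

```python
import ipaddress

# Constructed excerpt of the anti-spoofing skeleton above, trimmed to one
# reserved range, with OUTSIDE -> fxp0 and MYNET -> 1.2.3.0/24 substituted.
RULES_TEXT = """\
block in on fxp0 all
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 1.2.3.0/24 to any
pass in quick on fxp0 proto tcp from any to 1.2.3.10
block out on fxp0 all
block out quick on fxp0 from !1.2.3.0/24 to any
block out quick on fxp0 from 1.2.3.0/24 to 10.0.0.0/8
pass out quick on fxp0 from 1.2.3.0/24 to any
"""

def parse_rule(line):
    """Pick out the fields this evaluator understands: action, direction,
    quick, interface, optional proto, and the from/to address specs."""
    tok = line.split()
    after = lambda kw: tok[tok.index(kw) + 1] if kw in tok else None
    return {"action": tok[0], "dir": tok[1], "quick": "quick" in tok,
            "iface": after("on"), "proto": after("proto"),
            "src": after("from"), "dst": after("to")}

def addr_matches(spec, addr):
    """None (from a bare 'all') and 'any' match everything; '!' negates."""
    if spec in (None, "any"):
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

def evaluate(rules, direction, iface, src, dst, proto="tcp"):
    """ipf semantics: the last matching rule decides, except that a matching
    'quick' rule ends evaluation at once; a packet matching no rule passes."""
    verdict = "pass"
    for r in rules:
        if (r["dir"], r["iface"]) != (direction, iface):
            continue
        if r["proto"] not in (None, proto):
            continue
        if addr_matches(r["src"], src) and addr_matches(r["dst"], dst):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]

if __name__ == "__main__":
    # A spoofed RFC 1918 source on the outside interface is blocked by the
    # quick rule even though the later 'pass in' rule would also match it.
    print(evaluate(RULES, "in", "fxp0", "10.1.2.3", "1.2.3.10"))      # block
    print(evaluate(RULES, "out", "fxp0", "10.5.5.5", "203.0.113.5"))  # block
```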
Thanks to Frank DiGennaro for providing this rule set.
Note: any reproduction or excerpt must retain the author information and cite the source (Chinese FreeBSD Users Group, http://www.cnfug.org). (End)