Introduction

This lab will cover:

Steps

  • Do a regular NetBSD install
  • Set a strong root password
  • Enable IPFilter
  • Enable NAT and IP forwarding
  • Enable ipmon with logging to /var/log/ipmon (see man ipmon and /etc/defaults/rc.conf for the default syntax)
  • Set the firewall to default block
  • Install the minimum rules to allow your clients to use:
    • DNS from 142.222.125.20 and 21
    • FTP on 10.100.1.150
    • SSH on csunix
    • HTTP/HTTPS to the internet
    • SSH in from 10.100.1.* only
  • Reboot
  • Confirm that your firewall works properly
  • Work with the other people in your row to set up a similar firewall, but with NAT on your row server
  • Recompile the kernel on the row server to use a default deny, rather than default allow, policy
  • Set up your Windows workstations with static IPs in the 10.100.ROW#.0/24 subnet, and route via your back row server
  • Show me that you can HTTP to anywhere, but cannot FTP to anywhere other than 10.100.1.150

Commands:

    Example Firewall Rule:

        pass in log quick on wm0 proto tcp from 10.200.1.0/24 to 10.200.1.253 port = 22 keep state keep frags

    What this rule does:
        allows traffic that matches to pass through the firewall (pass)
        only matches inbound traffic (in)
        matching traffic is logged (log)
        if this rule is matched, further rules are not checked (quick)
        only matches packets that are:
            on the wm0 interface
            protocol TCP
            to 10.200.1.253 (our machine in this example)
            from 10.200.1.0/24 (our local subnet)
            on port 22
        the firewall remembers 'state' (keep state): it tracks this
            connection, and as long as it is open, packets that are a reply to
            traffic allowed by this rule are also allowed (dynamically)
        keep frags (packets are not reassembled; fragments are kept in their original form)

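A complete ruleset for the client list in the Steps above, written as an added example (it is not part of the handout). It assumes wm0 is the interface toward the campus network, wm1 the interface toward the clients in 10.100.ROW#.0/24, and FW_OUTSIDE is a placeholder for the firewall's own wm0 address; replace ROW# and FW_OUTSIDE before loading.

```conf
# /etc/ipf.conf -- example ruleset for this lab (added example, not from the handout)
# Assumed: wm0 faces the campus network, wm1 faces the clients in 10.100.ROW#.0/24,
# FW_OUTSIDE stands for the firewall's own address on wm0.
# Replace ROW# and FW_OUTSIDE, then load with:  ipf -Fa -f /etc/ipf.conf

# Default policy: drop and log everything not explicitly passed below
# (ipmon picks these log entries up and writes them to /var/log/ipmon).
block in log all
block out log all

# Loopback is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# SSH to the firewall itself, only from 10.100.1.*; state lets the replies back out.
pass in log quick on wm0 proto tcp from 10.100.1.0/24 to FW_OUTSIDE port = 22 flags S keep state

# Client traffic enters on wm1 and leaves on wm0, so each service needs both rules.
# DNS: 142.222.125.20/31 covers exactly .20 and .21.
pass in  quick on wm1 proto udp from 10.100.ROW#.0/24 to 142.222.125.20/31 port = 53 keep state
pass out quick on wm0 proto udp from 10.100.ROW#.0/24 to 142.222.125.20/31 port = 53 keep state
# FTP: control channel only; the ftp proxy in ipnat.conf handles the data channel.
pass in  quick on wm1 proto tcp from 10.100.ROW#.0/24 to 10.100.1.150 port = 21 flags S keep state
pass out quick on wm0 proto tcp from 10.100.ROW#.0/24 to 10.100.1.150 port = 21 flags S keep state
# SSH to csunix (the hostname is resolved when the rules are loaded).
pass in  quick on wm1 proto tcp from 10.100.ROW#.0/24 to csunix port = 22 flags S keep state
pass out quick on wm0 proto tcp from 10.100.ROW#.0/24 to csunix port = 22 flags S keep state
# HTTP and HTTPS to anywhere.
pass in  quick on wm1 proto tcp from 10.100.ROW#.0/24 to any port = 80 flags S keep state
pass in  quick on wm1 proto tcp from 10.100.ROW#.0/24 to any port = 443 flags S keep state
pass out quick on wm0 proto tcp from 10.100.ROW#.0/24 to any port = 80 flags S keep state
pass out quick on wm0 proto tcp from 10.100.ROW#.0/24 to any port = 443 flags S keep state

# /etc/ipnat.conf -- NAT for the same clients. Outbound filter rules on wm0 are
# checked before translation, so they still see the 10.100.ROW#.0/24 source addresses.
map wm0 10.100.ROW#.0/24 -> 0/32 proxy port ftp ftp/tcp
map wm0 10.100.ROW#.0/24 -> 0/32 portmap tcp/udp auto
map wm0 10.100.ROW#.0/24 -> 0/32
```

Because every pass rule carries quick and the block rules come first, anything that reaches the end of the list is dropped and logged, which is what "default block" means in practice.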

Questions:

What flags for ipmon did you use to make it log to a file rather than via syslog?



What was your firewall rule to allow access to any HTTP/HTTPS sites?



What is meant by SPI?



What would happen if we had a default deny firewall and didn't use SPI?




Last updated: 2008-03-16
Updated by: Allan Jude

Written by: Allan Jude (2008)