BigMouthBarker, posted June 16, 2010

Advanced Security: Custom Firewall Rule Sets

Greetings!!! This will be my first time visiting your forum board. The subject that I would like to discuss with the board members today is the current custom rule sets that I have in place on my NAT router to date.

Router in question: Westell 327W VersaLink.
Platform: Windows XP Home 2000 SP3, IE8, Toshiba Satellite 1135/S155. Laptop (stand alone). 1 GB RAM, 2 GB virtual, 60 GB HDD.
Connection: ATT/DSL. Downstream rate: 8124 (Kbits/sec). Upstream rate: 511 (Kbits/sec).

If the moderator of this board will allow me to post the following rule sets, I would like additional insight from the members on how I can harden the current rule sets even further from a security point of view, if anyone is familiar with the router model. To understand the logic behind the TTL and bits logic perspective that has been implemented within the rule sets presented, please visit the following web site: http://www.dslreports.com/forum/remark,16694222

To further complement the rule sets and to strengthen security, I have taken the following step(s):

1) Local DNS servers: I was tired of trusting the security of my local service provider's DNS servers, so I moved upstream to www.OpenDNS.com and began using their servers. This move has made a tremendous difference in performance and security.

2) PCTools Firewall Plus (stand-alone free edition) on the "local machine". To assist in tightening the router firewall down even further, I disengaged the Windows Firewall and installed this firewall behind the NAT router. Custom rules are in place to make up for any shortfalls that the router firewall may be lacking in. I like the flexibility of this firewall, for I am able to direct a lot of my apps and processes, including the browser, to the OpenDNS servers with ease for additional security.

3) To lock down my platform even further, I went to the following website: http://www.pctools.com/guides/registry and did an extensive hack on my registry.

Your time is valuable, so please allow me to present my current inbound/outbound rule sets for review. The current rule sets in use were taken from: http://www.dslreports.com/forum/remark,16694222

Inbound Rules

title [ Security Level 1 IN rules ]
begin
pass from port >= 135, from port <= 139 >> done
drop icmp-type request, to addr %WANADDR%:32 >> done
RulesDropFrom192
drop from addr %LANADDR%:%LANMASK% >> done, alert 0 [WAN Traffic from LAN IP]
RulesPass
pass all
RulesDropAddress
drop from addr 0.0.0.0 >> done, alert 4 [ 0.0.0.0 Source IP Address]
RulesPassUDP
pass protocol udp, to port 53 >> done
pass protocol udp, from port 53 >> done
RulesDropICMP
drop protocol icmp >> alert 4 [ICMP Message To WAN IP]
RulesDropWANUDP
drop protocol udp, to addr %WANADDR%:32 >> done, alert 4 [UDP WAN Traffic to WAN IP]
RulesDropWANTCP
drop protocol tcp, to addr %WANADDR%:32 >> done, alert 4 [TCP WAN Traffic to WAN IP]
RulesPassGoodICMP
pass protocol icmp, to addr %WANADDR%:32 >> done, alert 0 [Responding to WAN Ping]
RulesPassGoodICMP
pass protocol icmp, to addr %LANADDR%:%LANMASK% >> done, alert 0 [Nat'ed LOCAL PING]
End

Inbound Firewall Rules - Low
Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.

title [ Security Level Custom (Low) IN rules ]
begin
# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]
# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]
# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)
# Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.
Permitted
pass all
end

Inbound Firewall Rules - Medium
Deny All Inbound Packets That Are Not Explicitly Permitted or Do Not Have a Matching Session State Table Entry (Unsolicited)

title [ Security Level Custom (Medium) IN rules ]
begin
# Drop and Log Packets with Time to Live (TTL) of 0 or 1
TTL
#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]
# Drop and Log Packets of Prohibited Source Address
Address
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]
# Internet Control Message Protocol (ICMP)
# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP
ICMP
pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))
drop protocol icmp, icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 3 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 3 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)
# Deny All Inbound Packets That Do Not Have a Matching Session State Table Entry (Unsolicited)
Unsolicited
drop all >> alert 3 [Unsolicited Inbound - Drop]
end

Outbound Rules

NOTE: I have disengaged the FTP box with the custom settings in the router and have Strict UDP Control engaged. For FTP control I am using Passive FTP (for firewall and DSL compatibility) and have "Enable FTP folder view (outside of Internet Explorer)" engaged within Internet Properties.

title [ Security Level Custom (Medium) OUT rules ]
begin
# Protocol Match conditions
RulesPass
#pass to port 80 >> state, done # HTTP
#pass from port 80 >> state, done # HTTP
#pass protocol udp, to port 53 >> state, done # DNS
#pass to port 20 >> state, done # FTP
#pass from port 20 >> state, done # FTP
#pass to port 21 >> state, done # FTP
#pass to port 23 >> state, done # Telnet
#pass to port 110 >> state, done # POP
#pass to port 119 >> state, done # NNTP
##pass to port 143 >> state, done ## IMAP
##pass to port 220 >> state, done ## IMAP v.3
#pass to port 25 >> state, done # SMTP
#pass to port 443 >> state, done # HTTPS
##pass to port 500 >> state, done ## IPSEC ALG
##pass protocol 50 >> state, done ## IPSEC ESP
#pass to port >= 1024, to port <= 5000 >> state, done # WE/IE Passive FTP P #Uncheck "Use Passive FTP" in IE Advanced Options and enable the FTP firewall service or enable above statement
# Failed to match
RulesDropNETBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]
# Pass and Log ICMP Echo Request
RulesPassICMP
pass icmp-type request >> done, state, alert 0 [ICMP - Echo Request - Pass] # Type: 8 (allow ping requests)
# Drop and Log all ICMP Except Echo Request
RulesDropICMP
drop icmp-type reply >> done, alert 3 [ICMP - Echo Reply - Drop] # Type: 0 (block ping reply)
drop icmp-type exceeded >> done, alert 3 [ICMP - TTL Exceeded - Drop] # Type: 11 (block tracert reply)
drop icmp-type unreachable >> done, alert 3 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
#drop icmp-type request >> done, alert 0 [ICMP - Echo Request - Drop] # Type: 8 (block ping requests)
drop protocol icmp >> done, alert 3 [ICMP - Unknown Reply - Drop] # Type: (block all other replies)
# Save Session State for Enabled Services
RulesSaveState
pass all >> state
# Drop All Unless Service is Enabled
RulesDrop
drop all >> alert 1 [Packet to be dropped unless Service enabled]
end

Final Output Of Outbound Rules

title [ Security Level 1 OUT rules ]
begin
pass protocol udp, to port 53 >> done
pass to port 194 >> done
pass to port 6667 >> done
RulesDropNETBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]
RulesPass
pass all
end

Outbound Firewall Rules - Low
Permit All Outbound Packets That Are Not Explicitly Denied

title [ Security Level Custom (Low) OUT rules ]
begin
# Protocol Match conditions
# Internet Control Message Protocol
# Pass Specific ICMP Types, Drop and Log all other ICMP Types
ICMP
pass protocol icmp, icmp-type request >> state, done # Type: 8 (allow echo (ping) requests)
drop protocol icmp, icmp-type reply >> done, alert 2 [ICMP - Echo Reply - Drop] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 2 [ICMP - TTL Exceeded - Drop] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 2 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 1 [ICMP - Echo Request - Drop] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 2 [ICMP - Prohibited Type - Drop] # Type: (block all others)
# Failed Protocol Match Conditions
# Network Basic Input/Output System (NetBIOS)
# Drop NetBIOS Packets
NetBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic] # NetBIOS
# Permit All Outbound Packets That Are Not Explicitly Denied, and Add to Session State Table for Medium Inbound Firewall Rules
Permitted
#pass all # For Use With Inbound Low Firewall Rules Only
pass all >> state # For Use With Inbound Low or Medium Firewall Rules
end

Outbound Firewall Rules - Medium
Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled

title [ Security Level Custom (Medium) OUT rules ]
begin
# Protocol Match conditions
# World Wide Web
WWW
pass protocol tcp, to port 80 >> state, done # HTTP
pass protocol tcp, from port 80 >> state, done # HTTP
pass protocol tcp, to port 443 >> state, done # HTTPS - Secure Socket Layer (SSL)
# Domain Name System - Name/Address Resolution
DNS
pass protocol udp, to port 53 >> state, done # DNS
# Telecommunication Network (Telnet)
Telnet
pass protocol tcp, to port 23 >> state, done # Telnet
# Internet Protocol Security (IPsec)
Ipsec
#pass protocol udp, to port 500 >> state, done # IPSEC IKE
#pass protocol 50 >> state, done # IPSEC ESP
# eMail & News Groups
# Post Office Protocol (POP) / Simple Mail Transfer Protocol (SMTP) / Network News Transfer Protocol (NNTP)
eMail
pass protocol tcp, to port 110 >> state, done # POP
pass protocol tcp, to port 25 >> state, done # SMTP
pass protocol tcp, to port 119 >> state, done # NNTP
# Secure Socket Layer POP / SMTP / NNTP
eMailSSL
pass protocol tcp, to port 995 >> state, done # POP SSL
pass protocol tcp, to port 465 >> state, done # SMTP SSL
pass protocol tcp, to port 563 >> state, done # NNTP SSL
# File Transfer Protocol (FTP) - "Active" and "Passive" Modes
FTP
pass protocol tcp, to port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, from port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, to port 21 >> state, done # Active & Passive Mode FTP Control Channel Port
pass protocol tcp, from port >= 1024, from port <= 5000 >> state, done # WE/IE Passive Mode FTP Data Channel Ports - Check 'Use Passive FTP' in IE Advanced Properties
# Skype - Assigned Port of Each Skype Installation - Tools -> Options... -> Connection
Skype
#pass protocol udp, from port XXXXX >> state, done # Skype
# Network Time Protocol (NTP) (Windows Time Sync)
NTP
pass protocol udp, to port 123 >> state, done # NTP (Windows Time Sync)
# Internet Control Message Protocol
# Pass Specific ICMP Types, Drop and Log all other ICMP Types
ICMP
pass protocol icmp, icmp-type request >> state, done # Type: 8 (allow echo (ping) requests)
drop protocol icmp, icmp-type reply >> done, alert 2 [ICMP - Echo Reply - Drop] # Type: 0 (block echo (ping) reply)
drop protocol icmp, icmp-type exceeded >> done, alert 2 [ICMP - TTL Exceeded - Drop] # Type: 11 (block TTL exceeded reply (trace route))
drop protocol icmp, icmp-type unreachable >> done, alert 2 [ICMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)
drop protocol icmp, icmp-type request >> done, alert 1 [ICMP - Echo Request - Drop] # Type: 8 (block echo (ping) requests)
drop protocol icmp >> done, alert 2 [ICMP - Prohibited Type - Drop] # Type: (block all others)
# Failed Protocol Match Conditions
# Network Basic Input/Output System (NetBIOS)
# Drop NetBIOS Packets
NetBIOS
drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic] # NetBIOS
# Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled
NotPermitted
drop all >> alert 1 [Packet to be dropped unless Service enabled]
end

Thank you for your insight and suggestions on the subject matter.

Respectfully,
BigMouthBarker
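The TTL rules in the post (`match ... { 01:FE }`, `{ 00:FF }`, `{ 01:FF }`) and the first-match, `>> done` ordering of the "Custom (Medium) IN" set, modelled as an added example that is not part of the original post or of Westell's firmware. It assumes the value:mask test compares the IPv4 header byte at offset 8 (the TTL field) under the given mask, which is my reading of the syntax rather than something the post documents, and it runs on a constructed packet.

```python
# Added example (mine, not the poster's or Westell's code): models the
# value:mask byte test behind the post's TTL rules and ">> done" ordering.
import struct

TTL_OFFSET = 8   # TTL is byte 8 of the IPv4 header (RFC 791)
ICMP = 1         # IP protocol number for ICMP

def make_packet(ttl, proto, src, dst, icmp_type=0):
    """Constructed 20-byte IPv4 header (no options) plus a 1-byte ICMP type."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 21, 0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr + bytes([icmp_type])

def byte_match(pkt, offset, value, mask):
    """Assumed reading of 'match ... { VALUE:MASK }': the header byte at
    offset, ANDed with the mask, must equal the value ANDed with the mask."""
    return (pkt[offset] & mask) == (value & mask)

def ttl_rule_hits(pkt):
    """Names of the post's three TTL rules that fire for this packet."""
    rules = {"01:FE": (0x01, 0xFE), "00:FF": (0x00, 0xFF), "01:FF": (0x01, 0xFF)}
    return [n for n, (v, m) in rules.items() if byte_match(pkt, TTL_OFFSET, v, m)]

def is_icmp(pkt, icmp_type=None):
    """ICMP packet, optionally of one type (type byte follows the header)."""
    return pkt[9] == ICMP and (icmp_type is None or pkt[20] == icmp_type)

def evaluate(rules, pkt, default="pass"):
    """First-match walk: each rule is (action, predicate, done). A match sets
    the verdict; 'done' stops the walk, otherwise later rules may override."""
    verdict = default
    for action, test, done in rules:
        if test(pkt):
            verdict = action
            if done:
                break
    return verdict

# The post's "Security Level Custom (Medium) IN" set, rule by rule, in order.
INBOUND_MEDIUM = [
    ("drop", lambda p: byte_match(p, TTL_OFFSET, 0x01, 0xFE), True),  # TTL 0 or 1
    ("drop", lambda p: p[12:16] == bytes(4), True),                   # src 0.0.0.0
    ("pass", lambda p: is_icmp(p, 11), True),                         # TTL exceeded
    ("drop", lambda p: is_icmp(p), True),                             # other ICMP
    ("drop", lambda p: True, False),                                  # unsolicited
]
```

The `01:FE` mask covers TTL 0 and 1 in one rule, which is why the post keeps it commented out next to the two single-value rules; the evaluator shows that a TTL-exceeded reply passes only if it survives the TTL and source-address checks first.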