Welcome to Cyborg's Firewalling Section


Release 0.2

First some important facts

A firewall does not protect your host from being hacked!

Forget the idea that your host is safe.

A host is safe if the LAN connection is off
and the cable is thrown into the nearest river.

You have to be really paranoid to be a good firewaller.

You won't find information here that enables you to directly hack an Amiga.

Firewalling on the Amiga is still a simple matter, because you don't have the tools to build a really good firewall. Miami(dx) offers options to filter packets; that is the most common form of a firewall. It means that the stack, i.e. Miami, checks each arriving packet's remote (source) IP address and destination port (if the protocol has ports) against its firewall rules. If a rule says "drop packets from host X to port Y" and the incoming packet matches, it is dropped without further investigation.

That's fine as far as it goes. But if you have a rule to accept every packet for port 21 (FTP), all packets to that port pass the firewall and reach your ftpd (if enabled), also without further investigation. Not good!

The point is that an exploit against your FTP server passes through the firewall, because it matches the given rule, whether you want to get exploited or not.

The only way to be safe from exploits is to check the service for possible vulnerabilities and not to run it if it has one (at least until it is fixed).

Now, don't panic. You have an Amiga. The chances of being exploited are low, because the attacker would need a 68k exploit, which you normally can't find on the net; mostly you will find exploits for Windows or Linux. That only helps against exploits that need CPU-specific machine code, though: a flaw in a server's logic (a request that makes it hand out files it shouldn't, for example) works the same on any platform.

It's not impossible to be exploited. Black Irc has such a vulnerability (or a hidden feature from wrong MUI use within birc), which can be worked around with the commodity at the ASP.

What should we do against this?

First, you can move your services away from their standard ports, e.g. FTP from port 21 to port 33214. Nobody expects it there, so they have to scan your host before they can attack your ftpd, and this port scan can be detected and the scanning host locked out before it reaches your FTP port. Keep in mind that this is only obscurity: a full port scan still finds the service, so it buys you warning time, not safety.

Second, you could run a packet monitor that checks each arriving packet for a possible exploit before it is processed by the stack (and the daemon). But the Amiga does not have such a tool YET. I will work on that problem in the future.

How to build a basic Firewall

First make a plan of what you want to be accessible from outside and what not. Not every nice daemon must be reachable from outside, not everyone has to access your ftpd, and not everyone has to ping you to check whether you are online.

I will give the Miami IP-filter arguments without field names, in the order protocol, port, address, mask, access (y/n), log (y/n); empty fields are left out. You have to see for yourself how to fit them into the gadgets.

1. step

add the line * * *.*.*.* n y

This drops all new incoming UDP/TCP packets. That means against normal (regular) attempts your host is safe.

2. step

Now open up the services you consider safe, one by one.

FTP:

insert the line : tcp 20 192.168.*.* 255.255.0.0 y n
and    the line : tcp 21 192.168.*.* 255.255.0.0 y n

before the first line to make normal FTP accessible from within your private LAN. If your private LAN is not on 192.168.x.x, change 192.168 to the addresses used by your network.
Do this only if you want FTP to work from the local network; if not, don't.
To use the hidden FTP port mentioned above, add these lines instead:

 tcp 20 192.168.*.* 255.255.0.0 y n
 tcp 33214 192.168.*.* 255.255.0.0 y n

then add a new service entry:

ftp2 33214 tcp hiddenftp

and change the inetd.conf line to this:

ftp2 stream tcp nowait root ftpd in.ftpd -x -G -b30
                       ^^^^

Just an example; you can run the ftpd as any other user (the marked field).

You should check MuFS on Aminet if you want real multi-user support.

MAIL : SMTP

You don't need a running smtpd if you have a dynamic IP (who would deliver mail to it?), so normally you should not run one. Use YAM (best via an encrypted SSH tunnel) or any other mail reader to fetch your mail from an external mail server.

FINGER: (port 79)

Nice feature for others, but we don't need it for surfing, so don't enable it.

HTTP:

I will ask the Amiga Apache coders for advice; check the results here later. And I did: nothing known to them that is specific to the Amiga, so read BugTraq for related information.

In general a web server, if misconfigured, can be a security hole. An attacker could, for example, request a CGI script that shows file or directory contents without you noticing. That would be hard to find out for an unskilled admin.

POP2/3: see SMTP

NNTP: There is an nntpd for the Amiga, but I don't know whether it's vulnerable.

I wouldn't enable it if I were you.

AUTH: port 113

AUTH (ident) is used to determine which local user was responsible for a connection to a foreign host. The risk is small: it reveals local user names, nothing more. I won't tell you to stop the service, that's your own decision, and I wouldn't log it either; just turn the service off (IRC and mail servers make ident lookups all the time, so logging them only fills the log).

3. Stage

Ok, now we get mass firewall output in the log file (if enabled), but how do you know what's ok and what's not?

We can sort this out by inserting some ACCESS=N lines into the IP filter, so that the well-known probe targets get their own log lines.

e.g.

 tcp 111   *.*.*.*  n y 
 udp 111   *.*.*.*  n y 
 tcp 137   *.*.*.*  n y 
 tcp 138   *.*.*.*  n y 
 tcp 139   *.*.*.*  n y 
 tcp 6699  *.*.*.*  n y 
 tcp 12345 *.*.*.*  n y 
 tcp 27374 *.*.*.*  n y 
 tcp 31337 *.*.*.*  n y

All these ports are known to be used by trojans (12345 NetBus, 27374 SubSeven, 31337 Back Orifice, and so on), by Napster (6699), or to belong to services that were exploitable on Linux/Unix/Windows (111 sunrpc/portmapper, 137-139 NetBIOS; note that 137 and 138 are mostly spoken over UDP, so add udp lines for them too if you want those probes logged). If someone tries these ports one after another, it's suspicious. They are no harm to the Amiga until someone codes a version for it, but we now get distinct log lines for them, which is important for Firelogger to keep the alarm level at normal instead of "beweak".

As mentioned above, we also add drop-and-log lines for the standard ports of the services we don't run:

 tcp 21   *.*.*.*  n y 
 tcp 25   *.*.*.*  n y 
 tcp 109  *.*.*.*  n y 
 tcp 110  *.*.*.*  n y 
 tcp 119  *.*.*.*  n y

4. Stage - How to fix firewall problems

One nice method of getting through a firewall is to send a faked packet that carries your own host's IP as its source address, so that it looks as if it came from your host. This is called IP spoofing. If you have a static IP, insert this line as the FIRST line (and keep it there):

 * * y.o.u.rip 255.255.255.255 n y

This can also block you from connecting to your own Apache, because a connection from your host to its own address carries your IP as source as well. Don't wonder when it happens.

The main problem with firewall rules is that most beginners enter lines that deadlock others which are very important (mostly :-)). With the IP-filter functions you can't do great harm, but when we use MiamiDX and write REAL firewall rules it's important that you understand how it works.

An example:

if you have these two lines:

1:  tcp *       x.x.x.x                   y n
2:  tcp 111     x.x.x.x                   n y

then you have disabled the second line, because the rules are checked from first to last and the first matching rule decides. It is not "each one, and if any says ok the packet is passed"; that's nonsense.

Suppose a packet comes from 212.13.56.2 port 1045 to y.our.i.p port 25 and these filter lines are in place:

1:  *   *       y.our.i.p 255.255.255.255 n y
2:  tcp 111     *.*.*.*                   n y 
3:  udp 111     *.*.*.*                   n y 
4:  tcp 137/139 *.*.*.*                   n y
5:  tcp 6699    *.*.*.*                   n y 
6:  tcp 12345   *.*.*.*                   n y 
7:  tcp 27374   *.*.*.*                   n y 
8:  tcp 31337   *.*.*.*                   n y
9:  tcp 138     *.*.*.*                   y n
10: *   *       *.*.*.*                   n y

and it will be dropped by line 10. If it were for port 138, it would be dropped by line 4 (137/139 covers 137 to 139), and line 9 would never be reached.

Even though you didn't specify a rule for port 25, it matches the last one. This policy is called "DROP ALL, ACCEPT FEW" (default deny). The opposite, "DROP SOME, ACCEPT REST" (default accept), is a high safety risk! Its philosophy was to drop the known exploitable services and let the rest do whatever it wanted, to avoid frequent firewall corrections.

I've met admins with the latter policy and they wondered how they got hacked :-)

"No work, no safety!" You have to adjust your firewall as soon as you hear a rumour about a possible exploit.
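The first-match behaviour worked through above is easy to get wrong by hand, so here is a small simulator for it. This is an added example, not code from the original page and not Miami's own code; it assumes the field order the examples on this page use (protocol, port, address, optional mask, access, log), that the address field is compared with the packet's source address and the port with its destination port, that a port written as 137/139 is a range, and that a packet matching no rule is left to the stack's default. The rule tables and packets are the ones from the text, with 198.51.100.7 and 203.0.113.0/24 as constructed stand-ins for "y.our.i.p" and "x.x.x.x". It also flags rules that can never fire because an earlier rule already covers them, which is the mistake shown in the two-line example.

```python
"""First-match evaluation of Miami-style IP-filter rules (added example).

Not code from the original page or from Miami.  Assumed rule syntax, taken
from the page's own lines: 'proto port address [mask] access log', proto is
tcp/udp/*, port is '*', a number or a range lo/hi (137/139 = 137 to 139),
address may hold '*' octets, an optional dotted mask replaces the wildcards,
access/log are y/n.  Address is matched against the packet's SOURCE address,
port against its DESTINATION port; the first matching rule decides.  Sample
data is constructed; 198.51.100.7 stands in for "y.our.i.p".
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    proto: str
    ports: Optional[Tuple[int, int]]   # inclusive range, None = any port
    pattern: str                        # address as written, e.g. 192.168.*.*
    net: Optional[IPv4Network]          # same thing as one prefix, None if not expressible
    allow: bool
    log: bool


def _to_network(addr: str, mask: Optional[str]) -> Optional[IPv4Network]:
    """'192.168.*.*' -> 192.168.0.0/16; a mask overrides the wildcards.
    A '*' before a fixed octet ('*.*.1.*') is not a single prefix -> None."""
    octets = addr.split(".")
    base = ".".join("0" if o == "*" else o for o in octets)
    if mask:
        return ip_network(f"{base}/{mask}", strict=False)
    stars = [o == "*" for o in octets]
    if stars != sorted(stars):          # a wildcard followed by a fixed octet
        return None
    return ip_network(f"{base}/{32 - 8 * sum(stars)}", strict=False)


def parse_rule(line: str) -> Rule:
    f = line.split()
    if len(f) == 6:
        proto, port, addr, mask, acc, log = f
    elif len(f) == 5:
        (proto, port, addr, acc, log), mask = f, None
    else:
        raise ValueError(f"unparsable rule: {line!r}")
    if port == "*":
        ports = None
    elif "/" in port:
        lo, hi = port.split("/")
        ports = (int(lo), int(hi))
    else:
        ports = (int(port), int(port))
    return Rule(proto.lower(), ports, addr, _to_network(addr, mask),
                acc.lower() == "y", log.lower() == "y")


def matches(rule: Rule, proto: str, src: str, dport: int) -> bool:
    if rule.proto not in ("*", proto):
        return False
    if rule.ports is not None and not rule.ports[0] <= dport <= rule.ports[1]:
        return False
    if rule.net is not None:
        return ip_address(src) in rule.net
    # non-prefix wildcard pattern: compare octet by octet
    return all(r in ("*", s) for r, s in zip(rule.pattern.split("."), src.split(".")))


def evaluate(rules: List[Rule], proto: str, src: str, dport: int):
    """(1-based rule number, allowed, logged) of the first match, or None when
    nothing matched and the stack's default applies (assumed), which is why the
    page ends every table with '* * *.*.*.* n y'."""
    for n, r in enumerate(rules, 1):
        if matches(r, proto, src, dport):
            return n, r.allow, r.log
    return None


def shadowed(rules: List[Rule]) -> List[int]:
    """1-based numbers of rules that can never fire: an earlier rule has the
    same or '*' protocol, a port range covering theirs and a source network
    containing theirs, so it always matches first."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.proto not in ("*", later.proto):
                continue
            if earlier.ports is not None and (
                    later.ports is None
                    or not earlier.ports[0] <= later.ports[0] <= later.ports[1] <= earlier.ports[1]):
                continue
            if earlier.net is None or later.net is None or not later.net.subnet_of(earlier.net):
                continue
            dead.append(j + 1)
            break
    return dead


# The page's stage-4 table (198.51.100.7 stands in for "y.our.i.p").
PAGE_TABLE = [parse_rule(l) for l in """
*   *       198.51.100.7 255.255.255.255 n y
tcp 111     *.*.*.*  n y
udp 111     *.*.*.*  n y
tcp 137/139 *.*.*.*  n y
tcp 6699    *.*.*.*  n y
tcp 12345   *.*.*.*  n y
tcp 27374   *.*.*.*  n y
tcp 31337   *.*.*.*  n y
tcp 138     *.*.*.*  y n
*   *       *.*.*.*  n y
""".strip().splitlines()]

# The page's ordering mistake: a catch-all tcp accept hides the port-111 drop.
BAD_ORDER = [parse_rule("tcp * 203.0.113.0 255.255.255.0 y n"),
             parse_rule("tcp 111 203.0.113.0 255.255.255.0 n y")]

if __name__ == "__main__":
    print(evaluate(PAGE_TABLE, "tcp", "212.13.56.2", 25))    # (10, False, True)
    print(evaluate(PAGE_TABLE, "tcp", "212.13.56.2", 138))   # (4, False, True)
    print(evaluate(PAGE_TABLE, "tcp", "198.51.100.7", 80))   # (1, False, True)
    print(shadowed(PAGE_TABLE), shadowed(BAD_ORDER))         # [9] [2]
```

Running it reproduces the walk-through: the port-25 packet falls through to line 10, the port-138 packet dies at line 4, a packet claiming your own address is caught by line 1 (which is also why the anti-spoofing line can lock you out of your own Apache), and shadowed() reports line 9 (the port-138 accept) as dead, as well as the port-111 drop in the two-line example.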

Firewalling with IPFW

What we discuss now is mostly used with two or more interfaces in a host. It makes little sense with only one physical interface, but if you use e.g. a DSL connection with PPPoE you have two interfaces to work with. Why? The DSL modem contains an SLB, a self-learning bridge; this nice device learns which MAC addresses talk to the modem and which don't, to keep your LAN isolated and reduce traffic. Since your Amiga is the host running the PPPoE session, nobody else on the LAN can make connections to the internet, and vice versa, except through the Amiga and its firewall, as long as the SLB works correctly and no other LAN host starts a PPPoE session of its own.

A normal router would not accept packets that come in over the same interface they would be sent out on; it isn't necessary. With an Amiga DSL router it works, because we have two interfaces, ppp0 and eth0, which share the same hardware device.

This lets us build a real firewall with rules for incoming and outgoing traffic. To build our rules we use MiamiDx's command-line ipfw (IP firewall, modelled on the BSD ipfw; not to be confused with the Linux ipfwadm tool).
Let's start with something common: you don't want to be pinged from the net, but want to ping others.

 ipfw add 1 allow icmp from 192.168.0.0/16 to any
 ipfw add 2 deny icmp from any to any icmptypes 8
 ipfw add 3 allow icmp from any to any 

What does this mean?

It means that rule 1 allows ICMP packets from our LAN to any other IP. In rule 2 we deny ICMP ECHO-REQUEST packets; 8 is the ICMP type for echo request, the answer is echo reply, which is type 0. Rule 3 allows all other ICMP packets.
"Hmm, why allow the LAN itself if it's covered by rule 3?" "Because rule 2 comes before rule 3 and would drop the LAN's echo requests too, and we want pings from our LAN to see whether the router died or whether the internet just lags again."
Note that rule 2 carries no "in" or "out" keyword. In BSD-style ipfw, which this syntax follows, a rule without a direction matches both directions, so as written it also drops the echo requests the Amiga itself sends out (the LAN's pings to the outside still pass via rule 1). Separating in and out is the subject of the next part.

Always remember: unless a SKIPTO like in "ipfw add skipto 40000 ip from any to any out" is used, the rules are checked line by line in rule-number order. That's important!

"And do I always have to give the rule numbers in the add command?" "No, not always."

If you don't give them, ipfw assigns its own rule numbers, but I don't suggest that. If you leave room for Firelogger's own deny commands you have to use them anyway. You can use a rule number as often as you like:

 ipfw add 10 allow icmp from 192.168.0.0/16 to any
 ipfw add 10 deny icmp from any to any icmptypes 8
 ipfw add 10 allow icmp from any to any 

This marks a block of lines that belong together. To remove a rule by hand you only need "ipfw del rulenumber"; this works fine for the first example, but with the block method a bare delete would hit the whole block, so you have to add more information, e.g. "ipfw del 10 deny icmp from any to any icmptypes 8".

The next part will be released soon: Separation by IN/OUT.

Ok, let's stop here for the moment. The next step is to add a firewall for incoming and outgoing traffic and IP-NAT. This document will be expanded in the future, so check it from time to time.

If you want to know more about building firewall rules, take a look at the News section and have a bit of fun.
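As an added example (not MiamiDx code and not from the original page), the following models how ipfw walks the numbered table described above, so you can see why rule order, a missing in/out keyword, repeated rule numbers and skipto matter before you type rules into a live router. It assumes BSD-style semantics: first match wins, a rule without in/out matches both directions, skipto N resumes at the first rule numbered N or higher, and delete by number removes every rule carrying that number. Only the keywords used on this page are parsed. The addresses (192.168.0.0/16 as the LAN, 198.51.100.7 as the Amiga's ppp0 side, 203.0.113.9 as an internet host) are constructed.

```python
"""Model of how ipfw walks a numbered rule table (added example).

Not MiamiDx's code and not from the original page.  Assumed BSD-style
semantics: rules are kept in number order and tried in that order, the first
allow/deny that matches decides, 'skipto N' resumes at the first rule numbered
N or higher, repeated numbers form a block, and a rule without 'in'/'out'
matches both directions.  Only the keywords the page uses are parsed.
Constructed addresses: 192.168.0.0/16 is the LAN, 198.51.100.7 the Amiga's
ppp0 side, 203.0.113.9 some internet host.
"""
from ipaddress import ip_address, ip_network


def _net(token):
    return None if token == "any" else ip_network(token, strict=False)


class Ipfw:
    def __init__(self):
        self.rules = []           # (number, parsed rule), kept sorted by number

    def add(self, number, spec):
        """ipfw add <number> <spec>, e.g. 'deny icmp from any to any icmptypes 8 in'."""
        t = spec.split()
        r = {"action": t[0], "skipto": None, "icmptypes": None, "dir": None}
        i = 1
        if r["action"] == "skipto":
            r["skipto"], i = int(t[1]), 2
        r["proto"] = t[i]
        if t[i + 1] != "from" or t[i + 3] != "to":
            raise ValueError(f"expected 'from A to B' in {spec!r}")
        r["src"], r["dst"] = _net(t[i + 2]), _net(t[i + 4])
        i += 5
        while i < len(t):
            if t[i] == "icmptypes":
                r["icmptypes"] = {int(x) for x in t[i + 1].split(",")}
                i += 2
            elif t[i] in ("in", "out"):
                r["dir"] = t[i]
                i += 1
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in {spec!r}")
        self.rules.append((number, r))
        self.rules.sort(key=lambda x: x[0])   # stable: a block keeps its add order

    def delete(self, number):
        """ipfw delete <number>: removes EVERY rule carrying that number."""
        before = len(self.rules)
        self.rules = [x for x in self.rules if x[0] != number]
        return before - len(self.rules)

    def check(self, proto, src, dst, direction, icmptype=None):
        """(rule number, action) of the deciding rule, or None if nothing matched."""
        src, dst = ip_address(src), ip_address(dst)
        i = 0
        while i < len(self.rules):
            number, r = self.rules[i]
            hit = (r["proto"] in ("ip", proto)
                   and (r["src"] is None or src in r["src"])
                   and (r["dst"] is None or dst in r["dst"])
                   and (r["icmptypes"] is None or icmptype in r["icmptypes"])
                   and (r["dir"] is None or r["dir"] == direction))
            if not hit:
                i += 1
                continue
            if r["skipto"] is None:
                return number, r["action"]
            # skipto: continue at the first rule numbered >= target (must be forward)
            target = next((k for k, (n, _) in enumerate(self.rules) if n >= r["skipto"]),
                          len(self.rules))
            if target <= i:
                raise ValueError("skipto must jump forward")
            i = target
        return None


LAN, AMIGA, NET = "192.168.1.5", "198.51.100.7", "203.0.113.9"   # constructed


def page_ruleset(inbound_only=False):
    """The page's three ICMP rules; with inbound_only, rule 2 gets an 'in' keyword."""
    fw = Ipfw()
    fw.add(1, "allow icmp from 192.168.0.0/16 to any")
    fw.add(2, "deny icmp from any to any icmptypes 8" + (" in" if inbound_only else ""))
    fw.add(3, "allow icmp from any to any")
    return fw


if __name__ == "__main__":
    fw = page_ruleset()
    print(fw.check("icmp", NET, AMIGA, "in", 8))     # (2, 'deny')  the net may not ping us
    print(fw.check("icmp", LAN, AMIGA, "in", 8))     # (1, 'allow') the LAN may ping the router
    print(fw.check("icmp", NET, AMIGA, "in", 0))     # (3, 'allow') echo replies get back in
    print(fw.check("icmp", AMIGA, NET, "out", 8))    # (2, 'deny')  our own pings are hit too
    print(page_ruleset(True).check("icmp", AMIGA, NET, "out", 8))  # (3, 'allow')
```

page_ruleset() holds the three ICMP rules from above; page_ruleset(True) gives rule 2 an "in" keyword, which is what lets the Amiga's own outbound pings through while inbound echo requests stay blocked. Adding the same three rules under one number and calling delete() on that number shows why a bare "ipfw del 10" is the wrong tool for removing a single rule out of a block.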

Send Mail to Cyborg