Defcon1-Header
Tool-BarfreeBSD ArticlesSearch Our SiteHOMEfreeBSD LinksContribute to FreeBSD HelpFreeBSD FilesFreeBSD Script Corner

Transparent Firewall How-To

Credits
----------
VERSION 1.0 CHAOTIC
Marcin Mleczko
UIN:21494189

/* forgive me language mistakes */

/* NOT an abtitious text, but still usefull */
/* i think, i hope :) */

IMPORTANT: if i'm mistaken at any possible aspect, please do not hesitate to inform me
"i want to understand..."

  How Come
-----------
I was wondering if there is any chance to make my firewall more secure. I mean FIREWALL itself.
And of course (as many times before) i've found that someone has already done it (my frustration is growing enormous... :)
i want to invent sth original, but it seems to be impissible LOL). Lately i've found that noone from defcon1 community
has described this problem. To be honest, i don't find FreeBSD handbook to be a good support too. So i decided to describe
this problem, that it might be usefull for new admins....balh....blah....let's go ;)


  Background (boring, skip if you want FAST SOLUTION)
-------------
What doest it mean "transparent"? Simply, invisible for layer witch is being used.
Ha, you say, layers? ;) No problem.
There is a model called ISO/OSI Layer Model, that makes talking/describing telecommunication services easier.
So here it is:

TOP -> USER
 
7. Application

6. Presentation

5. Sesion

4. Transport - for example TPC & UDP

3. Network - for example IP

2. Data Link - for example ARP, but also X.25 or ATM or even SDH (i think so, but interactions between protocols
within this layer are wired, SDH is transparent for most of them, ISDN is not...
i still cannot catch the point:)

1. Physical - all of electronic and electric equipment

BOTTOM -> E-M wave ;)

Ok, but i'm changing subject. As you can see TCP is over IP which is over ARP(ethernet). It works like this:
suppose you've got cable modem with ethernet and X.25 interface. When packets from your firewall hits modem,
layer 2 is "translated" from ARP to X.25 but the information remains untouched (TCP/IP). When packets pour in there is
a translation from X.25 to ARP of course.
Enough of this, all interested in this matter should read sth [1].
ARP (layer 2) is transparent, invisible for IP (layer 3 and higher layers).

Now, as we know what does it mean transparent, i will explain what does bridging do. Bridge makes two separated LANs act like
one network. All hubs and switches are bridges and they operate on layer 2 (ARP). Identifier in ARP communication is a MAC
address (6*2*'hex', see ifconfig). All requests are send through net by use of MACs.

Usefull: network can be hardened by making exact, "static" pointers on switches ports to a specific list of MACs.
That will cause noone else (with different MAC) to use given port.
Very important thing is to update /etc/arp with actual segment pairs MAC, IP. It will make sniffing much more difficult.
/* i see now that it is difficult for me to stick close to subject ;) */

And now, hit the road Jack...


  Concept
----------

There is a concept of making firewall, that operates on layer 2 (only ARP requests) but is able to filter IP traffic.
I will be extremally useful because interfaces will have no IPs, firewall will be practically invisible. Of course
one can monitor arp traffic, and notice firewall activity but still he will not be able to perform straight attack.


  Making Music
---------------

Kernel: a must compile in

options BRIDGE; Enables bridging on your system

also you should answer your self whether you want to use ipf as module or kompile it into kernel.
It is still giantic kernel so i prefer module, but if you want:

options IPFILTER;
optionsIPFILTER_LOG;

You have to set two environmental variables to get this working:
sysctl net.link.ether.bridge=1
sysctl net.link.ether.bridge_ipf=1
(....ipfw=1 for ipfw ;)

you can also add it to /etc/sysctl.conf to make startup fully operational.
See [2]. See [3], a great pice of work, witch incudes this issue ;) but i think, my might be usefull to.

situation:

(INET (untrusted))<~~~~~~~~~~>[MODEM/ROUTER]<----/not filtered/----[FIREWALL, invisible]----/filtered/---->(LAN)

--- ethernet
~~~ whatever

What you have to do now is to leave interfaces without IPs and apply any ruleset you want. See [3], again this great HOWTO.
A god idea will be walking to consile ;) but if you are too lazy, or you cannot, you may insert another NIC and making seperate network
between your firewall and your desktop. It should be secure, but you must realize that if your desktop is connected to inet
any other way, there is alternative way to your firewall through workstation. Good idea will be seperated console.


  End
------

All of mankind has still a lot to learn
Me too... ;)


  Resources
-------------
[1] - http://floppsie.comp.glam.ac.uk/Glamorgan/gaius/cnn/slides/1osi.html
[2] - http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/bridging.html
[3] - http://www.obfuscation.org/ipf/ipf-howto.txt

----------------------------------------------
In the case sth will not work, go to
[4] http://people.freebsd.org/~cjc/
read it and apply patche on your BSDbox

© 1997 - 20013 Defcon1, www.defcon1.org , Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.

Defcon1-Header2
Tool-Bar-2Defcon1  Webmail