Let’s take a look at how to use the firewall built into FreeBSD to protect an enterprise network. First, let’s assume that a certain enterprise has the following servers and workstations:
1. Two web servers, one for the enterprise homepage and one for a BBS. Assume their IP addresses are .001 and .002.
2. One DNS server, which also provides the enterprise’s e-mail service. Its IP address is .003, and it resolves names for .001 and .002.
3. The enterprise’s internal local area network, with N workstations, using IP addresses 10.125.0.0 to 10.125.255.255.
For such an enterprise, we must first design a sound network architecture. While designing it, we must consider where each server and the internal network are placed, so that they cooperate with the firewall and the firewall can fully protect each part.
Let’s first analyze the means and methods of “hacker” intrusion. An intruder’s first step is to locate the target enterprise on the network. Assuming he already knows that the enterprise does not use a hosting service but keeps its servers on its own network, he only needs to ping the enterprise’s homepage to learn that the enterprise’s IP addresses are .001 and .002, and that there is also a DNS server. With a tool like nslookup he can also find that the target enterprise’s DNS server is .003, and he will plan accordingly. Assuming he has broken into one of the three servers above, he will immediately analyze the network structure and move into the intranet to obtain internal employee information and a great deal of important data. From the above, we need to do a lot to protect this network. First of all, we should find ways to isolate the servers from each other and from the internal network, while still letting them provide the functions they should. We now plan the enterprise network as follows:
First, make sure that the FreeBSD firewall is the only path by which the enterprise connects to the Internet, then set up FreeBSD to enable its ipfirewall (ipfw) and NATD functions. The figure above shows that we are now placing the WWW, BBS, DNS and other servers inside, behind the firewall, for protection. Therefore, on the firewall we must enable the reverse-proxy function of NATD, that is, port redirection. First, we bind .001, .002 and .003 to the FreeBSD external network card. Assuming the external network card is fxp0, we set it up as follows:
ifconfig_fxp0="inet .001 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet .002 netmask 255.255.255.0"
ifconfig_fxp0_alias1="inet .003 netmask 255.255.255.0"
After binding, let’s start the analysis. First, the internal network: to access the Internet it needs a gateway, so that its hosts can use the network normally. Assuming the FreeBSD internal network card is fxp1, we add:
ifconfig_fxp1="inet 10.125.0.1 netmask 255.255.0.0"
Then add the following ipfw rule:
divert 8668 ip from any to any via fxp0
This rule diverts packets to NATD, but allowing NATD alone is not enough: you also need rules that let the internal network reach the Internet. We add:
allow ip from any to 10.125.0.0/16
allow ip from 10.125.0.0/16 to any
Set the gateway of the internal network to 10.125.0.1, so that the enterprise’s internal network can connect to the Internet normally.
Then let’s look at the WWW server. Generally speaking, this server only needs three ports open. The first is naturally the HTTP port. The second and third are the FTP control port and the FTP data port. The HTTP port naturally must be reachable from both the Internet and the internal network, whereas the FTP port is used to update the homepage and similar tasks, so it is enough for only the internal network to reach it. Of course, if necessary you can also open a telnet or ssh port, which is convenient for remote management by the enterprise’s internal system administrator; here I recommend ssh. To prevent an intruder who does break in from using this machine to attack others, I decided to place the WWW server on its own segment. Assuming again that the FreeBSD internal network card is fxp1, we edit rc.conf again and add:
ifconfig_fxp1_alias0="inet 10.80.0.1 netmask 255.255.255.0"
Then we put the WWW server on the 10.80.0.0/24 segment with gateway 10.80.0.1, so the WWW server is separated into its own zone. Suppose we set the WWW server’s IP to 10.80.0.80; now we set the firewall rules:
allow tcp from any to .001 80 in
allow tcp from .001 80 to any out // Allow port 80 of the firewall’s public address to be reached from anywhere
allow tcp from 10.80.0.80 80 to any out
allow tcp from any to 10.80.0.80 80 in // Allow access to port 80 of the WWW server from anywhere (the destination after NATD has rewritten it)
allow tcp from 10.125.0.0/16 to 10.80.0.80 21 in
allow tcp from 10.125.0.0/16 to 10.80.0.80 20 in
allow tcp from 10.80.0.80 21 to 10.125.0.0/16 out
allow tcp from 10.80.0.80 20 to 10.125.0.0/16 out // Allow the internal network to reach the WWW server’s FTP service
Firewall rules alone are not enough; NATD must also be configured to redirect the public address to the WWW server. We set NATD to:
redirect_port tcp 10.80.0.80:80 .001:80
With these settings, internal employees can both update and browse the homepage on the WWW server, while the Internet can only browse it. Even if an intruder compromises the WWW server through the HTTP service, his other connections from that machine are blocked by the firewall, so the internal network cannot be invaded or damaged, which achieves the goal of fully protecting both the WWW server and the internal network.
Now let’s analyze the DNS server. Since the BBS server is essentially the same as the WWW server, we will not discuss it here. The DNS server naturally needs to provide DNS service, that is, UDP port 53. Since it also handles mail, it also needs the SMTP and POP3 ports open, and the POP3 port should only be reachable from the internal network. So we add:
ifconfig_fxp1_alias1="inet 10.80.2.1 netmask 255.255.255.0"
Then set the DNS server’s IP to 10.80.2.53 and set the firewall rules to:
allow udp from any to .003 53 in
allow udp from .003 53 to any out // Allow port 53 of the firewall’s public address to be reached from anywhere
allow tcp from any to .003 25 in
allow tcp from .003 25 to any out // Allow the SMTP port of the firewall’s public address to be reached from anywhere
allow udp from 10.80.2.53 53 to any out
allow udp from any to 10.80.2.53 53 in // Allow access to port 53 of the DNS server from anywhere
allow tcp from any to 10.80.2.53 25 in
allow tcp from 10.80.2.53 25 to any out // Allow access to the SMTP port of the DNS server from anywhere
allow tcp from 10.125.0.0/16 to 10.80.2.53 110 in
allow tcp from 10.80.2.53 110 to 10.125.0.0/16 out // Allow the internal network to access the POP3 port of the DNS server
NATD is set to:
redirect_port udp 10.80.2.53:53 .003:53 // Map UDP port 53 of .003 to port 53 of 10.80.2.53
redirect_port tcp 10.80.2.53:25 .003:25 // Map TCP port 25 of .003 to port 25 of 10.80.2.53
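As an added example that is not part of the original article, the small Python evaluator below loads the WWW and DNS rules above (after NATD has rewritten the public address), in the order the text adds them, and answers which sample flows the first-match chain lets through; 198.51.100.7 and 10.125.3.4 are constructed client addresses, and the "in"/"out" direction keywords are ignored. It also surfaces two points worth tightening when you deploy this design: the general LAN rules come before the per-server rules, so a DMZ host can initiate connections into 10.125.0.0/16, and TCP port 53 is not opened for the DNS server.

```python
import ipaddress

# Constructed rule set: the article's ipfw rules in the order the text adds them
# (LAN rules first, then WWW and DNS), followed by the final deny of a default-deny kernel.
RULES_TEXT = """\
allow ip from any to 10.125.0.0/16
allow ip from 10.125.0.0/16 to any
allow tcp from any to 10.80.0.80 80 in
allow tcp from 10.125.0.0/16 to 10.80.0.80 21 in
allow tcp from 10.125.0.0/16 to 10.80.0.80 20 in
allow udp from any to 10.80.2.53 53 in
allow tcp from any to 10.80.2.53 25 in
allow tcp from 10.125.0.0/16 to 10.80.2.53 110 in
deny ip from any to any
"""

def parse_rule(line):
    """Parse '<action> <proto> from <addr>[ port] to <addr>[ port] [in|out]'."""
    tok = line.split()
    from_i, to_i = tok.index("from") + 1, tok.index("to") + 1
    def endpoint(i, stop):  # (network or None for any, port or None for any)
        net = None if tok[i] == "any" else ipaddress.ip_network(tok[i], strict=False)
        port = int(tok[i + 1]) if i + 1 < stop and tok[i + 1].isdigit() else None
        return net, port
    return tok[0], tok[1], endpoint(from_i, to_i - 1), endpoint(to_i, len(tok))

def matches(endpoint, ip, port):
    net, p = endpoint
    return (net is None or ipaddress.ip_address(ip) in net) and (p is None or p == port)

def verdict(rules, proto, src, sport, dst, dport):
    """First matching rule wins, exactly as ipfw walks its chain."""
    for action, rproto, rsrc, rdst in rules:
        if rproto in ("ip", proto) and matches(rsrc, src, sport) and matches(rdst, dst, dport):
            return action
    return "deny"  # nothing matched: a default-deny kernel drops the packet

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]
# Constructed sample flows: 198.51.100.7 is an Internet client, 10.125.3.4 a LAN host.
CHECKS = {
    "internet->www:80": ("tcp", "198.51.100.7", 40000, "10.80.0.80", 80),
    "internet->www:22": ("tcp", "198.51.100.7", 40000, "10.80.0.80", 22),
    "lan->www:21": ("tcp", "10.125.3.4", 40000, "10.80.0.80", 21),
    "internet->dns:53/udp": ("udp", "198.51.100.7", 40000, "10.80.2.53", 53),
    "internet->dns:53/tcp": ("tcp", "198.51.100.7", 40000, "10.80.2.53", 53),
    "internet->dns:110": ("tcp", "198.51.100.7", 40000, "10.80.2.53", 110),
    "www->lan:445": ("tcp", "10.80.0.80", 40000, "10.125.1.1", 445),  # DMZ into LAN
}

def run_checks():
    return {name: verdict(RULES, *flow) for name, flow in CHECKS.items()}
```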
After setting up the enterprise network according to the rules above, the network is more tightly protected, with strict control between the servers themselves and between the servers and the enterprise’s internal network. Of course, internal intrusion and internal IP spoofing are not considered here; that is a limitation of the FreeBSD firewall. However, you can add another network card to isolate the internal employees’ network and make up for it that way.
OK, the above is my personal practice of using the FreeBSD firewall to protect corporate networks. I hope it can be helpful to some corporate network administrators.
Article entry: csh Editor in charge: csh