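#!/bin/sh
#
# /etc/rc.d/rc.filter
#
# Copyright 1997 Owl River Company
# info@owlriver.com
# All rights reserved
# 614 - 221 - 0695
#
# master on pokey
#
# Purpose: load the IP masquerading helper modules and install the
# ipfwadm packet-filter rules for the 10.0.0.0/8 internal network.
# Goes in /etc/rc.d, before rc.masq -- ipfwadm matches rules in the
# order they were appended, so every deny rule here must already be in
# place when rc.masq opens the forwarding chain up.
#
# ipfwadm syntax reminder: a port given after -S is a SOURCE port, a
# port given after -D is a DESTINATION port.
#
VERSION=1.02
#
##############################################################
#
# rc scripts often run with a minimal PATH, so every binary is called by
# absolute path. Every ipfwadm invocation goes through fw() so that a
# missing binary or a rule the kernel rejects is reported at boot rather
# than silently leaving the rule set half installed.
#
IPFWADM=/sbin/ipfwadm
MODPROBE=/sbin/modprobe
DEPMOD=/sbin/depmod
FAILURES=0

# fw ARGS... -- run "ipfwadm ARGS", count and report a failure, never abort
# (the remaining rules are still installed; the summary at the end shows
# how many were lost).
fw() {
  "$IPFWADM" "$@" && return 0
  _rc=$?
  FAILURES=$((FAILURES + 1))
  printf 'rc.filter: "ipfwadm %s" failed, exit status %d\n' "$*" "$_rc" >&2
  return "$_rc"
}

# deny_port PROTO PORT SRC DST -- deny PROTO traffic SRC -> DST on PORT in
# the forwarding chain, matching PORT both as source port and as
# destination port (see the NetBIOS note below for why both are needed).
deny_port() {
  fw -F -a deny -P "$1" -S "$3" "$2" -D "$4"
  fw -F -a deny -P "$1" -S "$3" -D "$4" "$2"
}

#
# set up the masquerading helper modules
#
"$DEPMOD" -a || printf 'rc.filter: depmod -a failed\n' >&2
for mod in ip_masq_ftp.o ip_masq_raudio.o ip_masq_irc.o; do
  "$MODPROBE" "$mod" || printf 'rc.filter: modprobe %s failed\n' "$mod" >&2
done
#
# set up the masq function: flush the forwarding chain and default it to
# deny, so anything not explicitly accepted (here or in rc.masq) is dropped.
#
# NOTE(review): the input chain (-I) is neither flushed nor given a
# default policy here, so re-running this script by hand appends duplicate
# -I rules. Confirm nothing earlier in the boot sequence adds -I rules,
# then add "fw -I -f" alongside the -F flush.
#
fw -F -f
fw -F -p deny
#
# NetBIOS / SMB (137-139) must not cross the firewall in either direction.
# Matching only the SOURCE port (as the original rules did) catches the
# name and datagram services, which talk 137->137 and 138->138, but not a
# TCP session to port 139: the client side of that session uses an
# ephemeral source port. Each port is therefore denied as source AND as
# destination.
#
# prevent Netbios transfer
#
echo ipfwadm 1 - stop netbios leak
for p in 137 138; do
  deny_port udp "$p" 10.0.0.0/8 0.0.0.0/0
  deny_port tcp "$p" 10.0.0.0/8 0.0.0.0/0
done
# no such thing as UDP/139
deny_port tcp 139 10.0.0.0/8 0.0.0.0/0
#
# and explicitly drop netbios from the outside, in
# added 980427
#
echo ipfwadm 2 - stop netbios attack
for p in 137 138; do
  deny_port udp "$p" 0.0.0.0/0 10.0.0.0/8
  deny_port tcp "$p" 0.0.0.0/0 10.0.0.0/8
done
# no such thing as UDP/139
deny_port tcp 139 0.0.0.0/0 10.0.0.0/8
#
# and rule out the RPC/NFS exploit
#
# Input chain: ports 111 (portmapper) and 635 are reachable from the inside
# network ("allow leak") and from nowhere else. The accept rules must be
# appended before the deny rules, as ipfwadm takes the first match.
# The portmapper registers on UDP as well as TCP, so both protocols are
# covered; the original rules were TCP-only, leaving UDP/111 reachable.
# NOTE(review): NFS itself (2049) is not covered here -- confirm whether
# that is intended.
#
echo ipfwadm 3 - rpc/nfs - allow leak - stop attack
for proto in tcp udp; do
  for port in 111 635; do
    fw -I -a accept -P "$proto" -S 10.0.0.0/8 -D 0.0.0.0/0 "$port"
  done
done
for proto in tcp udp; do
  for port in 111 635; do
    fw -I -a deny -P "$proto" -S 0.0.0.0/0 -D 0.0.0.0/0 "$port"
  done
done
#
# no outside communication by the NT server (10.0.0.99), either direction.
# Only TCP and UDP are covered, as in the original; ICMP to or from the
# host is still subject to whatever rc.masq accepts.
#
echo ipfwadm 10 - local option matters
# Nothing from the NT server leaks
fw -F -a deny -P udp -S 10.0.0.99 -D 0.0.0.0/0
fw -F -a deny -P tcp -S 10.0.0.99 -D 0.0.0.0/0
#
# extended 980427
#
echo ipfwadm 11 - local option - more
fw -F -a deny -P udp -S 0.0.0.0/0 -D 10.0.0.99
fw -F -a deny -P tcp -S 0.0.0.0/0 -D 10.0.0.99
#
# allow NTP -- 980504
#
#ntp 123/tcp # Network Time Protocol
#ntp 123/udp # Network Time Protocol
#
# Accepted (and masqueraded, -m) by SOURCE port 123, i.e. an ntpd on the
# inside; a client that sends from an ephemeral port does not match this.
#
echo ipfwadm 15
fw -F -a accept -m -P udp -S 10.0.0.0/8 123 -D 0.0.0.0/0
fw -F -a accept -m -P tcp -S 10.0.0.0/8 123 -D 0.0.0.0/0
#
# outbound modem - special source IP, masqueraded, any protocol
#
echo ipfwadm 17
fw -F -a accept -m -S 172.16.34.52 -D 0.0.0.0/0
#
# Block probing sites (input chain, all protocols)
#
echo ipfwadm 20 - blocking
# hubbs.net 970623 -- fake DNS info
fw -I -a deny -P all -S 207.78.57.0/24 -D 0.0.0.0/0
#
# alcor.nstar.net 970821 -- fake DNS info
fw -I -a deny -P all -S 204.255.96.0/24 -D 0.0.0.0/0
#
# goes in /etc/rc.d, before rc.masq
#
# Exit non-zero if any rule was lost, so the failure is visible in the
# boot log instead of being discovered as an open port later.
if [ "$FAILURES" -ne 0 ]; then
  printf 'rc.filter: %d ipfwadm rule(s) failed to install\n' "$FAILURES" >&2
  exit 1
fi
exit 0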