The myprint service handles wireless printing for the MLIB PC labs. FreeBSD was chosen as the operating system for this service primarily for its security features.
Details on the current configuration of myprint.scl.utah.edu can be found below. 07/12/2013
This first section covers the kernel configuration, NAT and forwarding of traffic into the jailed (non-routable network) environment, use of IPFW to filter incoming and outgoing traffic to specific subnets and hosts, and OS, jail and TCP stack hardening through /etc/sysctl.conf.
Kernel options and device drivers the host does not need (IPv6 and SCTP, NFS, the MSDOS and ISO 9660 filesystems, FreeBSD 4 to 7 binary compatibility, the kernel debugger, wireless, FireWire, sound, and the USB serial and USB Ethernet drivers) are compiled out. The point is to minimise what an attacker who gains code execution on the host can reach: a subsystem that is not in the kernel is not there to be exploited.
Details of the kernel configuration
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the config(5) manual page,
# and/or the handbook section on Kernel Configuration Files:
#
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: release/9.0.0/sys/i386/conf/GENERIC 227305 2011-11-07 13:40:54Z marius $
cpu I486_CPU
cpu I586_CPU
cpu I686_CPU
ident GENERIC
#makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
#options INET6 # IPv6 communications protocols
#options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options MD_ROOT # MD is a potential root device
#options NFSCL # New Network Filesystem Client
#options NFSD # New Network Filesystem Server
#options NFSLOCKD # Network Lock Manager
#options NFS_ROOT # NFS usable as /, requires NFSCL
#options MSDOSFS # MSDOS Filesystem
#options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_LABEL # Provides labelization
#options COMPAT_FREEBSD4 # Compatible with FreeBSD4
#options COMPAT_FREEBSD5 # Compatible with FreeBSD5
#options COMPAT_FREEBSD6 # Compatible with FreeBSD6
#options COMPAT_FREEBSD7 # Compatible with FreeBSD7
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
#options KTRACE # ktrace(1) support
#options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed.
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
options AUDIT # Security event auditing
options MAC # TrustedBSD MAC Framework
#options KDTRACE_HOOKS # Kernel DTrace hooks
#options INCLUDE_CONFIG_FILE # Include this file in kernel
#options KDB # Kernel debugger related code
#options KDB_TRACE # Print a stack trace for a panic
# To make an SMP kernel, the next two lines are needed
options SMP # Symmetric MultiProcessor Kernel
device apic # I/O APIC
# CPU frequency control
device cpufreq
# Bus support.
device acpi
device eisa
device pci
# Floppy drives
#device fdc
# ATA controllers
device ahci # AHCI-compatible SATA controllers
device ata # Legacy ATA/SATA controllers
options ATA_CAM # Handle legacy controllers with CAM
options ATA_STATIC_ID # Static device numbering
device mvs # Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
device siis # SiliconImage SiI3124/SiI3132/SiI3531 SATA
# SCSI Controllers
device ahb # EISA AHA1742 family
device ahc # AHA2940 and onboard AIC7xxx devices
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
device ahd # AHA39320/29320 and onboard AIC79xx devices
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
device esp # AMD Am53C974 (Tekram DC-390(T))
device hptiop # Highpoint RocketRaid 3xxx series
device isp # Qlogic family
#device ispfw # Firmware for QLogic HBAs- normally a module
device mpt # LSI-Logic MPT-Fusion
#device ncr # NCR/Symbios Logic
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr')
device trm # Tekram DC395U/UW/F DC315U adapters
device adv # Advansys SCSI adapters
device adw # Advansys wide SCSI adapters
device aha # Adaptec 154x SCSI adapters
device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
device bt # Buslogic/Mylex MultiMaster SCSI adapters
device ncv # NCR 53C500
device nsp # Workbit Ninja SCSI-3
device stg # TMC 18C30/18C50
# ATA/SCSI peripherals
device scbus # SCSI bus (required for ATA/SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct ATA/SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
# RAID controllers interfaced to the SCSI subsystem
device amr # AMI MegaRAID
device arcmsr # Areca SATA II RAID
device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
device ciss # Compaq Smart RAID 5*
device dpt # DPT Smartcache III, IV - See NOTES for options
device hptmv # Highpoint RocketRAID 182x
device hptrr # Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
device iir # Intel Integrated RAID
device ips # IBM (Adaptec) ServeRAID
device mly # Mylex AcceleRAID/eXtremeRAID
device twa # 3ware 9000 series PATA/SATA RAID
device tws # LSI 3ware 9750 SATA+SAS 6Gb/s RAID controller
# RAID controllers
device aac # Adaptec FSA RAID
device aacp # SCSI passthrough for aac (requires CAM)
device ida # Compaq Smart RAID
device mfi # LSI MegaRAID SAS
device mlx # Mylex DAC960 family
device pst # Promise Supertrak SX6000
device twe # 3ware ATA RAID
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
options SC_PIXEL_MODE # add support for the raster text mode
device agp # support several AGP chipsets
# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer
# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device cbb # cardbus (yenta) bridge
#device pccard # PC Card (16-bit) bus
#device cardbus # CardBus (32-bit) bus
# Serial (COM) ports
#device uart # Generic UART driver
# Parallel port
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
device plip # TCP/IP over parallel
device ppi # Parallel port interface device
#device vpo # Requires scbus and da
device puc # Multi I/O cards and multi-channel UARTs
# PCI Ethernet NICs.
device bxe # Broadcom BCM57710/BCM57711/BCM57711E 10Gb Ethernet
device de # DEC/Intel DC21x4x (``Tulip'')
device em # Intel PRO/1000 Gigabit Ethernet Family
device igb # Intel PRO/1000 PCIE Server Gigabit Family
device ixgb # Intel PRO/10GbE Ethernet Card
device le # AMD Am7900 LANCE and Am79C9xx PCnet
device ti # Alteon Networks Tigon I/II gigabit Ethernet
device txp # 3Com 3cR990 (``Typhoon'')
device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device ae # Attansic/Atheros L2 FastEthernet
device age # Attansic/Atheros L1 Gigabit Ethernet
device alc # Atheros AR8131/AR8132 Ethernet
device ale # Atheros AR8121/AR8113/AR8114 Ethernet
device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device bfe # Broadcom BCM440x 10/100 Ethernet
device bge # Broadcom BCM570xx Gigabit Ethernet
device dc # DEC/Intel 21143 and various workalikes
device et # Agere ET1310 10/100/Gigabit Ethernet
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device jme # JMicron JMC250 Gigabit/JMC260 Fast Ethernet
device lge # Level 1 LXT1001 gigabit Ethernet
device msk # Marvell/SysKonnect Yukon II Gigabit Ethernet
device nfe # nVidia nForce MCP on-board Ethernet
device nge # NatSemi DP83820 gigabit Ethernet
#device nve # nVidia nForce MCP on-board Ethernet Networking
device pcn # AMD Am79C97x PCI 10/100 (precedence over 'le')
device re # RealTek 8139C+/8169/8169S/8110S
device rl # RealTek 8129/8139
device sf # Adaptec AIC-6915 (``Starfire'')
device sge # Silicon Integrated Systems SiS190/191
device sis # Silicon Integrated Systems SiS 900/SiS 7016
device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
device ste # Sundance ST201 (D-Link DFE-550TX)
device stge # Sundance/Tamarack TC9021 gigabit Ethernet
device tl # Texas Instruments ThunderLAN
device tx # SMC EtherPower II (83c170 ``EPIC'')
device vge # VIA VT612x gigabit Ethernet
device vr # VIA Rhine, Rhine II
device vte # DM&P Vortex86 RDC R6040 Fast Ethernet
device wb # Winbond W89C840F
device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# ISA Ethernet NICs. pccard NICs included.
#device cs # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device ex # Intel EtherExpress Pro/10 and Pro/10+
#device ep # Etherlink III based cards
#device fe # Fujitsu MB8696x based cards
#device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device sn # SMC's 9000 series of Ethernet chips
#device xe # Xircom pccard Ethernet
# Wireless NIC cards
#device wlan # 802.11 support
#options IEEE80211_DEBUG # enable debug msgs
#options IEEE80211_AMPDU_AGE # age frames in AMPDU reorder q's
#options IEEE80211_SUPPORT_MESH # enable 802.11s draft support
#device wlan_wep # 802.11 WEP support
#device wlan_ccmp # 802.11 CCMP support
#device wlan_tkip # 802.11 TKIP support
#device wlan_amrr # AMRR transmit rate control algorithm
#device an # Aironet 4500/4800 802.11 wireless NICs.
#device ath # Atheros NIC's
#device ath_pci # Atheros pci/cardbus glue
#device ath_hal # pci/cardbus chip support
#options AH_SUPPORT_AR5416 # enable AR5416 tx/rx descriptors
#device ath_rate_sample # SampleRate tx rate control for ath
#device bwi # Broadcom BCM430x/BCM431x wireless NICs.
#device bwn # Broadcom BCM43xx wireless NICs.
#device ipw # Intel 2100 wireless NICs.
#device iwi # Intel 2200BG/2225BG/2915ABG wireless NICs.
#device iwn # Intel 4965/1000/5000/6000 wireless NICs.
#device malo # Marvell Libertas wireless NICs.
#device mwl # Marvell 88W8363 802.11n wireless NICs.
#device ral # Ralink Technology RT2500 wireless NICs.
#device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device wl # Older non 802.11 Wavelan wireless NIC.
#device wpi # Intel 3945ABG wireless NICs.
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device vlan # 802.1Q VLAN support
device tun # Packet tunnel.
device pty # BSD-style compatibility pseudo ttys
device md # Memory "disks"
#device gif # IPv6 and IPv4 tunneling
#device faith # IPv6-to-IPv4 relaying (translation)
device firmware # firmware assist module
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter
# USB support
options USB_DEBUG # enable debug msgs
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device xhci # XHCI PCI->USB interface (USB 3.0)
device usb # USB Bus (required)
#device udbp # USB Double Bulk Pipe devices (needs netgraph)
device uhid # "Human Interface Devices"
device ukbd # Keyboard
device ulpt # Printer
device umass # Disks/Mass storage - Requires scbus and da
device ums # Mouse
#device urio # Diamond Rio 500 MP3 player
# USB Serial devices
#device u3g # USB-based 3G modems (Option, Huawei, Sierra)
#device uark # Technologies ARK3116 based serial adapters
#device ubsa # Belkin F5U103 and compatible serial adapters
#device uftdi # For FTDI usb serial adapters
#device uipaq # Some WinCE based devices
#device uplcom # Prolific PL-2303 serial adapters
#device uslcom # SI Labs CP2101/CP2102 serial adapters
#device uvisor # Visor and Palm devices
#device uvscom # USB serial support for DDI pocket's PHS
# USB Ethernet, requires miibus
#device aue # ADMtek USB Ethernet
#device axe # ASIX Electronics USB Ethernet
#device cdce # Generic USB over Ethernet
#device cue # CATC USB Ethernet
#device kue # Kawasaki LSI USB Ethernet
#device rue # RealTek RTL8150 USB Ethernet
#device udav # Davicom DM9601E USB
# USB Wireless
#device rum # Ralink Technology RT2501USB wireless NICs
#device run # Ralink Technology RT2700/RT2800/RT3000 NICs.
#device uath # Atheros AR5523 wireless NICs
#device upgt # Conexant/Intersil PrismGT wireless NICs.
#device ural # Ralink Technology RT2500USB wireless NICs
#device urtw # Realtek RTL8187B/L wireless NICs
#device zyd # ZyDAS zd1211/zd1211b wireless NICs
# FireWire support
#device firewire # FireWire bus code
# sbp(4) works for some systems but causes boot failure on others
#device sbp # SCSI over FireWire (Requires scbus and da)
#device fwe # Ethernet over FireWire (non-standard!)
#device fwip # IP over FireWire (RFC 2734,3146)
#device dcons # Dumb console driver
#device dcons_crom # Configuration ROM for dcons
# Sound support
#device sound # Generic sound driver (required)
#device snd_es137x # Ensoniq AudioPCI ES137x
#device snd_hda # Intel High Definition Audio
#device snd_ich # Intel, NVidia and other ICH AC'97 Audio
#device snd_uaudio # USB Audio
#device snd_via8233 # VIA VT8233x Audio
Details of the hard disk configuration are as follows (output of gpart show). /dev/ada1 is an unmounted disk that serves as the source of the /usr/ports tree for package and OS upgrades.
=> 34 16777149 ada0 GPT (8.0G)
34 128 1 freebsd-boot (64k)
162 14336000 2 freebsd-ufs (6.9G)
14336162 1599360 4 freebsd-ufs (781M)
15935522 837632 3 freebsd-swap (409M)
16773154 4029 - free - (2M)
=> 34 8388541 ada1 GPT (4.0G)
34 128 1 freebsd-boot (64k)
162 7761920 2 freebsd-ufs (3.7G)
7762082 204672 4 freebsd-ufs (100M)
7966754 417792 3 freebsd-swap (204M)
8384546 4029 - free - (2M)
/tmp is a separate filesystem mounted nosuid,noexec so that, should an attacker break out of the jail through a vulnerability in httpd, the PHP interpreter or cupsd, files dropped into /tmp can neither be executed directly nor gain privileges through set-uid bits. (noexec stops execve() of files on that filesystem; a script can still be handed to an interpreter explicitly, so this raises the bar rather than closing the door.)
# Device Mountpoint FStype Options Dump Pass#
/dev/ada0p3 none swap sw 0 0
/dev/ada0p2 / ufs rw 1 1
/dev/ada0p4 /tmp ufs rw,nosuid,noexec 2 2
Several configuration options making use of various security features have been implemented; the files and options selected are listed in detail below.
The cupsd and httpd services are isolated in a BSD jail, and the TCP/IP stack hardening applied through /etc/sysctl.conf is shown first.
# Kernel sysctl configuration file
# $FreeBSD: release/9.1.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# NAT forwarding for jail
net.inet.ip.forwarding=1
# Additional params for jail
# NOTE: security.jail.param.* is the jail(8) parameter descriptor tree, not a
# set of tunables. The integer nodes read 0 and the string nodes report the
# maximum length of that parameter (hostuuid 64, hostname 256, path 1024);
# setting them here changes nothing about the jail. Per-jail values such as
# securelevel are set when the jail is created or inherited from the host.
security.jail.param.cpuset.id=0
security.jail.param.host.hostid=0
security.jail.param.host.hostuuid=64
security.jail.param.host.domainname=256
security.jail.param.host.hostname=256
security.jail.param.children.max=0
security.jail.param.children.cur=0
security.jail.param.enforce_statfs=0
security.jail.param.securelevel=3
security.jail.param.path=1024
security.jail.param.name=256
security.jail.param.parent=0
security.jail.param.jid=0
# Host-wide jail defaults (these ones take effect)
security.jail.enforce_statfs=2
# mount_allowed=1 lets jailed root mount and unmount filesystems; the jail here
# has mounting disabled in rc.conf, so 0 would be the consistent and safer value
security.jail.mount_allowed=1
security.jail.chflags_allowed=0
security.jail.allow_raw_sockets=0
security.jail.socket_unixiproute_only=1
security.jail.set_hostname_allowed=0
# security.jail.jailed is read-only: it reports whether the caller is jailed
security.jail.jailed=0
# Various network tuning params
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
net.inet.tcp.always_keepalive=1
kern.ipc.maxsockets=163840
kern.ipc.maxsockbuf=2097152
# Tune IPFW
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
# For suricata
net.bpf.zerocopy_enable=1
To forward traffic to the jail, which listens on a private (NAT) address, the following /etc/pf.conf configuration was necessary:
ext_if = "em0"
ext_ip = "xxx.xxx.xxx.xxx"
int_ip = "192.168.1.10"
tcp_sv = "{ 80, 443 }"
nat pass on $ext_if from $int_ip to any -> $ext_ip
rdr pass on $ext_if proto tcp from any to $ext_ip port $tcp_sv -> $int_ip
#block all
Protection against unwanted network traffic was also implemented in both directions. Inbound filtering exposes only SSH (from the listed sources) and HTTP/HTTPS. Outbound filtering restricts the host to the listed destinations and services (DNS, ICMP, whois, SSH, HTTP/HTTPS, LPR to the print servers and FTP to the FreeBSD mirrors); anything else is denied and logged, which both limits what an attacker can do from a compromised host and leaves a trace of the attempt.
#!/bin/sh
# Default options
ipfw="/sbin/ipfw "
adp="em0"
# Current IPv4
me="xxx.xxx.xxx.xxx"
# IPv4 of jail
jail="192.168.1.10"
# Allowed DNS servers
dns1="xxx.xxx.xxx.xxx"
dns2="xxx.xxx.xxx.xxx"
# Allowed ICMP in
icmp_in1="xxx.xxx.xxx.xxx"
# Allowed SSH CIDR
ssh1="xxx.xxx.xxx.xxx/24"
ssh2="xxx.xxx.xxx.xxx"
# Allowed outgoing print servers and mirrors
# NOTE: ipfw resolves hostnames once, when the rule is added at boot, so these
# entries depend on DNS being reachable at that moment, and a changed record is
# not seen until the rules are reloaded (not possible at kern_securelevel 3
# without a reboot)
print_srv1="dc1-mmc.scl.utah.edu"
print_srv2="dc5-staff.scl.utah.edu"
# Allowed FTP mirrors
update_mirror0="ftp.FreeBSD.org"
update_mirror1="ftp1.us.FreeBSD.org"
update_mirror2="ftp2.us.FreeBSD.org"
# Flush current rules
$ipfw -f flush
# Bypass if previous state ok
$ipfw add 00010 check-state
#### ALL OUTBOUND RULES ####
# DNS allowed rules
$ipfw add 00500 allow tcp from $me to $dns1 53 out via $adp setup keep-state
$ipfw add 00510 allow udp from $me to $dns1 53 out via $adp keep-state
#$ipfw add 00520 allow tcp from $me to $dns2 53 out via $adp setup keep-state
#$ipfw add 00530 allow udp from $me to $dns2 53 out via $adp keep-state
# Allow ping out
$ipfw add 00600 allow icmp from $me to any out via $adp keep-state
# Allow whois out
$ipfw add 00610 allow tcp from $me to any 43 out via $adp setup keep-state
# Allow smtp out
#$ipfw add 00620 allow tcp from $me to $mailout out via $adp setup keep-state
# Allow sshd out
$ipfw add 00700 allow tcp from $me to any 22 out via $adp setup keep-state
# Allow http/https out
$ipfw add 00701 allow tcp from $me to any 80,443 out via $adp setup keep-state
# Allow LPR printing to specified print servers
$ipfw add 00710 allow tcp from $me to $print_srv1 out via $adp setup keep-state
$ipfw add 00720 allow tcp from $me to $print_srv2 out via $adp setup keep-state
# Allow FTP out to FreeBSD servers
$ipfw add 00730 allow tcp from $me to $update_mirror0 out via $adp setup keep-state
$ipfw add 00740 allow tcp from $me to $update_mirror1 out via $adp setup keep-state
$ipfw add 00750 allow tcp from $me to $update_mirror2 out via $adp setup keep-state
# Log all other attempts out
$ipfw add 00800 deny log all from any to any out via $adp
#### ALL INBOUND RULES ####
# Deny all inbound from non-routeable address blocks
$ipfw add 00900 deny from 192.168.0.0/16 to any in via $adp
$ipfw add 00910 deny from 172.16.0.0/12 to any in via $adp
$ipfw add 00920 deny from 10.0.0.0/8 to any in via $adp
$ipfw add 00930 deny from 127.0.0.0/8 to any in via $adp
$ipfw add 00940 deny from 0.0.0.0/8 to any in via $adp
$ipfw add 00950 deny from 169.254.0.0/16 to any in via $adp
$ipfw add 00960 deny from 192.0.2.0/24 to any in via $adp
$ipfw add 00970 deny from 204.152.64.0/23 to any in via $adp
$ipfw add 00980 deny from 224.0.0.0/3 to any in via $adp
# Allow pings from specified hosts/cidr's
$ipfw add 00990 allow icmp from $icmp_in1 to $me in via $adp
# Deny public pings
$ipfw add 01000 deny icmp from any to $me in via $adp
# Deny ident(s)
$ipfw add 01100 deny tcp from any to $me 113 in via $adp
# Drop netbios packets
$ipfw add 01200 deny tcp from any to $me 137 in via $adp
$ipfw add 01210 deny tcp from any to $me 138 in via $adp
$ipfw add 01220 deny tcp from any to $me 139 in via $adp
$ipfw add 01230 deny tcp from any to $me 81 in via $adp
# Drop late arrivals
$ipfw add 01300 deny from any to $me frag in via $adp
# Deny ACK packets no matching the dynamic rule table
$ipfw add 01400 deny tcp from any to $me established in via $adp
# Allow configured host(s) to use SSH and anyone to use http/https. 'setup'
# limits state creation to SYN packets; ipfw applies rules in numeric order,
# so 01510 sits between the two SSH rules wherever it appears in this file
$ipfw add 01500 allow tcp from $ssh1 to $me 22 in via $adp setup keep-state
$ipfw add 01510 allow tcp from any to $me 80,443 in via $adp setup keep-state
$ipfw add 01520 allow tcp from $ssh2 to $me 22 in via $adp setup keep-state
# Deny & log all others
$ipfw add 01600 deny log from any to any in via $adp
$ipfw add 01700 deny from any to any
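Static checks of this kind catch the slips that creep into a hand-written ipfw script: a "non-routable" deny entry that is not actually a private block, an RFC 1918 range left uncovered, inbound keep-state rules without setup, hostnames that are resolved once at load time, and a final deny that does not log. The block below is an added example and not part of the original page: RULES is a constructed excerpt of the script above (it deliberately carries each of those defects so the checks have something to find) and VARS gives made-up TEST-NET values for the script's shell variables.

```python
"""Static checks for an ipfw(8) rule script in the style of /etc/ipfw.conf above.

Added example, not part of the original page. RULES is a constructed excerpt of
the page's script and VARS supplies made-up values for its shell variables.
"""
import ipaddress
import re

RULES = r"""
$ipfw add 00010 check-state
$ipfw add 00500 allow tcp from $me to $dns1 53 out via $adp setup keep-state
$ipfw add 00710 allow tcp from $me to $print_srv1 out via $adp setup keep-state
$ipfw add 00800 deny log all from any to any out via $adp
$ipfw add 00900 deny from 192.169.0.0/16 to any in via $adp
$ipfw add 00910 deny from 172.16.0.0/12 to any in via $adp
$ipfw add 00920 deny from 10.0.0.0/8 to any in via $adp
$ipfw add 01500 allow tcp from $ssh1 to $me 22 in via $adp keep-state
$ipfw add 01520 allow tcp from $ssh2 to $me 22 in via $adp keep-state
$ipfw add 01510 allow tcp from any to $me 80,443 in via $adp keep-state
$ipfw add 01600 deny from any to any in via $adp
"""

VARS = {  # constructed stand-ins for the script's shell variables
    "me": "198.51.100.10", "adp": "em0", "dns1": "198.51.100.53",
    "print_srv1": "dc1-mmc.scl.utah.edu", "ssh1": "198.51.100.0/24",
    "ssh2": "203.0.113.7",
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Source blocks that have no business arriving on the public interface.
NON_ROUTABLE = RFC1918 + [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/3")]
RULE_RE = re.compile(r"^\$ipfw add (\d+) (.+)$")

def parse_rules(text, variables):
    """Return the rules in file order as dicts: number, action and token list."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            body = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), m.group(2))
            toks = body.split()
            rules.append({"num": int(m.group(1)), "action": toks[0], "toks": toks})
    return rules

def _endpoints(toks):
    """Address tokens that follow 'from' and 'to'."""
    return [toks[i + 1] for i, t in enumerate(toks[:-1]) if t in ("from", "to")]

def _as_network(tok):
    try:
        return ipaddress.ip_network(tok, strict=False)
    except ValueError:  # 'any', hostnames, keywords
        return None

def file_order_mismatches(rules):
    """Rule numbers whose file position differs from the order ipfw applies."""
    by_num = sorted(rules, key=lambda r: r["num"])
    return [r["num"] for r, s in zip(rules, by_num) if r["num"] != s["num"]]

def bogon_list_problems(rules):
    """(inbound source denies outside every known non-routable block,
        RFC 1918 blocks that no inbound deny covers)"""
    stray, covered = [], set()
    for r in rules:
        if r["action"] != "deny" or "in" not in r["toks"]:
            continue
        eps = _endpoints(r["toks"])
        net = _as_network(eps[0]) if eps else None
        if net is None:
            continue
        if not any(net.subnet_of(b) for b in NON_ROUTABLE):
            stray.append(str(net))
        covered.update(str(b) for b in RFC1918 if b.subnet_of(net))
    return stray, [str(b) for b in RFC1918 if str(b) not in covered]

def inbound_keep_state_without_setup(rules):
    """Inbound TCP allows that may create state from a non-SYN packet."""
    return [r["num"] for r in rules
            if r["action"] == "allow" and "tcp" in r["toks"][:2] and "in" in r["toks"]
            and "keep-state" in r["toks"] and "setup" not in r["toks"]]

def hostname_endpoints(rules):
    """Endpoints ipfw must resolve with DNS at rule-load time."""
    return [(r["num"], ep) for r in rules for ep in _endpoints(r["toks"])
            if ep not in ("any", "me") and _as_network(ep) is None]

def last_inbound_deny_unlogged(rules):
    """Number of the highest inbound deny if it lacks 'log', else None."""
    last = max((r for r in rules if r["action"] == "deny" and "in" in r["toks"]),
               key=lambda r: r["num"])
    return None if "log" in last["toks"] else last["num"]

if __name__ == "__main__":
    rules = parse_rules(RULES, VARS)
    stray, missing = bogon_list_problems(rules)
    print("out of file order:", file_order_mismatches(rules))
    print("stray bogon entries:", stray, "| RFC1918 not denied:", missing)
    print("inbound keep-state without setup:", inbound_keep_state_without_setup(rules))
    print("DNS-resolved endpoints:", hostname_endpoints(rules))
    print("final inbound deny without log:", last_inbound_deny_unlogged(rules))
```

Run as a script it prints each finding; the same functions can be pointed at the real file once its variables are expanded. The RFC 1918 coverage check is the one that catches a mistyped octet: the stray entry and the block it was meant to be are reported side by side.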
/etc/hosts.allow (tcp wrappers) adds a second, independent layer in case the IPFW rules are bypassed or misconfigured. It only covers daemons linked against libwrap, such as the base system sshd; httpd and cupsd inside the jail do not use libwrap and rely on the packet filters alone.
#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: release/9.1.0/etc/hosts.allow 161710 2006-08-29 09:20:48Z ru $
#
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
#ALL : ALL : allow
sshd : xxx.xxx.xxx.xxx/255.255.255.0 : allow
# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny
# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny
# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
#ALL : localhost 127.0.0.1 : allow
# Comment out next line if you build libwrap without IPv6 support.
#ALL : [::1] : allow
#ALL : my.machine.example.com 192.0.2.35 : allow
# To use IPv6 addresses you must enclose them in []'s
#ALL : [fe80::%fxp0]/10 : allow
#ALL : [fe80::]/10 : deny
#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
#ALL : [2001:db8:2:1::]/64 : allow
# Sendmail can help protect you against spammers and relay-rapers
#sendmail : localhost : allow
#sendmail : .nice.guy.example.com : allow
#sendmail : .evil.cracker.example.com : deny
#sendmail : ALL : allow
# Exim is an alternative to sendmail, available in the ports tree
#exim : localhost : allow
#exim : .nice.guy.example.com : allow
#exim : .evil.cracker.example.com : deny
#exim : ALL : allow
# Rpcbind is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
#rpcbind : ALL : deny
# NIS master server. Only local nets should have access
# (Since this is an RPC service, rpcbind needs to be considered)
#ypserv : localhost : allow
#ypserv : .unsafe.my.net.example.com : deny
#ypserv : .my.net.example.com : allow
#ypserv : ALL : deny
# Provide a small amount of protection for ftpd
#ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
#ftpd : ALL : allow
# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
#fingerd : ALL \
# : spawn (echo Finger. | \
# /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
# : deny
# The rest of the daemons are protected. A colon inside a shell command must
# be escaped as "\:" or hosts_access(5) reads it as a field separator, the
# command is run by /bin/sh so "(%c)" and "=>" must be quoted, and twist,
# allow and deny are terminal: a second ALL : ALL rule can never be reached
# under first-match-wins, so the log entry and the twist share one rule.
ALL : ALL : severity auth.info : spawn /bin/echo "`/bin/date` [%a](%c)\: %d => %p" >> /var/log/access.log : twist /bin/echo "RECVLOG\: `/bin/date` [%a](%c)\: %d => %p Trace started..."
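Whether a catch-all rule does what it appears to do depends on how tcp wrappers reads the file: fields are split on unescaped colons, the first matching rule wins, and allow, deny and twist end processing. The following added example (not part of the original page) models that hosts_access(5) decision for one (daemon, client) pair. AS_ON_PAGE reproduces the two ALL : ALL rules in the form the original hosts.allow used (unescaped colons, a deny after the twist), with the redacted SSH subnet replaced by a TEST-NET range; FIXED is the same intent with the colons escaped and a single terminal catch-all. Client patterns are limited to ALL, PARANOID, a dotted IPv4 address and addr/netmask; hostname patterns and EXCEPT lists are not modelled.

```python
"""First-match evaluation of /etc/hosts.allow rules in hosts_options(5) syntax.

Added example, not part of the original page. Client patterns supported: ALL,
PARANOID, a dotted IPv4 address and addr/netmask. EXCEPT and hostnames are not.
"""
import ipaddress

TERMINAL = ("allow", "deny", "twist")  # options that end rule processing

# Constructed from the page's file; the redacted subnet is replaced by TEST-NET-2
# and the two ALL : ALL rules are exactly as the original file wrote them.
AS_ON_PAGE = r"""
sshd : 198.51.100.0/255.255.255.0 : allow
ALL : PARANOID : RFC931 20 : deny
ALL: ALL : severity auth.info : twist /bin/echo RECVLOG: `/bin/date` [%a](%c): %d => %p Trace started... : deny
ALL: ALL : severity auth.info : spawn /bin/echo `/bin/date` [%a](%c): %d => %p >>/var/log/access.log : deny
"""

# Same intent with colons escaped, shell quoting, and one terminal catch-all.
FIXED = r"""
sshd : 198.51.100.0/255.255.255.0 : allow
ALL : PARANOID : RFC931 20 : deny
ALL : ALL : severity auth.info : spawn /bin/echo "`/bin/date` [%a](%c)\: %d => %p" >> /var/log/access.log : twist /bin/echo "RECVLOG\: `/bin/date` [%a](%c)\: %d => %p Trace started..."
"""

def split_fields(line):
    """Split a rule on ':' the way hosts_access does, honouring the '\\:' escape."""
    fields, buf, i = [], "", 0
    while i < len(line):
        if line.startswith("\\:", i):
            buf, i = buf + ":", i + 2
        elif line[i] == ":":
            fields.append(buf.strip())
            buf, i = "", i + 1
        else:
            buf, i = buf + line[i], i + 1
    fields.append(buf.strip())
    return fields

def parse_rules(text):
    """Rules in file order: daemon list, client list and the remaining option fields."""
    rules = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        f = split_fields(raw)
        rules.append({"daemons": f[0].split(), "clients": f[1].split(), "options": f[2:]})
    return rules

def client_matches(pattern, client_ip, dns_mismatch=False):
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":  # forward and reverse DNS for the client disagree
        return dns_mismatch
    if "/" in pattern:  # a.b.c.d/m.m.m.m
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip

def terminal_option(rule):
    """The option field that decides the rule, or None if it has no terminal option."""
    for opt in rule["options"]:
        words = opt.split()
        if words and words[0] in TERMINAL:
            return opt
    return None

def decide(rules, daemon, client_ip, dns_mismatch=False):
    """Return (decision, index of the matching rule). With no hosts.deny file, as
    on FreeBSD, a rule without a terminal option and a complete miss both allow."""
    for idx, rule in enumerate(rules):
        if not any(d in ("ALL", daemon) for d in rule["daemons"]):
            continue
        if not any(client_matches(c, client_ip, dns_mismatch) for c in rule["clients"]):
            continue
        term = terminal_option(rule)
        return (term.split()[0] if term else "allow"), idx
    return "allow", None

def unreachable_rules(rules):
    """Indices of rules after a terminal ALL : ALL rule; they can never match."""
    for idx, rule in enumerate(rules):
        if "ALL" in rule["daemons"] and "ALL" in rule["clients"] and terminal_option(rule):
            return list(range(idx + 1, len(rules)))
    return []

if __name__ == "__main__":
    for label, text in (("as on page", AS_ON_PAGE), ("fixed", FIXED)):
        rules = parse_rules(text)
        print(label, "| sshd from 203.0.113.9 ->", decide(rules, "sshd", "203.0.113.9"))
        print(label, "| unreachable rules:", unreachable_rules(rules))
        print(label, "| catch-all runs:", terminal_option(rules[2]))
```

For the original form the catch-all's command comes out as "/bin/echo RECVLOG": everything after the unescaped colon became separate option fields, and the spawn rule that was meant to write /var/log/access.log is unreachable. The fixed form keeps the whole quoted command in one field and logs and twists from the same rule.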
Here is the primary configuration for the remainder of the OS (/etc/rc.conf). It includes the network configuration, jail configuration, OS security options and network service parameters.
hostname="example"
ifconfig_em0="inet xxx.xxx.xxx.xxx netmask 255.255.255.0 broadcast xxx.xxx.xxx.xxx"
defaultrouter="xxx.xxx.xxx.xxx"
# Enabled services
sshd_enable="YES"
syslogd_flags="-ss"
#jail_mount_enable="YES"
# NAT routing for jail & alias interface
ifconfig_em0_alias0="inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255"
static_routes="internal"
route_internal="-net 192.168.1.0/24 xxx.xxx.xxx.xxx"
# Enable PF for NAT forwards
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pf/pf.log"
# Disabled services
sendmail_enable="NONE"
portmap_enable="NO"
inetd_enable="NO"
# Disable ipv6
ip6addrctl_enable="NO"
ip6addrctl_policy="ipv4_prefer"
ipv6_network_interfaces="NONE"
ipv6_activate_all_interfaces="NO"
# Security level (3 = network secure mode: on top of levels 1 and 2, the ipfw
# and pf rule sets cannot be changed, so a rule change requires a reboot)
kern_securelevel_enable="YES"
kern_securelevel=3
# Clear /tmp on boot
clear_tmp_enable="YES"
# Network hardening
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
log_in_vain="YES"
tcp_drop_synfin="YES"
# Firewall settings (firewall_script replaces /etc/rc.firewall, so
# firewall_type="client" is not consulted; the rules come from /etc/ipfw.conf)
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_type="client"
firewall_quiet="NO"
firewall_logging="YES"
# Jail settings
jail_enable="YES"
jail_list="myprint"
jail_myprint_rootdir="/opt/jail/myprint"
jail_myprint_hostname="printing.dev"
jail_myprint_ip="192.168.1.10"
jail_myprint_devfs_enable="YES"
#jail_myprint_mount_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
The myprint service accepts file uploads, and the MIME type a browser declares for an upload is chosen by the client and cannot be trusted. Several precautions were therefore taken in both the host and the jail configuration; they are meant to severely limit an attacker who gets past the application's own upload filtering (heuristic and signature based) and exploits the PHP interpreter's file handling.
The jail resides in the /opt/jail/myprint folder.
The jail runs two services, cupsd and httpd, for printing and web access. The current configuration follows.
Currently the myprint service handles wireless printing for students in the Marriott Library Knowledge Commons (2nd floor), the public areas on the first and second floors, the digital arts and scholarly labs, the Union lab, the Benchmark lab and the Sage Point labs.
# Printer configuration file for CUPS v1.5.4
# Written by cupsd on 2012-12-12 03:13
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
<Printer ben-1>
UUID urn:uuid:80952f06-ce59-3f2c-6fb5-9c04f6ed39b5
Info Bench bw
Location Benchmark
MakeModel HP LaserJet 9000 Series Postscript (recommended)
DeviceURI lpd://example.com/ben-1
State Idle
StateTime 1335375685
Type 8433876
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer bencolor>
UUID urn:uuid:760568ce-0be5-36b2-6af8-0457f5282dfd
Info Benchmark Color
Location Benchmark
MakeModel HP Color LaserJet 4700 Postscript (recommended)
DeviceURI lpd://example.com/bencolor
State Idle
StateTime 1328584369
Type 8425692
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer fa-1>
UUID urn:uuid:4befc80e-6c06-37cc-4abf-b91adea05822
Info Fine Arts
Location Fine Arts Library
MakeModel HP Color LaserJet 4600 v3010.107 Postscript (recommended)
DeviceURI lpd://example.com/Fa-1
State Idle
StateTime 1329424038
Type 8425676
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer gr-1>
UUID urn:uuid:fbaae222-0eba-37a9-411f-185ddaaec592
Info General reference printer
Location Level 2 public
MakeModel HP LaserJet 9000 Series Postscript (recommended)
DeviceURI lpd://example.com/gr-1
State Idle
StateTime 1329099047
Type 8433876
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer kc-1>
UUID urn:uuid:cd485ec4-4bc6-3ea9-47ff-a78373f7f8ab
Info Knowledge commons black & white
MakeModel HP LaserJet 9000 Series Postscript (recommended)
DeviceURI lpd://example.com/kc-1
State Idle
StateTime 1351025856
Type 8433876
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer Kc-color>
UUID urn:uuid:7800e1ec-6683-3495-63ce-e438496c146c
Info KC Color Printer
Location Knowledge Commons
MakeModel HP Color LaserJet 4730mfp Postscript (recommended)
DeviceURI lpd://example.com/kc-color
State Idle
StateTime 1338401866
Type 8425692
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer PCGroup>
UUID urn:uuid:4a9d5409-ba72-3e52-4578-21515a38432c
Info PCGroup printer
Location PCGroup
MakeModel HP LaserJet 8150 Series Postscript (recommended)
DeviceURI lpd://example.com/CMS-5
State Idle
StateTime 1314385627
Type 8433860
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
<Printer pub-1>
UUID urn:uuid:e330781b-88d8-312d-5366-fd7373a23536
Info Level 1 public printer
Location Level 1 public
MakeModel HP LaserJet 8150 Series Postscript (recommended)
DeviceURI lpd://example.com/pub-1
State Idle
StateTime 1335204039
Type 8433876
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer pub-2>
UUID urn:uuid:c1b17dbd-65d7-3637-7d8f-81df10adc13c
Info Level 2 public printer
Location Level 2 public
MakeModel HP LaserJet 9050 Postscript (recommended)
DeviceURI lpd://example.com/pub-2
State Idle
StateTime 1335370443
Type 8433876
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer sage-1>
UUID urn:uuid:41e6c0d9-21e5-3526-642f-1fdbad070d5a
Info Sage BW Printer
Location Sage Point Lab
MakeModel HP LaserJet 9000 Series Postscript (recommended)
DeviceURI lpd://example.com/sage-1
State Idle
StateTime 1335225820
Type 8433860
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer sr-1>
UUID urn:uuid:9ae9c091-d887-3fba-7ba9-8538cccc2dcc
Info SR-1
Location 1st Floor Reference
MakeModel HP LaserJet 9000 Series Postscript (recommended)
DeviceURI lpd://example.com/sr-1
State Idle
StateTime 1329084679
Type 8433860
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer st-1>
UUID urn:uuid:c63a0094-acc0-37e0-51a6-b2162e103f03
Info Studio BW Printer
Location Digital Scholarship Lab
MakeModel HP LaserJet 9000 Series Postscript (recommended)
DeviceURI lpd://example.com/st-1
State Idle
StateTime 1328133904
Type 8433860
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer un-1>
UUID urn:uuid:35881893-fa63-344e-523a-e1ca5b891324
Info Union Black & White
Location Union
MakeModel HP LaserJet 9000 MFP Postscript (recommended)
DeviceURI lpd://example.com/un-1
State Idle
StateTime 1335376330
Type 8433876
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
<Printer un-color>
UUID urn:uuid:f109f5ec-9df4-37be-6e67-f421cd91e432
Info Union color
MakeModel HP Color LaserJet 4730mfp Postscript (recommended)
DeviceURI lpd://example.com/un-color
State Idle
StateTime 1335383752
Type 8425692
Accepting Yes
Shared No
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy abort-job
</Printer>
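The printers.conf above and the ipfw script earlier constrain each other: ipfw only permits LPR traffic to the two named print servers, so a queue whose DeviceURI points anywhere else is blocked (and logged) by the outbound deny rule. The following added example, which is not the page's code, parses printers.conf into per-queue attributes and cross-checks each DeviceURI host against that allowlist. PRINTERS_CONF is a constructed excerpt in the format shown above (the page redacts its URIs to example.com, so the hosts here are made up, two of them deliberately off-list) and ALLOWED_PRINT_SERVERS repeats the two hostnames from the page's ipfw variables.

```python
"""Parse a CUPS printers.conf and check each queue's DeviceURI against the
host's egress allowlist.

Added example, not part of the original page. PRINTERS_CONF is a constructed
excerpt; ALLOWED_PRINT_SERVERS stands in for the hosts /etc/ipfw.conf allows.
"""
import re
from urllib.parse import urlsplit

ALLOWED_PRINT_SERVERS = {"dc1-mmc.scl.utah.edu", "dc5-staff.scl.utah.edu"}
NETWORK_SCHEMES = {"lpd", "socket", "ipp", "ipps", "http", "https", "smb"}

PRINTERS_CONF = """\
# Printer configuration file for CUPS v1.5.4
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
<DefaultPrinter kc-1>
Info Knowledge commons black & white
DeviceURI lpd://dc1-mmc.scl.utah.edu/kc-1
Accepting Yes
Shared Yes
ErrorPolicy abort-job
</Printer>
<Printer un-color>
Info Union color
DeviceURI lpd://dc5-staff.scl.utah.edu/un-color
Accepting Yes
Shared No
ErrorPolicy abort-job
</Printer>
<Printer PCGroup>
Info PCGroup printer (constructed: points at a host outside the allowlist)
DeviceURI lpd://cms-old.example.com/CMS-5
Accepting Yes
Shared Yes
ErrorPolicy stop-printer
</Printer>
<Printer loaner>
Info Direct JetDirect queue (constructed: raw socket to a printer)
DeviceURI socket://198.51.100.200:9100
Accepting Yes
Shared No
ErrorPolicy abort-job
</Printer>
"""

BLOCK_RE = re.compile(r"^<(Default)?Printer (\S+)>\n(.*?)^</Printer>", re.S | re.M)

def parse_printers_conf(text):
    """Map queue name -> attribute dict; a repeated key keeps its last value."""
    printers = {}
    for m in BLOCK_RE.finditer(text):
        attrs = {"Default": m.group(1) is not None}
        for line in m.group(3).splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                attrs[key] = value.strip()
        printers[m.group(2)] = attrs
    return printers

def device_host(uri):
    """Lower-cased host of a network DeviceURI; None for local (usb:, parallel:) URIs."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in NETWORK_SCHEMES or not parts.hostname:
        return None
    return parts.hostname.lower()

def egress_violations(printers, allowed_hosts):
    """(queue, uri) pairs whose target host the outbound firewall does not allow."""
    allowed = {h.lower() for h in allowed_hosts}
    bad = []
    for name, p in printers.items():
        uri = p.get("DeviceURI", "")
        host = device_host(uri)
        if host is not None and host not in allowed:
            bad.append((name, uri))
    return sorted(bad)

def shared_queues(printers):
    """Queues announced to the network (Shared Yes), sorted by name."""
    return sorted(n for n, p in printers.items() if p.get("Shared") == "Yes")

if __name__ == "__main__":
    queues = parse_printers_conf(PRINTERS_CONF)
    print("queues:", sorted(queues))
    print("egress violations:", egress_violations(queues, ALLOWED_PRINT_SERVERS))
    print("shared:", shared_queues(queues))
```

The two constructed off-list queues are reported; the two that point at the allowed servers are not. The lpd:// transport itself is unauthenticated cleartext, which is another reason to keep the set of reachable print servers short, and Shared Yes queues are announced by cupsd, so both lists deserve a glance whenever a queue is added.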
Isn't it bad practice to mix pf and ipfw?