Changes between Version 5 and Version 6 of doc/TorBrowser/SmartOS_Sandboxing


Timestamp:
Mar 4, 2016, 4:22:23 PM (20 months ago)
Author:
dawuud
Comment:

--

  • doc/TorBrowser/SmartOS_Sandboxing

    v5 v6  
    2626== global zone configuration ==
    2727
    28 I recommend that the global zone have several changes such as disabling ssh password login and using strict firewall rules.
     28I recommend that the global zone have several changes such as disabling ssh password login, changing the ssh listening port and using strict firewall rules.
    2929
    3030my '''/usbkey/config''' looks like this:
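Review bot: the modified sentence now recommends "changing the ssh listening port" but gives no hint where that is done or that the firewall must agree with it; the inbound pass rule added later in this same revision still admits port 22 while the outbound rule uses 46341. Suggest extending the sentence to say that the sshd listening port and the inbound ipf rule have to be changed together, otherwise a reader following the text ends up with sshd on a high port that the ruleset never lets in.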
     
    4040etherstub="switch0"
    4141}}}
     42
     43firewall rules in '''/etc/ipf/ipf.conf'''; you'll have to change the rule for your DNS resolver IPv4 address and I also recommend that you not use ssh port 22 but instead pick a high port number:
     44{{{
     45#
     46# ipf.conf
     47#
     48# IP Filter rules to be loaded during startup
     49#
     50# See ipf(4) manpage for more information on
     51# IP Filter rules syntax.
     52
     53#
     54# this ipf ruleset is intended to be used with SmartOS
     55
     56# OUTBOUND rules
     57
     58# allow dns out to DDD.DDD.DDD.DDD
     59pass out quick on vioif0 proto tcp from any to DDD.DDD.DDD.DDD port = 53 flags S keep state
     60pass out quick on vioif0 proto udp from any to DDD.DDD.DDD.DDD port = 53 keep state
     61
     62# DHCP
     63# Allow access to ISP's specified DHCP server for cable or DSL networks.
     64# Use the first rule, then check log for the IP address of DHCP server.
     65# Then, uncomment the second rule, replace z.z.z.z with the IP address,
     66# and comment out the first rule
     67pass out log quick on vioif0 proto udp from any to any port = 67 keep state
     68#pass out quick on vioif0 proto udp from any to z.z.z.z port = 67 keep state
     69
     70# Allow HTTP and HTTPS
     71pass out quick on vioif0 proto tcp from any to any port = 80 flags S keep state
     72pass out quick on vioif0 proto tcp from any to any port = 443 flags S keep state
     73
     74# Allow ssh
     75pass out quick on vioif0 proto tcp from any to any port = 46341 flags S keep state
     76
     77# Allow NTP
     78pass out quick on vioif0 proto tcp from any to any port = 37 flags S keep state
     79
     80# Allow ping
     81pass out quick on vioif0 proto icmp from any to any icmp-type 8 keep state
     82
     83# Block and log everything else
     84block out log first quick on vioif0 all
     85
     86# INCOMING rules
     87
     88# BLOCKING rules
     89
     90# Block all inbound traffic from non-routable or reserved address spaces
     91block in quick on vioif0 from 192.168.0.0/16 to any    #RFC 1918 private IP
     92block in quick on vioif0 from 172.16.0.0/12 to any     #RFC 1918 private IP
     93#block in quick on vioif0 from 10.0.0.0/8 to any        #RFC 1918 private IP
     94block in quick on vioif0 from 127.0.0.0/8 to any       #loopback
     95block in quick on vioif0 from 0.0.0.0/8 to any         #loopback
     96block in quick on vioif0 from 169.254.0.0/16 to any    #DHCP auto-config
     97block in quick on vioif0 from 192.0.2.0/24 to any      #reserved for docs
     98block in quick on vioif0 from 204.152.64.0/23 to any   #Sun cluster interconnect
     99block in quick on vioif0 from 224.0.0.0/3 to any       #Class D & E multicast
     100
     101# Block fragments and too short tcp packets
     102block in quick on vioif0 all with frags
     103block in quick on vioif0 proto tcp all with short
     104
     105# block source routed packets
     106block in quick on vioif0 all with opt lsrr
     107block in quick on vioif0 all with opt ssrr
     108
     109# Block OS fingerprint attempts and log first occurrence
     110block in log first quick on vioif0 proto tcp from any to any flags FUP
     111
     112# Block anything with special options
     113block in quick on vioif0 all with ipopts
     114
     115# Block public pings and ident
     116block in quick on vioif0 proto icmp all icmp-type 8
     117block in quick on vioif0 proto tcp from any to any port = 113
     118
     119# Block incoming Netbios services
     120block in log first quick on vioif0 proto tcp/udp from any to any port = 137
     121block in log first quick on vioif0 proto tcp/udp from any to any port = 138
     122block in log first quick on vioif0 proto tcp/udp from any to any port = 139
     123block in log first quick on vioif0 proto tcp/udp from any to any port = 81
     124
     125# ALLOW rules
     126
     127## Allow traffic in from ISP's DHCP server. Replace z.z.z.z with
     128## the same IP address used in the outbound section.
     129#pass in quick on vioif0 proto udp from z.z.z.z to any port = 68 keep state
     130pass in quick on vioif0 proto udp from any to any port = 68 keep state
     131
     132# Allow SSH
     133pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags
     134
     135# Block and log only first occurrence of all remaining traffic.
     136block in log first quick on vioif0 all
     137
     138}}}
     139
     140
    42141
    43142== creation of zones ==
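Review bot: the inbound SSH rule `pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags` contradicts both the prose above ("pick a high port number") and the outbound rule on port 46341; it keeps port 22 open and, unlike every other rule in the file, has no `on vioif0`, so it applies to all interfaces. Suggest `pass in quick on vioif0 proto tcp from any to any port = <sshd port> flags S/FSRPAU keep state keep frags` with the same port sshd is actually configured to listen on. Two comment/rule mismatches are also worth fixing so readers do not copy them: the rule under "# Allow NTP" passes `proto tcp ... port = 37`, which is the RFC 868 time protocol, whereas NTP is UDP port 123 and would currently be caught by `block out log first quick on vioif0 all`; and the line `block in quick on vioif0 from 0.0.0.0/8 to any #loopback` labels 0.0.0.0/8 as loopback although it is the "this network" range (loopback is the 127.0.0.0/8 line just above it). Finally, `port = 81` sits under "# Block incoming Netbios services" but is not a NetBIOS port; either move it under its own comment or drop it, since the trailing `block in log first quick on vioif0 all` already denies it.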