Bulldog is a powerful but lightweight firewall for heavy use systems. With
many features, this firewall can be used by anyone who wants to protect
his/her systems. This system allows dynamic and static rule sets for maximum
protection and has several advanced features.
This firewall will work for the hobbyist or a military base. Generation 7 is
a complete rewrite and redesign from scratch and still evolving.
Be prepared to spend some time setting this up. If you are looking for a
"quick fix", then you are on the wrong site. BullDog is NOT a quick fix, but
rather one step in a complete security policy.
It is covered by the GPL and is FREE and always will be.
I encourage and welcome anyone who wants to port and/or provide ideas/code to
better this software.
I would like to see this software developed into a new breed of firewall that
provides the best of security with ease of use.
This software was developed on Linux v2.2.16-17 and v2.4 with 64 megs to 1 Gig
of RAM and supports iptables via the ip_queue kernel module. Bulldog will NOT
run on Windows systems.
Please be sure to read this page carefully. There are many aspects to Bulldog
that can be confusing. Below are detailed instructions. If you have any
questions or comments, please feel free to e-mail me.
Important Changes:
IMPORTANT: MAJOR UPGRADE! BullDog's collector has undergone a major upgrade.
Please read the updated information carefully and BACK UP ALL PREVIOUS copies
of BullDog (source and the /sbin/bulldog directory) before attempting to work
with this version. Copy your bulldog.conf to your root directory or some other
safe and secure area. Erase ALL files in /sbin/bulldog and /sbin/bulldog/Work
after shutting down BullDog but before you install the new version.
This web page IS the documentation. Be
sure to print this web page. I decided to go this way for speed
of production. I audited my server logs and found that 1000's of people
rely on this software as part of their security policy. As such, timeliness
is critical.
Be sure you inspect the define statements in the bulldog.h file. Many of these
settings can and need to be tweaked for your system, especially DYNAMIC if you
have a dynamic IP based system such as dial-up or DHCP. Feedback is appreciated
on these routines as it is difficult for me to test these functions.
The pcap library is no longer used by BullDog. BullDog now requires the libipq
library from the iptables (netfilter) package. As always, iptables (and now
libipq) must be installed and your kernel set up properly (the ip_queue module
must be available or compiled into the kernel). Consult the NetFilter site for
further information and instructions.
Promiscuous operations have been removed, as the libipq method provides this
without the risks and concerns associated with having a NIC in promiscuous
mode.
Dynamic addresses are now supported. This is a compile time feature and must
be enabled by uncommenting the #define DYNAMIC line in the bulldog.h file. A
recompile is necessary to use the new functions.
With the new collector/processor method, dynamic IP
address systems should perform as well as static IP address systems.
A new module has been added to validate IP addresses in the DNS database. The
validator handles active traffic only. This is based on the BIND 9
Administrator's manual, max_cache_ttl. BIND defaults to 7 days as a cache TTL;
BullDog uses 3 days as a TTL to maintain absolutely up-to-date information on
active IP traffic.
The DNS Database now has two modes: Research and Non-Research
or Active. This is controlled by the usage of the DNS Spider module.
See below for the DNSSPIDER define statement.
BullDog now has a scan only define (in bulldog.h) that
will allow all aspects of BullDog to run without actually blocking IP
addresses. This enhancement increases testing and diagnostics productivity
in a safe environment. It is also very important to use the SCANONLY
mode to build your initial DNS Database if you plan on using domain
name based rules to prevent false blocks.
Downloads:
BullDog.tar.bz2
(REQUIRED), updated:
Tuesday, October 18, 2005 at 11:17:50 PM
DNS Database,
392,893,544
entries, updated:
Thursday, October 18, 2007 at 03:58:45 AM
WGET or LFTP are the ONLY agents that can be used to fetch the raw DNS
database (Research). It has grown well beyond feasible limits to try to
compress. Using this method means the DNS database is updated in real time.
The DNS Database is NOT REQUIRED.
If you do NOT install the DNS-Database, BullDog
will build a new one based upon the traffic to your system and its
internal domain spider. The internal domain spider now defaults to
off. Using the domain spider tells BullDog to build a research database
as well as the active database.
Installation:
Step-by-step description. These descriptions are here for the new or novice
users of BullDog. Experts already know what to do. The Linux commands for each
step are listed after it (press enter after each command).

1. Download the above listed files to a safe area like /usr/src.

2. Make a directory under /sbin called bulldog. Make sure ONLY root can read
this directory.
    mkdir /sbin/bulldog
    chown root:root /sbin/bulldog
    chmod 700 /sbin/bulldog

3. Change to the bulldog directory.
    cd /sbin/bulldog

4. Copy the BullDog.tar.bz2 file to the current directory.
    cp /usr/src/BullDog.tar.bz2 /sbin/bulldog

5. Unpack the BullDog.tar.bz2 file.
    bzip2 -d BullDog.tar.bz2
    tar -xf BullDog.tar

6. Pick a drive that can hold at LEAST 5 gigs of data. Note that the current
DNS database is 20 GIGS. You should always double your estimated value at the
very minimum. This is for a symbolic link to the DNS database. I'll use /home
as an example. This area can be user readable based upon Administrator
preference.
    mkdir /home/dns
    ln -sf /home/dns /sbin/bulldog/dns

7. Inspect the bulldog.h defines. Be sure they are as you want them (see below
for an in-depth description). Compile the source in debug mode to be sure it
compiles clean on your system. Debug mode will report unused variables; ignore
these. They will go away shortly as I continue to clean up the code.

7a. Only AFTER you have checked that it compiles AND you have made your
initial configuration, use COMPILE instead of DEBUG. Before making any changes
to the code, always make a backup copy of the original. Things can always go
wrong, including simple typing errors.
    ./DEBUG
    or
    ./COMPILE

Now comes the hard part. BullDog needs to be configured to
run properly.
Configuration is perhaps the most difficult part and will
most likely require the most time.
This is the most important tip: KNOW YOUR SYSTEM.
System Requirements: LINUX (NOT WINDOWS), 64 megs of ram
(Recommended at least 256 megs of ram), at least 5 megs disk space (This size
is a rough estimate of an IP traffic based DNS Database), IPTABLES and LIBIPQ.
These numbers are for BullDog without the current DNS Database. The DNS
Database on my system is a RESEARCH database. A non-research database will NOT
be this large. If you want the current DNS Database, then the minimum is 256
megs of ram and AT LEAST 20 GIGS of disk space.
Operator requirements: PATIENCE, a good amount of time to
study your system, pen and paper for notes. PRINT this web page for quick
and easy reference.
IMPORTANT: BullDog does NOT come with
a configuration, YOU must provide a configuration for YOUR machine...
A sample file however is provided. The InitFW script MUST be modified
for YOUR system.
Below is a complete list of defines from the bulldog.h file that can and
should be adjusted/inspected (not necessarily in the same order), with a
detailed description of each:

DEBUG
Debugging enabled:
    #define DEBUG
Debugging Disabled (default):
    //#define DEBUG

This option puts BullDog in diagnostics mode. It affects all modules and
causes BullDog to display lots of information to the screen.

DYNAMIC
Use dynamic IP addresses:
    #define DYNAMIC
Use static IP addresses (default):
    //#define DYNAMIC

This option tells BullDog that it will run on a dialup or DHCP system where
the user does not know what IP address will be issued. This causes BullDog to
determine what the IP address(es) are and use extra code to keep track of
them.

SCANONLY
Passive Operations:
    #define SCANONLY
Active (IP blocking enabled, default):
    //#define SCANONLY

This option tells BullDog to do all normal operations, including logging, but
NOT actually block an IP address. This is very useful when testing the
configuration or testing BullDog itself with no negative effects on your
system. This option is also useful for first time users to build the initial
DNS database.

DNSSPIDER
Build research DNS Database:
    #define DNSSPIDER
Do NOT build the research database (default):
    //#define DNSSPIDER

This option controls BullDog's DNS Database and how it will be managed. If the
DNS spider is enabled, BullDog builds a research version. The research version
can grow quite large, and currently requires 20 GIGS of disk space.
If the DNS spider is NOT enabled, BullDog builds a DNS Database using IP
traffic only. The resulting database is significantly smaller. Testing has
suggested around 5 MEGS. Mileage WILL vary though, as it is based on YOUR
actual traffic.

DShield
Send last hour's logs:
    #define DShield
No communications to DShield (default):
    //#define DShield

This option tells BullDog that once an hour it will send attack data to the
DShield.org website. This system is a member of DShield and supports law
enforcement ridding the internet of criminal hackers (crackers).
This option is disabled on dynamic IP systems.
For this to work, you must have a DShield user ID. See DSUSER.

DSUSER
If you have a DShield ID:
    #define DSUSER "<id number>"
If you do not have a number (default):
    //#define DSUSER ""

This is for DShield usage only. The user ID is sent via email when you sign up
to DShield.
I openly recommend and encourage participating in the DShield community.

MAXTHREADS
Default settings:
    #ifdef DYNAMIC
    #define MAXTHREADS 16
    #define MAXRESOLVERS 3
    #define MAXDNSQ 3
    #define MAXVAL 3
    #else
    #define MAXTHREADS 40
    #define MAXRESOLVERS 12
    #define MAXDNSQ 12
    #define MAXVAL 12
    #endif

This is the number of packet processors; too many can cause a deadlock, too
few can cause packet overload and dropped packets. Research indicates 40 seems
to be a good value for a heavily loaded 1Mbps pipe.
NOTE: This number will be different for static and dynamic systems.
The way I have found that seems to work is using the top command and watching
the %CPU item. Mileage will vary. If your system is sluggish, this value may
be too high. You should see no difference in system operations.

MAXRESOLVERS
This is the number of resolvers spawned for the DNS database refresh engine.
12 is a comfortable number for a 1Mbps pipe.
See note for MAXTHREADS. This value should not be as high as MAXTHREADS.

MAXDNSQ
This is the number of DNS Queue resolvers for the packet processors.
I find a value of 12 or higher to be good for a 1Mbps pipe.
See note for MAXTHREADS. This value should not be as high as MAXTHREADS.

MAXVAL
This is the number of DNS Validators for the packet processors.
I find a value of 12 or higher to be good for a 1Mbps pipe. Typically this
value may be equal to or larger than MAXDNSQ.
See note for MAXTHREADS. This value should not be as high as MAXTHREADS.

Example Configuration File: /sbin/bulldog/bulldog.conf (Heavily Commented)

# BullDog Configuration
# Blank lines are ignored
# This is a comment. Use them generously.
# A new feature to BullDog is Lists. Lists allow you to define groups
# that can replace several rules with one rule. Lists can only be used
# in rules.
L kernel 20-21 any
L mmedia 2828 6170-7171 1755 8000-9000 1075 3155 9010 16792
# Internal or local addresses. These addresses are your IP assignments.
# BullDog will IGNORE these addresses when traffic is to AND from them.
# ie: traffic from 11.22.33.44 to/from 127.0.0.1 will NOT be scanned.
# USE WITH CARE.
# Local Host. This is a HEAVILY RECOMMENDED line.
# It must be the ONLY internal address if DYNAMIC is defined in bulldog.h
I 127.0.0.1
# Be sure to put YOURS here. STATIC IP SYSTEMS ONLY.
I 11.22.33.44
# Rules - all 5 parts are required.
# These are the rules for what is ALLOWED.
# If it's not here, it's NOT allowed into the system.
# The entry is as follows:
# R - Rule
# 11.22.33.44 - Source Address
# 80 - Source Port, in this case, the WWW
# any - Destination address, allow to any destination
# 1024-65535 - Destination Port - only allow this range, the word ANY
# equals this range
# t - Only allow TCP, u for UDP, i for ICMP, may be combined, ie tu
# If an ! is at the end of the line, then the rule is ONE WAY from source
# to dest.
# This first rule allows all traffic to/from the web server
R 11.22.33.44 80 any 1025-65535 t
# This rule allows all traffic destined to/from an inside
# system to an outside web server
R 11.22.33.44 any any 80 t
# Use the above model for any port/IP combination you want allowed
# For DNS Services. Remember, ANY in the port means 1024-65535.
R 11.22.33.44 53 any any tu
R 11.22.33.44 any any 53 tu
# The below is required if you have MicroSoft Windows on your LAN
# and it's an excellent example of domain usage in the rules
R 11.22.33.44 123 time.windows.com any tu
# These lines are required for basic operations. This prevents internal
# problems.
# For the LocalHost. Not necessary if you use the I command.
# This is ONE WAY because both source and destination are the same
R 127.0.0.1 0-65535 127.0.0.1 0-65535 tui!
# My external IP address(es)
R 11.22.33.44 any 11.22.33.44 any tui!
# Using the above L command in a rule.
# Lists need to be used with care as they can open holes that you
# do NOT want.
# Lists are a powerful feature. On my system, I reduced my rules from
# 294 to 17 with Lists.
R 11.22.33.44 any 204.152.189.116 $kernel tu
# Another example of using lists
# Common multimedia/misc ports
R 63.230.33.209 $mmedia any any tu
R 63.230.33.209 any any $mmedia tu
# Banned list. This can be an IP address or partial domain name
# The below bans every site that has the word click in it.
B click

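The rule syntax above, worked through as an added example that is not part of BullDog's code: a Python parser for the L, I, R and B directives and a matcher that applies the semantics the comments state (the word ANY as a port means 1024-65535, a trailing ! makes a rule one-way, otherwise a rule matches in both directions, and anything not allowed by an R rule is denied). Three points the comments leave open are assumptions made here and marked in the code: traffic is skipped only when BOTH endpoints are I addresses, B entries are checked before R rules, and the reverse-DNS names of the endpoints are looked up by the caller and passed in. The sample configuration is constructed from the page's own placeholder address.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
ANY_PORTS = (1024, 65535)   # the page: "the word ANY equals this range"

@dataclass
class Rule:
    src: str                        # IP address, domain name, or "any"
    sports: List[Tuple[int, int]]   # inclusive port ranges
    dst: str
    dports: List[Tuple[int, int]]
    protos: Set[str]                # subset of {"t", "u", "i"}
    one_way: bool                   # trailing "!" on the protocol field

@dataclass
class Config:
    lists: Dict[str, List[Tuple[int, int]]] = field(default_factory=dict)
    internal: Set[str] = field(default_factory=set)
    rules: List[Rule] = field(default_factory=list)
    banned: List[str] = field(default_factory=list)

def parse_port_spec(spec, lists):
    """Expand one port token (80, 20-21, any, $listname) into inclusive ranges."""
    if spec.startswith("$"):
        return list(lists[spec[1:]])   # KeyError if the list was never defined
    if spec.lower() == "any":
        return [ANY_PORTS]
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec}")
    return [(lo, hi)]

def parse_config(text):
    """Parse the L / I / R / B directives; blank lines and # comments are ignored."""
    cfg = Config()
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        kind, args = parts[0], parts[1:]
        if kind == "L":          # L name spec spec ...
            cfg.lists[args[0]] = [r for s in args[1:] for r in parse_port_spec(s, cfg.lists)]
        elif kind == "I":        # I address
            cfg.internal.add(args[0])
        elif kind == "B":        # B ip-or-partial-domain
            cfg.banned.append(args[0].lower())
        elif kind == "R":        # R src sport dst dport proto[!]
            if len(args) != 5:
                raise ValueError(f"line {lineno}: a rule needs all 5 parts")
            src, sp, dst, dp, proto = args
            one_way, proto = proto.endswith("!"), proto.rstrip("!").lower()
            if not proto or set(proto) - {"t", "u", "i"}:
                raise ValueError(f"line {lineno}: bad protocol field {args[4]!r}")
            cfg.rules.append(Rule(src, parse_port_spec(sp, cfg.lists), dst,
                                  parse_port_spec(dp, cfg.lists), set(proto), one_way))
        else:
            raise ValueError(f"line {lineno}: unknown directive {kind!r}")
    return cfg

def _addr_ok(pattern, ip, name):
    """'any', an exact IP, or a domain-name pattern matched against the resolved name."""
    pattern, name = pattern.lower(), name.lower()
    return pattern == "any" or pattern == ip or (
        bool(name) and (name == pattern or name.endswith("." + pattern)))

def _hits(r, src, sport, sname, dst, dport, dname):
    return (_addr_ok(r.src, src, sname) and any(lo <= sport <= hi for lo, hi in r.sports)
            and _addr_ok(r.dst, dst, dname) and any(lo <= dport <= hi for lo, hi in r.dports))

def decide(cfg, src, sport, dst, dport, proto, src_name="", dst_name=""):
    """Return 'ignore', 'banned', 'allow' or 'deny' for one packet. proto is 't', 'u' or
    'i' (ICMP has no ports: pass 0). *_name are reverse-DNS names supplied by the caller."""
    if src in cfg.internal and dst in cfg.internal:
        return "ignore"               # assumption: both endpoints internal => not scanned
    for ban in cfg.banned:            # assumption: bans are checked before allow rules
        if ban in (src, dst) or ban in src_name.lower() or ban in dst_name.lower():
            return "banned"           # exact IP, or "every site that has the word ... in it"
    for r in cfg.rules:
        if proto not in r.protos:
            continue
        if _hits(r, src, sport, src_name, dst, dport, dst_name):
            return "allow"
        if not r.one_way and _hits(r, dst, dport, dst_name, src, sport, src_name):
            return "allow"            # reply direction of a two-way rule
    return "deny"                     # "If it's not here, it's NOT allowed"

# Constructed sample in the page's format; 11.22.33.44 is the page's placeholder address.
SAMPLE_CONF = """
L kernel 20-21 any
I 127.0.0.1
I 11.22.33.44
R 11.22.33.44 80 any 1025-65535 t
R 11.22.33.44 123 time.windows.com any tu
R 127.0.0.1 0-65535 127.0.0.1 0-65535 tui!
R 11.22.33.44 any 204.152.189.116 $kernel tu
B click
"""
```

Two things this makes visible that the comments only imply. First, because ANY means 1024-65535, a rule such as the $kernel one allows a connection to port 21 but not to port 22, and an ICMP packet (port 0) is never matched by a rule whose port field is any. Second, the time.windows.com rule only allows the packet when the peer's IP has a current name in the DNS database; with no name known the same packet is denied, which is why the page tells first-time users to run in SCANONLY mode to build the DNS database before relying on domain name rules.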
After you have examined your system and configured the bulldog.conf file, be
sure to adjust the /sbin/bulldog/InitFW script to your system. Be sure to add
these commands to your start up scripts only AFTER extensive testing.

DNS Database count by zone, updated
Thursday, October 18, 2007 at 03:58:45 AM.
| Zone | Count |
| 3 | 77,672 |
| 4 | 10,503,450 |
| 6 | 9 |
| 8 | 10,162 |
| 12 | 2,882,549 |
| 13 | 4,687 |
| 15 | 416,328 |
| 16 | 207,722 |
| 17 | 103,097 |
| 18 | 103,815 |
| 19 | 155 |
| 20 | 46,097 |
| 24 | 11,944,656 |
| 25 | 3 |
| 32 | 245,604 |
| 33 | 5 |
| 34 | 8 |
| 35 | 39,850 |
| 38 | 127,113 |
| 40 | 60,280 |
| 41 | 50,985 |
| 43 | 1,368,555 |
| 44 | 13,335 |
| 45 | 1,730 |
| 47 | 2,619,729 |
| 52 | 86 |
| 53 | 34 |
| 55 | 11,486 |
| 56 | 2,169 |
| 57 | 10,082 |
| 58 | 1,099,724 |
| 59 | 1,623,505 |
| 60 | 7,904,303 |
| 61 | 4,961,043 |
| 62 | 6,186,155 |
| 63 | 5,258,135 |
| 64 | 6,352,401 |
| 65 | 6,967,728 |
| 66 | 8,967,037 |
| 67 | 8,913,382 |
| 68 | 12,369,841 |
| 69 | 7,545,054 |
| 70 | 6,136,399 |
| 71 | 1,969,060 |
| 72 | 778,427 |
| 73 | 323 |
| 74 | 529,420 |
| 75 | 547,146 |
| 76 | 393,948 |
| 77 | 299,622 |
| 78 | 139,916 |
| 79 | 252,118 |
| 80 | 9,033,804 |
| 81 | 9,745,828 |
| 82 | 8,621,417 |
| 83 | 6,945,032 |
| 84 | 5,085,485 |
| 85 | 1,250,250 |
| 86 | 747,964 |
| 87 | 976,308 |
| 88 | 806,176 |
| 89 | 687,692 |
| 90 | 369,065 |
| 91 | 357,484 |
| 92 | 1,024 |
| 96 | 30,896 |
| 97 | 27,315 |
| 98 | 51,388 |
| 99 | 13,171 |
| 116 | 11,781 |
| 117 | 1,065 |
| 118 | 5,728 |
| 121 | 86,339 |
| 122 | 181,837 |
| 123 | 37,012 |
| 124 | 203,707 |
| 125 | 1,327,255 |
| 126 | 16,776,664 |
| 127 | 1 |
| 128 | 2,304,487 |
| 129 | 1,897,608 |
| 130 | 1,941,476 |
| 131 | 1,286,936 |
| 132 | 828,149 |
| 133 | 477,637 |
| 134 | 1,378,844 |
| 135 | 3,610,109 |
| 136 | 458,481 |
| 137 | 1,006,257 |
| 138 | 756,240 |
| 139 | 782,121 |
| 140 | 771,179 |
| 141 | 1,308,191 |
| 142 | 848,230 |
| 143 | 704,965 |
| 144 | 1,749,537 |
| 145 | 7,284,532 |
| 146 | 1,136,691 |
| 147 | 667,286 |
| 148 | 1,938,652 |
| 149 | 687,997 |
| 150 | 869,999 |
| 151 | 2,705,322 |
| 152 | 938,259 |
| 153 | 132,901 |
| 154 | 167,115 |
| 155 | 875,747 |
| 156 | 291,482 |
| 157 | 392,776 |
| 158 | 898,136 |
| 159 | 764,173 |
| 160 | 646,196 |
| 161 | 1,510,450 |
| 162 | 313,055 |
| 163 | 984,207 |
| 164 | 621,745 |
| 165 | 868,789 |
| 166 | 2,802,311 |
| 167 | 426,358 |
| 168 | 759,373 |
| 169 | 249,737 |
| 170 | 349,280 |
| 171 | 209,901 |
| 172 | 5,574,182 |
| 188 | 1,001 |
| 189 | 1,243,183 |
| 190 | 435,057 |
| 192 | 885,988 |
| 193 | 1,741,151 |
| 194 | 2,208,453 |
| 195 | 2,766,049 |
| 196 | 328,005 |
| 198 | 1,026,283 |
| 199 | 1,080,539 |
| 200 | 5,825,419 |
| 201 | 2,993,442 |
| 202 | 2,722,240 |
| 203 | 3,420,587 |
| 204 | 1,404,773 |
| 205 | 1,043,207 |
| 206 | 1,831,990 |
| 207 | 3,162,084 |
| 208 | 2,205,484 |
| 209 | 4,391,647 |
| 210 | 3,623,775 |
| 211 | 1,797,948 |
| 212 | 4,546,530 |
| 213 | 5,342,392 |
| 214 | 19,632 |
| 215 | 514 |
| 216 | 5,907,858 |
| 217 | 6,310,846 |
| 218 | 5,909,548 |
| 219 | 10,361,413 |
| 220 | 7,976,130 |
| 221 | 8,160,442 |
| 222 | 2,264,169 |
| 224 | 174 |
| 228 | 16,110,688 |
| 230 | 16,726,802 |
| 231 | 16,512,657 |
| 233 | 516 |
| 255 | 1 |
| Total | 392,893,544 |