Re: ipfw/nated stateful rules example

From: Thomas T. Veldhouse (veldy_at_veldy.net)
Date: 01/19/04

  • Next message: Veronica Brainfluff: "Kernel Make troubleshooting"
    To: <fbsd_user@a1poweruser.com>, "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
    Date: Mon, 19 Jan 2004 16:25:56 -0600
    
    

    fbsd_user wrote:
    > I disagree with you that the /etc/rc.firewall is the best example.
    > It's really a good example of stateless rules, & how to use
    > scripting Symbolic substitution.
    >
    > I have working keep-state rule set using user-ppp -nat, but as soon
    > as I add that darn legacy divert rule and drop user-ppp -nat it will
    > not work. Dynamic stateful rules table always ends up with a
    > mis-match between public and private ip address. Moving the divert
    > rule around only changes which ip address gets posted to the
    > stateful table(ie: the private or public one).
    >
    > Test results look like that legacy divert subroutine call to NATD is
    > the problem. See same mis-match ip address problem when stateless
    > rules are used, but since there is no stateful table involved it
    > just slips by un-noticed.
    >
    > Was hoping that the ipfw2 rewrite would have fixed this problem.
    >
    > -----Original Message-----
    > From: owner-freebsd-questions@freebsd.org
    > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Thomas T.
    > Veldhouse
    > Sent: Monday, January 19, 2004 1:41 PM
    > To: fbsd_user@a1poweruser.com; freebsd-questions@FreeBSD.ORG
    > Subject: Re: ipfw/nated stateful rules example
    >
    > fbsd_user wrote:
    >> Friends
    >> In both 4.9 and 5.2 I can not get a rule set to function that only
    >> uses keep-state rules for outbound and inbound selection control
    >> and the divert rule.
    >>
    >> Does anybody have a rule set they can share with me as a sample
    >> for me to see.
    >>
    >> Thanks
    >>
    >
    > The best sample is /etc/rc.firewall [and look in
    > /usr/share/examples/ipfw
    > for a potentially useful script to use while testing]. I have moved
    > over to
    > IPFILTER due to the fact that natd is userland based and is more
    > problematic
    > [than ipnat] because of it.
    >
    > Tom Veldhouse

    Here are the contents of one that I used to use when I used IPFW ... it was
    originally and loosely based off of /etc/rc.firewall.

    #
    # Setup system for firewall service.
    #
    # Suck in the configuration variables.
    if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
            . /etc/defaults/rc.conf
            source_rc_confs
        elif [ -r /etc/rc.conf ]; then
            . /etc/rc.conf
        fi
    fi
    ############
    # Set quiet mode if requested
    #
    case ${firewall_quiet} in
    [Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
    *)
        fwcmd="/sbin/ipfw"
        ;;
    esac
    ############
    # Flush out the list before we begin.
    #
    ${fwcmd} -f flush

    # set these to your outside interface network and netmask and ip
    oif="dc0"
    onet="x.y.z.32"
    omask="255.255.255.240"
    oip="x.y.z.33"
    # set these to your inside interface network and netmask and ip
    iif="fxp0"
    inet="192.168.1.0"
    imask="255.255.255.0"
    iip="192.168.1.3"
    # outlaw addresses, never allow traffic from these
    outlaws="24.93.67.0/24"

    ############
    # Only in rare cases do you want to change these rules
    #
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 105 deny all from any to 127.0.0.0/8
    ${fwcmd} add 110 deny ip from 127.0.0.0/8 to any
    # ip-options (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options)
    ${fwcmd} add deny log ip from any to any ipoptions ssrr,lsrr,ts,rr via ${oif}
    # allow certain ICMP through (allows ping, traceroute, plus
    # the required source quench and similar)
    ${fwcmd} add pass icmp from any to any icmptypes 0,3,4,8,11,12 via ${oif}
    # silent block on router advertisements
    ${fwcmd} add deny icmp from any to any icmptypes 9 via ${oif}
    ${fwcmd} add pass icmp from any to any via ${iif} # allow all internally
    ${fwcmd} add deny icmp from any to any
    # Stop spoofing
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
    # Network Address Translation. This rule is placed here deliberately
    # so that it does not interfere with the surrounding address-checking
    # rules.
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac
    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
    ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
    ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
    # block all outlaw addresses
    for outlaw in ${outlaws}; do
        ${fwcmd} add deny all from ${outlaw} to any
    done
    # Allow stateful connections
    ${fwcmd} add check-state
    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to me established
    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag
    # Allow access to services
    #${fwcmd} add pass tcp from any to me 20 # ftp
    #${fwcmd} add pass tcp from any to me 21 # ftp
    ${fwcmd} add pass tcp from any to me 22 setup # ssh
    ${fwcmd} add pass tcp from any to me 25 setup # smtp
    ${fwcmd} add pass tcp from any to me 53 setup # dns
    ${fwcmd} add pass udp from any to me 53 # dns
    ${fwcmd} add pass udp from me 53 to any # dns
    ${fwcmd} add pass tcp from any to me 80 setup # http
    ${fwcmd} add pass tcp from any to me 443 setup # https
    ${fwcmd} add pass tcp from any to me 993 setup # imap-ssl
    ${fwcmd} add pass tcp from any to me 995 setup # pop3-ssl
    # Allow access to internal services
    ${fwcmd} add pass tcp from ${inet}:${imask} to me 110 # pop3
    ${fwcmd} add pass tcp from ${inet}:${imask} to me 143 # imap
    ${fwcmd} add pass tcp from ${inet}:${imask} to me 3128 # squid
    ${fwcmd} add pass tcp from ${inet}:${imask} to me 3306 # mysql
    ${fwcmd} add pass tcp from ${inet}:${imask} to me 8080 # tomcat
    # Reject&Log all setup of incoming connections from the outside
    ${fwcmd} add deny log tcp from any to me setup
    # block all other udp traffic
    ${fwcmd} add deny udp from any to me
    # Allow all outgoing traffic from the lan
    ${fwcmd} add pass tcp from ${inet}:${imask} to any keep-state
    ${fwcmd} add pass udp from ${inet}:${imask} to any keep-state
    # Allow setup of any other TCP and all UDP connections
    ${fwcmd} add pass tcp from me to any setup keep-state
    ${fwcmd} add pass udp from me to any keep-state
    # Everything else is denied by default, unless the
    # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
    # config file.

    Tom Veldhouse

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
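The ordering problem fbsd_user describes in the quoted message (the dynamic rule table ending up keyed on the wrong address form) comes down to one mechanism: a keep-state rule records the packet's addresses as they are at the moment it fires, check-state compares a later packet's addresses as they are at the moment it fires, and natd's divert rewrites the packet in between. The Python model below is added here as an illustration; it is not code from the original post or from Tom Veldhouse's script. It walks a rule list the way ipfw does for a routed packet (once in on the LAN interface, once out on the external one) and contrasts two layouts: check-state placed ahead of the divert, and the posted script's order of divert, then check-state, then keep-state rules. Everything in it is an assumption made for the model: the public address 198.51.100.33 stands in for the script's x.y.z.33, natd keeps the source port unchanged, "me" is reduced to the host's two addresses, rule bodies are Python predicates rather than ipfw syntax, and TCP flags are ignored.

```python
# Model of how ipfw walks a rule list when a divert/natd rule is mixed with
# dynamic (keep-state) rules. Built for this page as an illustration, not ipfw
# itself: it keeps only what decides whether a reply matches the dynamic table.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
OIF, IIF = "dc0", "fxp0"                 # interface names from the posted script
PUBLIC_IP = "198.51.100.33"              # assumed stand-in for the script's x.y.z.33
HOST_IPS = {PUBLIC_IP, "192.168.1.3"}    # the addresses the keyword "me" matches


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    iface: str = ""
    direction: str = ""   # "in" or "out", as seen by the firewall host


def flow(p):
    """Dynamic rules match both directions of a flow, so key on the endpoint set."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Natd:
    """Simplified natd: outbound on OIF rewrites a LAN source to PUBLIC_IP and
    remembers the (unchanged) port; inbound on OIF maps that port back."""
    def __init__(self):
        self.ports = {}

    def translate(self, p):
        if p.direction == "out" and ip_address(p.src) in LAN:
            self.ports[p.sport] = p.src
            return replace(p, src=PUBLIC_IP)
        if p.direction == "in" and p.dst == PUBLIC_IP and p.dport in self.ports:
            return replace(p, dst=self.ports[p.dport])
        return p


# Rule bodies are Python predicates standing in for ipfw match syntax.
def via(iface):
    return lambda p: p.iface == iface

def from_lan(p):
    return ip_address(p.src) in LAN

def from_me(p):
    return p.src in HOST_IPS


class Ipfw:
    """rules: (number, action, predicate or None, keep_state) tuples."""
    def __init__(self, rules):
        self.rules = sorted(rules)
        self.natd = Natd()
        self.dyn = set()      # flows recorded by keep-state rules

    def run(self, p):
        """One walk of the list for one pass of a packet; returns (verdict, packet)."""
        checked = False
        for _, action, match, keep in self.rules:
            # check-state (or the first keep-state rule, if there is none) consults
            # the dynamic table with the addresses the packet carries right now.
            if action == "check-state" or (keep and not checked):
                checked = True
                if flow(p) in self.dyn:
                    return "allow", p
            if action == "check-state" or (match and not match(p)):
                continue
            if action == "divert":
                p = self.natd.translate(p)  # natd rewrites; ipfw resumes at the next rule
                continue
            if keep:
                self.dyn.add(flow(p))
            return action, p
        return "deny", p


def forward(fw, p, in_iface, out_iface):
    """A routed packet crosses ipfw twice: in on one interface, out on the other."""
    verdict, p = fw.run(replace(p, iface=in_iface, direction="in"))
    if verdict != "allow":
        return verdict, p
    return fw.run(replace(p, iface=out_iface, direction="out"))


def session(rules):
    """A LAN client opens a TCP connection to a remote server, which replies."""
    fw = Ipfw(rules)
    syn = Pkt("192.168.1.5", "203.0.113.9", 40000, 80)   # constructed sample flow
    verdict, wire = forward(fw, syn, IIF, OIF)
    result = {"outbound": verdict, "left_as": wire.src, "reply": "none",
              "delivered_to": None, "states": len(fw.dyn)}
    if verdict == "allow" and ip_address(wire.src) in LAN:
        result["reply"] = "unroutable"    # a private source address went out on the wire
    elif verdict == "allow":
        synack = Pkt(wire.dst, wire.src, wire.dport, wire.sport)
        result["reply"], got = forward(fw, synack, OIF, IIF)
        result["delivered_to"] = got.dst
        result["states"] = len(fw.dyn)
    return result


# Layout A: check-state ahead of the divert. The outbound pass on dc0 is accepted
# by the dynamic rule before natd sees it, so the private address leaks out.
STATE_FIRST = [(100, "check-state", None, False),
               (200, "divert", via(OIF), False),
               (300, "allow", from_lan, True),
               (65535, "deny", None, False)]

# Layout B: the posted script's order. A reply is un-translated by the divert
# before check-state runs, so it matches the state made on the LAN-side pass.
NAT_FIRST = [(100, "divert", via(OIF), False),
             (200, "check-state", None, False),
             (300, "allow", from_lan, True),
             (400, "allow", from_me, True),
             (65535, "deny", None, False)]

if __name__ == "__main__":
    for name, rules in (("check-state first", STATE_FIRST), ("divert first", NAT_FIRST)):
        print(name, session(rules))
```

Running it prints one result per layout. With check-state first, the outbound pass on dc0 is accepted by the dynamic rule before the divert runs, so the packet leaves with its 192.168.1.0/24 source and no reply can ever come back. With the divert first, the same LAN connection produces two states (one with the private address from the fxp0 pass, one with the public address from the dc0 pass), and the reply is accepted because the inbound divert restores the private destination before check-state looks at it. On a real host, `ipfw -d show` lists the dynamic rules next to the static ones, which makes it easy to see which address form each state carries after moving the divert rule.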


