Re: keep-state and divert

Victor Sudakov wrote:

Colleagues,

I have read some recommendations on combining a stateful firewall with
divert, e.g.
http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
and http://nuclight.livejournal.com/124348.html (the latter is in
Russian).

Do I understand correctly that it is (mathematically?) impossible to
use the two together without also using "skipto"?

If we consider a simple example below, how would you replace the 600th
rule for a stateful one?

00100 divert 8668 ip from any to table(1) out via rl0
00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0

00500 divert 8668 ip from table(1) to any in via rl0
00600 allow ip from table(1) to any in via rl0
00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0

65535 allow ip from any to any

Thank you in advance for any input.


I haven't used ipfw for a very long time, and haven't kept current with any
changes. Below is an example (using kernel pppd) that I used to use a long
time ago. For example purposes only, extract what you need for your specific
configuration needs.

# Firewall rules

fwcmd="/sbin/ipfw"
$fwcmd -f flush
$fwcmd add allow all from any to any via lo0
$fwcmd add allow all from any to any via xl0
$fwcmd add deny log all from any to 127.0.0.0/8

# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via ppp0
$fwcmd add deny log ip from 172.16.0.0/12 to any in via ppp0
$fwcmd add deny log ip from 10.0.0.0/8 to any in via ppp0
$fwcmd add deny log ip from any to 192.168.0.0/16 in via ppp0
$fwcmd add deny log ip from any to 172.16.0.0/12 in via ppp0
$fwcmd add deny log ip from any to 10.0.0.0/8 in via ppp0

# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via ppp0
$fwcmd add deny all from 169.254.0.0/16 to any in via ppp0
$fwcmd add deny all from 192.0.2.0/24 to any in via ppp0
$fwcmd add deny all from 224.0.0.0/4 to any in via ppp0
$fwcmd add deny all from 240.0.0.0/4 to any in via ppp0
$fwcmd add deny all from any to 0.0.0.0/8 in via ppp0
$fwcmd add deny all from any to 169.254.0.0/16 in via ppp0
$fwcmd add deny all from any to 192.0.2.0/24 in via ppp0
$fwcmd add deny all from any to 224.0.0.0/4 in via ppp0
$fwcmd add deny all from any to 240.0.0.0/4 in via ppp0

#$fwcmd add divert natd all from any to any via ppp0
# Inbound NAT runs before check-state, so dynamic rules are looked up
# against the translated (internal) destination address.
$fwcmd add divert natd ip from any to me in via ppp0
# NB: a /8 mask turns 10.10.0.0 into 10.0.0.0/8; use 10.10.0.0/16 if the
# LAN is 10.10.x.x. Because this outbound NAT runs before the keep-state
# rules below, the dynamic rules they create record the translated
# (public) source address.
$fwcmd add divert natd ip from 10.10.0.0/8 to any out via ppp0
$fwcmd add check-state

$fwcmd add allow log tcp from 209.67.60.33 to any 113 via ppp0


$fwcmd add deny log udp from any to me in recv ppp0
$fwcmd add allow udp from any to any via ppp0 keep-state
$fwcmd add allow log icmp from any to any icmptypes 3,4

$fwcmd add allow tcp from any to me 80 via ppp0 keep-state

$fwcmd add deny log tcp from any to any in recv ppp0 setup
$fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
# "established" matches any TCP segment with ACK or RST set, so this rule
# also passes inbound non-SYN segments that have no matching dynamic rule.
$fwcmd add allow tcp from any to any via ppp0 established keep-state

$fwcmd add allow log icmp from any to any icmptypes 8 out xmit ppp0
$fwcmd add allow log icmp from any to any icmptypes 0 in recv ppp0
$fwcmd add allow log icmp from any to any icmptypes 11 in recv ppp0

$fwcmd add 65432 deny log tcp from any to any
$fwcmd add 65433 deny log udp from any to any
$fwcmd add 65434 deny log icmp from any to any
$fwcmd add 65435 deny log ip from any to any

----------------------------------------------------------------

This was used in conjunction with the natd.conf here:

interface ppp0
use_sockets yes
same_ports yes
dynamic yes

For example purposes only - this is a very very old config.

-Mike



_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
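The ordering problem Victor asks about, worked through as an added example (this is not code from either poster, and it is a toy model rather than ipfw itself). It assumes only the documented ipfw semantics: rules are tried in order until one matches, a divert rule hands the packet to natd which rewrites it and reinjects it at the next rule, a keep-state rule records the flow with the addresses it saw, check-state runs the action of the rule that created the matching dynamic rule, and skipto jumps to the first rule numbered at or above its target. The three rulesets are constructed for illustration: divert before keep-state, check-state moved ahead of the inbound divert, and the skipto arrangement used by the FreeBSD Handbook's stateful NAT recipe. Addresses are RFC 5737 documentation ranges plus a 192.168.1.0/24 LAN; rule numbers are arbitrary.

```python
"""Toy model of ipfw traversal with divert/natd and keep-state. Added example, not
code from either poster. It models only what the ordering question needs: first-match
traversal, divert rewriting the packet in place with natd reinjecting it at the next
rule, keep-state recording the flow as that rule saw it, check-state running the parent
rule's action on a hit, and skipto. Addresses (RFC 5737 ranges plus a 192.168.1.0/24
LAN) and rule numbers are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

LAN_HOST, PUBLIC_IP, SERVER = "192.168.1.10", "203.0.113.1", "198.51.100.7"


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out" via the external interface


@dataclass
class Rule:
    num: int
    action: str                      # allow | deny | divert | check-state | skipto
    direction: Optional[str] = None  # None matches both directions
    keep_state: bool = False
    target: Optional[int] = None     # skipto target rule number


def flow_key(pkt):
    """Direction-independent key, the way a dynamic rule identifies a flow."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.nat = {}     # natd same_ports table: (public_ip, port) -> (lan_ip, port)
        self.states = {}  # flow_key -> rule that created the dynamic rule

    def divert(self, pkt):
        """What natd does: rewrite LAN source outbound, public destination inbound."""
        if pkt.direction == "out" and pkt.src != PUBLIC_IP:
            self.nat[(PUBLIC_IP, pkt.sport)] = (pkt.src, pkt.sport)
            pkt.src = PUBLIC_IP
        elif pkt.direction == "in" and (pkt.dst, pkt.dport) in self.nat:
            pkt.dst, pkt.dport = self.nat[(pkt.dst, pkt.dport)]

    def process(self, pkt):
        """Return the verdict for pkt; divert mutates pkt in place."""
        i, tag = 0, ""
        while i < len(self.rules):
            rule, i = self.rules[i], i + 1
            if rule.direction not in (None, pkt.direction):
                continue
            if rule.action == "check-state":
                parent = self.states.get(flow_key(pkt))
                if parent is None:
                    continue
                rule, tag = parent, " (state)"  # hit: run the parent rule's action
            elif rule.action == "divert":
                self.divert(pkt)                # natd reinjects after this rule
                continue
            elif rule.keep_state:
                self.states[flow_key(pkt)] = rule
            if rule.action == "skipto":         # jump to first rule numbered >= target
                i = next((k for k, r in enumerate(self.rules) if r.num >= rule.target),
                         len(self.rules))
                continue
            return rule.action + tag
        return "deny (default)"  # rule 65535 denies unless the kernel defaults to accept


# Divert before keep-state: the dynamic rule is keyed on the public address, but
# the reply is already translated back to the LAN host when check-state runs.
NAIVE = [Rule(100, "divert", "out"), Rule(200, "allow", "out", keep_state=True),
         Rule(300, "divert", "in"), Rule(400, "check-state")]

# check-state ahead of the inbound divert: the lookup hits, but the reply is
# accepted untranslated, still addressed to the gateway rather than the LAN host.
EARLY_CHECK = [Rule(100, "divert", "out"), Rule(200, "allow", "out", keep_state=True),
               Rule(300, "check-state"), Rule(400, "divert", "in")]

# The skipto arrangement: inbound NAT then check-state; outbound keep-state on the
# untranslated packet skips to the outbound NAT plus a trailing allow that rule 499
# makes reachable only through the skipto.
SKIPTO = [Rule(100, "divert", "in"), Rule(110, "check-state"),
          Rule(200, "skipto", "out", keep_state=True, target=500),
          Rule(499, "deny"), Rule(500, "divert", "out"), Rule(510, "allow")]


def round_trip(rules):
    """LAN host's SYN out, then the server's reply in: returns (outbound verdict,
    inbound verdict, address the reply is finally addressed to)."""
    fw = Firewall(rules)
    out_verdict = fw.process(Packet(LAN_HOST, 40000, SERVER, 80, "out"))
    reply = Packet(SERVER, 80, PUBLIC_IP, 40000, "in")
    return out_verdict, fw.process(reply), reply.dst
```

Running `round_trip` on the three rulesets gives the three outcomes the thread is circling: with the divert ahead of keep-state the reply is dropped because the dynamic rule was keyed on the public address; with check-state ahead of the inbound divert the reply is passed but still addressed to the gateway; only the skipto arrangement both matches the state and delivers the translated reply, while an unsolicited inbound SYN still stops at rule 499. On this model, then, keep-state has to see outbound traffic before the divert and check-state has to see inbound traffic after it, and since a matching keep-state rule terminates with its own action, skipto is the only way to continue on to the outbound divert afterwards. Applied to Victor's ruleset, a stateful replacement for rule 00600 would need its outbound keep-state rule ahead of rule 00100, jumping over to the divert, rather than a one-line swap at 00600. Caveats: the model matches on direction only, not addresses or ports, and omits the implicit check-state that real keep-state rules perform.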