Re: HELP ! ipfw and natd

From: Ludek Frybort (frybort_at_amit.cz)
Date: 12/04/03


Date: Thu, 04 Dec 2003 19:08:42 +0100

Hi,
 
ferdydurke wrote:
>
> Hi Ludek, good news today ! it is working !!!!!!
 
That's good news.
 
> ...
>
> So the problem for me was to notice that the DNS of my ISP (193.252.19.3, it
> is wanadoo, I am French) changed because of the firewall
 
I don't think the nameserver's IP changed because of the firewall. I
think you were sent the new IP by your ISP via DHCP.
 
> , and /etc/resolv.conf changed too. But why ?
 
The DHCP client does that. There is a way to prevent the necessity to
update your firewall configuration in case the address changes again in
future. See below.
Propagation of the change to your LAN hosts is another thing. I'd
suggest setting up a local DNS cache on the FreeBSD host (which may be a
bit hard for a beginner, but I think there are good HOWTOs for that, as
well) and pointing the LAN hosts to the FreeBSD box as their nameserver.
 
> I also give you my last ipfw show, for information, or for you to give me an
> advice about the security of my machine :
 
I think with this config your machine is pretty secure, and the ruleset
is pretty efficient, too (suggestions to improve the efficiency follow).
But mind you, I don't have a clue what that thing with UDP-ports 67, 68
means. It seems a bit suspicious to me - you allow (by the rules 502,
503) _anybody_ to send UDP-packets from 67 to broadcast:68 and vice
versa - well this means relying a lot on your neighbouring host (which
may be your cablemodem or your ISP's router) not to forward broadcasts
from strangers. Which they probably won't, but you know, a good firewall
shouldn't rely on other hosts to secure you. So you'd better find a way
to limit the range of hosts that are allowed to do this.
 
Some suggestions:
 
> 00050 205116 15082075 divert 8668 ip from any to any out xmit rl0
> 00060 127659 28538179 divert 8668 ip from any to any in recv rl0
 
You should check whether it still works if you combine the two rules into one:
00050 divert 8668 ip from any to any via rl0
It should work, and it would improve your firewall's efficiency a bit.
 
> 00070 0 0 check-state
> 00100 30708 1665652 allow ip from any to any via lo0

If you add:
00130 allow udp from any to any in keep-state recv rl1
(analogously to how the TCP transfers are handled now) then (together
with another change below) you make the DNS lookups independent of the
specific IP address of the nameserver (and also make the UDP handling more
efficient).
 
> 00140 1492 778513 allow tcp from any to any keep-state in recv rl1 setup
> 00150 144 13966 allow ip from any to any in recv rl1
> 00160 38 4881 allow ip from any to any out xmit rl1
> 00200 16 896 deny log logamount 10 ip from any to 127.0.0.0/8
> 00300 0 0 deny log logamount 10 ip from 127.0.0.0/8 to any
> 00302 3233 485377 deny tcp from any to any in established
> 00303 162027 29978828 allow tcp from any to any keep-state out setup
> 00400 7928 1346079 allow udp from 80.10.246.130 53 to any in recv rl0
> 00401 87926 5476311 allow udp from any to any out
 
If you replace the rules 400, 401 with just one rule:
00400 allow udp from any to any out keep-state
then it a) helps with the DNS issue, b) makes your UDP transmissions
more efficient (fewer rules for the packets to wander through - all but
the first packet will be matched by the check-state rule above).
  
> 00501 0 0 allow udp from 81.249.237.84 67 to any 68 in recv rl0
> 00502 0 0 allow udp from any 68 to 255.255.255.255 67 out xmit rl0
> 00503 740 234541 allow udp from any 67 to 255.255.255.255 68 in recv rl0
> 00600 23552 1374240 allow icmp from any to any icmptype 3
> 00601 0 0 allow icmp from any to any icmptype 4
> 00602 0 0 allow icmp from any to any out icmptype 8
> 00603 0 0 allow icmp from any to any in icmptype 0
> 00604 445 28270 allow icmp from any to any in icmptype 11
> 65535 46470 4350584 deny ip from any to any
>
> About security, when I run "nmap localhost" I only have one port open,
> number 631, which is used by cups I guess.
> When I run "sockstat -4" I have much more ports open : natd, dhcp client,
> and a lot more when I run mldonkey.
 
Looks good to me.
 
> About mldonkey, do you think that with my new firewall I will have fewer
> transfers? It seems to me that I can't download the same as a few days
> ago...
 
Not knowing anything about mldonkey - do you mean lower transfer speed?
I think that if you follow the above advice to make the firewalling more
efficient, the firewall shouldn't affect your transfer speed noticeably
(unless your FreeBSD box is a _very_ slow machine).
 
> Last but not least, how can I thank you for the help ? It was really nice to
> help me with such patience : thank you.
 
I really enjoyed the adventure :-)
And no need to thank me - one fine day when I finally decide to upgrade
the FreeBSD box here to a version capable of the keep-state /
check-state filtering, the experience with the "stateful ipfw / natd"
combination is going to come in very handy for me. So in fact, I thank you
for testing it for me :-)
 
> PS : is computing your job ?
 
Well, yes it is, but not FreeBSD or UN*X computing (well, that would be
a job I'd really enjoy). My job is basically programming of
microcontrollers, and some networking comes with that, too. An enjoyable
job, as well, I'm not complaining.
 
Ludek
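The ruleset Ludek suggests above, assembled into an rc-style shell script. This is an added example, not code posted in the thread: it takes ferdydurke's `ipfw show` output and applies the three proposed changes (one divert rule `via rl0` instead of two, stateful UDP in on rl1 and out, and DHCP replies accepted only from one source instead of from anybody), keeping the other rules as posted. The `dhcp_server` and `FWCMD` variables are assumptions added for the example; 81.249.237.84 is simply the address that rule 501 in the thread already trusts.

```shell
#!/bin/sh
# Added example, not from the thread: ferdydurke's ipfw ruleset with Ludek's
# three suggested changes applied. With no argument the script only prints
# the rules for review; with "apply" it flushes the chain and loads them.

fwcmd="${FWCMD:-/sbin/ipfw}"   # assumption: set FWCMD="echo ipfw" for a dry run
outside=rl0                    # ISP-facing interface, as in the thread
inside=rl1                     # LAN interface, as in the thread
# Assumption: the ISP's DHCP server. 81.249.237.84 is the host rule 501 in the
# thread already accepts; replace it with the server your own lease names.
dhcp_server="${DHCP_SERVER:-81.249.237.84}"

# Changes relative to the posted ruleset:
#   50  - replaces the separate "out xmit rl0" / "in recv rl0" divert rules
#  130  - new: LAN UDP creates state, so replies match check-state (rule 70)
#  400  - replaces the fixed-nameserver rule 400 and the stateless rule 401
#  503  - was "from any 67"; now only the known DHCP server may answer
gen_rules() {
    cat <<EOF
50 divert 8668 ip from any to any via $outside
70 check-state
100 allow ip from any to any via lo0
130 allow udp from any to any in keep-state recv $inside
140 allow tcp from any to any keep-state in recv $inside setup
150 allow ip from any to any in recv $inside
160 allow ip from any to any out xmit $inside
200 deny log logamount 10 ip from any to 127.0.0.0/8
300 deny log logamount 10 ip from 127.0.0.0/8 to any
302 deny tcp from any to any in established
303 allow tcp from any to any keep-state out setup
400 allow udp from any to any out keep-state
501 allow udp from $dhcp_server 67 to any 68 in recv $outside
502 allow udp from any 68 to 255.255.255.255 67 out xmit $outside
503 allow udp from $dhcp_server 67 to 255.255.255.255 68 in recv $outside
600 allow icmp from any to any icmptype 3
601 allow icmp from any to any icmptype 4
602 allow icmp from any to any out icmptype 8
603 allow icmp from any to any in icmptype 0
604 allow icmp from any to any in icmptype 11
EOF
}

# Flush the existing chain and add the rules one by one. The unquoted $rule
# is intentional: ipfw wants the rule as separate words.
apply_rules() {
    $fwcmd -f flush
    gen_rules | while read -r rule; do
        $fwcmd add $rule
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run `sh ruleset.sh` to review the rules, `FWCMD="echo ipfw" sh ruleset.sh apply` to see the exact commands without touching the kernel, and `sh ruleset.sh apply` as root to load them. The default rule 65535 stays the deny shown in the thread. One caveat on rule 503: if the ISP answers the initial DISCOVER through a relay, the OFFER may arrive from an address other than the server that later renews the lease; `tcpdump -n -i rl0 'udp port 67 or udp port 68'` during a renewal shows which address has to be trusted.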

