Re: HELP ! ipfw et natd

From: ferdydurke (ferdy_at_ferdy.com)
Date: 12/04/03


Date: Thu, 04 Dec 2003 21:23:29 +0100

Hi again

> I don't think the nameserver's IP changed because of the firewall. I
> think you were sent the new IP by your ISP via DHCP.

ok
>> , and /etc/resolv.conf changed too. But why?
>
> The DHCP client does that.

ok

> I think with this config your machine is pretty secure, and the ruleset
> is pretty efficient, too (suggestions to improve the efficiency follow).
> But mind you, I don't have a clue what that thing with UDP-ports 67, 68
> means. It seems a bit suspicious to me - you allow (by the rules 502,
> 503) _anybody_ to send UDP-packets from 67 to broadcast:68 and vice
> versa - well this means relying a lot on your neighbouring host (which
> may be your cablemodem or your ISP's router) not to forward broadcasts
> from strangers. Which they probably won't, but you know, a good firewall
> shouldn't rely on other hosts to secure you. So you'd better find a way
> to limit the range of hosts that are allowed to do this.

I am going to try your suggestions. Here is an extract of the excellent
articles from Dru Lavigne on the site I mentioned to you:

su
Password:
ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 check-state
00301 0 0 deny tcp from any to any in established
00302 0 0 allow tcp from any to any keep-state setup
00400 0 0 allow udp from 24.226.1.90 53 to any in recv ed0
00401 0 0 allow udp from 24.226.1.20 53 to any in recv ed0
00402 0 0 allow udp from 24.2.9.34 53 to any in recv ed0
00403 0 0 allow udp from any to any out
65535 0 0 deny ip from any to any

Because I need to allow UDP packets, I'll want to specify the DHCP port
numbers and the IP address of my DHCP server. As the superuser, I'll
consider adding the following lines to my /etc/ipfw.rules file:

#allow DHCP
add 00500 allow udp from any 68 to 24.226.1.41 67 out via ed0
add 00501 allow udp from 24.226.1.41 67 to any 68 in via ed0

These should be the bare minimum rules that will allow my DHCP client to
renew its lease with the DHCP server 24.226.1.41. Whether more rules will
be required will vary according to the dependability of that DHCP server.
If the DHCP server always responds to my renewal requests, I won't have to
resort to sending out UDP broadcasts, pinging my default gateway, or
receiving UDP broadcasts. If my DHCP server is not so dependable, I might
have to also add the following rules:

add 00502 allow udp from any 68 to 255.255.255.255 67 out via ed0
add 00503 allow udp from any 67 to 255.255.255.255 68 in via ed0

I won't immediately add rules 00502 and 00503, though, as up to this point,
my DHCP server has been quite dependable. I have made a mental note to
myself to remember to keep these rules in mind, just in case my provider
ever has problems with this DHCP server or actually changes the IP address
of my DHCP server.

Before I save my changes, I'll compare rules 00500 and 00501 to the rest of
my ruleset to ensure there aren't any conflicts or overlaps. I immediately
notice an overlap between rules 00403 and 00500:

add 00403 allow udp from any to any out
add 00500 allow udp from any 68 to 24.226.1.41 67 out via ed0

Since rule 00403 already allows "any" UDP packet to go out of my computer,
the more specific rule of only sending out UDP packets from port 68 will
never be read. At this point, I need to make a choice between creating a
minimum number of rules or using a maximum amount of paranoia and
responsibility.

I originally added rule 00403 when I created the rules to allow DNS
resolution. (See last week's article.) If I decide to remove rule 00403,
I'll have to replace it with three more rules that will allow UDP packets
to be sent out to the three DNS servers. Also, if I ever need to access any
other type of server that requires me to send it a UDP packet, I'll have to
create an extra rule to do so. This will result in adding extra rules, and
thus extra overhead, to my ipfw ruleset, instead of using one
all-encompassing rule.

This goes against the philosophy of using a minimum amount of rules, but I
also need to look at the implications of keeping that one all-encompassing
rule. There's no security risk to me if I send out UDP packets, as long as
I restrict whom I'm willing to accept UDP packets from. For example, rule
00403 allows me to send out any UDP packet, but rules 00400, 00401, 00402,
and 00501 ensure I'll only accept UDP packets from my provider's three DNS
servers and one DHCP server. This seems to be an acceptable policy for my
standalone FreeBSD computer.
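As an added example (not part of this post or of Dru Lavigne's article), the following Python script replays the quoted rules under ipfw's first-match semantics and reports which rules are fully hidden behind an earlier one, which is exactly the 00403/00500 overlap the article describes. It models only the stateless rules (the check-state/keep-state/established rules and the 00401/00402 DNS rules, which have the same shape as 00400, are left out), treats via/recv/xmit as a plain interface match, and uses constructed packets: 24.226.1.200 stands in for the client's DHCP-assigned address and 198.51.100.7 for an unrelated outside host. It also loads the reserved rules 00502/00503 from the quoted reply above, so the difference between 00501 (replies only from 24.226.1.41) and 00503 (DHCP-port broadcasts from any source) can be seen on sample packets.

```python
"""First-match simulator for the stateless ipfw rules quoted above (added example,
not code from the post or from Dru Lavigne's article).  Stateful keywords such as
check-state, keep-state, established and setup are not modelled."""
from __future__ import annotations
import ipaddress
from collections import namedtuple
from typing import Optional
# Constructed copy of the article's rules in `ipfw show` layout (zero counters) plus
# the proposed DHCP rules 00500/00501; stateful rules and 00401/00402 are left out.
RULESET = """
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00400 0 0 allow udp from 24.226.1.90 53 to any in recv ed0
00403 0 0 allow udp from any to any out
00500 0 0 allow udp from any 68 to 24.226.1.41 67 out via ed0
00501 0 0 allow udp from 24.226.1.41 67 to any 68 in via ed0
65535 0 0 deny ip from any to any
"""
BROADCAST_RULES = """
00502 0 0 allow udp from any 68 to 255.255.255.255 67 out via ed0
00503 0 0 allow udp from any 67 to 255.255.255.255 68 in via ed0
"""
Net = Optional[ipaddress.IPv4Network]  # None means "any"
# Ports: int or None (any).  direction: "in", "out" or None.  iface: name or None.
Rule = namedtuple("Rule", "number action proto src sport dst dport direction iface")
Packet = namedtuple("Packet", "proto src sport dst dport direction iface")

def _endpoint(toks: list[str], i: int) -> tuple[Net, Optional[int], int]:
    """Parse 'ADDR [PORT]' at toks[i]; return (network, port, next index)."""
    net = None if toks[i] == "any" else ipaddress.ip_network(toks[i], strict=False)
    if i + 1 < len(toks) and toks[i + 1].isdigit():
        return net, int(toks[i + 1]), i + 2
    return net, None, i + 1

def parse_rule(line: str) -> Rule:
    toks = line.split()
    if toks[1].isdigit() and toks[2].isdigit():  # drop `ipfw show` pkt/byte counters
        del toks[1:3]
    number, action, proto = int(toks[0]), toks[1], toks[2]
    src, sport, i = _endpoint(toks, 4)       # toks[3] is "from"
    dst, dport, i = _endpoint(toks, i + 1)   # toks[i] is "to"
    direction = iface = None
    while i < len(toks):
        if toks[i] in ("in", "out"):
            direction, i = toks[i], i + 1
        elif toks[i] in ("via", "recv", "xmit"):  # all read as "on this interface"
            iface, i = toks[i + 1], i + 2
        else:
            raise ValueError(f"rule {number}: keyword {toks[i]!r} not modelled")
    return Rule(number, action, proto, src, sport, dst, dport, direction, iface)

def parse_ruleset(text: str) -> list[Rule]:
    rules = [parse_rule(ln) for ln in text.splitlines() if ln.strip()]
    return sorted(rules, key=lambda r: r.number)  # ipfw walks rules in number order

def matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "ip" or r.proto == p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.sport is None or r.sport == p.sport)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and (r.dport is None or r.dport == p.dport)
            and (r.direction is None or r.direction == p.direction)
            and (r.iface is None or r.iface == p.iface))

def first_match(rules: list[Rule], p: Packet) -> Rule:
    return next(r for r in rules if matches(r, p))  # 65535 always matches

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet rule b could match is also matched by rule a."""
    def sub(x, y):  # None on a's side means "any"; networks compare by containment
        if isinstance(x, ipaddress.IPv4Network):
            return y is not None and y.subnet_of(x)
        return x is None or x == y
    return ((a.proto == "ip" or a.proto == b.proto)
            and all(sub(getattr(a, f), getattr(b, f))
                    for f in ("src", "sport", "dst", "dport", "direction", "iface")))

def shadowed(rules: list[Rule]) -> list[tuple[int, int]]:
    """(hidden rule, earlier rule hiding it) pairs; a hidden rule can never fire."""
    return [(b.number, next(a.number for a in rules[:i] if covers(a, b)))
            for i, b in enumerate(rules) if any(covers(a, b) for a in rules[:i])]

CLIENT = "24.226.1.200"  # constructed: the lease the client got from DHCP
SAMPLES = {  # constructed packets; 198.51.100.7 stands in for an outside host
    "dhcp renew out": Packet("udp", CLIENT, 68, "24.226.1.41", 67, "out", "ed0"),
    "dhcp ack in": Packet("udp", "24.226.1.41", 67, CLIENT, 68, "in", "ed0"),
    "stranger dhcp in": Packet("udp", "198.51.100.7", 67, CLIENT, 68, "in", "ed0"),
    "stranger bcast in": Packet("udp", "198.51.100.7", 67, "255.255.255.255", 68, "in", "ed0"),
}

def decide(text: str) -> dict[str, tuple[str, int]]:
    """Map each sample packet to (action, rule number) under the given ruleset."""
    rules = parse_ruleset(text)
    hits = {name: first_match(rules, p) for name, p in SAMPLES.items()}
    return {name: (r.action, r.number) for name, r in hits.items()}

if __name__ == "__main__":
    for text in (RULESET, RULESET + BROADCAST_RULES):
        print(shadowed(parse_ruleset(text)), decide(text))
```

Run as a script it prints, for the article's rules, that 00500 is hidden behind 00403 and that the renewal request is passed by 00403 rather than 00500, while the reply is passed by 00501 and the same reply from another source address falls through to 65535. With 00502/00503 loaded, a DHCP-port broadcast from the outside host is accepted by 00503, which is the exposure the quoted reply is pointing at.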

> Not knowing anything about mldonkey - do you mean lower transfer speed?
> I think that if you follow the above advice to make the firewalling more
> efficient, the firewall shouldn't affect your transfer speed noticeably
> (unless your FreeBSD box is a _very_ slow machine).
>

mldonkey is my peer-to-peer client for FreeBSD.

>> Last but not least, how can I thank you for the help ? It was really nice
>> to help me with such patience : thank you.
>
> I really enjoyed the adventure :-)
> And no need to thank me - one fine day when I finally decide to upgrade
> the FreeBSD box here to a version capable of the keep-state /
> check-state filtering, the experience with the "stateful ipfw / natd"
> combination is going to come in very handy to me. So in fact, I thank you
> for testing it for me :-)
>

No problem for testing; if you want me to try something else, just ask. But
God! What kind of slow machine do you have???

PS: Are you from the Czech Republic?