bridged ipfw problem in FreeBSD 5.2beta

Ganbold ganbold at micom.mng.net
Fri Dec 5 04:38:24 PST 2003


Hi,

I'm new to ipfw and I have configured ipfw on a Pentium 4 2GHz, 18GB HDD, 
128MB RAM computer.
This computer will work as a bridge. It has 3 Intel Pro 100Mb cards, 2 for 
bridging and 1 just for connecting to this computer
from a remote machine.
Bridging works just fine, but after 4 hours it stops working. It has happened 3 
times, each time after 4 hours of operation.
The machine itself was working fine; it only seems that it doesn't
forward packets from the internal interface to the external one, or the internal interface 
doesn't receive anything.

Can somebody tell me what I did wrong in the config files? Is it a problem with 
the NIC or with the bridge?
Or is it a problem related to ARP?

I'm asking a lot of questions at one time, but I really need to install and 
use a bridging firewall, and
I hope somebody on this list can point me in the right direction.


thanks in advance,

Ganbold Ts.
Mongolia

------------------------------------------------------------------------------------------------------------------------------------------------

In kernel config I included:
---------------------------------------------------------------------------------------------------
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100

options         IPDIVERT
options         TCPDEBUG
options         IPSTEALTH
options         TCP_DROP_SYNFIN

options         DUMMYNET
options         HZ=1000
options         BRIDGE
---------------------------------------------------------------------------------------------------

In sysctl.conf I included:
---------------------------------------------------------------------------------------------------

# Bridge fxp0 and fxp1 together (cluster 0) and hand bridged packets to ipfw.
net.link.ether.bridge_cfg=fxp0:0,fxp1:0
net.link.ether.bridge_ipfw=1
net.link.ether.bridge.enable=1

# one_pass=0: a packet matched by a dummynet pipe rule is re-injected into
# the firewall and keeps going through the rules after the pipe; the
# rc.firewall pipe rules (60-63) rely on this to reach the pass rules.
net.inet.ip.fw.one_pass=0
security.bsd.see_other_uids=0
net.link.ether.inet.max_age=1200
kern.ipc.somaxconn=1024
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768

net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

# Lifetimes (seconds) of the dynamic rules created by keep-state: established
# TCP flows are kept 3600 s, UDP "flows" 10 s; 1024 buckets for the table.
net.inet.ip.fw.dyn_ack_lifetime=3600
net.inet.ip.fw.dyn_udp_lifetime=10
net.inet.ip.fw.dyn_buckets=1024
---------------------------------------------------------------------------------------------------

Following is my rc.conf script:

---------------------------------------------------------------------------------------------------
# fxp0 and fxp1 are the bridged pair (see net.link.ether.bridge_cfg in
# sysctl.conf); fxp2 is the management NIC that carries the box's own IP.
network_interfaces="fxp0 fxp1 fxp2 lo0"

accounting_enable="YES"
hostname="fw.ub.mng.net"
defaultrouter="202.179.xxx.xxx"
# NOTE(review): there is no ifconfig_fxp0 line and ifconfig_fxp1 sets only
# media, no address -- confirm both bridge members are brought "up" at boot.
ifconfig_fxp1="media 100baseTX mediaopt full-duplex"
ifconfig_fxp2="inet 202.179.xxx.xxx netmask 255.255.255.248 media 100baseTX 
mediaopt full-duplex"

inetd_enable="YES"
kern_securelevel_enable="NO"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="YES"

# firewall_type="custom" selects the [Cc][Uu][Ss][Tt][Oo][Mm]) arm of
# /etc/rc.firewall shown below.
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="custom"
firewall_quiet="NO"

log_in_vain=1
icmp_drop_redirect="YES"
icmp_log_redirect=YES
tcp_drop_synfin="YES"
tcp_restrict_rst="YES"
---------------------------------------------------------------------------------------------------

Following is my rc.firewall part:
---------------------------------------------------------------------------------------------------
...
[Cc][Uu][Ss][Tt][Oo][Mm])

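# 0 is external and 1 is internal nic; 2 is the non-bridged management nic.
# The rules below use these variables instead of repeating fxp0/fxp1/fxp2
# (the original hard-coded the NIC names right next to these assignments),
# so renaming a NIC is a one-line change.
fwinterface0="fxp0"
fwinterface1="fxp1"
fwinterface2="fxp2"

${fwcmd} -f flush

######################## CLASS A,B,C #########################
# Things that we have kept state on before get to go through in a hurry
${fwcmd} add 10 check-state

# pass ARP (moved up from the old rule 301)
# The bridge presents ARP frames to ipfw as UDP from 0.0.0.0 port 2054
# (ethertype 0x0806) to 0.0.0.0, which is what this rule matches.  It has to
# come BEFORE rules 26/27: those deny everything from/to 0.0.0.0/8 via the
# external NIC, so at its old position (301) this rule was never reached for
# ARP crossing ${fwinterface0}.  Hosts with a warm ARP cache keep working
# until their entry expires, which could explain a bridge that forwards for a
# while and then stops -- compare the rule counters in "ipfw show".
${fwcmd} add 15 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Denying Class A IP spoofing.
# NOTE: REMARK these lines if you have intranet clients with Class A IP.
${fwcmd} add 20 deny all from any to 10.0.0.0/8 via ${fwinterface0}
${fwcmd} add 21 deny all from 10.0.0.0/8 to any via ${fwinterface0}

# Denying Class B IP spoofing.
# NOTE: REMARK these lines if you have intranet clients with Class B IP.
${fwcmd} add 22 deny all from any to 172.16.0.0/12 via ${fwinterface0}
${fwcmd} add 23 deny all from 172.16.0.0/12 to any via ${fwinterface0}

# Denying Class C IP spoofing.
# NOTE: REMARK these lines if you have intranet clients with Class C IP.
${fwcmd} add 24 deny all from any to 192.168.0.0/16 via ${fwinterface0}
${fwcmd} add 25 deny all from 192.168.0.0/16 to any via ${fwinterface0}

######################### CLASS D,E #########################

# Denying Class D, E IP spoofing.
# Refer to: draft-manning-dsua-03.txt for more information about Class D/E IP.
${fwcmd} add 26 deny all from any to 0.0.0.0/8 via ${fwinterface0}
${fwcmd} add 27 deny all from 0.0.0.0/8 to any via ${fwinterface0}

${fwcmd} add 28 deny all from any to 192.0.2.0/24 via ${fwinterface0}
${fwcmd} add 29 deny all from 192.0.2.0/24 to any via ${fwinterface0}

${fwcmd} add 30 deny all from any to 169.254.0.0/16 via ${fwinterface0}
${fwcmd} add 31 deny all from 169.254.0.0/16 to any via ${fwinterface0}

${fwcmd} add 32 deny all from any to 224.0.0.0/4 via ${fwinterface0}
${fwcmd} add 33 deny all from 224.0.0.0/4 to any via ${fwinterface0}

####################### DUMMYNET config #######################

# apply DUMMYNET bandwidth here
# A packet matched by a pipe rule continues through the rules below it
# because net.inet.ip.fw.one_pass=0 is set in sysctl.conf.

# micom -- bw 0 means no bandwidth limit (the dummynet default)
${fwcmd} pipe 41 config bw 0kbit/s
${fwcmd} pipe 42 config bw 0kbit/s

${fwcmd} add 60 pipe 41 all from 202.179.xxx.xxx/27 to any in via ${fwinterface1}
${fwcmd} add 61 pipe 42 all from any to 202.179.xxx.xxx/27 in via ${fwinterface0}

#glinkor
${fwcmd} pipe 43 config bw 128kbit/s
${fwcmd} pipe 44 config bw 128kbit/s

${fwcmd} add 62 pipe 43 all from 202.179.xxx.xxx/29 to any in via ${fwinterface1}
${fwcmd} add 63 pipe 44 all from any to 202.179.xxx.xxx/29 in via ${fwinterface0}

######################### STANDARDS #########################

# Allow TCP through if setup succeeded
# NOTE: "established" is a stateless test of the ACK/RST flags, so any
# segment carrying those flags passes whether or not ipfw saw the handshake;
# the keep-state/check-state rules are the stateful path.
${fwcmd} add 100 pass tcp from any to any established

# Allow the bridge machine to say anything it wants
# (if the machine is IP-less do not include these rows)
# Rule 220 already passes every IP packet from this address; 200/210 exist
# so that the replies get a dynamic rule and come back via check-state.
${fwcmd} add 200 pass tcp from 202.179.xxx.xxx to any setup keep-state
${fwcmd} add 210 pass udp from 202.179.xxx.xxx to any keep-state
${fwcmd} add 220 pass ip from 202.179.xxx.xxx to any

# Allowing connections through localhost.
${fwcmd} add 300 pass all from any to any via lo0

# Allow the inside hosts to say anything they want
# The anti-spoofing denies above only look at ${fwinterface0}, and the last
# rule of each group passes all IP without state, so nothing here checks
# the source address of traffic arriving from the inside or management NIC.
${fwcmd} add pass tcp from any to any in via ${fwinterface1} setup keep-state
${fwcmd} add pass udp from any to any in via ${fwinterface1} keep-state
${fwcmd} add pass ip from any to any in via ${fwinterface1}

${fwcmd} add pass tcp from any to any in via ${fwinterface2} setup keep-state
${fwcmd} add pass udp from any to any in via ${fwinterface2} keep-state
${fwcmd} add pass ip from any to any in via ${fwinterface2}

######################### RESTRICTIONS #########################
# Everything below is inbound on the external NIC; each rule creates state
# so the reply can return through check-state (rule 10).  The original had
# several of these commands wrapped onto two lines by the mailer, which the
# shell would run as two separate commands; they are one line each here.

# Allowing SSH,web connection and LOG all incoming connections.
# (only the SSH rule actually carries the "log" keyword)
${fwcmd} add pass log tcp from any to any 22 in via ${fwinterface0} setup keep-state
${fwcmd} add pass tcp from any to any 80,443 in via ${fwinterface0} setup keep-state

# Allowing and LOG all INCOMING, outgoing FTP, telnet, SMTP, POP3, ident,
# imap connections.
${fwcmd} add pass tcp from any to any 20-21,23,25,110,113,143 in via ${fwinterface0} setup keep-state
${fwcmd} add pass udp from any to any 20-21,23,25,110,113,143 in via ${fwinterface0} keep-state

# Pass the "quarantine" range
${fwcmd} add pass tcp from any to any 40000-65535 in via ${fwinterface0} setup keep-state
${fwcmd} add pass udp from any to any 40000-65535 in via ${fwinterface0} keep-state

# MSN, Yahoo
${fwcmd} add pass tcp from any to any 1863,5050 in via ${fwinterface0} setup keep-state
${fwcmd} add pass udp from any to any 1863,5050 in via ${fwinterface0} keep-state

# additional MSN ports
${fwcmd} add pass tcp from any to any 6891-6901,6801,2001-2120,7801-7825 in via ${fwinterface0} setup keep-state
${fwcmd} add pass udp from any to any 6891-6901,6801,2001-2120,7801-7825 in via ${fwinterface0} keep-state

# additional h323,yahoo ports
${fwcmd} add pass tcp from any to any 1719-1721,5000-5010,5100,5190,8010,8100 in via ${fwinterface0} setup keep-state
${fwcmd} add pass udp from any to any 1719-1721,5000-5010,5100,5190,8010,8100 in via ${fwinterface0} keep-state

# allow radius
${fwcmd} add pass tcp from any to any 1645,1646,1812,1813 in via ${fwinterface0} setup keep-state
${fwcmd} add pass udp from any to any 1645,1646,1812,1813 in via ${fwinterface0} keep-state

# Allowing mysql,Jabber,IRC,chat,SOCKS,HTTP proxy.
${fwcmd} add pass tcp from any to any 1080,3306,5222,5223,5269,6667,8000,8080 in via ${fwinterface0} setup keep-state
${fwcmd} add pass udp from any to any 1080,3306,5222,5223,5269,6667,8000,8080 in via ${fwinterface0} keep-state

# additional eMule ports
${fwcmd} add pass tcp from any to any 2323,4242,4243,4661-4672,7700-7800 in via ${fwinterface0} setup keep-state
${fwcmd} add pass udp from any to any 2323,4242,4243,4661-4672,7700-7800 in via ${fwinterface0} keep-state

# Allowing DNS lookups.
${fwcmd} add pass tcp from any to any 53 in via ${fwinterface0} setup keep-state
${fwcmd} add pass udp from any to any 53 in via ${fwinterface0} keep-state
# NOTE: the next rule matches on SOURCE port 53 only, so any UDP packet that
# sets source port 53 is let in to any destination port; genuine DNS replies
# to inside hosts are already covered by the dynamic rules created when the
# query arrived on ${fwinterface1}.
${fwcmd} add pass udp from any 53 to any in via ${fwinterface0} keep-state

#${fwcmd} add pass tcp from any to any 53 out via ${fwinterface0} setup keep-state
#${fwcmd} add pass udp from any to any 53 out via ${fwinterface0} keep-state

######################### ICMP #########################

# Allowing outgoing PINGs.
# Allowing "Destination Unreachable" "Source Quench" "Time Exceeded" and
# "Bad Header".
${fwcmd} add pass icmp from any to any icmptypes 0,3,4,8,11,12

# Allowing IP fragments to pass through.
${fwcmd} add 65000 pass all from any to any frag

# Everything else is suspect
${fwcmd} add drop log ip from any to any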
         ;;

---------------------------------------------------------------------------------------------------






