Blocked outbound traffic - what is it?
Robert Downes
nullentropy at lineone.net
Fri Jun 18 20:52:12 GMT 2004
Martin wrote:
>- Is rl0 your outside interface ?
>
>
Yes.
>- Do you have Natd on the outside interface or reversed on the inside interface ?
>
>
natd on rl0.
>- Do you have multiple outside interfaces ?
>
>
No, only rl0 talks to the ADSL 'modem' (which has my FreeBSD router in
the DMZ to avoid double-NAT translation).
>- 192.168.1.102 is this system on your internal network ?
>
>
Yes, a Windows machine.
>- Do you have a local DNS (or hosts file) running where you mapped away spying hosts ?
>
>
I have BIND running, but I'm not sure what you mean by 'mapped away
sping hosts'.
>- "out" means outgoing, but "via rl0" does not mean "out thru rl0". It could means
> more or less "a packet having to do something with rl0, either in or out".
>
>
The rules in my set actually all say 'in recv' and 'out xmit' but for
some reason the security log file converts all of those to 'via'. I
can't explain why.
>- Do you have rules in your FW, causing to bypass natd ?
>
>
I don't think so (except localhost). See my ruleset below (posted due to
great demand).
>- Do you have static natd routing ?
>
>
Uhmmm... not sure. I'm using IPFW and natd and using the 'divert natd'
lines in the ruleset.
>- Do you do IP/port forwarding on specific ports ?
>
>
Do you mean am I using keep-state rules to allow packets to certain
ports [yes], or do you mean am I using the divert action to certain
ports [no]?
>Please post your rules.
>
>
Here they are. They are almost exactly the same as the ruleset posted by
someone to this list a few days ago, just with some lines commented out,
all 'via' replaced with 'recv' or 'xmit', and a few additional deny
rules to stop Microsoft-vulnerability probing on ports 135 and 445
(which I was getting a huge number of).
################ Start of IPFW rules file
###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0" # public interface name of Nic card
# facing the public internet
#################################################################
# No restrictions on Inside Lan Interface for private network
# Not needed unless you have Lan.
# Change xl0 to your Lan Nic card interface name
#################################################################
$cmd 005 allow all from any to any via vr0
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0
$cmd 014 divert natd ip from any to any in recv $pif
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 015 check-state
#################################################################
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to xxx.xxx.xxx.xxx 53 out xmit $pif setup
keep-state
$cmd 021 $skip udp from any to xxx.xxx.xxx.xxx 53 out xmit $pif keep-state
$cmd 022 $skip tcp from any to xxx.xxx.xxx.xxx 53 out xmit $pif setup
keep-state
$cmd 023 $skip udp from any to xxx.xxx.xxx.xxx 53 out xmit $pif keep-state
# Bob: allow outbound requests to nameservers, and replies
$cmd 025 $skip udp from 192.168.0.100 to any 53 out xmit $pif keep-state
# Allow out access to my ISP's DHCP server for cable/DSL configurations.
#$cmd 030 $skip udp from any to xx.70.207.54 67 out via $pif keep-state
# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out xmit $pif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out xmit $pif setup keep-state
# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out xmit $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out xmit $pif setup keep-state
# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out xmit $pif setup keep-state uid root
# Allow out ping
$cmd 080 $skip icmp from any to any out xmit $pif
# Allow out Time
$cmd 090 $skip tcp from any to any 37 out xmit $pif setup keep-state
# Allow out nntp news (IE: news groups)
$cmd 100 $skip tcp from any to any 119 out xmit $pif setup keep-state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out xmit $pif setup keep-state
# Allow out whois
$cmd 120 $skip tcp from any to any 43 out xmit $pif setup keep-state
# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out xmit $pif keep-state
#################################################################
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destine for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in recv $pif #RFC 1918
private IP
$cmd 301 deny all from 172.16.0.0/12 to any in recv $pif #RFC 1918
private IP
$cmd 302 deny all from 10.0.0.0/8 to any in recv $pif #RFC 1918
private IP
$cmd 303 deny all from 127.0.0.0/8 to any in recv $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in recv $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in recv $pif #DHCP
auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in recv $pif #reserved
for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in recv $pif #Sun cluster
interconnect
$cmd 308 deny all from 224.0.0.0/3 to any in recv $pif #Class D & E
multicast
# Deny ident
$cmd 315 deny tcp from any to any 113 in recv $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny all from any to any 137 in recv $pif
$cmd 321 deny tcp from any to any 138 in recv $pif
$cmd 322 deny tcp from any to any 139 in recv $pif
$cmd 323 deny tcp from any to any 81 in recv $pif
# Bob: also block 135 and 445 because of similar MS-vulnerability attacks
$cmd 324 deny tcp from any to any 135 in recv $pif
$cmd 325 deny tcp from any to any 445 in recv $pif
# Deny any late arriving packets
$cmd 330 deny all from any to any frag in recv $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in recv $pif
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 360 allow udp from xx.70.207.54 to any 68 in via $pif keep-state
# Allow in standard www function because I have apache server
#$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
#$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
#$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
#$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
# Allow in icmp responces
$cmd 390 allow icmp from any to any icmptypes 0,3,11,12 in recv $pif
# Reject & Log all unauthorized incoming connections from the public
internet
$cmd 400 deny log all from any to any in recv $pif
# Reject & Log all unauthorized out going connections to the public internet
$cmd 450 deny log all from any to any out xmit $pif
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out xmit $pif
$cmd 801 allow ip from any to any
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file
###############################
--
Bob
More information about the freebsd-ipfw
mailing list