IPFW ip masking and stateful connections

Oliver Fromme olli at lurza.secnetix.de
Fri Aug 5 07:31:05 GMT 2005


jstarng <jstarng at gmail.com> wrote:
 > i have two networks one: 192.0.0.1-192.0.0.255 and the other
 > 192.168.1.1-192.168.1.255

So that would be 192.0.0.0/24 and 192.168.1/24.

BTW, are you aware that the former is reserved to the IANA
("ROOT-NS-LAB") and is _not_ available for use?  So, unless
you are working for them, you should better use a different
subnet.

 > I want to prevent anyone from using services (like sharing folders)
 > from one network to the other
 > 
 > i tried a line:
 > $c 00450 deny UDP from 192.0.0.0/16 to 192.168.1.1/16

That should be:  from 192.0.0.0/24 to 192.168.1.0/24

Since the last byte is masked out, it doesn't really matter
what you specify, but it's convention to specify the
network address (base address), which would be .0 in this
case.

NB:  Some software allows omitting the insignificant bytes
entirely, so you could write 192.0.0/24 and 192.168.1/24,
respectively.  However, the ipfw(8) parser doesn't seem to
like that, so you have to fill with trailing zeros so there
are always 4 bytes.

 > I guess i'm not really understanding how bit masks work on ip ranges.
 > what's the correct range i should use

The number after the slash specifies the number of the
leftmost significant bits of the address.  A complete
IP (v4) address has 4 bytes which is 32 bits.  So if you
want to specify a (sub-) network by the left 3 bytes,
that's 24 bits.  (Historically those are sometimes called
"class-C nets", but that's not entirely correct nowadays.)

 > #Divert
 > #############################
 > $c 00001 divert natd all from any to any

So NAT is involved.  That complicates things somewhat,
because all following rules work on the rewritten
addresses, not on the original ones.  Keep that in mind.

You should specify an interface on the "divert natd" rule,
e.g. "via fxp0".  Otherwise, _all_ packets will go through
natd, even lo0 packets, which is unnecessary overhead and
might even have adverse side effects.

 > $c 00002 check-state

A general piece of advice:  When numbering your rules, make the
spacing between the numbers larger than 1, otherwise you
cannot insert rules later (e.g. for testing or debugging)
without flushing and reloading the whole set.

I'd recommend a spacing of 10, at least.  The default
spacing of ipfw (when no numbers are given explicitly)
is even 100.  Consider that the numbers can go as high
as 65534, so there's plenty of space.

 > $c 00007 $skip TCP from 127.0.0.1 25 to 127.0.0.1 in via lo0

I don't understand the purpose of that rule.

Usually you want to allow all traffic on the lo0 interface
while denying the 127/8 network everywhere else.  These
rules will do that:

pass all from any to any via lo0
deny all from any to 127.0.0.0/8
deny all from 127.0.0.0/8 to any

 > #In via ed0 100
 > #############################
 > $c 00100 $skip UDP from any to 255.255.255.255 in via ed0 #Broadcast

Uhm.  The broadcast addresses of your interfaces are
192.0.0.255 and 192.168.1.255, respectively.  Normally
you don't need to handle broadcasted packets in a
special way in your rule set.

 > $c 00102 $skip UDP from any 137 to 192.168.1.255 137 in via ed0 #shares
 > $c 00103 $skip UDP from any 138 to 192.168.1.255 138 in via ed0 #shares

I'm not 100% familiar with those protocols, but I very much
doubt that they use the same number for the source _and_
destination port.

 > $c 00104 $skip UDP from $iDNS 53 to $iInternet in via ed0 #DNS

That rule would match only DNS reply packets from your
internal DNS servers to the internet (if I understand your
variables correctly).  Doesn't seem to make sense, because
I don't see any rules for matching appropriate request
packets.

 > $c 00110 $skip TCP from 192.168.1.235 to $iMe 22 in via ed0 #SSH from me

Either the rule is wrong, or the comment.  :-)
The rule matches SSH _to_ the host.
I don't see a rule which allows outgoing SSH connections.

 > $c 00199 $skiplog all from any to any in via ed0

You can omit the "in via ed0", saving a few cycles.  The
check isn't necessary at this point.

But where's your $denylog rule?  You're basically allowing
all remaining packets.

 > $c 00295 $skip UDP from any to 255.255.255.255 60001 in via vr0 #Broadcast

Please excuse me, but your rules keep confusing me more and
more.  :-)

So you're allowing broadcasts on 255.255.255.255 port 60001.
The only thing using that port (AFAICT) is a trojan called
Trinity.  So is it your intention to broadcast that trojan
to the whole internet?  :-)

The following rules have similar issues as those already
mentioned above, so I won't repeat them.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"A language that doesn't have everything is actually easier
to program in than some that do."
        -- Dennis M. Ritchie
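Added example, not part of Oliver's message or of the original poster's rule set: a small Python model of the prefix-length masking explained in the reply (why /16 on 192.168.1.1 covers far more than the intended /24) and of ipfw's first-match scan over the three lo0/127.0.0.0/8 rules. The rule table, the closing catch-all rule and the function names are constructed for illustration; protocol and port matching are left out.

```python
import ipaddress

def netmask(prefix_len):
    """32-bit mask with the leftmost prefix_len bits set (e.g. /24 -> 0xFFFFFF00)."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def network_of(addr, prefix_len):
    """Clear the host bits of addr; the result is the base address ipfw convention writes."""
    n = int(ipaddress.IPv4Address(addr)) & netmask(prefix_len)
    return str(ipaddress.IPv4Address(n))

def host_count(prefix_len):
    """Number of addresses the prefix covers: a /16 is 256 times the size of a /24."""
    return 1 << (32 - prefix_len)

def in_network(addr, cidr):
    """True if addr lies inside cidr; strict=False tolerates host-style forms like 192.168.1.1/16."""
    return ipaddress.IPv4Address(addr) in ipaddress.ip_network(cidr, strict=False)

# Constructed rule table: the three lo0 rules from the reply plus a constructed
# closing catch-all.  Fields: number, action, src, dst, via-interface (None = any).
LO0_RULES = [
    (10, "pass", "any", "any", "lo0"),
    (20, "deny", "any", "127.0.0.0/8", None),
    (30, "deny", "127.0.0.0/8", "any", None),
    (65535, "deny", "any", "any", None),
]

def addr_matches(spec, addr):
    return spec == "any" or in_network(addr, spec)

def first_match(rules, src, dst, iface):
    """Simplified ipfw semantics: rules are scanned in ascending number order and
    the first rule whose interface and addresses match decides the packet."""
    for number, action, src_spec, dst_spec, via in rules:
        if via is not None and via != iface:
            continue
        if addr_matches(src_spec, src) and addr_matches(dst_spec, dst):
            return number, action
    return None
```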

