How to use IPFW to filter routing

Thomas thoms3rd at gmail.com
Thu Feb 2 22:37:57 UTC 2017


Sun, Jan 29, 2017 at 06:52:58PM +0100, Rakor:
> Hi and thanks for your reply!

Hello! Sorry for not following up, I was busy and forgot.

> I also tried it using recv and xmit rules.
> [...] 
> So to me it looks like he does not know that the packet will be transmitted via igb2 at the moment it is inspected.

Yeah, if via doesn't work, recv and xmit probably won't either. I can't
tell at a glance why your out rule is not working =\.

> > Have you tried something like this?
> > 
> > ipfw add deny tcp 10.10.30.0/24 to 10.10.10.0/24 setup keep-state
> > ipfw add deny tcp 10.10.30.0/24 to 10.10.20.0/24 setup keep-state
> > ipfw add allow tcp 10.10.30.0/24 to any 80 setup keep-state
> 
> This will work. But for any new subnet I’ll have to remember to deny it for any other subnets. I think this can become unhandy very soon.
> [...]
> OK. So I’d like to have deny by default (as ipfw is working). Then I’d like to say exactly which traffic is allowed. So in my mind I’ll have no additional deny-rules. I’d like to say from which interface to which interface the traffic is traveling, because this respects my VLANs. OK, because there is an IP attached to the devices, using the subnets would do it also (but I feel more comfortable seeing my interfaces - maybe it’s stupid).
> 
> So the rules I’d like to write say:
> "allow tcp from VLAN3 to Internet using ports 80,443 coming from igb0.3 going to igb2 and deny all the rest."

Of course, our mileages will be different, but avoiding deny rules can
make things more complicated. A simpler, more explicit ruleset, even if
it's a little longer, is generally safer and better. Performance (if
it's at all a concern to you) may also suffer, as packets traverse more
rules.

As far as the number of subnets becoming unhandy, that is unavoidable if
you're managing them individually like that. It may help to group them
into zones and write your ruleset in terms of that. Use variables in
your firewall script, and tables; "skipto" also comes in handy.

Finally, filtering based on interfaces is good, but it's seldom enough.
At least *I* could never avoid having addresses in the rules and still
manage to filter everything I needed to. Also, using only the in/out
interfaces in your rules makes them much more broad, and less flexible.

Hope some of the above is useful to you, as it is to me when writing my
rulesets.


Cheers,

- Thomás
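One way to lay out the zones/tables/skipto approach the reply describes, as an added example that is not part of the thread: interface and subnet names are assumed from the quoted messages, and fwcmd defaults to a dry-run echo so the script can be inspected on any host before being applied with fwcmd=/sbin/ipfw on the router.

```shell
#!/bin/sh
# Added example, not from the thread: a zone-oriented ipfw ruleset built
# the way the reply suggests (variables, a table per zone, skipto blocks,
# explicit default deny). Interface and subnet names are assumed from the
# thread. fwcmd defaults to "echo ipfw" so the script can be dry-run
# anywhere; on the FreeBSD router run it with fwcmd=/sbin/ipfw.
fwcmd="${fwcmd:-echo ipfw}"

vlan3_if="igb0.3"
vlan3_net="10.10.30.0/24"
other_nets="10.10.10.0/24 10.10.20.0/24"

load_ruleset() {
    $fwcmd -q flush
    $fwcmd -q table all destroy

    # Zone membership lives in tables, so adding a subnet later means one
    # "table add", not a new deny rule against every other subnet.
    $fwcmd -q table vlan3 create type addr
    $fwcmd -q table internal create type addr
    $fwcmd -q table vlan3 add "$vlan3_net"
    for net in $vlan3_net $other_nets; do
        $fwcmd -q table internal add "$net"
    done

    # Replies and the outbound pass of allowed flows match the dynamic rule
    # created by keep-state below, so they need no per-interface rules.
    $fwcmd -q add 100 check-state

    # Dispatch on ingress interface plus source zone; each zone gets its own
    # numbered block. Anything matching no zone falls to the final deny.
    $fwcmd -q add 1000 skipto 3000 ip from "table(vlan3)" to any in recv "$vlan3_if"

    # 3000: VLAN3 policy. "Internet" is expressed as "not any internal zone",
    # so traffic to another VLAN is denied without listing each one. The out
    # interface is unknown on the "in" pass, hence no xmit check here.
    $fwcmd -q add 3000 allow tcp from any to not "table(internal)" 80,443 \
        in recv "$vlan3_if" setup keep-state
    $fwcmd -q add 3999 deny log ip from any to any

    # Explicit default deny, regardless of the kernel's compiled-in default.
    $fwcmd -q add 65000 deny log ip from any to any
}

load_ruleset
```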


