How to use IPFW to filter routing

Rakor freebsd at rakor-net.de
Sun Jan 29 17:53:07 UTC 2017


Hi and thanks for your reply!

> Am 29.01.2017 um 17:40 schrieb Thomás <thoms3rd at gmail.com>:
> 
> Sat, Jan 28, 2017 at 01:58:01PM +0100, Rakor:
>> As far as I know a packet is once scanned by IPFW and then first hit wins. So, if I set the following a packet coming from VLAN3 for port 80 is permitted to travel all the way it wants, even to VLAN2. Putting another rule behind just allowing to travel out using igb2 is not checked, because the search terminated after first hit.
>>      ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state
> 
> Have you tried something like this?
> 
> ipfw add deny tcp from 10.10.30.0/24 to 10.10.10.0/24 setup keep-state
> ipfw add deny tcp from 10.10.30.0/24 to 10.10.20.0/24 setup keep-state
> ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state

This will work. But for any new subnet I’ll have to remember to deny it for any other subnets. I think this can become unhandy very soon.


>> If I try the following the packets are all rejected. I think the inspection is done before the routing, so IPFW does not know it should be forwarded using igb2.
>>      ipfw add allow tcp from 10.10.30.0/24 to any 80 out via igb2 setup keep-state
> 
> IPFW can do routing table lookups as needed. Something else must be
> going on here. Log rules may be of help to debug and understand your
> ruleset.

I also tried it using recv and xmit rules.

First I tried:
	ipfw add allow tcp from 10.10.30.0/24 to any out recv igb0.30 xmit igb2 setup keep-state
it does not work.

and later I tried this 
	ipfw add allow tcp from 10.10.30.0/24 to any out xmit igb2 setup keep-state 
also not working

Anytime it was caught by my default rule at the end:
	00150 deny log logamount 5 ip from any to any

/var/log/security said:

	150 Deny TCP 10.10.30.5:51145 82.193.243.115:80 in via igb0.30

So to me it looks like he does not know that the packet will be transmitted via igb2 at the moment it is inspected.


>> So I don’t know how to filter packets that should be routed in a exact manner. Can you help me?
> 
> There are plenty of ways to filter packets in that setup, the "exact"
> one depends on what you are trying to achieve.

OK. So I’d like to have deny by default (as ipfw is working). Then I’d like to say exactly which traffic is allowed. So in my mind I’ll have no additional deny-rules. I’d like to say from which interface to which interface the traffic is traveling, because this respects my VLANs. OK, because there is an IP attached to the devices, using the subnets would do it also (but I feel more comfortable seeing my interfaces - maybe it’s stupid).

So the rules I’d like to write say:
"allow tcp from VLAN3 to Internet using ports 80,443 coming from igb0.3 going to igb2 and deny all the rest."
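As an added illustration (not part of the thread, and not a real ipfw parser), here is a small Python model of ipfw's first-match evaluation on the two passes a routed packet makes: an inbound pass, where the transmit interface is still unknown, and an outbound pass after routing. It ignores dynamic state (keep-state) and models only src/dst/port, in/out, recv, xmit and via; the VLAN2 interface name igb0.20 and the address 10.10.20.7 are assumed for the test.

```python
import ipaddress

# Constructed mini rule model: number, action, src, dst, dport, direction, recv, xmit, via.
def rule(num, action, src, dst, dport=None, direction=None, recv=None, xmit=None, via=None):
    return dict(num=num, action=action, src=ipaddress.ip_network(src),
                dst=ipaddress.ip_network(dst), dport=dport, direction=direction,
                recv=recv, xmit=xmit, via=via)

def matches(r, pkt):
    """Match one rule against one pass. On the inbound pass pkt['xmit'] is None,
    because the routing decision has not been made yet (this is why the logged
    '150 Deny ... in via igb0.30' line appears for an 'out xmit igb2' rule)."""
    if pkt["src"] not in r["src"] or pkt["dst"] not in r["dst"]:
        return False
    if r["dport"] is not None and pkt["dport"] != r["dport"]:
        return False
    if r["direction"] is not None and r["direction"] != pkt["direction"]:
        return False
    if r["recv"] is not None and r["recv"] != pkt["recv"]:
        return False
    if r["xmit"] is not None and r["xmit"] != pkt["xmit"]:  # never true on the in pass
        return False
    # 'via' looks at the transmit interface on the out pass, the receive interface otherwise
    iface = pkt["xmit"] if pkt["direction"] == "out" else pkt["recv"]
    if r["via"] is not None and r["via"] != iface:
        return False
    return True

def first_match(rules, pkt):
    for r in rules:
        if matches(r, pkt):
            return r["num"], r["action"]
    raise RuntimeError("ruleset has no catch-all rule")

def forward(rules, src, dst, dport, recv, xmit):
    """Evaluate both passes of a forwarded packet; returns (in-pass, out-pass or None)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inp = first_match(rules, dict(src=src, dst=dst, dport=dport, direction="in", recv=recv, xmit=None))
    if inp[1] == "deny":
        return inp, None
    outp = first_match(rules, dict(src=src, dst=dst, dport=dport, direction="out", recv=recv, xmit=xmit))
    return inp, outp

DEFAULT = rule(150, "deny", "0.0.0.0/0", "0.0.0.0/0")
# The rule from the mail: it only pins the transmit interface, so it cannot match the in pass.
XMIT_ONLY = [rule(100, "allow", "10.10.30.0/24", "0.0.0.0/0", 80, direction="out", xmit="igb2"), DEFAULT]
# Interface-pinned variant: admit the packet on VLAN3's interface, then require it to leave via igb2.
PINNED = [rule(100, "allow", "10.10.30.0/24", "0.0.0.0/0", 80, direction="in", recv="igb0.30"),
          rule(110, "allow", "10.10.30.0/24", "0.0.0.0/0", 80, direction="out", recv="igb0.30", xmit="igb2"),
          DEFAULT]
```

With PINNED, a VLAN3 packet routed towards another VLAN is admitted on the in pass but falls through to the default deny on the out pass, because no rule allows xmit on that interface.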



More information about the freebsd-ipfw mailing list