Firewall Rules/connection troubles

Tommy Forrest - KE4PYM tforrest at shellworld.net
Fri Apr 11 17:23:57 PDT 2003


Recently, I upgraded to FreeBSD 4.8.  I decided to use a closed
firewall.  I did some research and found some sample stateful firewall
rules.  I've worked them somewhat into my requirements.

I'm having some trouble.  My main complaint is that my telnet and ssh
connections to the net time out.  In the script you see below you do not
see the setup or keep-state comments for telnet/ssh.  I've tried it
with both and to no avail.  IRC connections also time out rather
quickly.  FTP connections to the machine are very slow and web sites
seem to lag unless you click on the links several times (all of these
behaviors are noted from an internal w2k machine).

The FBSD box should have plenty of oomph.  It is a dual P3/500 with
1GB of physical RAM.

How is this resolved/where have I gone wrong with my script?

---------------Start, my rc.firewall script------------------
#   These rules can be reloaded without rebooting by issuing this command:
#   sh /etc/ipfw.rules.conf

/sbin/ipfw -q -f flush

# Set rules command prefix
# The -q option on the command is for quiet mode.
# Do not display rules as they load. Remove during development to see.
cmd="/sbin/ipfw add"

# Set defaults
oif="xl0"                # NIC card to cable modem public internet connection
iif="xl1"                # Internal NIC card
odns1="24.93.68.64"      # ISP's dns server primary IP address
odns2="24.93.68.65"      # ISP's dns server secondary IP address

$cmd 00200 divert natd ip from any to any via $oif

#Setup Loop back
$cmd 00100 pass all from any to any via lo0
$cmd 00101 deny all from any to 127.0.0.0/8
$cmd 00102 deny ip from 127.0.0.0/8 to any

########  control section  ############################################
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# The check-state statement behavior is to match bi-directional packet traffic
# flow between source and destination using protocol/IP/port/sequence number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.

# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
$cmd 00400 check-state

# Run all private LAN $iif packet traffic through the dynamic rules
# table so the IP addresses are in sync with natd.
$cmd 00500 allow all from any to any via $iif keep-state

# Deny all fragments as bogus packets
$cmd 00530 deny all from any to any frag in via $oif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00540 deny tcp from any to any established in via $oif

########  outbound section  ############################################
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, its keep-state option will create a dynamic rule.

# Allow out non-secure standard http function
$cmd 00600 allow tcp from any to any 80 out via $oif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00601 allow tcp from any to any 443 out via $oif setup keep-state

# Allow out access to my ISP's Domain name server.
$cmd 00610 allow tcp from any to $odns1 53 out via $oif setup keep-state
$cmd 00611 allow udp from any to $odns1 53 out via $oif
$cmd 00612 allow tcp from any to $odns2 53 out via $oif setup keep-state
$cmd 00613 allow udp from any to $odns2 53 out via $oif

# Allow out send & get email function
$cmd 00630 allow tcp from any to any 25,110 out via $oif setup keep-state

# Allow out & in FBSD (make install & CVSUP) functions
# Basically give user id [ROOT] "GOD" privileges.
$cmd 00640 allow tcp from me to any out via $oif setup keep-state uid root

# Allow NTP out
$cmd 00700 allow tcp from any to any 123 out via $oif
$cmd 00701 allow udp from any to any 123 out via $oif

# Allow telnet out
$cmd 00835 allow tcp from any to any 23 out via $oif

# Allow SSH out
$cmd 00840 allow tcp from any to any 22 out via $oif

# Allow MSN Chat out
$cmd 00850 allow tcp from any to any 1863 out via $oif

########  inbound section  ############################################
# Interrogate packets originating from in front of the firewall, public net.

# Allow in www http access to my apache server
#$cmd 00800 allow tcp from any to any 80 in via $oif setup keep-state limit src-addr 4

# Allow in SMTP
$cmd 00900 allow tcp from any to any 25 in via $oif setup keep-state limit src-addr 5

# Allow TCP FTP control channel in & data channel out
$cmd 01000 allow tcp from any to me 21 in via $oif setup keep-state limit src-addr 4
$cmd 01001 allow tcp from any 20 to any 1024-49151 out via $oif setup keep-state limit src-addr 4

# Allow in ssh function
$cmd 01001 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 5

# Allow MSN file transfers in
$cmd 01100 allow tcp from any to any 6891-6900 in via $oif

# Allow Kazaa in and out
$cmd 01200 allow tcp from any to any 1214 via $oif setup keep-state

# IRC access
$cmd 01300 allow tcp from any to any 6667 via $oif setup keep-state



Tommy Forrest - KE4PYM -  tforrest at shellworld.net
My two cents:
Dos: Venerable.  Windows: Vulnerable.  OS/2: Viable.
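Added example, not part of the original post and not FreeBSD's own tooling: a small sh/awk lint for scripts written in the "$cmd NNNNN action proto from ... to ..." form used above, run here on a constructed excerpt of the posted rules. It reports a rule number used twice (01001), the bare "keep" that ipfw rejects as a syntax error (the script has no set -e, so the remaining rules still load and only that rule is missing), and TCP rules that leave via $oif without keep-state, whose replies come back as established packets and are stopped by rule 540 unless some other keep-state rule (rule 500 for LAN traffic) already created the dynamic entry.

```shell
#!/bin/sh
# Added example, not from the original post: lint an ipfw script written in the
# "$cmd NNNNN action proto from ... to ... [options]" form used above.
# Reads the script on stdin, prints one finding per line, exits 1 if any.
lint_ipfw() {
    awk '
    /^[[:space:]]*\$cmd[[:space:]]+[0-9]+/ {
        n = $2
        if (n in seen) {            # same number twice: "ipfw delete N" drops both
            print "dup: rule " n " on line " NR " reuses the number from line " seen[n]; found++
        } else seen[n] = NR
        ks = 0; keep = 0; out_oif = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "keep-state") ks = 1
            if ($i == "keep") keep = 1     # misspelt keep-state: ipfw rejects the whole rule
            if ($i == "out" && $(i+1) == "via" && $(i+2) == "$oif") out_oif = 1
            if ($3 == "deny" && $i == "established" && $(i+1) == "in") est_deny = 1
        }
        if (keep) { print "syntax: rule " n " says \"keep\"; ipfw expects keep-state and rejects the line"; found++ }
        # tcp let out on the public side without creating a dynamic entry of its own
        if ($3 == "allow" && $4 == "tcp" && out_oif && !ks) stateless[n] = 1
    }
    END {
        if (est_deny) for (n in stateless) {
            print "state: rule " n " allows tcp out via $oif without keep-state; replies get past the established-in deny only if another keep-state rule made the entry"; found++
        }
        exit (found > 0)
    }'
}

# Constructed excerpt of the rules posted above (numbers and options as posted).
sample_rules() {
    cat <<'EOF'
$cmd 00400 check-state
$cmd 00500 allow all from any to any via $iif keep-state
$cmd 00540 deny tcp from any to any established in via $oif
$cmd 00600 allow tcp from any to any 80 out via $oif setup keep-state
$cmd 00835 allow tcp from any to any 23 out via $oif
$cmd 00840 allow tcp from any to any 22 out via $oif
$cmd 01001 allow tcp from any 20 to any 1024-49151 out via $oif setup keep limit src-addr 4
$cmd 01001 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 5
EOF
}

# Usage: lint the excerpt; a non-zero exit means findings were printed.
sample_rules | lint_ipfw || echo "fix the findings above before loading the rules"
```

To check a real script, feed it on stdin (lint_ipfw < /etc/ipfw.rules.conf); the check only understands the $cmd-prefixed rule form and ignores everything else.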