IPFW via command problem

imoore at picknowl.com.au imoore at picknowl.com.au
Sat Dec 13 23:45:48 PST 2003


Jaime writes: 

> On Sunday, December 14, 2003, at 01:49  AM, Ian Moore wrote:
>> # Allow outgoing pings
>> ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
>> ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif} 
>> 
>> where I have defined ${oif} as
>> oif="xl1"
>> where xl1 is my external interface 
>> 
>> The above lines don't allow pings to the outside world, but if I leave out
>> `via ${oif}` then pings are allowed.
> 
> 	I'd have to know more about your firewall to be certain, but it looks 
> kind of like you've overlooked the IPFW rules that would be needed by 
> your internal interface.  If the external interface allows pings but the 
> internal doesn't, then it won't let pings pass through the box.  They will 
> be stopped at the internal interface on their way from your internal 
> workstation to the firewall. 
> 
> 								Hope that helps,
> 								Jaime 
> 

Perhaps I should have posted the whole script, though you can see it at the 
web site I mentioned. There is a rule just before those 2 to allow icmp on 
the internal interface:
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif} 

Here is my config in full, except for the external address & dns addresses: 

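# ipfw ruleset for a two-interface gateway: xl0 faces the LAN
# (192.168.0.0/24), xl1 faces the outside world, and natd(8) translates
# LAN traffic on the interface named by natd_interface.
#
# Usage:  sh <this file> [firewall_type]
# Settings: every address/interface variable is set inline below;
# natd_interface is expected to come from rc.conf, which is sourced first.
# ipfw stops at the first matching rule, so the order of the rules (and
# the explicit numbers on the last few) is part of the policy.

# Suck in the configuration variables.  source_rc_confs is defined in
# /etc/defaults/rc.conf and reads /etc/rc.conf (plus any rc_conf_files).
if [ -r /etc/defaults/rc.conf ]; then
       . /etc/defaults/rc.conf
       source_rc_confs
elif [ -r /etc/rc.conf ]; then
       . /etc/rc.conf
fi 

# Optional first argument selects the firewall type, as rc.firewall does.
# It is recorded here but not referenced by any rule below.
if [ -n "${1}" ]; then
       firewall_type="${1}"
fi 

# Firewall program
fwcmd="/sbin/ipfw" 

# Outside interface network and netmask and ip
oif="xl1"
onet="x.x.x.0"
omask="255.255.255.0"
oip="x.x.x.y" 

# Inside interface network and netmask and ip
iif="xl0"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.9" 

# My ISP's DNS servers
dns1="z.z.z.z"
dns2="y.y.y.y" 

# Flush previous rules.  Until the last rule below is installed the box
# runs on a partial ruleset; with the kernel default of deny (see the
# last comment in this file) that means blocked, not open.
${fwcmd} -f flush 

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8 

# Pass ARP.  This is only needed when the kernel is built with
# 'options BRIDGE'; it is active here.
${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0 

# Stop spoofing: inside addresses must not arrive on the outside
# interface and vice versa.
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} 

# Stop RFC1918 nets on the outside interface (destination side).
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif} 

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface (destination side).
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif} 

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
#
# natd_interface is not set in this file; it has to come from rc.conf.
# If it is empty the divert rule is syntactically invalid and ipfw
# refuses it, leaving LAN traffic untranslated on ${oif} where the
# RFC1918 source rules below would presumably drop it.  Make that
# failure explicit rather than relying on ipfw's error message.
if [ -n "${natd_interface}" ]; then
       ${fwcmd} add divert natd all from any to any via ${natd_interface}
else
       printf '%s\n' "warning: natd_interface is not set (rc.conf); NAT divert rule not installed" >&2
fi 

# Stop RFC1918 nets on the outside interface (source side).
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif} 

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface (source side).
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif} 

# Allow established connections with minimal overhead
${fwcmd} add pass tcp from any to any established 

# Allow IP fragments to pass through.  Non-first fragments carry no port
# information, so they are not subject to the port-based rules below.
${fwcmd} add pass all from any to any frag 

### TCP RULES 

# HTTP and SMTP - Allow incoming connections to our web and mail servers
${fwcmd} add pass tcp from any to any 80 setup
${fwcmd} add pass tcp from any to any 25 setup 

# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections.
# NOTE: the data-channel rule trusts the source port alone, so any host
# using source port 20 can open a connection to local ports 1024-65535.
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup 

# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup 

# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup 

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup 

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup 


### UDP RULES 

# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any 

# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif} 

# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add pass log udp from any to any 514 via ${iif} 

# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif} 

# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif} 


### ICMP RULES 

# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif} 

# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif} 

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif} 

# Deny the rest of them
${fwcmd} add deny log icmp from any to any 

### MISCELLANEOUS REJECT RULES 

# The next three rules share number 63000; ipfw evaluates rules with the
# same number in the order they were added.
# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}
# Allow broadcasts from inside interface
${fwcmd} add 63000 allow ip from any to 0.0.0.255:0.0.0.255 in via ${iif}
${fwcmd} add 63000 allow ip from any to 0.0.0.255:0.0.0.255 out via ${oif} 


# Reject&Log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif} 

# Reject&Log all other connections from outside interface
${fwcmd} add 65000 deny log ip from any to any via ${oif} 

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel 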


