ipfw/nated stateful rules example

Thomas T. Veldhouse veldy at veldy.net
Mon Jan 19 14:26:34 PST 2004


fbsd_user wrote:
> I disagree with you that the /etc/rc.firewall is the best example.
> It's really a good example of stateless rules, & how to use
> scripting Symbolic substitution.
>
> I have working keep-state rule set using user-ppp -nat, but as soon
> as I add that darn legacy divert rule and drop user-ppp -nat it will
> not work. The dynamic stateful rules table always ends up with a
> mismatch between the public and private IP address. Moving the divert
> rule around only changes which ip address gets posted to the
> stateful table(ie: the private or public one).
>
> Test results look like that legacy divert subroutine call to NATD is
> the problem. I see the same mismatched IP address problem when stateless
> rules are used, but since there is no stateful table involved it
> just slips by unnoticed.
>
> Was hoping that the ipfw2 rewrite would have fixed this problem.
>
>
>
>
>
>
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Thomas T.
> Veldhouse
> Sent: Monday, January 19, 2004 1:41 PM
> To: fbsd_user at a1poweruser.com; freebsd-questions at FreeBSD. ORG
> Subject: Re: ipfw/nated stateful rules example
>
> fbsd_user wrote:
>> Friends
>> In both 4.9 and 5.2 I cannot get a rule set to function that only
>> uses 'keep-state' rules for outbound and inbound selection control
>> and the divert rule.
>>
>> Does anybody have a rule set they can share with me as a sample
>> for me to see?
>>
>> Thanks
>>
>
> The best sample is /etc/rc.firewall [and look in
> /usr/share/examples/ipfw
> for a potentially useful script to use while testing].  I have moved
> over to
> IPFILTER due to the fact that natd is userland based and is more
> problematic
> [than ipnat] because of it.
>
> Tom Veldhouse

Here are the contents of one that I used to use when I used IPFW ... it was
originally and loosely based on /etc/rc.firewall.

#
# Setup system for firewall service.
#
# Suck in the configuration variables.
# When the caller has already loaded rc.conf (presumably what sets
# source_rc_confs_defined; verify against /etc/defaults/rc.conf) there is
# nothing to do.  Otherwise prefer the defaults file, which in turn pulls
# in the local rc.conf via source_rc_confs, and fall back to a bare
# /etc/rc.conf only when the defaults file is not readable.
if [ -n "${source_rc_confs_defined}" ]; then
  : # configuration already loaded by the caller
elif [ -r /etc/defaults/rc.conf ]; then
  . /etc/defaults/rc.conf
  source_rc_confs
elif [ -r /etc/rc.conf ]; then
  . /etc/rc.conf
fi
############
# Set quiet mode if requested
#
# fwcmd is the ipfw invocation used by every rule below.  It is two words
# ("/sbin/ipfw -q") when firewall_quiet is yes, which is why the rules
# expand ${fwcmd} unquoted.  The yes check is case-insensitive.
fwcmd="/sbin/ipfw"
case ${firewall_quiet} in
[Yy][Ee][Ss]) fwcmd="/sbin/ipfw -q" ;;
esac
############
# Flush out the list before we begin.
#
# Removes every existing rule (and with it any dynamic state) before the
# new set is installed; -f skips ipfw's confirmation prompt.  Because
# the kernel default is deny unless IPFIREWALL_DEFAULT_TO_ACCEPT is set
# (see the end of this script), a remote session is cut off between this
# flush and the rules that re-admit it, so run this from the console or
# with a fallback in place.
$fwcmd -f flush

# Outside (public) interface: name, network, netmask and this host's
# address.  The x.y.z values are placeholders left in by the poster and
# must be replaced before use.
oif=dc0
onet=x.y.z.32
omask=255.255.255.240
oip=x.y.z.33
# Inside (private) interface: name, network, netmask and this host's
# address.  Note that the rules below address this host as 'me', so
# oip and iip are only informational here.
iif=fxp0
inet=192.168.1.0
imask=255.255.255.0
iip=192.168.1.3
# Outlaw addresses: traffic from these is never allowed.  A space-separated
# list; the 'for outlaw in ${outlaws}' loop below relies on word-splitting
# to iterate over it.
outlaws=24.93.67.0/24

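############
# Only in rare cases do you want to change these rules
#
# Loopback: everything on lo0 is fine, but 127/8 addresses must never be
# seen on any other interface, in either direction.
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 105 deny all from any to 127.0.0.0/8
${fwcmd} add 110 deny ip from 127.0.0.0/8 to any
# ip-options (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options)
# Drop and log source-routed, timestamp and record-route packets on the
# outside interface.  Keep this on ONE line: the posted copy had 'via'
# and ${oif} on separate lines, so ipfw rejected the rule (no interface
# after 'via') and nothing in this script checks ipfw's exit status,
# which leaves the firewall silently without this check.
${fwcmd} add deny log ip from any to any ipoptions ssrr,lsrr,ts,rr via ${oif}
# allow certain ICMP through (allows ping, traceroute, plus
# the required source quench and similar)
# Types: 0 echo reply, 3 destination unreachable (needed for path-MTU
# discovery), 4 source quench, 8 echo request, 11 time exceeded
# (traceroute), 12 parameter problem.  The posted copy read
# "icmp and to any", which ipfw does not parse; with that rule missing
# the catch-all deny below would have blocked all ICMP on ${oif},
# including the unreachables that path-MTU discovery depends on.
${fwcmd} add pass icmp from any to any icmptypes 0,3,4,8,11,12 via ${oif}
# silently block router advertisements (ICMP type 9) on the outside.
# Type 9 is not in the list above, so the final deny below would catch
# it anyway; this rule just makes the intent explicit.
${fwcmd} add deny icmp from any to any icmptypes 9 via ${oif}
${fwcmd} add pass icmp from any to any via ${iif} # allow all internally
${fwcmd} add deny icmp from any to any
# Stop spoofing: our inside addresses must never arrive on the outside
# interface, and our outside addresses never on the inside one.
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
# ('via' without 'in'/'out' matches both directions on ${oif}.)
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}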
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.
# The divert is only installed when natd_enable is yes (case-insensitive)
# AND natd_interface names an interface; both come from rc.conf.
# NOTE(review): this sits ahead of the check-state/keep-state rules
# below.  A forwarded packet passes the ruleset once via ${iif} and once
# via ${oif}, and natd rewrites its addresses in between, so the two
# passes see different addresses at the keep-state rules -- which looks
# like the public/private mismatch discussed upthread.  'ipfw -d list'
# shows the dynamic entries and is the quickest way to confirm which
# addresses were recorded.
if [ -n "${natd_interface}" ]; then
  case ${natd_enable} in
  [Yy][Ee][Ss]) $fwcmd add divert natd all from any to any via ${natd_interface} ;;
  esac
fi
# Stop RFC1918 nets on the outside interface
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
# Same ranges as the destination checks above, now as the SOURCE: a
# packet claiming to come from a private, reserved, multicast or class-E
# address is refused in both directions on ${oif}.  One deny rule is
# added per range, in this order.
for badnet in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
    0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4; do
  $fwcmd add deny all from $badnet to any via $oif
done
# block all outlaw address
# ${outlaws} is a space-separated list (see where it is set above) and
# is deliberately unquoted so the shell splits it into one address per
# iteration.  Unlike the rules above there is no 'via', so an outlaw
# source is refused on every interface.
for outlaw in ${outlaws}; do
  $fwcmd add deny all from ${outlaw} to any
done
# Allow stateful connections
# check-state looks the packet up in the dynamic table; on a hit it
# applies the action of the keep-state rule that created the entry (pass,
# for every keep-state rule in this file), otherwise evaluation continues
# with the static rules below.
$fwcmd add check-state
# Allow TCP through if setup succeeded
# NOTE(review): 'established' matches every TCP segment with ACK or RST
# set, to any port of this host, not only replies to connections the
# rules below admitted.  It is what carries the inbound service
# connections, since their 'setup' rules below do not keep state; the
# stateful alternative is 'setup keep-state' on those rules so that
# check-state carries the flow instead.
$fwcmd add pass tcp from any to me established
# Allow IP fragments to pass through
# NOTE(review): 'frag' matches non-first fragments, which carry no port
# numbers; this rule accepts them for ANY destination, not just 'me',
# and none of the port-based rules below ever see them.
$fwcmd add pass all from any to any frag
# Allow access to services
# 'me' is any address configured on this host.  'setup' matches only the
# initial SYN; the remainder of each connection is admitted by the
# 'established' rule above.
#$fwcmd add pass tcp from any to me 20 # ftp
#$fwcmd add pass tcp from any to me 21 # ftp
$fwcmd add pass tcp from any to me 22 setup # ssh
$fwcmd add pass tcp from any to me 25 setup # smtp
$fwcmd add pass tcp from any to me 53 setup # dns
$fwcmd add pass udp from any to me 53 # dns
$fwcmd add pass udp from me 53 to any # dns
$fwcmd add pass tcp from any to me 80 setup # http
$fwcmd add pass tcp from any to me 443 setup # https
$fwcmd add pass tcp from any to me 993 setup # imap-ssl
$fwcmd add pass tcp from any to me 995 setup # pop3-ssl
# Allow access to internal services
# Reachable from the inside network only.  No 'setup' here, so any TCP
# segment from the LAN to these ports is accepted.
lan="${inet}:${imask}"
for port in 110 143 3128 3306 8080; do # pop3 imap squid mysql tomcat
  $fwcmd add pass tcp from $lan to me $port
done
# Reject&Log all setup of incoming connections from the outside
# (any source, so LAN hosts opening TCP to ports not listed above are
# logged and refused here as well)
$fwcmd add deny log tcp from any to me setup
# block all other udp traffic
$fwcmd add deny udp from any to me
# Allow all outgoing traffic from the lan
# keep-state records each flow so that its replies hit check-state.
$fwcmd add pass tcp from $lan to any keep-state
$fwcmd add pass udp from $lan to any keep-state
# Allow setup of any other TCP and all UDP connections
$fwcmd add pass tcp from me to any setup keep-state
$fwcmd add pass udp from me to any keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.

Tom Veldhouse



