ipfw/nated stateful rules example

fbsd_user fbsd_user at a1poweruser.com
Mon Jan 19 14:55:37 PST 2004


Sorry but the rule set you posted is doing 'keep-state' on the lan
interface and not the interface facing the public internet. All the
rule statements processing against the public interface are
stateless.  Doing stateful testing on the private lan is just a waste
of cpu cycles, it proves nothing other than you have less trust in
your lan users than you have in unknown public internet users.

Like I said in previous post the /etc/rc.firewall file is useless as
it does not use stateful rules on the interface facing the public
internet where it will do the most good.

But thanks for taking the time to reply.  So if you no longer use
ipfw what do you use? And why did you change?

-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Thomas T.
Veldhouse
Sent: Monday, January 19, 2004 5:26 PM
To: fbsd_user at a1poweruser.com; freebsd-questions at FreeBSD. ORG
Subject: Re: ipfw/nated stateful rules example

fbsd_user wrote:
> I disagree with you that the /etc/rc.firewall is the best example.
> It's really a good example of stateless rules, & how to use
> scripting Symbolic substitution.
>
> I have a working keep-state rule set using user-ppp -nat, but as soon
> as I add that darn legacy divert rule and drop user-ppp -nat it will
> not work. Dynamic stateful rules table always ends up with a
> mis-match between public and private ip address. Moving the divert
> rule around only changes which ip address gets posted to the
> stateful table (ie: the private or public one).
>
> Test results look like that legacy divert subroutine call to NATD is
> the problem. See the same mis-match ip address problem when stateless
> rules are used, but since there is no stateful table involved it
> just slips by un-noticed.
>
> Was hoping that the ipfw2 rewrite would have fixed this problem.
>
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Thomas T.
> Veldhouse
> Sent: Monday, January 19, 2004 1:41 PM
> To: fbsd_user at a1poweruser.com; freebsd-questions at FreeBSD. ORG
> Subject: Re: ipfw/nated stateful rules example
>
> fbsd_user wrote:
>> Friends
>> In both 4.9 and 5.2 I can not get a rule set to function that only
>> uses 'keep-state' rules for outbound and inbound selection control
>> and the divert rule.
>>
>> Does anybody have a rule set they can share with me as a sample
>> for me to see.
>>
>> Thanks
>>
>
> The best sample is /etc/rc.firewall [and look in /usr/share/examples/ipfw
> for a potentially useful script to use while testing].  I have moved
> over to IPFILTER due to the fact that natd is userland based and is more
> problematic [than ipnat] because of it.
>
> Tom Veldhouse

Here are the contents of one that I used to use when I used IPFW ... it was
originally and loosely based off of /etc/rc.firewall.

#
# Setup system for firewall service.
#
# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi
############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
    fwcmd="/sbin/ipfw -q"
    ;;
*)
    fwcmd="/sbin/ipfw"
    ;;
esac
############
# Flush out the list before we begin.
#
${fwcmd} -f flush

# set these to your outside interface network and netmask and ip
oif="dc0"
onet="x.y.z.32"
omask="255.255.255.240"
oip="x.y.z.33"
# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.168.1.0"
imask="255.255.255.0"
iip="192.168.1.3"
# outlaw addresses, never allow traffic from these
outlaws="24.93.67.0/24"

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 105 deny all from any to 127.0.0.0/8
${fwcmd} add 110 deny ip from 127.0.0.0/8 to any
# ip-options (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options)
${fwcmd} add deny log ip from any to any ipoptions ssrr,lsrr,ts,rr via ${oif}
# allow certain ICMP through (allows ping, traceroute, plus
# the required source quench and similar)
${fwcmd} add pass icmp from any to any icmptypes 0,3,4,8,11,12 via ${oif}
# silent block on router advertisements
${fwcmd} add deny icmp from any to any icmptypes 9 via ${oif}
# allow all ICMP internally
${fwcmd} add pass icmp from any to any via ${iif}
${fwcmd} add deny icmp from any to any
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.
case ${natd_enable} in
[Yy][Ee][Ss])
    if [ -n "${natd_interface}" ]; then
        ${fwcmd} add divert natd all from any to any via ${natd_interface}
    fi
    ;;
esac
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
# block all outlaw address
for outlaw in ${outlaws}; do
    ${fwcmd} add deny all from ${outlaw} to any
done
# Allow stateful connections
${fwcmd} add check-state
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to me established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow access to services
#${fwcmd} add pass tcp from any to me 20 # ftp
#${fwcmd} add pass tcp from any to me 21 # ftp
${fwcmd} add pass tcp from any to me 22 setup # ssh
${fwcmd} add pass tcp from any to me 25 setup # smtp
${fwcmd} add pass tcp from any to me 53 setup # dns
${fwcmd} add pass udp from any to me 53 # dns
${fwcmd} add pass udp from me 53 to any # dns
${fwcmd} add pass tcp from any to me 80 setup # http
${fwcmd} add pass tcp from any to me 443 setup # https
${fwcmd} add pass tcp from any to me 993 setup # imap-ssl
${fwcmd} add pass tcp from any to me 995 setup # pop3-ssl
# Allow access to internal services
${fwcmd} add pass tcp from ${inet}:${imask} to me 110 # pop3
${fwcmd} add pass tcp from ${inet}:${imask} to me 143 # imap
${fwcmd} add pass tcp from ${inet}:${imask} to me 3128 # squid
${fwcmd} add pass tcp from ${inet}:${imask} to me 3306 # mysql
${fwcmd} add pass tcp from ${inet}:${imask} to me 8080 # tomcat
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to me setup
# block all other udp traffic
${fwcmd} add deny udp from any to me
# Allow all outgoing traffic from the lan
${fwcmd} add pass tcp from ${inet}:${imask} to any keep-state
${fwcmd} add pass udp from ${inet}:${imask} to any keep-state
# Allow setup of any other TCP and all UDP connections
${fwcmd} add pass tcp from me to any setup keep-state
${fwcmd} add pass udp from me to any keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.

Tom Veldhouse
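As an added example (not code from this thread, from /etc/rc.firewall, or from FreeBSD), here is a rule set that keeps state on the public interface, as the reply at the top asks for, and orders the two natd divert rules so the dynamic table only ever holds private addresses, which is the public/private mismatch the quoted message describes. Interface names, the LAN network and the single offered service are assumptions; by default it only prints the ipfw commands.

```shell
#!/bin/sh
# Added example (not from the thread): keep state on the public interface and order
# the natd diverts so the dynamic table only ever holds private addresses.  Interfaces
# and networks are assumed.  Dry run prints the commands; FWCMD=/sbin/ipfw applies them.
fwcmd="${FWCMD:-echo /sbin/ipfw}"
oif="dc0"              # public interface (assumed)
iif="fxp0"             # LAN interface (assumed)
lan="192.168.1.0/24"   # LAN network (assumed)
gen_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 120 deny ip from 127.0.0.0/8 to any
    ${fwcmd} add 130 allow ip from any to any via ${iif}   # LAN side: stateless is enough
    # Inbound on the public side: untranslate FIRST, so check-state compares the
    # same private address the state was recorded with.
    ${fwcmd} add 200 divert natd ip from any to any in via ${oif}
    ${fwcmd} add 210 check-state
    # Anti-spoofing: our LAN and RFC1918 space must not arrive from outside (add 10/8 etc. likewise)
    ${fwcmd} add 220 deny ip from ${lan} to any in via ${oif}
    ${fwcmd} add 230 deny ip from 192.168.0.0/16 to any in via ${oif}
    # Outbound: record state while the source is still private, then skip to the
    # divert-out rule.  The dynamic rule inherits the skipto, so reply packets
    # matched by check-state land at 800 too and fall through to 810.
    ${fwcmd} add 300 skipto 800 tcp from ${lan} to any out via ${oif} setup keep-state
    ${fwcmd} add 310 skipto 800 udp from ${lan} to any out via ${oif} keep-state
    ${fwcmd} add 320 skipto 800 icmp from ${lan} to any out via ${oif} keep-state
    ${fwcmd} add 330 skipto 800 tcp from me to any out via ${oif} setup keep-state
    ${fwcmd} add 340 skipto 800 udp from me to any out via ${oif} keep-state
    # The one service the gateway offers to the outside
    ${fwcmd} add 400 allow tcp from any to me 22 in via ${oif} setup keep-state
    # Anything else arriving from outside without a state entry is logged and dropped
    ${fwcmd} add 500 deny log ip from any to any in via ${oif}
    ${fwcmd} add 800 divert natd ip from any to any out via ${oif}   # translate, then pass
    ${fwcmd} add 810 allow ip from any to any
    ${fwcmd} add 999 deny log ip from any to any
}
# Check a listing (the dry run above or `ipfw list` on a live box) for the ordering
# divert-in < check-state < every keep-state rule < divert-out; exit 0 when correct.
check_order() {
    awk '{ n = ($1 ~ /^[0-9]+$/) ? $1 + 0 : $3 + 0 }
         /divert/ && / in via /  { din = n }
         /check-state/           { cs = n }
         /keep-state/ { if (!ksmin || n < ksmin) ksmin = n; if (n > ksmax) ksmax = n }
         /divert/ && / out via / { dout = n }
         END { exit !(din && cs && ksmin && dout && din < cs && cs < ksmin && ksmax < dout) }'
}
gen_rules
```

After loading the rules for real, `ipfw list | sh -c '. ./thisscript.sh >/dev/null; check_order'` (or simply piping the listing into check_order from a shell that has sourced the script) confirms the same ordering survived on the live box.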


_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"


