ipf out rule

Chris Knipe savage at savage.za.org
Mon May 2 03:19:27 PDT 2005


Ok, that is fair enough.

I did manage to get it up and running without locking myself out though *yay*

I am having 2 issues mainly.

FTP doesn't work at all (PASV or not), and I am getting a lot of false drops on packets which *should* be allowed...

Quick dump from the log file:
May  2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:20 pyro ipmon[8689]: 12:11:19.744860 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN
May  2 12:11:40 pyro ipmon[8689]: 12:11:39.760718 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN

/etc/ipf.rules:
# lo0 - Loopback
pass in  quick on lo0 all keep state
pass out quick on lo0 all keep state

# Bad Packet Murder
block in log quick all with ipopts
block in log quick all with short
block in log quick all with frag
block return-rst in log quick proto tcp all flags FUP
block return-rst in log quick proto tcp all flags FSRPAU

#################################################################
# Outside Interfaces
#################################################################
# rl0 - Outgoing
pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
block out log quick on rl0 all

#################################################################
# Block and log all remaining traffic coming into the firewall
# - Block  TCP with a RST (to make it appear as if the service
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
# as if the service isn't listening)
# - Block all remaining  traffic the good 'ol fashioned way
#################################################################
# rl0 - Global Incoming
block in quick on rl0 from 0.0.0.0/7 to any
block in quick on rl0 from 2.0.0.0/8 to any
block in quick on rl0 from 5.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 23.0.0.0/8 to any
block in quick on rl0 from 27.0.0.0/8 to any
block in quick on rl0 from 31.0.0.0/8 to any
block in quick on rl0 from 69.0.0.0/8 to any
block in quick on rl0 from 70.0.0.0/7 to any
block in quick on rl0 from 72.0.0.0/5 to any
block in quick on rl0 from 82.0.0.0/7 to any
block in quick on rl0 from 84.0.0.0/6 to any
block in quick on rl0 from 88.0.0.0/5 to any
block in quick on rl0 from 96.0.0.0/3 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 128.0.0.0/16 to any
block in quick on rl0 from 128.66.0.0/16 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 191.255.0.0/16 to any
block in quick on rl0 from 192.0.0.0/19 to any
block in quick on rl0 from 192.0.48.0/20 to any
block in quick on rl0 from 192.0.64.0/18 to any
block in quick on rl0 from 192.0.128.0/17 to any
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 197.0.0.0/8 to any
block in quick on rl0 from 201.0.0.0/8 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 219.0.0.0/8 to any
block in quick on rl0 from 220.0.0.0/6 to any
block in quick on rl0 from 224.0.0.0/3 to any

# rl0 - ICMP, 0 = Echo Reply, 3 = Arb Unreachable, 11 = TTL
pass in quick on rl0 proto icmp all icmp-type 0
pass in quick on rl0 proto icmp all icmp-type 3
pass in quick on rl0 proto icmp all icmp-type 11

# rl0 - x.x.x.122 FTP, FTP-DATA
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 21 flags S keep state
pass in quick on rl0 proto tcp from any to x.x.x.122 port > 49151 flags S keep state
pass out quick on rl0 proto tcp from x.x.x.122 port = 20 to any flags S keep state

# rl0 - x.x.x.122 SSH
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 22 flags S keep state keep frags

# rl0 - x.x.x.122 SMTP
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 25 flags S keep state keep frags

# rl0 - x.x.x.122 DNS
pass in quick on rl0 proto udp from any to x.x.x.122 port = 53 keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 53 flags S keep state keep frags

# rl0 - x.x.x.122 HTTP, HTTPS
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 80 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 443 flags S keep state keep frags

# rl0 - x.x.x.122 POP3
pass in quick on rl0 proto tcp from any to x.x.x.122 port = 110 flags S keep state keep frags

# rl0 - x.x.x.122 NTP
pass in quick on rl0 proto udp from a.a.a.a to x.x.x.122 port = 123 keep state keep frags
pass in quick on rl0 proto udp from b.b.b.b to x.x.x.122 port = 123 keep state keep frags
pass in quick on rl0 proto udp from c.c.c.c to x.x.x.122 port = 123 keep state keep frags

# rl0 - x.x.x.122 MySQL
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.122 port = 3306 flags S keep state keep frags

# rl0 - x.x.x.123 DNS
pass in quick on rl0 proto udp from x.x.x.120/29 to x.x.x.123 port = 53 keep state keep frags

# rl0 - x.x.x.123 Squid
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from y.y.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from z.z.0.0/16 to x.x.x.123 port = 3128 flags S keep state keep frags
pass in quick on rl0 proto tcp from x.x.x.120/29 to x.x.x.123 port = 3130 flags S keep state keep frags

# rl0 - x.x.x.123 PMX
pass in quick on rl0 proto tcp from x.x.x.122 to x.x.x.123 port = 10024 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.123 port = 18080 flags S keep state keep frags
pass in quick on rl0 proto tcp from any to x.x.x.123 port = 28080 flags S keep state keep frags

# Le Grande Finale
block in log quick on rl0 all

As always, looking forward to some help :)

--
Chris.

"I love deadlines. I especially love the whooshing sound they make as they fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
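As an added illustration (not part of Chris's post or of IPFilter itself), a small parser for the ipmon log format shown above: it groups blocked packets by the rule that logged them and picks out TCP packets carrying FIN+ACK with no SYN. Counting the `in` rules in the posted file, @0:62 is the final `block in log quick on rl0 all`, and every posted line is such a FIN/ACK packet, i.e. the close of a connection the filter no longer holds state for rather than a new connection that a `flags S keep state` rule would match; the sample uses three of the posted lines plus two constructed ones.

```python
import re
from collections import Counter

# ipmon(8) log line as seen in the post: syslog prefix, ipmon timestamp, interface,
# @group:rule, action, src,port -> dst,port, PR proto, len <hdr> <total>,
# TCP flags after a '-' (absent for udp/icmp), direction.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<ts>\S+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bpnSL])\s+(?P<src>\S+),(?P<sport>\d+)\s+->\s+(?P<dst>\S+),(?P<dport>\d+)"
    r"\s+PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<len>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<dir>IN|OUT)"
)

def parse_ipmon(line):
    """Fields of one ipmon line as a dict, or None if the line does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["flags"] = d["flags"] or ""  # udp/icmp lines carry no flag field
    return d

def is_orphan_teardown(d):
    """Blocked TCP packet with FIN+ACK and no SYN: the close of a connection the
    filter holds no state for, not a new attempt that 'flags S keep state' sees."""
    return (d is not None and d["action"] == "b" and d["proto"] == "tcp"
            and {"F", "A"} <= set(d["flags"]) and "S" not in d["flags"])

def summarize_blocks(lines):
    """Count blocked packets per (rule, proto, flags, direction)."""
    counts = Counter()
    for line in lines:
        d = parse_ipmon(line)
        if d and d["action"] == "b":
            counts[(f"@{d['group']}:{d['rule']}", d["proto"], d["flags"], d["dir"])] += 1
    return counts

# Constructed sample: three of the posted lines (rejoined) plus a made-up logged
# SYN pass and a made-up blocked UDP line to exercise the other parser paths.
SAMPLE = [
    "May  2 12:10:58 pyro ipmon[8689]: 12:10:57.101000 rl0 @0:56 p y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 60 -S IN",
    "May  2 12:11:03 pyro ipmon[8689]: 12:11:02.335403 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN",
    "May  2 12:11:05 pyro ipmon[8689]: 12:11:04.760397 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN",
    "May  2 12:11:10 pyro ipmon[8689]: 12:11:09.787481 rl0 @0:62 b y.y.195.133,1201 -> x.x.x.123,3128 PR tcp len 20 40 -AF IN",
    "May  2 12:11:30 pyro ipmon[8689]: 12:11:29.500000 rl0 @0:62 b y.y.195.133,40000 -> x.x.x.123,161 PR udp len 20 68 IN",
]

if __name__ == "__main__":
    for key, n in sorted(summarize_blocks(SAMPLE).items()):
        print(f"{n:3d} x {key}")
    print("orphan FIN/ACK teardowns:", sum(is_orphan_teardown(parse_ipmon(l)) for l in SAMPLE))
```

Run against a real `/var/log/ipmon` (or whatever ipmon writes to on the box) the per-rule counts separate genuine probes from this kind of stale-state noise.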

----- Original Message ----- 
From: <bob at a1poweruser.com>
To: "Chris Knipe" <savage at savage.za.org>; 
<freebsd-questions at lists.freebsd.org>
Sent: Monday, May 02, 2005 1:56 AM
Subject: RE: ipf out rule


> When asking for help with firewall rules you have to post the complete
> content of the firewall rule set file because some previous rule may be
> dropping all packets. If this is your complete rule set then you are
> missing the mandatory lo0 interface rule to pass quick all.  rl0 must
> be the NIC connected to the public internet. x.x.x.120/29 is the IP address
> range of PCs on the private LAN behind the firewall. This is not much of a
> firewall with everything being allowed out.  You could replace all
> of these meaningless statements with   pass quick all from any to
> any.
>
> You really need to read the firewall section of the official handbook.
> It has working examples of ipf.rules rule sets along with a detailed
> explanation of how to build firewall rules.
>
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Chris Knipe
> Sent: Sunday, May 01, 2005 6:56 PM
> To: freebsd-questions at lists.freebsd.org
> Subject: ipf out rule
>
>
> Hi,
>
> Can anyone take a minute to just explain to me why ipf is blocking
> this...
>
> ipf.rules:
> # rl0 - Outgoing
> pass out quick on rl0 proto tcp from x.x.x.120/29 to any flags S keep state keep frags
> pass out quick on rl0 proto udp from x.x.x.120/29 to any keep state keep frags
> pass out quick on rl0 proto icmp from x.x.x.120/29 to any keep state keep frags
> block out log quick on rl0 all
>
> ipftest:
> opening rule file "ipf.new"
> in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
> input: in on rl0 tcp 196.25.1.1,2210 x.x.x.122,22
> pass ip 40(20) 6 196.25.1.1,2210 > x.x.x.122,22
> --------------
> out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
> input: out on rl0 tcp x.x.x.122,22 196.25.1.1,2210
> block ip 40(20) 6 x.x.x.122,22 > 196.25.1.1,2210
>
> Thanks.
>
>
> --
> Chris.
>
> "I love deadlines. I especially love the whooshing sound they make as
> they fly by..." - Douglas Adams, 'Hitchhiker's Guide to the Galaxy'
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
