Need help: fwd on ipfw

Tue Oct 4 22:40:40 PDT 2005

On 10/5/05, Foo Ji-Haw <jhfoo at nexlabs.com> wrote:
> Hello Anderson,
>
> I hope you can lend me your experience and generosity again in a follow-up
> question I have with ipfw. Basically I have much help from the Handbook.
> It's some small things that I get stuck with. Unfortunately I can't figure a
> way around it.
>
> Below is my firewall configuration:
> 00100 check-state
> 00300 allow ip from any to 192.168.0.4 in via dc0
> 00400 allow ip from 192.168.0.4 to any out via dc0
> 00600 allow ip from 127.0.0.1 to 127.0.0.1
> 00700 allow icmp from 10.10.0.0/16 to 10.10.0.0/16
> 00900 allow ip from 10.10.0.0/16 to 10.10.0.0/16 dst-port 67,68,80
> 01000 allow ip from 10.10.0.0/16 to 10.10.0.0/16 dst-port 53
> 01050 allow ip from 10.10.0.0/16 to 10.10.0.0/16
> 01060 allow ip from any to any MAC any 00:90:d1:00:80:00/33
> 01100 fwd 10.10.10.10,80 tcp from 10.10.0.0/16 to any dst-port 80 in via vr0
> 01200 allow ip from any to any
> 65535 deny ip from any to any
>
> My box has 2 interfaces. dc0 is the trusted network, vr0 is the untrusted
> network (the implementation is for a captive portal). The server's IP on vr0
> is 10.10.10.10.
>
> Problem 1:
> My rule (900) to allow the clients on vr0 to talk to the server's dhcpd
> service works well. But I can't get them to connect to the DNS service (rule
> 1000). I don't understand why this is so, because the same DNS service works
> well for clients on dc0. DNS will work if rule 1200 is in place (of course,
> 1200 should not be there).
>
> Problem 2:
> Rule 1100 is key for captive portal setup. Any web outgoing traffic from vr0
> will be redirected to the 'login' page at 10.10.10.10:80. And it works
> (fortunately!). But only with 1200 in place. Does this mean that after
> processing rule 1100 the ipfw continues to process the rest of the rules?
>
> Problem 3:
> I need to grant authenticated a client with the specified MAC address (1060)
> full access to the Internet, thereby bypassing fwd 1100. If I replace 1060
> with:
> 01060 allow ip from 10.10.10.100 to any
> The access is ok. But I need to lock down at the MAC level (to prevent IP
> spoofing). Can you advice me on the correct statement? This is the most
> frustrating question I have among the 3.
>
> Appreciate your time on this. Thanks again!
>

Please, cc the mailing list unless your problem is
purely between you and me.

Before I start answering your questions, let me give
you some advice.

1. Don't do check-state, unless you really need
(and have configured) a stateful firewall

2. Use "xmit" and "recv" instead of "via" whenever
possible. In your case rule 300 should contain
"in recv" and the next one - "out xmit".

3. A much better way to pass loopback traffic is:
"allow ip from any to any via lo0"
"deny ip from any to 127.0.0.0/8"
"deny ip from 127.0.0.0/8 to any"
(these should usually be at the very top)

4. It's a wonder that your rule 900 somehow
allows dhcp to work. It certainly shouldn't.
Dhcp requires much less restrictive rules
(including broadcasts and undefined source).

5. You must always keep in mind that any
communication between a server and a
client requires packet to go both ways,
sometimes passing firewall 2 times in
each direction. Your rule 1000 only allows
dns queries to get through to the dns server,
the corresponding answers will be blocked.
I suppose that rule 1050 or 1200 solves the
problem, but if you want to restrict traffic
you should come up with something else.
Same goes for your rule 1100: you block
all the http answers.

6. Sad, but true, you can never rely on MAC-
bindings security in a production network.
MAC address is as easily spoofed as
anything. Moreover, ipfw has not been
designed for layer-2 packet inspection, so
you'll stumble upon many problems and
unexpected results.
You'd better come up with a VPN/IPSec
solution.

Cheerz,
Andrew P.