ipf stateful rules

Nathan Watson nwatson at nwatson.org
Sun Dec 10 15:11:05 PST 2006


Hello,
I'm running FreeBSD 6.1 with IPF/IPNAT, and I'm having a problem getting my rules to work. The problem is mainly that I want no restrictions on outbound traffic, and I'm not sure how to apply stateful filtering to that. I have the following rule (hme0 is my external interface):

pass out quick on hme0 all

If I change that to "pass out quick on hme0 all keep state," will that only open the port that the outbound packet was on? Are there any problems that can arise from allowing all outbound traffic? At the moment, my ruleset doesn't pass packets at all... I'm just having lots of trouble here. My ruleset is below, and everything seems to be caught by the last block all rule. Any suggestions?

Thanks,
nwatson

# no restrictions on internal LAN
pass out quick on hme1 all
pass in quick on hme1 all

# no restrictions on loopback
pass out quick on lo0 all
pass in quick on lo0 all

# no outbound restrictions
pass out quick on hme0 all keep state

# block all from non-routable or reserved address space

block in quick on hme0 from 172.16.0.0/12 to any        # private
block in quick on hme0 from 10.0.0.0/8 to any           # private
block in quick on hme0 from 127.0.0.0/8 to any          # loopback
block in quick on hme0 from 0.0.0.0/8 to any            # loopback
block in quick on hme0 from 169.254.0.0/16 to any       # dhcp auto-config
block in quick on hme0 from 192.0.2.0/24 to any         # reserved for docs
block in quick on hme0 from 204.152.64.0/23 to any      # sun cluster interconnect
block in quick on hme0 from 224.0.0.0/3 to any          # class d & e multicast

# inbound blocks

block in quick on hme0 all with frags   # frags
block in quick on hme0 proto tcp all with short # short tcp packets
block in quick on hme0 all with opt lsrr        # source routed packets
block in quick on hme0 all with opt ssrr        # source routed packets
block in log first quick on hme0 proto tcp from any to any flags FUP    # nmap os fingerprint attempts, log
block in quick on hme0 all with ipopts  # anything with special options
block in quick on hme0 proto icmp all icmp-type 8       # public pings
block in log first quick on hme0 proto tcp/udp from any to any port = 137       # netbios name
block in log first quick on hme0 proto tcp/udp from any to any port = 138       # netbios datagram
block in log first quick on hme0 proto tcp/udp from any to any port = 139       # netbios session
block in log first quick on hme0 proto tcp/udp from any to any port = 81        # hosts2 name server requests

# allow these

pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state   # ssh
pass in quick on hme0 proto tcp from any to any port = 25 flags S keep state   # smtp
pass in quick on hme0 proto tcp from any to any port = 236 flags S keep state  # http
pass in quick on hme0 proto tcp from any to any port = 237 flags S keep state  # zimbra https
pass in quick on hme0 proto tcp from any to any port = 113 flags S keep state  # ident
pass in quick on hme0 proto tcp from any to any port 5800 >< 5900 flags S keep state   # vnc
pass in quick on hme0 proto tcp/udp from any to any port 6881 >< 6889 keep state       # bittorrent
pass in quick on hme0 proto tcp from any to any port = 7071 flags S keep state         # zimbra admin https

# block, log all remaining traffic

block in log first quick on hme0
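As an added illustration (not part of the original post, and not IPF's own code): a minimal Python model of how IPF evaluates `quick` rules first-match and consults its state table before the rules, run over a subset of the ruleset above. The addresses are constructed (203.0.113.5 stands in for the host's hme0 address, 198.51.100.x for remote hosts); the model shows that an outbound `keep state` rule admits only the replies of the exact flow that created the state entry, not the whole port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class Pkt:
    iface: str; dirn: str; proto: str; src: str; sport: int; dst: str; dport: int
    syn_only: bool = False          # True models a bare SYN, which is what "flags S" matches

@dataclass
class Rule:
    action: str; dirn: str; iface: str; proto: str = "any"      # "pass"/"block", "in"/"out"
    src: str = "any"; dport: int = 0; flags_s: bool = False; keep_state: bool = False

    def matches(self, p: Pkt) -> bool:
        return (p.dirn == self.dirn and p.iface == self.iface
                and self.proto in ("any", p.proto)
                and (self.src == "any" or ip_address(p.src) in ip_network(self.src))
                and (self.dport == 0 or p.dport == self.dport)   # 0 means any port
                and (not self.flags_s or p.syn_only))

class Firewall:
    def __init__(self, rules):
        self.rules, self.state = rules, set()   # state entries are full 5-tuples

    def filter(self, p: Pkt) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. State table first: either direction of a flow recorded by "keep state" passes, but only that exact 5-tuple.
        if fwd in self.state or rev in self.state:
            return "pass (state)"
        # 2. Every rule in the posted set carries "quick", so the first match decides.
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.state.add(fwd)
                return r.action
        return "pass"                           # IPF's default when no rule matches

def demo():
    fw = Firewall([
        Rule("pass", "out", "hme0", keep_state=True),   # pass out quick on hme0 all keep state
        Rule("block", "in", "hme0", src="10.0.0.0/8"),   # block in quick on hme0 from 10.0.0.0/8 to any
        Rule("pass", "in", "hme0", "tcp", dport=22, flags_s=True, keep_state=True),  # ssh
        Rule("block", "in", "hme0"),                     # block in log first quick on hme0
    ])
    # Constructed traffic: 203.0.113.5 stands in for the host's own hme0 address.
    out = Pkt("hme0", "out", "tcp", "203.0.113.5", 51000, "198.51.100.7", 80, True)
    reply = Pkt("hme0", "in", "tcp", "198.51.100.7", 80, "203.0.113.5", 51000)   # belongs to out
    stray = Pkt("hme0", "in", "tcp", "198.51.100.7", 80, "203.0.113.5", 51001)   # same port, new flow
    ssh = Pkt("hme0", "in", "tcp", "198.51.100.9", 40000, "203.0.113.5", 22, True)
    return [fw.filter(out), fw.filter(reply), fw.filter(stray), fw.filter(ssh)]
```

`demo()` returns `["pass", "pass (state)", "block", "pass"]`: the reply to the outbound connection passes via the state entry, the unrelated inbound packet from the same remote port falls through to the final block rule, and the SSH SYN is admitted by its own rule.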

