IPFW: Blocking me out. How to debug?

W. D. WD at US-Webmasters.com
Wed Jan 2 22:08:16 PST 2008


At 08:34 12/30/2007, Ian Smith, wrote:
>On Sat, 29 Dec 2007, W. D. wrote:
> > At 08:49 12/22/2007, Ian Smith wrote:
> > >Warning: overlong message.

> > >access to only your LAN.  Will this webserver later have a public IP
> > >address, or run behind NAT with port forwarding? 
> > 
> > Public IP.
>
>So will your LAN also have access to services on this machine?  ie will
>this box have an address on your LAN also?  alias on the same interface?

Nope.  Will have to go through the public IP.

>
> > > > > > >>         # FTP:
> > > > > > >>         add allow tcp from any to any ftp in setup
> > > > > > >>         add allow tcp from any to any ftp\-data in setup
> > > > > > >>         add allow tcp from any ftp\-data to any setup out
> > >
> > > > >Mmm, I prefer using and enforcing FTP passive mode, but YMMV.
> > > > 
> > > > How would I do that?  This guy doesn't think it's even 
> > > > possible:
> > > > http://tinyurl.com/2z6ynr
> > >
> > >Mmm, ok.  Passive mode needs allowing connections to this port range
> > >  net.inet.ip.portrange.hifirst: 49152
> > >  net.inet.ip.portrange.hilast: 65535
> > >which is adjustable, but I'm unsure of my ground regarding ftp - pass.
> > 
> > How would I write this as a rule?
>
>I did try to pass ..
>
># ipfw add allow tcp from any to me 49152-65535 in setup
>
>but that's only safe if you'll run no other services in that range. 
>
>Below in your new ruleset you specify as a range:
>
> > # FTP Passive (Ports 10000-65000):
> > add allow tcp from me to any 10000-65000 in setup
>
>but I think you mean 'any to me'?, and the range is unnecessarily larger
>than ftpd uses, ie .hifirst to .hilast and you can probably limit your
>range further - I'm unsure how hard passive mode ftpd hunts for free
>ports to bind to, or what.  Maybe someone else can help out here .. ?


OK:

# FTP Passive (Ports 49152-65535):
add allow tcp from any to me 49152-65535 in setup

There seems to be very sparse documentation on these higher
ports, passive FTP, and /etc/sysctl.conf.  I am hoping
that these settings for sysctl.conf are proper:

  net.inet.ip.portrange.lowfirst=1023
  net.inet.ip.portrange.lowlast=600
  net.inet.ip.portrange.first=32768
  net.inet.ip.portrange.last=49151
  net.inet.ip.portrange.hifirst=49152
  net.inet.ip.portrange.hilast=65535


>
>
> > > > Am using this link, since "man ipfw" doesn't work on 6.2.  (I dare
> > > > someone to explain to me how to get it to work):
> > > > http://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8
> > >
> > >That's weird.  Does man work for others in section 8, eg man mount ? 
> > 
> > Nope.  How to get working?
>
>(re)install the manpages and doc distributions from the distribution CD,
>or by FTP or whatever you used or want to use.
>
>You can use sysinstall / configure / distributions, select manpages and
>doc, select media when asked, visit options if you need to set anything
>else, then install.  Don't go _anywhere near_ partitioning or labelling
>disks or mess with anything else, even for a peek, in my experience.

Hmmm.  I guess sysinstall didn't do this to begin with.  Did this:

  sysinstall -> Configure -> Distributions -> man -> OK -> FTP ->
  Primary #12 (ftp12.freebsd.org) -> 
  Running multi-user, assume that the network is already configured?
  -> Yes
  
    Extracting manpages into / directory... 
    
  Exit out, then test:
  
    man ipfw


> > # Stop, then restart ipfw:
> > #   ipfw disable firewall; /etc/rc.d/ipfw start
>
>Or '/etc/rc.d/ipfw stop; /etc/rc.d/ipfw start' which includes the
>dis/enabling.  '/etc/rc.d/ipfw restart' probably works too, modulo
>caveats in ipfw(8) about doing these sorts of things remotely.

Yeppers.  What I use (ipfw disable firewall; /etc/rc.d/ipfw start)
seems to not lock out my remote connection.  The others do.


> > # List firewall hits:
> > #   ipfw -a -S -N -t list
>
>-S is overkill/noise unless actually using sets.  -N can be slow if any
>addresses prove hard to resolve, but I guess that info may be useful :)

OK:

  # List firewall hits:
  #   ipfw -a -N -t list


>
> > # Zero out hits counter:
> > #   ipfw zero
>
><shudder>  I'd never use this command without including rule number/s,
>but then I use counters for um, accounting.  Fine while testing .. 

OK:

    # Zero out hits for a specific rule number:
    ipfw zero 05200
    
    # Zero out hits counter for ALL rules:
    ipfw zero


Additions:

    # Log Viewing/Searching/Studying:
    #   tail -f /var/log/ipfw/ipfw.log

    # Study:
    less -S /var/log/ipfw/ipfw.log*

    # With grep filtering:
    cat /var/log/ipfw/ipfw.log | grep 192.168.1.103 | grep UDP | more

    
>
> > # Allow anything on the local loopback:
> > add allow all from any to any via lo0
> >
> > # Disallow Spoofers: =========================
> > # For more info, see: 
> > #  RFC3330
> > #  http://en.wikipedia.org/wiki/Private_network

# If you are actually using a particular
# subnet, then be sure to comment out 
# the appropriate section.

> > #
> > # "This" Network:
> > add deny log ip from any to 0.0.0.0/8 in
> > add deny log ip from 0.0.0.0/8 to any in
.
.
.
> > # Class E Reserved:
> > add deny log ip from any to 240.0.0.0/4 in
> > add deny log ip from 240.0.0.0/4 to any in
> > 
> > # Spoofers ===================================
>
>Every one of those, except of course any RFC1918 net like 192.168/16 you
>may be serving on the LAN (?) that you need to allow, you can drop the
>'in' from, so they work to stop _outbound_ spoofing by/from your system
>also.  The spoofing section in /etc/rc.firewall 'simple' works for me. 

OK, dropping "in".  The subnet ranges can be
commented out if they are actually used on
the internal LAN.

>
> > # Initialize the system to keep track of states:
> > add check-state
.
.
.
> > # DNS Zone transfers in
> > # ??? add allow tcp from $secondaries to me 53 setup
> > # DNS ========================================
>
>As discussed above.
>
> > # SSH (Port 22) ==============================
> > #  Note that /etc/hosts.allow has restrictions
> > #  on which IP addresses are allowed.
> > #
> > add allow tcp from any to me ssh in setup
> > add allow tcp from me to any ssh in setup
> > # SSH ========================================
>
>Drop the 'in' from the second one (or use 'out').  It's not needed on
>the first either, now that you're specifying direction and preventing
>spoofing, you can let these sort of rules work on either or both passes. 

OK, dropping "in".

>
> > # HTTP: ======================================
> > # HTTP (Port 80):
> > add allow tcp from any to me http in setup
> > add allow tcp from me to any http in setup
>
>As the previous.

Dropping "in".

>
> > # HTTPS (Port 443):
> > add allow tcp from any to me https in setup
> > 
> > # HTTPS for Plesk Server Administrator (Port 8443):
> > add allow tcp from any to me dst-port 8443 in setup
> > # HTTP = ======================================
> > 
> > # MAIL: ======================================
> > # POP3 (Port 110)
> > add allow tcp from any to me pop3 in setup
> > 
> > # POP3S (Port 995)
> > add allow tcp from any to me pop3s in setup
> > 
> > # SMTP (Port 25):
> > add allow tcp from any to me smtp in setup
>
>Won't you need 'me to any smtp out setup' too?

Why would "me" ever send any mail?  ;^)

(Changes in new version below.)


>
> > # SMTPS (Port 465):
> > add allow tcp from any to me smtps in setup
> > 
> > # IMAP (Port 143):
> > add allow tcp from any to me imap in setup
> > 
> > # IMAPS (Port 993):
> > add allow tcp from any to me imaps in setup
> > # MAIL =======================================
> > 
> > 
> > # FTP (Port 21): =============================
> > add allow tcp from any to me ftp in setup
> > add allow tcp from me to any ftp in setup
>
>second one, should be out, or both (ie omitted) as the others above?

OK.  In the latest version below, do you see any
other places where I could omit "in" or "out"?

>
> > # FTP Data (Port 20):
> > add allow tcp from any to me ftp\-data in setup
> > add allow tcp from any ftp\-data to me setup out
> > 
> > # FTP Passive (Ports 10000-65000):
> > add allow tcp from me to any 10000-65000 in setup
> > 
> > # FTPS (Port 990):
> > add allow tcp from any to me ftps in setup
> > add allow tcp from me to any ftps in setup
> >
> > # FTP ========================================
>
>second one, out?

OK.

> > # Allow UserID of "root" unfettered access:
> > add allow tcp from me to any out setup uid root
> > # ============================================
>
>Ah, ok, that would cover your outbound mail connects too.
>
>There may be other users (ie you) needing outbound access too, but you
>can always find out from logging why something expected to work isn't :)

Yeppers.  Don't open it up unless you really need
to.

>
> > # MySQL (Port 3306): =========================
> > # add allow tcp from any to me 3306 in setup
> > # add allow tcp from me to any 3306 in setup
> > # MySQL ======================================
>
>again, second one, going out?
.
.
.
> > # Deny and log everything else: ==============
> > add deny log ip from any to me in
> > add deny log ip from any to me out
> > add deny log ip from me to any in
> > add deny log ip from me to any out
>
>Nothing survives the above gauntlet, so nothing reaches below.  If you
>put these above the 'ip' = 'all' rules above, they'd count the denied
>udp first, then the rest, if that's what you want.

Sure.  Swapped.

>
> > add deny log udp from any to me in
> > add deny log udp from any to me out
> > add deny log udp from me to any in
> > add deny log udp from me to any out
> > # ============================================
>
>cheers, Ian

Thanks again, Ian.  Hopefully, we can get this 
cleaned up and documented for me (and for others
to use as a reference).

Would you (and anyone else) please critique this
latest iteration?


#    Filename: ipfw.rules
# Description: ipfw firewall ruleset
#    Location: /etc/ipfw.rules
#        Date: 2008 Jan 2

# By default, everything is denied access.  You
# need to specifically allow something for it
# to work.

# Debugging tools:
#
# Check the syntax of the rules file:
#    
#   ipfw -n /etc/ipfw.rules
#
#
# Stop, then restart ipfw:
# 
#   ipfw disable firewall; /etc/rc.d/ipfw start
#
#
# Flush rules:
#
#   ipfw -f flush
#
#
# List firewall hits:
#
#   ipfw -a -N -t list
#
#
# Zero out hits for a specific rule number:
#   ipfw zero 05200
#    
# Zero out hits counter for ALL rules:
#   ipfw zero
#
# Log Viewing/Searching/Studying:
#   tail -f /var/log/ipfw/ipfw.log
#
# Study:
#   less -S /var/log/ipfw/ipfw.log*
#
# With grep filtering:
#   cat /var/log/ipfw/ipfw.log | grep 192.168.1.103 | grep UDP | more
#
#
# Others:
#
#    tcpdump -i nve0 'proto \tcp && port http'
#    netstat -finet -a


# Loopback: ==================================
# Allow anything on the local loopback:
add allow all from any to any via lo0
# ============================================


# Disallow Spoofers: =========================
#
# If you are actually using a particular
# subnet, then be sure to comment out 
# the appropriate section.
#
# For more info, see: 
#  RFC3330
#  http://en.wikipedia.org/wiki/Private_network               
#
# "This" Network:
add deny log ip from any to 0.0.0.0/8
add deny log ip from 0.0.0.0/8 to any

# IANA Reserved:
add deny log ip from any to 1.0.0.0/8
add deny log ip from 1.0.0.0/8 to any

# IANA Reserved:
add deny log ip from any to 2.0.0.0/8
add deny log ip from 2.0.0.0/8 to any

# Class A Private Network:
add deny log ip from any to 10.0.0.0/8
add deny log ip from 10.0.0.0/8 to any

# Localhost:
add deny log ip from any to 127.0.0.0/8
add deny log ip from 127.0.0.0/8 to any

# Link Local/Auto-Config:
add deny log ip from any to 169.254.0.0/16
add deny log ip from 169.254.0.0/16 to any

# Class B Private Network:
add deny log ip from any to 172.16.0.0/12
add deny log ip from 172.16.0.0/12 to any

# TEST-NET/Examples:
add deny log ip from any to 192.0.2.0/24
add deny log ip from 192.0.2.0/24 to any

# Class C Private Network:
add deny log ip from any to 192.168.0.0/16
add deny log ip from 192.168.0.0/16 to any

# IPV6to4 relay anycast addresses:
add deny log ip from any to 192.88.99.0/24
add deny log ip from 192.88.99.0/24 to any

# Interconnect Benchmarks:
add deny log ip from any to 198.18.0.0/15
add deny log ip from 198.18.0.0/15 to any

# Multicast:
add deny log ip from any to 224.0.0.0/3
add deny log ip from 224.0.0.0/3 to any

# Class E Reserved:
add deny log ip from any to 240.0.0.0/4
add deny log ip from 240.0.0.0/4 to any

# Spoofers ===================================


# Initialize the system to keep track of states:
add check-state
# ============================================


# Allow already established connections.  These
# connections are allowed by the subsequent
# rules listed below this one.
add allow tcp from any to me in established
add allow tcp from me to any out established
# ============================================


# Deny fragmented packets: ===================
add deny log ip from any to any frag
# ============================================


# ICMP - Pings: ==============================
# Count inbound pings (8 = Echo Request)
add count icmp from any to any icmptypes 8 in

# Allow pings, ping replies, and host unreach:
# 0 = Echo Reply
# 3 = Destination Unreachable
# 8 = Echo Request
# 11 = Time-to-Live exceeded (for traceroute)
add allow icmp from any to any icmptypes 0,8,3,11
# ICMP =======================================


# Allow UDP traceroutes: =====================
add allow udp from any to any 33434-34458 in
add allow udp from any 33434-34458 to any out
# ============================================


# DNS (Port 53): ============================
#
# Be sure to protect "named" with Access
# Control Lists (ACLs) for xfers as well.
# (See named.conf(5) and the section in the 
#  BIND 9 Administrator Reference Manual)

# My DNS requests
add allow udp from me to any 53 out keep-state

# Serve outside DNS requests
add allow udp from any to me 53 in keep-state 

# DNS Zone transfers out for axfrs to refresh 
# domains
# 
# add allow tcp from me to $secondaries 53 setup    

# DNS Zone transfers in for axfrs to refresh 
# domains
# 
# add allow tcp from $secondaries to me 53 setup
# DNS ========================================


# SSH (Port 22) ==============================
#  Note that /etc/hosts.allow has restrictions
#  on which IP addresses are allowed.
#
add allow tcp from any to me ssh setup
add allow tcp from me to any ssh setup
# SSH ========================================


# HTTP: ======================================
# HTTP (Port 80):
add allow tcp from any to me http setup
add allow tcp from me to any http setup

# HTTPS (Port 443):
add allow tcp from any to me https setup
add allow tcp from me to any https setup

# HTTPS for Plesk Server Administrator (Port 8443):
add allow tcp from any to me dst-port 8443 in setup
# HTTP = ======================================


# MAIL: ======================================
# POP3 (Port 110)
add allow tcp from any to me pop3 in setup

# POP3S (Port 995)
add allow tcp from any to me pop3s in setup

# SMTP (Port 25):
add allow tcp from any to me smtp in setup
add allow tcp from me to any smtp out setup

# SMTPS (Port 465):
add allow tcp from any to me smtps in setup
add allow tcp from me to any smtps out setup

# IMAP (Port 143):
add allow tcp from any to me imap in setup

# IMAPS (Port 993):
add allow tcp from any to me imaps in setup
# MAIL =======================================


# FTP (Port 21): =============================
add allow tcp from any to me ftp in setup
add allow tcp from me to any ftp out setup

# FTP Data (Port 20):
# Active-mode data connections are opened by this
# host from port 20, so the second rule must be
# "from me ... out" (a "to me ... out" rule never matches).
add allow tcp from any to me ftp\-data in setup
add allow tcp from me ftp\-data to any setup out

# FTP Passive (Ports 49152-65535):
add allow tcp from any to me 49152-65535 in setup

# FTPS (Port 990):
add allow tcp from any to me ftps in setup
add allow tcp from me to any ftps out setup
# FTP ========================================


# Allow NTP in and out to Navobs.WUstl.edu:
add allow udp from me ntp to 128.252.19.1 ntp out
add allow udp from 128.252.19.1 ntp to me ntp in
# NTP ========================================


# Allow UserID of "root" unfettered access:
add allow tcp from me to any out setup uid root
# ============================================


# MySQL (Port 3306): =========================
# add allow tcp from any to me 3306 in setup
# add allow tcp from me to any 3306 out setup
# MySQL ======================================


# PgSQL (Port 5432): =========================
# add allow tcp from any to me 5432 in setup
# add allow tcp from me to any 5432 out setup
# PgSQL ======================================


# TomCat (Port 9080): ========================
# add allow tcp from any to me 9080 in setup
# add allow tcp from me to any 9080 out setup
# TomCat =====================================


# Plesk Server Administrator - PSA ===========
#  Get updates on port 5224
add allow tcp from me to 64.131.90.31 dst-port 5224 out setup
# add allow tcp from 64.131.90.31 to me dst-port 5224 in setup
# ============================================


# Deny and log everything else: ==============
add deny log udp from any to me in
add deny log udp from any to me out
add deny log udp from me to any in
add deny log udp from me to any out

add deny log ip from any to me in
add deny log ip from any to me out
add deny log ip from me to any in
add deny log ip from me to any out
# ============================================
