keep-state and divert

Michael Powell nightrecon at verizon.net
Thu Apr 2 00:49:50 PDT 2009


Victor Sudakov wrote:

> Colleagues,
> 
> I have read some recommendations on combining a stateful firewall with
> divert, e.g.
> http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> and http://nuclight.livejournal.com/124348.html (the latter is in
> Russian).
> 
> Do I understand correctly that it is (mathematically?) impossible to
> use the two together without also using "skipto"?
> 
> If we consider a simple example below, how would you replace the 600th
> rule for a stateful one?
> 
> 00100 divert 8668 ip from any to table(1) out via rl0
> 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
> 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
> 
> 00500 divert 8668 ip from table(1) to any in via rl0
> 00600 allow ip from table(1) to any in via rl0
> 00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
> 00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
> 00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
> 
> 65535 allow ip from any to any
> 
> Thank you in advance for any input.
> 

I haven't used ipfw for a very long time, and haven't kept current with any 
changes. Below is an example (using kernel pppd) that I used to use a long 
time ago. For example purposes only, extract what you need for your specific 
configuration needs.

# Firewall rules

fwcmd="/sbin/ipfw"
$fwcmd -f flush
# Loopback and the inside interface (xl0) are unrestricted; anything
# else addressed to loopback space is bogus.
$fwcmd add allow all from any to any via lo0
$fwcmd add allow all from any to any via xl0
$fwcmd add deny log all from any to 127.0.0.0/8

# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via ppp0
$fwcmd add deny log ip from 172.16.0.0/12 to any in via ppp0
$fwcmd add deny log ip from 10.0.0.0/8 to any in via ppp0
$fwcmd add deny log ip from any to 192.168.0.0/16 in via ppp0
$fwcmd add deny log ip from any to 172.16.0.0/12 in via ppp0
$fwcmd add deny log ip from any to 10.0.0.0/8 in via ppp0

# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via ppp0
$fwcmd add deny all from 169.254.0.0/16 to any in via ppp0
$fwcmd add deny all from 192.0.2.0/24 to any in via ppp0
$fwcmd add deny all from 224.0.0.0/4 to any in via ppp0
$fwcmd add deny all from 240.0.0.0/4 to any in via ppp0
$fwcmd add deny all from any to 0.0.0.0/8 in via ppp0
$fwcmd add deny all from any to 169.254.0.0/16 in via ppp0
$fwcmd add deny all from any to 192.0.2.0/24 in via ppp0
$fwcmd add deny all from any to 224.0.0.0/4 in via ppp0
$fwcmd add deny all from any to 240.0.0.0/4 in via ppp0

# Hand packets to natd: inbound packets addressed to this host, outbound
# packets from the inside net.  The commented-out rule is the single
# bidirectional form.  Note that ipfw masks 10.10.0.0/8 down to
# 10.0.0.0/8; a /16 was probably meant.
#$fwcmd add divert natd all from any to any via ppp0
$fwcmd add divert natd ip from any to me in via ppp0
$fwcmd add divert natd ip from 10.10.0.0/8 to any out via ppp0
# Dynamic rules are consulted here, i.e. after translation in both directions.
$fwcmd add check-state

# ident (113) from one specific host
$fwcmd add allow log tcp from 209.67.60.33 to any 113 via ppp0

# UDP: nothing unsolicited to this host; everything else is tracked.
$fwcmd add deny log udp from any to me in recv ppp0
$fwcmd add allow udp from any to any via ppp0 keep-state
# ICMP destination-unreachable and source-quench in either direction
$fwcmd add allow log icmp from any to any icmptypes 3,4

# Web server on this host
$fwcmd add allow tcp from any to me 80 via ppp0 keep-state

# TCP: no inbound connection setups; outbound setups get a dynamic rule.
# Because the outbound divert runs before the keep-state rule, that dynamic
# rule is keyed on the translated (public) source, so an un-NATed reply
# finds nothing at check-state and is passed by the "established" rule
# instead, which accepts any packet with ACK or RST set, without state.
$fwcmd add deny log tcp from any to any in recv ppp0 setup
$fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
$fwcmd add allow tcp from any to any via ppp0 established keep-state

# Outbound echo requests, their replies, and time-exceeded (traceroute)
$fwcmd add allow log icmp from any to any icmptypes 8 out xmit ppp0
$fwcmd add allow log icmp from any to any icmptypes 0 in recv ppp0
$fwcmd add allow log icmp from any to any icmptypes 11 in recv ppp0

# Explicit, logged catch-all denies ahead of the kernel's default rule 65535
$fwcmd add 65432 deny log tcp from any to any
$fwcmd add 65433 deny log udp from any to any
$fwcmd add 65434 deny log icmp from any to any
$fwcmd add 65435 deny log ip from any to any

----------------------------------------------------------------

This was used in conjunction with the natd.conf here:

interface ppp0
use_sockets yes
same_ports yes
dynamic yes

For example purposes only - this is a very very old config.

-Mike
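Added example, not code from Mike's or Victor's posts: one way to answer the question at the top in ipfw itself, using skipto so that keep-state and divert coexist. It is an ipfw rule file wrapped in a small sh script with a pre-load ordering check. The outside interface rl0, the LAN interface fxp0, the LAN net 192.168.1.0/24 and the divert port 8668 are assumptions chosen for illustration, not taken from either configuration in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful ipfw rule set that
# keeps natd's divert working by using skipto.  Outbound LAN packets get
# their dynamic rule while the source address is still private, then jump
# to the NAT section; inbound packets are un-NATed before check-state so
# the lookup sees that same private address.
# Assumed names (illustration only): outside interface rl0, LAN interface
# fxp0, LAN net 192.168.1.0/24, natd on divert port 8668.
EXT_IF="${EXT_IF:-rl0}"
LAN_IF="${LAN_IF:-fxp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
NATD_PORT="${NATD_PORT:-8668}"

# Emit the rule set in the file syntax read by "ipfw [-q] <file>".
ipfw_rules() {
    cat <<EOF
flush
add 50 allow ip from any to any via lo0
add 60 allow ip from any to any via $LAN_IF
# Private sources have no business arriving on the outside interface.
add 100 deny log logamount 100 ip from 10.0.0.0/8 to any in via $EXT_IF
add 110 deny log logamount 100 ip from 172.16.0.0/12 to any in via $EXT_IF
add 120 deny log logamount 100 ip from 192.168.0.0/16 to any in via $EXT_IF
# Inbound: natd first, check-state second.  A reply to a LAN host is then
# looked up with its un-NATed (private) destination, which is what the
# dynamic rule created by rule 600 holds.
add 200 divert $NATD_PORT ip from any to any in via $EXT_IF
add 210 check-state
# Still addressed to private space after natd had its turn: unsolicited.
add 300 deny log logamount 100 ip from any to 10.0.0.0/8 in via $EXT_IF
add 310 deny log logamount 100 ip from any to 172.16.0.0/12 in via $EXT_IF
add 320 deny log logamount 100 ip from any to 192.168.0.0/16 in via $EXT_IF
# The router's own flows need no translation.
add 500 allow ip from me to any out via $EXT_IF keep-state
# LAN flows: create the dynamic rule now, while the source is private, and
# skip past the anti-spoof denies into the NAT section.  "allow ... keep-state"
# here would end the search before the divert at 1000.  When check-state
# matches a reply it re-runs this skipto; the reply is inbound, so 1000
# ("out via") does not match it and it falls through to 1010.
add 600 skipto 1000 ip from $LAN_NET to any out via $EXT_IF keep-state
add 610 deny log logamount 100 ip from 10.0.0.0/8 to any out via $EXT_IF
add 620 deny log logamount 100 ip from 172.16.0.0/12 to any out via $EXT_IF
add 630 deny log logamount 100 ip from 192.168.0.0/16 to any out via $EXT_IF
# Nothing reaches the NAT section by falling through.
add 900 deny log logamount 100 ip from any to any
# NAT section, entered only through rule 600 or its dynamic rules.
add 1000 divert $NATD_PORT ip from any to any out via $EXT_IF
add 1010 allow ip from any to any
EOF
}

# Pre-load check of the two orderings everything depends on: inbound divert
# before check-state, and the outbound keep-state rule being a skipto whose
# target is the outbound divert placed after it.
check_ruleset() {
    ipfw_rules | awk '
        /^add [0-9]+ divert .* in via/      { div_in = $2 }
        /^add [0-9]+ check-state/           { cs = $2 }
        /^add [0-9]+ skipto .* keep-state$/ { skip = $2; target = $4 }
        /^add [0-9]+ divert .* out via/     { div_out = $2 }
        END {
            ok = (div_in != "" && cs != "" && div_in + 0 < cs + 0)
            ok = ok && (skip != "" && div_out != "" && target + 0 == div_out + 0 && skip + 0 < div_out + 0)
            exit (ok ? 0 : 1)
        }'
}

# Load the rules (FreeBSD only); comment lines are stripped first.
apply_ruleset() {
    check_ruleset || { echo "ruleset ordering check failed, not loading" >&2; return 1; }
    ipfw_rules | grep -v '^[[:space:]]*#' | /sbin/ipfw -q /dev/stdin
}

case "${1:-print}" in
    apply) apply_ruleset ;;
    check) check_ruleset && echo "ruleset ordering OK" ;;
    *)     ipfw_rules ;;
esac
```

Run it with no argument to print the rule set, with `check` to run the ordering test, and with `apply` on the FreeBSD box to load it. The ordering the check enforces is the whole point: the dynamic entry has to be created while the packet still carries its private address, and the inbound divert has to run before check-state so the reply carries that same address when the lookup happens. A plain allow with keep-state in place of the skipto would terminate the search before the outbound divert, and since check-state re-executes the parent rule's action, that action must be something an inbound reply can safely pass through, which is why the target section ends in an unconditional allow.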





More information about the freebsd-questions mailing list