Re: ipfw syntax clarification

From: Kurt Hackenberg <kh_at_panix.com>
Date: Thu, 30 Dec 2021 06:08:04 UTC
On Wed, Dec 29, 2021 at 05:32:15PM -0600, Tim Daneliuk via freebsd-questions wrote:

>We have a FBSD firewall/gateway/natd server on the perimeter of one of our networks.
>
>We have an ipfw table that is loaded with pesky IPs like this:
>
>   ipfw add deny all from table\(10\) to any via ${OIF}
>
>This does block traffic which originates from those IPs to our server.
>However, it also prevents our server from originating requests TO those IPs.
>
>This is an issue because some of the table entries are CIDR blocks intended
>to geoblock known problem areas.  However, it's sometimes desirable to, say,
>connect to a web server within one of those CIDR blocks.
>
>How/can the rule above be modified to let no one in the table to connect or
>ping to the server, but still allow the server to connect to something in
>the forbidden blocks/IPs?

Your browser tries to make a TCP connection to a web server in the
hostile zone, but establishing that connection takes two-way
communication.  Blocking all incoming traffic from that outside web
server makes it impossible to establish the connection.

You can deny incoming TCP connections from the hostile zone, but still
allow outgoing connections to it, with something like this:

    ipfw add pass tcp from me to table\(10\) via ${OIF} established
    ipfw add pass tcp from table\(10\) to me via ${OIF} established
    ipfw add pass tcp from me to table\(10\) via ${OIF} setup
    ipfw add deny all from table\(10\) to any via ${OIF}

The deny-all rule will be applied only if none of the preceding ones
match.

Those TCP flags "setup" and "established" just match TCP messages with
certain flags set; this example doesn't keep track of existing TCP
connections.  (ipfw can do that, with other rules, but you may not
need it.)

To be able to ping things in the hostile zone, you'll have to let in
ICMP echo replies.

What about UDP?  For example, domain name lookups.  You probably want
to query name servers in the hostile zone, to connect to web servers
there.  DNS can use either TCP or UDP.  Outgoing TCP connections would
be covered by the example above, but UDP doesn't do connections; you'd
have to handle that somewhat differently.

"Me" above is just addresses on the computer where the firewall runs.
If this computer routes between the local net and the world, you'd do
the same firewalling of some but not all traffic between other
computers on the local net and the hostile zone.

And there's IPv6, which has its own version of ICMP.
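The rule set sketched in the reply, written out as a small sh script so it can be reviewed as a whole. This is an added example, not Kurt's code or anything from the thread: it assumes table number 10, an outside interface named em0, and runs as a dry run (IPFW defaults to `echo ipfw`, so it only prints the commands; set IPFW=ipfw on the FreeBSD box to apply them). The first function is the stateless version from the reply plus the ICMP echo-reply, UDP DNS and IPv6 pieces the text says still need handling; the second uses ipfw's keep-state/check-state so that only answers to flows the server itself opened are admitted.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Builds the "deny inbound
# from the hostile table, still allow outbound" rule set for ipfw.
# Assumptions: table 10 holds the hostile addresses, the outside interface
# is passed as $2, and IPFW="echo ipfw" makes this a dry run that prints.
IPFW=${IPFW:-"echo ipfw"}

# Stateless variant: matches on TCP flags only (setup/established), like the
# rules in the reply. ipfw stops at the first matching rule, so the final
# deny only fires when nothing above it matched.
emit_stateless_rules() {
    tbl=$1; oif=$2
    t="table($tbl)"
    # TCP: our side may open connections out; their side may only answer.
    # Caveat: "established" matches any segment with ACK set, so this does
    # not prove the segment belongs to a connection we opened.
    $IPFW add pass tcp from me to "$t" via "$oif" established
    $IPFW add pass tcp from "$t" to me via "$oif" established
    $IPFW add pass tcp from me to "$t" via "$oif" setup
    # ICMP: let echo replies (type 0) back in so we can ping hosts there.
    $IPFW add pass icmp from "$t" to me via "$oif" icmptypes 0
    # UDP DNS: answers arrive from source port 53. UDP has no handshake, so
    # a stateless filter can key on nothing else; any UDP datagram from
    # port 53 in the table gets in, which is the weakness of this variant.
    $IPFW add pass udp from "$t" 53 to me via "$oif"
    # IPv6 has its own ICMP; echo reply is type 129.
    $IPFW add pass ipv6-icmp from "$t" to me6 via "$oif" icmp6types 129
    # Everything else sourced from the table is dropped.
    $IPFW add deny all from "$t" to any via "$oif"
}

# Stateful variant: keep-state records the flows the server opens and
# check-state admits the matching replies, so no inbound packet from the
# table is accepted unless we started the exchange.
emit_stateful_rules() {
    tbl=$1; oif=$2
    t="table($tbl)"
    $IPFW add check-state
    $IPFW add pass tcp from me to "$t" via "$oif" setup keep-state
    $IPFW add pass udp from me to "$t" 53 via "$oif" keep-state
    # ICMP echo request is type 8; the reply rides the dynamic rule.
    $IPFW add pass icmp from me to "$t" via "$oif" icmptypes 8 keep-state
    $IPFW add deny all from "$t" to any via "$oif"
}

# Dry run: "sh script.sh" prints the stateless set, "sh script.sh stateful"
# the stateful one. Interface defaults to em0 (an assumption).
case "${1:-stateless}" in
    stateful) emit_stateful_rules 10 "${OIF:-em0}" ;;
    *)        emit_stateless_rules 10 "${OIF:-em0}" ;;
esac
```

Both variants leave the deny rule last, which is the point made in the reply: ipfw is first match wins, so order is the whole mechanism. The stateful set is smaller and closes the port-53 and bare-ACK holes of the stateless one, at the cost of ipfw keeping per-flow state; if the box also routes for a LAN, the `me`/`me6` in these rules would have to become the LAN prefix for that traffic.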