ipfw2 problem
Sten Daniel Sørsdal
sten.daniel.sorsdal at wan.no
Sun Jan 4 18:01:57 PST 2004
First, although this probably won't help you, this might help someone else optimize their ipfw2 ruleset.
I see a lot of 'in via', which doesn't mean what I suspect you believe it means.
'in via' is two separate options.
'in' means it matches when the packet is incoming.
'via' means it matches when the packet is either received or transmitted on said interface.
Try replacing them with 'in recv' (and 'out xmit' when it's 'out via').
Optimize your rules to do fewer checks:
> ${fwcmd} add 21 deny all from 10.0.0.0/8 to any via fxp0
> ${fwcmd} add 23 deny all from 172.16.0.0/12 to any via fxp0
> ${fwcmd} add 25 deny all from 192.168.0.0/16 to any via fxp0
could be written as:
${fwcmd} add 21 deny via fxp0 src-ip 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
Now it would drop packets from the above nets when a packet enters or exits fxp0.
Also, if I'm not mistaken, 'via fxp0' is less expensive than 'src-ip', so it should go first.
A side note: you could also reorder your rules so that it looks somewhat like this.
add 100 allow via lo0
add 100 check-state
add 101 deny proto icmp iplen 92
add 102 skipto 1000 via fxp0
add 103 skipto 2000 via fxp1
...
add 1000 [ handle rules going in and out on fxp0 here ]
...
add 2000 [ handle rules going in and out on fxp1 here ]
...
This way you don't have to do via/recv/xmit checks on each rule, and packets
not concerned with that interface don't get checked.
Also, bridged packets only get checked on 'incoming'; this might have changed in 5.0.
Someone please correct me if I'm wrong.
// Sten
>
> ${fwcmd} add 34 deny all from 127.0.0.0/8 to any in via fxp0
>
> ################### stop Welcia/Nachi ###########################
> ${fwcmd} add 35 deny icmp from any to any iplen 92
>
> ####################### DUMMYNET config #########################
>
> ##################### 64KB #######################################
> #
> # selenge
> ${fwcmd} pipe 41 config bw 64kbit/s
> ${fwcmd} pipe 42 config bw 64kbit/s
> ${fwcmd} add 62 pipe 41 all from 202.179.x.x/30 to any in via fxp1
> ${fwcmd} add 63 pipe 42 all from any to 202.179.x.x/30 in via fxp0
>
> # khentii
> ${fwcmd} pipe 43 config bw 64kbit/s
> ${fwcmd} pipe 44 config bw 64kbit/s
> ${fwcmd} add 64 pipe 43 all from 202.179.x.x/30 to any in via fxp1
> ${fwcmd} add 65 pipe 44 all from any to 202.179.x.x/30 in via fxp0
>
> # arkhangai
> ${fwcmd} pipe 45 config bw 64kbit/s
> ${fwcmd} pipe 46 config bw 64kbit/s
> ${fwcmd} add 66 pipe 45 all from 202.179.x.x/30 to any in via fxp1
> ${fwcmd} add 67 pipe 46 all from any to 202.179.x.x/30 in via fxp0
>
> # traffic police
> ${fwcmd} pipe 47 config bw 64kbit/s
> ${fwcmd} pipe 48 config bw 64kbit/s
> ${fwcmd} add 68 pipe 47 all from 202.179.x.x/30,202.179.x.x/28 to any in via fxp1
> ${fwcmd} add 69 pipe 48 all from any to 202.179.x.x/30,202.179.x.x/28 in via fxp0
>
> ##################### 128KB #######################################
> #
> # glencore
> ${fwcmd} pipe 49 config bw 128kbit/s
> ${fwcmd} pipe 50 config bw 128kbit/s
> ${fwcmd} add 70 pipe 49 all from 202.179.x.x/29,202.179.x.x/30 to any in via fxp1
> ${fwcmd} add 71 pipe 50 all from any to 202.179.x.x/29,202.179.x.x/30 in via fxp0
>
> # ikh tenger
> ${fwcmd} pipe 51 config bw 128kbit/s
> ${fwcmd} pipe 52 config bw 128kbit/s
> ${fwcmd} add 72 pipe 51 all from 202.179.x.x/29 to any in via fxp1
> ${fwcmd} add 73 pipe 52 all from any to 202.179.x.x/29 in via fxp0
>
> # xas
> ${fwcmd} pipe 53 config bw 128kbit/s
> ${fwcmd} pipe 54 config bw 128kbit/s
> ${fwcmd} add 74 pipe 53 all from 202.179.x.x/29,202.179.x.x/30 to any in via fxp1
> ${fwcmd} add 75 pipe 54 all from any to 202.179.x.x/29,202.179.x.x/30 in via fxp0
>
>
> ##################### 256KB #######################################
> #mtc
> ${fwcmd} pipe 55 config bw 256kbit/s
> ${fwcmd} pipe 56 config bw 256kbit/s
>
> ${fwcmd} add 76 pipe 55 all from 202.179.x.x/30,202.179.x.x/29 to any in via fxp1
> ${fwcmd} add 77 pipe 56 all from any to 202.179.x.x/30,202.179.x.x/29 in via fxp0
>
> #gtz
> ${fwcmd} pipe 57 config bw 256kbit/s
> ${fwcmd} pipe 58 config bw 256kbit/s
>
> ${fwcmd} add 78 pipe 57 all from 202.179.x.x/28 to any in via fxp1
> ${fwcmd} add 79 pipe 58 all from any to 202.179.x.x/28 in via fxp0
>
> ######################### STANDARDS #########################
> # Allow TCP through if setup succeeded
> ${fwcmd} add 100 pass tcp from any to any established
>
> # Allowing connections through localhost.
> ${fwcmd} add 300 pass all from any to any via lo0
>
> # pass ARP
> ${fwcmd} add 301 allow layer2 mac-type arp
>
> # Allow the inside hosts to say anything they want
> ${fwcmd} add pass tcp from any to any in via fxp1 setup keep-state
> ${fwcmd} add pass udp from any to any in via fxp1 keep-state
> ${fwcmd} add pass ip from any to any in via fxp1
>
> # Allowing SSH,web connection and LOG all incoming connections.
> ${fwcmd} add pass tcp from any to any 22 in via fxp0 setup keep-state
> ${fwcmd} add pass tcp from any to any 80,443 in via fxp0 setup keep-state
>
> # Allowing and LOG all INCOMING, outgoing FTP, telnet, SMTP, POP3, ident, imap connections.
> ${fwcmd} add pass tcp from any to any 20-21,23,25,110,113,143 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 20-21,23,25,110,113,143 in via fxp0 keep-state
>
> # Pass the "quarantine" range
> ${fwcmd} add pass tcp from any to any 18198,18211,40000-65535 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 18198,18211,40000-65535 in via fxp0 keep-state
>
> # MSN, Yahoo ports
> ${fwcmd} add pass tcp from any to any 1863,2001-2120,6801,6891-6901,7801-7825 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 1863,2001-2120,6801,6891-6901,7801-7825 in via fxp0 keep-state
>
> # additional h323,yahoo,remote admin,vnc ports
> ${fwcmd} add pass tcp from any to any 1719-1725,2082,5000-6000,8010,8100 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 1719-1725,2082,5000-6000,8010,8100 in via fxp0 keep-state
>
> # Allowing mysql,Jabber,IRC,chat.
> ${fwcmd} add pass tcp from any to any 3306,4899,6155,6502,6667,8000 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 3306,4899,6155,6502,6667,8000 in via fxp0 keep-state
>
> # allow radius
> ${fwcmd} add pass tcp from any to any 1645,1646,1812,1813,9000-9002 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 1645,1646,1812,1813,9000-9002 in via fxp0 keep-state
>
> # additional eMule ports
> ${fwcmd} add pass tcp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 keep-state
>
> # Allowing DNS lookups.
> ${fwcmd} add pass tcp from any to any 53 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from any to any 53 in via fxp0 keep-state
> ${fwcmd} add pass udp from any 53 to any in via fxp0 keep-state
>
> ${fwcmd} add pass icmp from 202.179.x.x/19 to any icmptypes 0,3,4,8,11,12
> ${fwcmd} add pass icmp from not 202.179.x.x/19 to 202.179.x.x/19 icmptypes 0,3,4,11,12
>
> # Allowing SOCKS,HTTP proxy to outside only
> ${fwcmd} add pass tcp from 202.179.x.x/19 to any 1080,8080 in via fxp0 setup keep-state
> ${fwcmd} add pass udp from 202.179.x.x/19 to any 1080,8080 in via fxp0 keep-state
>
> # Allow the bridge machine to say anything it wants
> ${fwcmd} add pass tcp from 202.179.x.x to any setup keep-state
> ${fwcmd} add pass udp from 202.179.x.x to any keep-state
> ${fwcmd} add pass ip from 202.179.x.x to any
>
> ${fwcmd} add pass tcp from any to any in via fxp2 setup keep-state
> ${fwcmd} add pass udp from any to any in via fxp2 keep-state
> ${fwcmd} add pass ip from any to any in via fxp2
>
> # Allow NTP queries out in the world
> ${fwcmd} add pass udp from any to any 123 in via fxp0 keep-state
>
> # allow multicast
> ${fwcmd} add pass all from 202.179.x.x/19 to 224.0.0.0/4 via fxp0
> ${fwcmd} add pass all from 224.0.0.0/4 to 202.179.x.x/19 via fxp0
>
> # Allowing OSPF
> ${fwcmd} add pass ospf from any to any
>
> # Allowing GRE
> ${fwcmd} add pass gre from any to any
>
> # Allowing IP fragments to pass through.
> ${fwcmd} add 65001 pass all from any to any frag
>
> # Everything else is suspect
> ${fwcmd} add drop log ip from any to any ...
> --------------------------------------------------------------
> ---------------------------------------------------------------
>
> /etc/sysctl.conf file.
> --------------------------------------------------------------
> ---------------------------------------------------------------
> net.link.ether.bridge_cfg=fxp0:0,fxp1:0
> net.link.ether.bridge_ipfw=1
> net.link.ether.bridge.enable=1
>
> net.inet.ip.fw.one_pass=0
> security.bsd.see_other_uids=0
> net.link.ether.inet.max_age=1200
> kern.ipc.somaxconn=1024
> net.inet.tcp.sendspace=32768
> net.inet.tcp.recvspace=32768
>
> net.inet.ip.sourceroute=0
> net.inet.ip.accept_sourceroute=0
>
> # Stop broadcast ECHO response
> net.inet.icmp.bmcastecho=0
>
> # Stop other broadcast probes
> net.inet.icmp.maskrepl=0
>
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
>
> net.inet.ip.fw.dyn_max=8192
> net.inet.ip.fw.dyn_ack_lifetime=3600
> net.inet.ip.fw.dyn_udp_lifetime=10
> net.inet.ip.fw.dyn_buckets=1024
>
> --------------------------------------------------------------
> ---------------------------------------------------------------
>
> tia,
>
> Ganbold
>
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to
> "freebsd-ipfw-unsubscribe at freebsd.org"
>
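Sten's three points above (that 'via' is not a direction, that one src-ip list stands in for three 'via fxp0' rules, and that a skipto per interface keeps packets away from the rules for other interfaces) are modelled here in a small Python rule walker. This is an added illustration written for this page, not ipfw itself and not code from either poster: it implements only the handful of options the thread uses, the packets and the trailing rule numbers (65000, 104, 1000, 1001, 2000) are constructed, and rule 104 is an assumed catch-all for the part of Sten's sketch that is elided with "...".

```python
"""Toy model of the ipfw options discussed in the thread (added example).

Models 'in'/'out', 'recv'/'xmit'/'via', a src-ip address list, 'allow',
'deny' and 'skipto', enough to show what each option matches and how many
rules a packet walks through under each layout. Not ipfw code.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    name: str
    src: str
    direction: str                   # "in" or "out"
    recv: Optional[str] = None       # interface the packet arrived on
    xmit: Optional[str] = None       # interface it is about to leave on


@dataclass
class Rule:
    num: int
    action: str                      # "allow", "deny" or "skipto"
    direction: Optional[str] = None  # "in", "out" or None for either
    recv: Optional[str] = None
    xmit: Optional[str] = None
    via: Optional[str] = None
    src_nets: List[str] = field(default_factory=list)
    target: Optional[int] = None     # rule number to continue at for skipto

    def matches(self, pkt: Packet) -> bool:
        if self.direction and pkt.direction != self.direction:
            return False
        if self.recv and pkt.recv != self.recv:
            return False
        if self.xmit and pkt.xmit != self.xmit:
            return False
        # 'via' is satisfied by either the receive or the transmit interface
        if self.via and self.via not in (pkt.recv, pkt.xmit):
            return False
        if self.src_nets:
            addr = ipaddress.ip_address(pkt.src)
            if not any(addr in ipaddress.ip_network(n) for n in self.src_nets):
                return False
        return True


def match_names(rule: Rule, packets: List[Packet]) -> List[str]:
    """Names of the packets a single rule would match."""
    return [p.name for p in packets if rule.matches(p)]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, List[int]]:
    """Walk the rules in number order; return (verdict, rule numbers checked)."""
    rules = sorted(rules, key=lambda r: r.num)
    checked: List[int] = []
    i = 0
    while i < len(rules):
        rule = rules[i]
        checked.append(rule.num)
        if rule.matches(pkt):
            if rule.action == "skipto":
                # continue at the first rule numbered >= target
                i = next((k for k, r in enumerate(rules) if r.num >= rule.target), len(rules))
                continue
            return rule.action, checked
        i += 1
    return "deny", checked           # implicit default deny at the end


# Constructed sample traffic; 203.0.113.5 is a documentation address.
PACKETS = [
    Packet("inbound_fxp0", "192.168.1.1", "in", recv="fxp0"),
    Packet("forwarded_out_fxp0", "10.1.2.3", "out", recv="fxp1", xmit="fxp0"),
    Packet("inbound_fxp1", "203.0.113.5", "in", recv="fxp1"),
]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Ganbold's three 'via fxp0' rules (numbers as in the thread) plus a constructed final allow
ORIGINAL = [
    Rule(21, "deny", via="fxp0", src_nets=["10.0.0.0/8"]),
    Rule(23, "deny", via="fxp0", src_nets=["172.16.0.0/12"]),
    Rule(25, "deny", via="fxp0", src_nets=["192.168.0.0/16"]),
    Rule(65000, "allow"),
]
# Sten's consolidated form: one rule with a src-ip list
CONSOLIDATED = [Rule(21, "deny", via="fxp0", src_nets=RFC1918), Rule(65000, "allow")]
# Sten's skipto layout; rule 104 is an assumed catch-all for packets on an
# interface with no branch, and the per-interface blocks are constructed
SKIPTO = [
    Rule(100, "allow", via="lo0"),
    Rule(102, "skipto", via="fxp0", target=1000),
    Rule(103, "skipto", via="fxp1", target=2000),
    Rule(104, "deny"),
    Rule(1000, "deny", src_nets=RFC1918),    # fxp0 block
    Rule(1001, "allow"),
    Rule(2000, "allow"),                      # fxp1 block
]

if __name__ == "__main__":
    for label, rule in [("via fxp0", Rule(1, "deny", via="fxp0")),
                        ("in recv fxp0", Rule(1, "deny", direction="in", recv="fxp0")),
                        ("out xmit fxp0", Rule(1, "deny", direction="out", xmit="fxp0"))]:
        print(f"{label:14} matches {match_names(rule, PACKETS)}")
    for label, rules in [("original", ORIGINAL), ("consolidated", CONSOLIDATED), ("skipto", SKIPTO)]:
        for pkt in PACKETS:
            print(f"{label:13} {pkt.name:20} -> {evaluate(rules, pkt)}")
```

Running it shows that `via fxp0` alone matches both the packet received on fxp0 and the forwarded packet leaving on fxp0, while `in recv fxp0` and `out xmit fxp0` each pick one of them; the private-source packet on fxp0 is refused after three rule checks under the original layout and after one under the consolidated rule, and a packet on fxp1 never touches the fxp0 block in the skipto layout.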