Struggling with IPFW on CURRENT

Mark Felder feld at FreeBSD.org
Wed Oct 7 13:57:43 UTC 2015


Hi all,

I've only used IPFW in the past for the most basic of tasks. I'd like to
use it with in-kernel NAT protecting both v4 and v6 and add
dummynet/pipe later, but I have to get the basic working first. I'm
either overlooking something obvious or there's a major issue. Has there
been work in CURRENT? I haven't tried on any RELEASE....

Problems I'm running into:

* Inbound v4 traffic to the firewall is blocked, but inbound v6 traffic
to firewall and hosts behind it are not. Both v4 and v6 should be
handled by keywords: tcp, udp, ip, me.

* TCP sessions seem to be killed every ~300s

* "in via $pif" doesn't seem to work. ex: block icmp from internet to
$pif fails to do anything. However, "block out via $pif" blocks it...

* Does IPFW not track outbound traffic to allow it back through --
related/established ? I have trouble blocking inbound traffic without
blocking originated/outbound traffic because the firewall blocks the
return packets.

* Port forwarding is failing, probably due to the issues with the "in
via" that I'm experiencing. Research says once I have the redirect_port
configured I should be good to go as long as I match the traffic and
skip to the NAT rule. Skip rules don't stop processing, so it should hit
the next rule which is the last rule in my config -- allow from any to
any. (Documentation for in-kernel NAT is nonexistent and really needs
help). The rule 425 below should be working, but logs show that rule is
ignored and it's being blocked at 550. Comment out 550 and it works...

#!/bin/sh

# http://blog.pcbsd.org/2015/01/using-trueos-as-a-ipfw-based-home-router/
# Below based on example from Kris Moore

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw add"
pif="re0"     # interface name of NIC attached to Internet
pif6="gif0"   # interface name of NIC attached to Internet IPv6 (tunnel)
iif="bridge0"    # interface name of NIC attached to LAN (re1, wlan0 bridged)
ks="keep-state" # Laziness
skip="skipto 600"

# Create the NAT redirect rules
######################################
ipfw -q nat 1 config if $pif unreg_only reset \
    redirect_port tcp 172.16.1.122:32400 32400

######################################

# Allow everything through the local NIC
######################################
$cmd 00020 allow log all from any to any via $iif
######################################

# No restrictions on Loopback Interface
######################################
$cmd 00025 allow log all from any to any via lo0
######################################

# Catch spoofing from outside
######################################
$cmd 00090 deny log ip from any to any not antispoof in
######################################

# NAT the inbound stuff
######################################
$cmd 0100 nat 1 ip from any to any in via $pif
######################################

# Allow packet through if it matches existing entry in dynamic rules
######################################
$cmd 00101 check-state
######################################

# Allow all outgoing packets
######################################
$cmd 00110 $skip tcp from any to any out via $pif setup $ks
$cmd 00111 $skip udp from any to any out via $pif $ks
######################################

# Deny all inbound traffic from non-routable reserved address spaces
######################################
$cmd 00300 deny log all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 00301 deny log all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 00302 deny log all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 00303 deny log all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 00304 deny log all from 0.0.0.0/8 to any in via $pif        #loopback
$cmd 00305 deny log all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 00306 deny log all from 192.0.2.0/24 to any in via $pif     #reserved for doc
$cmd 00307 deny log all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 00308 deny log all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast
######################################

# Deny public pings
######################################
$cmd 00310 deny log icmp from any to any in via $pif  # This does not work
######################################

# Allow specific ports IN now (for services behind NAT)
######################################
$cmd 00425 $skip tcp from any to any 32400 in via $pif setup $ks
######################################

# Deny all other troublemakers
$cmd 00550 deny log tcp from any to any via $pif
$cmd 00551 deny log udp from any to any via $pif
$cmd 00552 deny log tcp from any to any via $pif6  # Added just-in-case because v6
$cmd 00553 deny log udp from any to any via $pif6  # uses gif0, but doesn't work

# Skip location for NAT
$cmd 600 nat 1 ip from any to any out via $pif
$cmd 610 allow log ip from any to any setup $ks


-- 
  Mark Felder
  ports-secteam member
  feld at FreeBSD.org
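The post above relies on reading the ipfw log to find out which rule is actually dropping the port-forwarded traffic (rule 550 instead of the expected skip at 425). The script below is an added example for that diagnostic step; it is not Mark's code and not part of the original thread. It assumes the syslog line format the kernel emits for rules carrying the "log" keyword ("ipfw: <rule> <Action> <proto> <src[:port]> <dst[:port]> in|out via <iface>", with "SkipTo" followed by its target rule), and the log lines embedded in it are constructed for the example using documentation address ranges, not captured traffic.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise kernel ipfw log lines
# to see which rule is dropping (or skipping) which traffic. It assumes the
# syslog format produced by the "log" keyword:
#   ipfw: <rule> <Action> <proto> <src[:port]> <dst[:port]> in|out via <iface>
# The log lines below are constructed for this example; the addresses are
# documentation ranges, not real hosts.

SAMPLE_LOG='Oct  7 13:50:01 gw kernel: ipfw: 550 Deny TCP 203.0.113.5:51234 198.51.100.7:32400 in via re0
Oct  7 13:50:02 gw kernel: ipfw: 550 Deny TCP 203.0.113.5:51235 198.51.100.7:32400 in via re0
Oct  7 13:50:03 gw kernel: ipfw: 551 Deny UDP 203.0.113.9:40000 198.51.100.7:53 in via re0
Oct  7 13:50:04 gw kernel: ipfw: 425 SkipTo 600 TCP 203.0.113.5:51236 198.51.100.7:32400 in via re0
Oct  7 13:50:05 gw kernel: ipfw: 300 Deny TCP 192.168.7.7:1024 198.51.100.7:22 in via re0
Oct  7 13:50:06 gw kernel: ipfw: 310 Deny ICMP:8.0 203.0.113.5 198.51.100.7 in via re0'

# Reads log text on stdin and prints one line per distinct
# "rule action proto dst_port direction iface" with its hit count, ordered by rule.
ipfw_log_summary() {
    awk '
        {
            # Locate the "ipfw:" token; syslog prefixes vary, so do not rely on fixed columns.
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF) next
            rule = $(i + 1); action = $(i + 2)
            if (action == "SkipTo") { action = action " " $(i + 3); i++ }  # SkipTo carries its target
            proto = $(i + 3); dst = $(i + 5); dir = $(i + 6); iface = $(i + 8)
            # Only TCP/UDP entries carry a port; ICMP lines show bare addresses.
            port = "-"
            if (dst ~ /^[0-9.]+:[0-9]+$/ || dst ~ /]:[0-9]+$/) { n = split(dst, p, ":"); port = p[n] }
            count[rule " " action " " proto " " port " " dir " " iface]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k1,1n
}

# Prints how many lines show rule $1 denying traffic (0 if none); log text on stdin.
ipfw_deny_count() {
    awk -v rule="$1" '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i <= NF && $(i + 1) == rule && $(i + 2) == "Deny") n++
        }
        END { print n + 0 }'
}

# Usage with the constructed sample. On a real FreeBSD box ipfw log entries
# typically land in /var/log/security, e.g.: grep 'ipfw:' /var/log/security | ipfw_log_summary
printf '%s\n' "$SAMPLE_LOG" | ipfw_log_summary
printf '%s\n' "$SAMPLE_LOG" | ipfw_deny_count 550
```

Grouping by rule number, destination port and interface makes it immediately visible when a hole such as rule 425 never fires while a later catch-all deny does, which is the symptom described in the post; the per-rule deny count is the quick check to run before and after reordering rules.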


More information about the freebsd-net mailing list