Struggling with IPFW on CURRENT
Guido Falsi
mad at madpilot.net
Wed Oct 7 14:31:53 UTC 2015
On 10/07/15 15:57, Mark Felder wrote:
> Hi all,
>
> I've only used IPFW in the past for the most basic of tasks. I'd like to
> use it with in-kernel NAT protecting both v4 and v6 and add
> dummynet/pipe later, but I have to get the basic working first. I'm
> either overlooking something obvious or there's a major issue. Has there
> been work in CURRENT? I haven't tried on any RELEASE....
My experience with ipfw is almost exclusively on RELEASE, but I don't
think that much has changed in the rules syntax.
>
> Problems I'm running into:
>
> * Inbound v4 traffic to the firewall is blocked, but inbound v6 traffic
> to firewall and hosts behind it are not. Both v4 and v6 should be
> handled by keywords: tcp, udp, ip, me.
I'm sorry but I have made no tests with IPv6, so I can't help you on
this one.
I suspect you should also investigate using sysctl
net.inet.ip.fw.one_pass=0. The ruleset below seems to require it in a
few places.
>
> * TCP sessions seem to be killed every ~300s
sysctl net.inet.ip.fw.dyn_ack_lifetime=<seconds>
The default is 300.
>
> * "in via $pif" doesn't seem to work. ex: block icmp from internet to
> $pif fails to do anything. However, "block out via $pif" blocks it...
I suspect this is related to one pass above.
>
> * Does IPFW not track outbound traffic to allow it back through --
> related/established ? I have trouble blocking inbound traffic without
> blocking originated/outbound traffic because the firewall blocks the
> return packets.
It does only for stateful rules, with keep-state, which you are using.
Which rules are failing to do that?
>
> * Port forwarding is failing, probably due to the issues with the "in
> via" that I'm experiencing. Research says once I have the redirect_port
> configured I should be good to go as long as I match the traffic and
> skip to the NAT rule. Skip rules don't stop processing, so it should hit
> the next rule which is the last rule in my config -- allow from any to
> any. (Documentation for in-kernel NAT is nonexistent and really needs
> help). The rule 425 below should be working, but logs show that rule is
> ignored and it's being blocked at 550. Comment out 550 and it works...
As above, if I remember correctly this setup requires one_pass=1 to
work; I'm not completely sure this is your problem, though. I think it's
worth a try.
Please note that my structure is just an example, there are many other
ways to organize your firewall. I have a setup that uses many stateful
rules, but some people prefer stateless firewalling, which requires
rules for both inbound and outbound traffic.
Hope this helps.
--
Guido Falsi <mad at madpilot.net>
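As an added example (not a ruleset from either poster), here is a minimal stateful ipfw layout of the kind discussed above: inbound traffic is de-NATed before check-state, outbound keep-state rules skipto the outbound NAT rule, the last rule is "allow ip from any to any", and both sysctls mentioned in the thread are set. Interface names and addresses are constructed placeholders; by default the script only prints the commands, and IPFW="ipfw -q" SYSCTL=sysctl applies them on a FreeBSD host.

```shell
#!/bin/sh
# Added example: stateful ipfw with in-kernel NAT and one redirect_port
# forward. em0/em1/192.168.1.10 are constructed placeholders.
# Dry run by default (prints the commands); set IPFW="ipfw -q" SYSCTL=sysctl
# to apply for real.
: "${IPFW:=echo ipfw -q}"
: "${SYSCTL:=echo sysctl}"

pif="em0"             # assumed public interface
lif="em1"             # assumed LAN interface
srv="192.168.1.10"    # assumed LAN host behind the forwarded port

load_ruleset() {
    $IPFW -f flush
    # one_pass=0: keep evaluating rules after a nat match, so the rules
    # after the nat rule see the translated packet (the skipto layout
    # below depends on this).
    $IPFW disable one_pass
    # Dynamic entries for established TCP sessions expire after this many
    # idle seconds; the default of 300 is what drops quiet sessions at ~5 min.
    $SYSCTL net.inet.ip.fw.dyn_ack_lifetime=3600

    # NAT instance on the public interface; public 2222/tcp -> $srv:22.
    # libalias translates IPv4 only, hence "ip4" on the nat rules.
    $IPFW nat 1 config if "$pif" same_ports reset redirect_port tcp "$srv:22" 2222

    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 allow ip from any to any via "$lif"
    # Translate inbound first, so check-state and later rules match on the
    # real internal destination instead of the public address.
    $IPFW add 200 nat 1 ip4 from any to any in via "$pif"
    $IPFW add 210 check-state

    # Outbound sessions: record state on the untranslated packet, then jump
    # to the NAT rule; replies come back in via rule 200 and hit check-state.
    $IPFW add 300 skipto 1000 tcp from any to any out via "$pif" setup keep-state
    $IPFW add 310 skipto 1000 udp from any to any 53 out via "$pif" keep-state

    # The forward: after rule 200 the packet is addressed to $srv:22. Using
    # skipto (not allow) as the stateful action means the server's replies,
    # matched by check-state, also pass through rule 1000 and get translated.
    $IPFW add 400 skipto 1000 tcp from any to "$srv" 22 in via "$pif" setup keep-state

    $IPFW add 500 deny log ip from any to any

    $IPFW add 1000 nat 1 ip4 from any to any out via "$pif"
    $IPFW add 1001 allow ip from any to any
}

load_ruleset
```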