Firewall Rules/connection troubles

Giorgos Keramidas keramida at
Fri Apr 11 22:48:49 PDT 2003

On 2003-04-11 20:24, Tommy Forrest - KE4PYM <tforrest at> wrote:
> Recently, I upgraded to FreeBSD 4.8.  I decided to use a closed
> firewall.  I did some research and found some sample statefull
> firewall rules.  I've worked them somewhat into my requirements.
> I'm having some trouble.  My main complaint is that my telnet and ssh
> connections to the net timeout.  In the script you see below you do
> not see the setup or keep-state comments for telnet/ssh.  I've tried
> it with both and to no avail.  IRC connections also time out rather
> quickly.  FTP connections to the machine are very slow and web sites
> seem to lag unless you click on the links several times (all of these
> behaviors are noted from an internal w2k machine.
> [snip large ruleset]

There are various problems with your ruleset.  I'll try to describe some,
but you'll probably have to ditch the entire mess of it all and start again
with a simpler set of rules.

  a. You're using explicit numbers for your rules.

     This isn't really a problem, but it's a shotgun begging for
     permission to have fun with your toes.  Just drop the numbers
     altogether, and let ipfw number the rules with whatever numbers it
     pleases.  You only have a few dozens of rules.  There's still a lot
     of free space up to the limit of 600 or so rules that ipfw can use
     before being in need of smaller inter-rule space.

  b. You're using both 'check-state' and 'established'.

     With check-state and smart use of keep-state for new connections
     you don't need 'established'.  It's probably better to check-state,
     then allow selectively *some* tcp connections, reject all other
     connection setup attempts with a port-unreachable ICMP and just
     drop dead on the floor all other packets.

  	  allow tcp from any to any 22 out xmit $oif setup keep-state
  	  unreach port tcp from any to any in recv $oif setup
  	  deny tcp from any to any

  c. You're only letting DNS requests to your ISPs name servers through,
     but haven't mentioned anything about your local DNS configuration.
     It's not a wise thing to block all DNS traffic if you haven't set
     up a local named that forwards all requests to your ISPs servers.

     This would probably explain some of the telnet/ssh problems you're
     having when keep-state is enabled.  When keep-state is disabled,
     you're blocking yourself out of the world anyway.

  d. You're not letting NTP replies back in.  At all!

  e. You don't have keep-state in your outgoing telnet/ssh/MSN-chat
     rules.  Put it back there, or there isn't any point in letting
     outgoing packets through since you'll never 'see' a reply.

  f. The MSN file transfers rule in your incoming section lack
     keep-state too, so it needs fixing too.

  g. You do allow outgoing connections to port 6667 for IRC, but bear in
     mind that many servers accept connections to other ports too.  You
     might want to consider enabling ports 6668, 7325, 10000 and a few
     others too.  If not all outgoing connections, that is . . .

     Another potential source of IRC problems is the fact that you're
     not allowing through incoming auth/ident connections.  Many IRC
     servers will block for long periods, waiting for an ident reply and
     reject you when it eventually times out.

  h. You're blocking fragments.  It's not always a good idea.

  i. Your incoming ftp port 20 rule only claims to be 'incoming'.  It
     uses 'out via' which isn't quite the same thing.

  k. You're not allowing any icmp packets through.  This can result in some
     pretty bizzare things.  You should probably allow all icmp packets
     through and tune net.inet.icmp.icmplim for incoming icmp packets and
     net.inet.icmp.icmplim_output for outgoing.

A much cleaner ruleset that works in a similar way could be written as shown
below.  I haven't used a lot of comments, but I'm sure you'll quickly grasp
what's going on.  It wasn't very clear if you wanted to allow incoming or
outgoing irc connections, so I've added rules to allow both.  Delete or
comment the one you don't need.




    $fw -q -f flush
    $fw add divert natd ip from any to any via "${ifout}"

    # loopback traffic
    $fw add pass all from to via lo0
    $fw add deny all from any to
    $fw add deny ip from to any

    # pass icmp or evil things can happen
    $fw add allow icmp from any to any

    # inside interface isn't limited in any way
    $fw add allow all from any to any via "${ifin}"

    # stateful rules follow ------------------------------------------------
    $fw add check-state

    # outbound section -----------------------------------------------------
    # You might want to allow *any* sort of dns/ntp traffic, but the following
    # seems to work fine if you increase net.inet.ip.fw.dyn_udp_lifetime a
    # bit.  Its default is too short for some slow links (like my dialup).
    $fw add allow udp from any to any 53,123 keep-state

    # Allow outgoing connections: ssh, telnet, mail, web, ntp and msn-chat.
    $fw add allow tcp from any to any 22,23,25,80,110,123,443,1863,6667 \
        out xmit "${ifout}" setup keep-state
    # irc
    $fw add allow tcp from any to any 6667,6668,7325,10000 \
        out xmit "${ifout}" setup keep-state limit src-addr 4

    # inbound section -----------------------------------------------------
    $fw add allow tcp from any to any 21,22,25,80 \
        in recv "${ifout}" setup keep-state limit src-addr 4
    $fw add allow tcp from any 20 to any 1024-49151 \
        in recv "${ifout}" setup keep-state limit src-addr 4
    $fw add allow tcp from any to any 22,25 \
        in recv "${ifout}" setup keep-state limit src-addr 5
    # kazaa & msn file transfers
    $fw add allow tcp from any to any 1214,6891-6900 \
        in recv "${ifout}" setup keep-state
    # irc
    $fw add allow tcp from any to any 6667,6668,7325,10000 \
        in recv "${ifout}" setup keep-state limit src-addr 4
    # fast reset of all auth/ident requests.
    $fw add unreach port tcp from any to any 113 in recv "${ifout}" setup

    # default policy ------------------------------------------------------
    $fw add deny ip from any to any


More information about the freebsd-questions mailing list