ipfw rules help.

Saint Aardvark the Carpeted aardvark at saintaardvarkthecarpeted.com
Wed Feb 4 07:35:08 PST 2004 

Marwan Sultan disturbed my sleep to write:
>     I compiled ipfw to accept by default.
>     This is my ipfw list:
> 
> 00050 divert 8668 ip from any to any via rl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 allow ip from any to any

Hm...this may not be a big deal, but is there any reason you're putting
the divert rule before the rules dealing with lo0/127.0.0.0/8?  The
default FreeBSD open firewall ruleset usually puts the divert rule after
-- this would be rule 400 in your example.  

> a)   lets say I want to deny everything except a range of IPs
>      starting from 192.168.1.1 to 192.168.1.50.
>      what rule set should be? how to set range of IPs? to pass
>      and deny rest of the C class. FreeBSD Doc's doesnot cover this?
>      or i didnot see.!

man ipfw(8) will help you.  Depending on the version of ipfw (I forget
when this syntax was added), you may be able to do this:

	ipfw allow all from 192.168.1.{1,50} to any 
	ipfw deny all from any to any

As for which rule it should be...typically what I do is write down
my firewall rules in a separate file, try to make sure that they make
sense (allow rules before deny rules, for example), then try them
out...always making sure that I have some way into the machine if I'm
working remotely!  Usually you can let ipfw take care of assigning rule
numbers, unless you've got something fairly special going on.

> b)   If i want to deny everything except ip 192.168.1.5 as follow
>      00400 allow all from 192.168.1.5 to any
>      01000 deny all from any to any.
> 
>      when ipfw reads the rules and pass by 00400 then comes to 01000
>      then it denies even the 192.168.1.5, althou i put this rule before the 
>      deny ? what im missing? how should i pass 1 ip and deny all?

I'm not sure why that would happen, but you can find out.  If you change
that deny rule to a deny-and-log rule, like this:

	ipfw deny log all from any to any

you can then run "tail -f /var/log/security" and see what packets are
being caught by the deny rule.  You can also run "ipfw show", which
will show you how many packets/bytes are being caught by which rules.
Again, read the man page for ipfw.

Off the top of my head, I suspect you're allowing traffic out, but not
back in -- you haven't listed a rule that would allow replies to TCP
traffic back in, or DNS queries.  Denying either of these would make it
look like nothing is working.  Try this:

	allow tcp from 192.168.1.5 to any
	allow udp from 192.168.1.5 to any keep-state
	check-state
	allow tcp from any to any established
	deny all from any to any

> c)   If I want rule 00400 to expire in 9PM and be active in 8AM.(EXAMPLE)
>      how do we do that? is it by set a cron job to delete and add
>      the ipfw rule? or there is something to do from the ipfw it self?

As far as I know, you can only do this with a cron job.  Test carefully,
though -- it's frighteningly easy to lock yourself out while doing this
sort of thing.  I speak from bitter experience. :-)

> D)   Last Q: IF I restart the box all the rules will be reset,
>              and comes to default. which is reasonable.
>              How to keep it everytime I restart?
>              do i create a file somewhere, and i tell my rc.conf for it?
>              what the rc.conf line should be? and file format?

man rc.conf(5) will show you firewall options.  What I usually do is
write my own and keep it in a separate file -- I find rc.firewall too
confusing when trying to customize it.  But have a look at
/etc/rc.firewall and the "simple" option -- it probably does a lot of
what you want.

>     Question out of subject, 
>     How i can do something thro cronjob to make the box Email me the
>     log of firewall everyday on certain time, lets say 9PM ?

Well, you could just have a script that would, say, grep for today's
date in your firewall logs and email that.  Another thing you could
consider doing, though, is signing up at dshield.org and using one of
their clients to parse your logs.  Dshield collects firewall information
from volunteers around the world, and uses it to alert people to new
or fast-moving threats.  It's an excellent idea, and a lot of help to
security people.  I use ipfw2dshield to parse and mail my logs, and as a
bonus I get a copy of the email myself to see if there's anything
interesting.

Hope that helps!

Hugh
-- 
Saint Aardvark the Carpeted
aardvark at saintaardvarkthecarpeted.com
Because the plural of Anecdote is Myth.

More information about the freebsd-questions mailing list