From: Philip Payne
To: whizkid@ValueDJ.com, Steve Bertrand
cc: freebsd-questions@freebsd.org
Date: Fri, 2 Jul 2004 10:42:50 +0100
Subject: RE: IPFW acting weird OR invalid ruleset?

> steve,
> Yes everything else seems to work fine. There are currently 2 PCs
> with this issue. One is XP, the other is Win2k.
> This ruleset worked fine on FreeBSD 5.1, but I reformatted the box,
> installed 5.2.1 and uploaded the rc.firewall.rules and natd.conf files;
> since the network interfaces were the same I didn't really have to
> change anything.

Ok... so reading the ruleset, the traffic will behave as follows (referring to your rc.firewall):

An outgoing FTP session is passed first by rule 04109 (with a keep-state) and then by 61001 (without a keep-state). So, will the returning traffic get passed by the check-state on the way back in?... I'm not sure, possibly. Also, funny that it works for 5.1 and not 5.2.1, which implies bugs.

The general consensus from my and Steve's responses is that we don't understand the ruleset. Using skipto just to divert to natd and pass outgoing traffic does seem overly complicated and I've not seen anyone else use that approach. Maybe I am missing some advantage that it gives you.

I figure you have two approaches to solve this:

1) If you want to debug the current ruleset, add logging to the deny rules and check where the traffic is being dropped. If it is the ruleset at fault then the traffic MUST be being dropped by it on one of the rules. Remember.... logging is your friend.

Or

2) There may be some benefit to re-writing the ruleset in a format you personally understand rather than using a template. Your general approach to a firewall ruleset should be:

a) The first section contains any anti-spoofing rules, then the rules to divert traffic going via the outside interface to natd, and check-state.
b) A second section to allow/deny traffic directly to the firewall.
c) Then a section to allow the incoming services to your site. You should end this section with something like "deny all traffic coming in via my external interface", as unless you specifically want the traffic you should drop it.
d) Then a section to permit the required traffic out from your site. You should end this section with something like "deny & log all traffic", as if you haven't specified it to pass, it shouldn't.
Then you can refine this approach by adding deny rules without logging, to only log what's required and pick up on traffic that you should be passing but are not.

I'm afraid it's very difficult to be specific on writing firewall policy as it will be unique to your needs, but I hope that general approach will help. Tools like /usr/ports/security/fwbuilder (home www.fwbuilder.org) can help in generating policy, but the install features for IPFW are not quite working. I have posted a script to help with this previously.

Thanks,
Phil.

> I found these rules on this website:
>
> http://www.lugbe.ch/lostfound/contrib/freebsd_router/
>
> here is the sample I used from the website:
>
> # be quiet and flush all rules on start
> -q flush
>
> # allow local traffic, deny RFC 1918 addresses on the outside
> add 00100 allow ip from any to any via lo0
> add 00110 deny ip from any to 127.0.0.0/8
> add 00120 deny ip from any to any not verrevpath in
> add 00301 deny ip from 10.0.0.0/8 to any in via ep0
> add 00302 deny ip from 172.16.0.0/12 to any in via ep0
> add 00303 deny ip from 192.168.0.0/16 to any in via ep0
>
> # check if incoming packets belong to a natted session, allow through if yes
> add 01000 divert natd ip from any to me in via ep0
> add 01001 check-state
>
> # allow some traffic from the local net to the router
> # SSH
> add 04000 allow tcp from 192.168.1.0/24 to me dst-port 22 in via ep1 setup keep-state
> # ICMP
> add 04001 allow icmp from 192.168.1.0/24 to me in via ep1
> # NTP
> add 04002 allow tcp from 192.168.1.0/24 to me dst-port 123 in via ep1 setup keep-state
> add 04003 allow udp from 192.168.1.0/24 to me dst-port 123 in via ep1 keep-state
> # DNS
> add 04006 allow udp from 192.168.1.0/24 to me dst-port 53 in via ep1
>
> # drop everything else
> add 04009 deny ip from 192.168.1.0/24 to me
>
> # pass outgoing packets (to be natted) on to a special NAT rule
> add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via ep1 keep-state
>
> # allow all outgoing traffic from the router (maybe you should be more restrictive)
> add 05010 allow ip from me to any out keep-state
>
> # drop everything that has come so far. This means it doesn't belong to an
> # established connection, don't log the most noisy scans.
> add 59998 deny icmp from any to me
> add 59999 deny ip from any to me dst-port 135,137-139,445,4665
> add 60000 deny log tcp from any to any established
> add 60000 deny log ip from any to any
>
> # this is the NAT rule. Only outgoing packets from the local net will come here.
> # First, nat them, then pass them on (again, you may choose to be more restrictive)
> add 61000 divert natd ip from 192.168.1.0/24 to any out via ep0
> add 61001 allow ip from any to any
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
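Phil's first option, as an added example that is not part of the thread: a small sh script that summarises ipfw "deny log" hits by rule number and flow, so you can see which rule is dropping a given PC's traffic once logging is on the deny rules. It assumes the ipfw2 log format of FreeBSD 5.x and net.inet.ip.fw.verbose=1 (otherwise the kernel logs nothing); the sample log lines and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the hits that Phil's option 1
# ("add logging to the deny rules") produces, so you can see which rule number
# dropped the two PCs' FTP traffic. Assumes ipfw2 on FreeBSD 5.x logging to
# /var/log/security (net.inet.ip.fw.verbose=1), where each line looks like
#   ... kernel: ipfw: 60000 Deny TCP 192.168.1.23:1052 198.51.100.20:21 in via ep1
# The sample lines and addresses below are constructed for this example.

# One line per (rule, proto, src host, dst host:port, direction, iface) with a
# hit count, most frequent first. The ephemeral source port is dropped so one
# client's retries are not split over several lines.
summarize_denies() {
    awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            # after "ipfw:": rule action proto src dst dir "via" iface
            rule = $(i+1); proto = $(i+3); src = $(i+4); dst = $(i+5)
            dir = $(i+6); ifc = $(i+8)
            sub(/:[0-9]+$/, "", src)
            key = rule " " proto " " src " -> " dst " " dir " via " ifc
            hits[key]++
        }
        END { for (k in hits) printf "%6d  %s\n", hits[k], k }
    ' | sort -rn
}

# Constructed sample: two LAN hosts failing to reach an FTP server through
# the final "deny log" rule, plus normal noise on the outside interface.
sample_log() {
    cat <<'EOF'
Jul  2 10:12:33 router kernel: ipfw: 60000 Deny TCP 192.168.1.23:1052 198.51.100.20:21 in via ep1
Jul  2 10:12:36 router kernel: ipfw: 60000 Deny TCP 192.168.1.23:1053 198.51.100.20:21 in via ep1
Jul  2 10:13:01 router kernel: ipfw: 60000 Deny TCP 192.168.1.40:3301 198.51.100.20:21 in via ep1
Jul  2 10:13:05 router kernel: ipfw: 59999 Deny UDP 203.0.113.7:137 192.0.2.1:137 in via ep0
Jul  2 10:13:09 router kernel: ipfw: 59998 Deny ICMP:8.0 203.0.113.9 192.0.2.1 in via ep0
EOF
}

# Rule number with the most hits in the sample: 60000, the template's final
# "deny log ip from any to any", i.e. traffic that matched no allow rule.
top_deny_rule() {
    sample_log | summarize_denies | head -n 1 | awk '{ print $2 }'
}

# Usage: sh ipfw_denies.sh /var/log/security   (or --sample for the demo lines)
if [ "${1-}" = "--sample" ]; then
    sample_log | summarize_denies
elif [ -n "${1-}" ]; then
    summarize_denies < "$1"
fi
```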
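And Phil's second option, again as an added example rather than anything from the thread or from the lugbe.ch template's author: the same policy laid out in the four sections a) to d) described above, without the skipto. It assumes the interfaces and LAN of the original post (ep0 outside, ep1 inside, 192.168.1.0/24) and that natd is already configured; the rule numbers and the sh wrapper are my own.

```shell
#!/bin/sh
# Added example, not from the thread: the lugbe.ch template rewritten in the
# four sections Phil describes, without the skipto. Output is in the same
# ipfw(8) rule-file format as the original, so it can be saved and loaded the
# same way as rc.firewall.rules. Assumes ep0 outside, ep1 inside, LAN
# 192.168.1.0/24 and natd configured as before; written for ipfw2 on FreeBSD
# 5.x. Load it from the console: "flush" drops any ssh session in progress.
oif=ep0 iif=ep1 lan=192.168.1.0/24

ruleset() {
cat <<EOF
-q flush
# a) loopback, anti-spoofing, then NAT on the outside interface and check-state.
#    divert is "via" (both directions), so the rest of the ruleset sees LAN
#    addresses on the way in and the public address on the way out; no skipto.
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00300 deny ip from 10.0.0.0/8 to any in via $oif
add 00301 deny ip from 172.16.0.0/12 to any in via $oif
add 00302 deny ip from 192.168.0.0/16 to any in via $oif
add 01000 divert natd ip from any to any via $oif
add 01001 check-state
# b) traffic to and from the firewall itself. 02010 also passes the LAN's
#    outbound packets after natd has rewritten their source to this host.
add 02000 allow tcp from $lan to me dst-port 22 in via $iif setup keep-state
add 02001 allow icmp from $lan to me in via $iif
add 02002 allow tcp from $lan to me dst-port 123 in via $iif setup keep-state
add 02003 allow udp from $lan to me dst-port 53,123 in via $iif keep-state
add 02010 allow ip from me to any out keep-state
add 02999 deny log ip from any to me
# c) services offered to the outside: none here, so end with Phil's "deny all
#    traffic coming in via my external interface" (logged while debugging)
add 03999 deny log ip from any to any in via $oif
# d) what the LAN may send out. State is created here, before NAT, so the
#    check-state in a) matches the replies after natd has un-NATed them.
add 04000 allow ip from $lan to any in via $iif keep-state
add 04999 deny log ip from any to any
EOF
}

ruleset
```

Unsolicited inbound connections (active-mode FTP data channels included) stop at 03999, so watch that rule's log lines while testing.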