From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 3 16:04:26 2013
Date: Sun, 3 Nov 2013 08:04:20 -0800
From: Payam Chychi
To: Casey Scott
Subject: Re: NAT/ipfw blocking internal traffic
Cc: freebsd-ipfw@freebsd.org

Do you have logs of what's being dropped?

-- 
Payam Chychi
Network Engineer / Security Specialist

On Thursday, October 31, 2013 at 1:10 PM, Casey Scott wrote:
> Hello,
>
> My NAT and ipfw ruleset follow almost exactly what is given at
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
>
> The problem I'm encountering is that a portion of my outbound internal
> traffic is being blocked by ipfw. This is a fresh FreeBSD installation, so
> I'm kind of at a loss since the config matches the handbook. Any suggestions
> are appreciated.
>
> uname -a
> ***********************************************
> FreeBSD hostname 9.2-RELEASE FreeBSD 9.2-RELEASE #6 r256447: Fri Oct 18 20:06:53 PDT 2013 root@hostname:/usr/src/sys/amd64/compile/hostname amd64
> ***********************************************
>
> /var/log/security:
> ***********************************************
> Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915 174.129.210.177:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876 65.126.84.88:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61877 65.126.84.88:80 out via fxp0
> Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
> Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921 208.85.40.45:80 out via fxp0
> ***********************************************
>
> firewall script:
> ***********************************************
> #!/bin/sh
> cmd="ipfw -q add"
> skip="skipto 500"
> pif=fxp0
> ks="keep-state"
> good_tcpo="22,25,37,43,53,80,443"
>
> ipfw -q -f flush
>
> $cmd 002 allow all from any to any via em0 # exclude LAN traffic
> $cmd 003 allow all from any to any via lo0 # exclude loopback traffic
>
> $cmd 100 divert natd ip from any to any in via $pif
> $cmd 101 check-state
>
> # Authorized outbound packets
> $cmd 136 $skip udp from any to any 53 out via $pif $ks
> $cmd 150 $skip tcp from any to any $good_tcpo out via $pif setup $ks
> $cmd 151 $skip icmp from any to any out via $pif $ks
> $cmd 152 $skip udp from any to any 123 out via $pif $ks
>
> # Deny all inbound traffic from non-routable reserved address spaces
> $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
> $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
> $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
> $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
> $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
> $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
> $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
> $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
> $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
>
> # Authorized inbound packets
> $cmd 400 allow tcp from any to me 76 in via $pif setup limit src-addr 2
> $cmd 402 allow ip from any to me 53 in via $pif setup limit src-addr 2
> $cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> $cmd 421 allow tcp from any to me 80 in via $pif setup limit src-addr 2
>
> $cmd 450 deny log ip from any to any
>
> # This is skipto location for outbound stateful rules
> $cmd 500 divert natd ip from any to any out via $pif
> ***********************************************
>
> natd run options:
> ***********************************************
> /sbin/natd -dynamic -m -n fxp0
> ***********************************************
>
> -Casey
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
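An added triage script, not from the thread, that parses the ipfw "deny log" lines quoted above and labels why each denied packet fell through to rule 450 given the ordering of the quoted ruleset (inbound natd divert at 100, check-state at 101, the setup-only skipto at 150, outbound natd divert at 500). The reason labels and the third sample line (port 8080 to a documentation address) are constructed for the example.

```python
import re
from collections import Counter

# Syslog format of the 'deny log' lines quoted in the post:
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)")
GOOD_TCPO = {22, 25, 37, 43, 53, 80, 443}   # good_tcpo from the quoted script
RFC1918 = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

def parse(line):
    """Return the fields of one ipfw log line, or None if it is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def classify(rec):
    """Why a TCP packet fell through to the final deny (rule 450) here."""
    if rec["dir"] == "out":
        # A private source means the packet was seen before the outbound natd
        # divert (rule 500): it matched neither check-state (101) nor rule 150.
        if int(rec["dport"]) not in GOOD_TCPO:
            return "out-port-not-in-good_tcpo"
        # Rule 150 creates state only for 'setup' (SYN) packets, so a later
        # segment whose dynamic rule expired or was closed lands on rule 450.
        return "out-no-dynamic-state"
    if RFC1918.match(rec["dst"]):
        # natd (rule 100) already rewrote the destination to the LAN host;
        # the denial means check-state (101) found no live entry for it.
        return "in-no-dynamic-state"
    return "in-to-firewall-not-allowed"

def summarize(lines):
    """Count (rule, reason) pairs over a log excerpt."""
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        counts[(rec["rule"], classify(rec))] += 1
    return counts

# Two lines from the post's /var/log/security excerpt plus one constructed
# line (port 8080 to a documentation address) to exercise the port branch.
SAMPLE = [
    "Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80 192.168.1.6:61681 in via fxp0",
    "Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915 174.129.210.177:80 out via fxp0",
    "Oct 29 10:20:00 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61999 192.0.2.7:8080 out via fxp0",
]
```

Run `summarize(open("/var/log/security").readlines())` on the real file to see which reason dominates; a flood of "out-no-dynamic-state" points at state lifetime or session teardown rather than a missing allow rule.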