From owner-freebsd-questions@FreeBSD.ORG Fri Nov 2 10:25:08 2007
Message-ID: <472AF4FF.9000803@gmail.com>
Date: Fri, 02 Nov 2007 04:59:27 -0500
From: Jack Barnett <jackbarnett@gmail.com>
To: freebsd-questions@freebsd.org
Subject: IPFW Rules and Games

Lots of people play games here and it's basically a pain to keep trying to get these stupid things to work with individual rules for each.

I'm running FreeBSD 6.x with IPFW/natd. I get a dynamic IP from my ISP and the internal NIC is 192.168.17.1. Everything inside the network is 192.168.17.xxx.

The setup is this:

192.168.17.x <--> 192.168.17.1 <[FreeBSD]> Dynamic IP <--> {Random Game Server on the Internets}

[Internal Network(GAME)] <--> [FreeBSD] <--> {Internets}

There are a bunch of games that send out TCP/UDP packets (and who knows what else) on different ports to different destinations and then receive data back on "random" ports. Basically, anything on any protocol from the internal network should be able to establish and set up connections out AND be allowed to receive data back from whomever they connected out to; but "random" hosts trying to connect in should be blocked.

I added this for a temporary fix:

${fwcmd} add pass all from any to any

I don't think that is the right answer; that allows too much in?
I've tried these per the docs:

${fwcmd} add allow all from any to any out via {$iip} setup
${fwcmd} add allow all from any to any out via {$iip} established
${fwcmd} add allow all from any to any in via {$iip} established

and also a bunch of others; but none of them worked.

Here is my full config:

# simple
[Ss][Ii][Mm][Pp][Ll][Ee])
    ############
    # This is a prototype setup for a simple firewall.  Configure this
    # machine as a DNS and NTP server, and point all the machines
    # on the inside at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="xl0"
    onet=`ifconfig xl0 | grep "inet " | awk '{print $6}'`
    omask="0xfffffe00"
    oip=`ifconfig xl0 | grep "inet " | awk '{print $2}'`

    # set these to your inside interface network and netmask and ip
    iif="dc1"
    inet="192.168.17.0"
    imask="0xffffff00"
    iip="192.168.17.1"

    setup_loopback

    # Stop spoofing
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

    # Network Address Translation.  This rule is placed here deliberately
    # so that it does not interfere with the surrounding address-checking
    # rules.  If for example one of your internal LAN machines had its IP
    # address set to 192.0.2.1 then an incoming packet for it after being
    # translated by natd(8) would match the `deny' rule above.  Similarly
    # an outgoing packet originated from it before being translated would
    # match the `deny' rule below.
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
    ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
    ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

    # Allow internal traffic
    ${fwcmd} add allow all from any to any via ${iif}

    # Allow all local traffic
    ${fwcmd} add allow all from ${inet}:${imask} to ${inet}:${imask}

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

    # Allow setup of incoming email
    #${fwcmd} add pass tcp from any to ${oip} 25 setup
    #${fwcmd} add pass tcp from any to ${iip} 25 setup
    ${fwcmd} add pass tcp from any to any 25 setup

    # Allow access to our DNS
    ${fwcmd} add pass tcp from any to ${iip} 53 setup
    ${fwcmd} add pass udp from any to ${iip} 53
    ${fwcmd} add pass udp from ${iip} 53 to any
    #${fwcmd} add pass tcp from {$inet}:{$imask} to ${oip} 53 setup
    #${fwcmd} add pass udp from {$inet}:{$imask} to ${oip} 53
    #${fwcmd} add pass udp from ${oip} 53 to {$inet}:{$imask}

    # SMB - Samba
    #${fwcmd} add pass tcp from any to ${iip} 137
    #${fwcmd} add pass udp from any to ${iip} 137
    #${fwcmd} add pass tcp from any to ${iip} 138
    #${fwcmd} add pass udp from any to ${iip} 138
    #${fwcmd} add pass udp from any to ${iip} 791

    # Allow access to our WWW
    #${fwcmd} add pass tcp from any to ${oip} 80 setup
    ${fwcmd} add pass tcp from any to any 80 setup
    ${fwcmd} add pass tcp from any to ${iip} 888 setup

    # Allow access to our SSH
    #${fwcmd} add pass tcp from any to ${oip} 22 setup
    ${fwcmd} add pass tcp from any to any 22 setup

    # Reject&Log all setup of incoming connections from the outside
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    ${fwcmd} add pass tcp from any to any setup

    # Allow DNS queries out in the world
    #${fwcmd} add pass udp from ${oip} to any 53 keep-state
    ${fwcmd} add pass udp from any to any 53 keep-state

    # Allow NTP queries out in the world
    #${fwcmd} add pass udp from ${oip} to any 123 keep-state
    ${fwcmd} add pass udp from any to any 123 keep-state

    # NWN/NWN2 Client
    #http://nwn2forums.bioware.com/forums/viewtopic.html?topic=507894&forum=116&sp=30
    #http://nwn.bioware.com/forums/viewtopic.html?topic=387975&forum=56&sp=135
    #add 123 allow udp from any to 1.2.3.4 5120-5300,6500,6667,27900,28900
    #UDP 5120 - Outbound and Inbound packets
    #UDP 2485 - Outbound and Inbound packets
    #TCP 2486 - Outbound and Inbound packets
    #TCP 2487 - Outbound and Inbound packets
    #TCP 2488 - Outbound and Inbound packets
    #UDP 2489 - Outbound and Inbound packets
    #TCP 28910 - Server port
    #UDP 5121 - Server port
    #UDP 5122 - Server port
    #UDP 27900 - Server port
    #UDP 50643 - Server port
    #UDP 6121 - Server port
    # not working.
    #add allow all from any to any 2485-2490,5210-5230,6121-6500,27900,27900-28910,50643
    #add pass all from any to any 2485-2490,5210-5230,6121-6500,27900,27900-28910,50643
    #add allow all from any to any 5120-5300,6500,6667,27900,28900

    #allow outbound setup connections
    # not working.
    #${fwcmd} add allow tcp from any to any out via {$iip} setup
    #allow in and outbound established connections
    #${fwcmd} add allow tcp from any to any out via {$iip} established
    #${fwcmd} add allow tcp from any to any in via {$iip} established

    ${fwcmd} add pass all from any to any

    # Everything else is denied by default, unless the
    # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
    # config file.
    ;;
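The stateful design the poster is reaching for, written out as an added example (not his rc.firewall and not FreeBSD's own script): LAN hosts may open anything outward, keep-state records each flow before natd rewrites it, check-state admits the replies after natd has translated them back, and unsolicited inbound traffic on the outside NIC is dropped. Interface names, the LAN prefix and the rule numbers are assumptions.

```shell
#!/bin/sh
# Stateful IPFW + natd gateway ruleset: an added example, not the poster's rc.firewall.
# Assumed: outside NIC xl0, inside NIC dc1, LAN 192.168.17.0/24, natd already running
# on xl0 (rc.conf). Rules are generated as text so they can be checked before loading.
oif="xl0"; iif="dc1"; inet="192.168.17.0/24"
# Rule order carries the logic:
#  100-230  LAN/loopback pass untouched; anti-spoof on xl0 runs before natd re-injects.
#  300-310  inbound packets are de-NATed FIRST, so a game server's reply is already
#           addressed to 192.168.17.x when check-state looks up the dynamic rule.
#  400-420  LAN hosts may open anything out; keep-state records the flow BEFORE natd
#           rewrites the source address, then skipto 800 performs the translation.
#  450      services on the gateway itself are opened the same stateful way.
#  500      anything else arriving on xl0 (unsolicited "random" hosts) is dropped.
ruleset() {
    cat <<EOF
add 100 allow ip from any to any via ${iif}
add 110 allow ip from any to any via lo0
add 200 deny ip from ${inet} to any in via ${oif}
add 210 deny ip from any to 10.0.0.0/8 in via ${oif}
add 220 deny ip from any to 172.16.0.0/12 in via ${oif}
add 230 deny ip from any to 192.168.0.0/16 in via ${oif}
add 300 divert natd ip from any to any in via ${oif}
add 310 check-state
add 400 skipto 800 tcp from any to any out via ${oif} setup keep-state
add 410 skipto 800 udp from any to any out via ${oif} keep-state
add 420 skipto 800 icmp from any to any out via ${oif} keep-state
add 450 allow tcp from any to me 22 in via ${oif} setup keep-state
add 500 deny log ip from any to any in via ${oif}
add 800 divert natd ip from any to any out via ${oif}
add 810 allow ip from any to any
add 999 deny log ip from any to any
EOF
}
# Pre-load check: inbound divert < check-state < every keep-state rule < outbound
# divert. Any other order silently breaks return traffic. Exit status 0 = order holds.
check_order() {
    ruleset | awk '
        /divert natd/ && /in via/        { din = $2 + 0 }
        /divert natd/ && /out via/       { dout = $2 + 0 }
        $3 == "check-state"              { cs = $2 + 0 }
        /keep-state/ && ($2 + 0 > maxks) { maxks = $2 + 0 }
        END { exit !(din < cs && cs < maxks && maxks < dout) }'
}

# Load: ipfw(8) reads "add ..." lines from a file named on its command line.
apply_ruleset() {
    check_order || { echo "ruleset order is wrong, not loading" >&2; return 1; }
    ipfw -q -f flush && ruleset | ipfw -q /dev/stdin
}
```

A dynamic rule matches only the exact reverse of the flow that created it, so a game server that answers from a different port than the client sent to still needs an explicit rule, and natd would not translate such a reply either.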